feat(gateway): add optional openapi-to-mcp sidecar

[jarvis9443]

Summary

The OpenAPI-to-MCP server has been extracted from the gateway image into a standalone image (api7/openapi-to-mcp). This PR adds an optional sidecar deployment for it under openapiToMcp in the gateway chart.

Changes

• charts/gateway/values.yaml: new openapiToMcp block (enabled: false, image api7/openapi-to-mcp:0.0.1-beta, port 3000, empty resources).
• charts/gateway/templates/_pod.tpl: render the sidecar container when openapiToMcp.enabled is true. Shares the pod network namespace so the gateway plugin reaches it on 127.0.0.1:<port>.
• charts/gateway/README.md: regenerated via make helm-docs.

Notes

• The upstream server binds to 127.0.0.1 inside the container, so httpGet/tcpSocket probes from kubelet would fail. The template uses an exec probe that runs a small node -e script against 127.0.0.1:$SSE_PORT/health.
• Default is enabled: false. Users running the openapi-to-mcp or mcp-tools-acl plugins must flip this to true after upgrading to a gateway image that no longer bundles the server.

Related

• api7/OpenAPI2MCP#39 (standalone image + release workflow)
• api7/api7-ee-3-gateway#1463 (strip OpenAPI2MCP from gateway image)

Verification

helm lint charts/gateway                    # passes
helm template t charts/gateway              # no openapi-to-mcp container
helm template t charts/gateway --set openapiToMcp.enabled=true   # container rendered

Summary by CodeRabbit

• New Features

  • Optional OpenAPI-to-MCP sidecar with enable/disable toggle, configurable image, port, and resource requests/limits.
  • Built-in readiness and liveness checks for the sidecar.
  • Deployment-time validation to ensure the sidecar port matches the gateway plugin port.

• Documentation

  • Updated Helm chart values and README with sidecar configuration and usage guidance.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds Helm values and README documentation for an optional OpenAPI-to-MCP sidecar and updates the gateway pod template to conditionally inject that sidecar (image, port, env, probes, resources) with template-time validation that the sidecar port matches gateway plugin attributes.

Changes

Cohort / File(s)	Summary
Helm values & docs charts/gateway/values.yaml, charts/gateway/README.md	Add openapiToMcp values: enabled, image.{repository,tag,pullPolicy}, port, and resources; document that openapiToMcp.port must match plugin_attr.openapi-to-mcp (plugin attribute port).
Pod template charts/gateway/templates/_pod.tpl	Conditionally inject an openapi-to-mcp container when .Values.openapiToMcp.enabled is true; configure image/pullPolicy, set SSE_PORT from .Values.openapiToMcp.port, expose TCP port http, add HTTP readiness/liveness probes on /health, apply .Values.openapiToMcp.resources, and perform template-time fail if the configured port is missing or mismatched with pluginAttrs["openapi-to-mcp"].port.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
E2e Test Quality Review	⚠️ Warning	PR lacks E2E tests for the new OpenAPI-to-MCP sidecar container feature in the Helm chart.	Implement E2E tests validating sidecar deployment, port binding, health probes, and resource limits across enabled/disabled scenarios.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title accurately describes the main change: adding an optional openapi-to-mcp sidecar to the gateway chart. It is concise, specific, and directly reflects the primary objective of the changeset.
Security Check	✅ Passed	OpenAPI-to-MCP sidecar container includes proper environment variable injection, port binding to localhost, health probes, and no hardcoded secrets.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/openapi-to-mcp-sidecar

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/gateway/templates/_pod.tpl`:
- Around line 231-273: The template currently wires the sidecar to
.Values.openapiToMcp.port but doesn't validate equality with
pluginAttrs["openapi-to-mcp"].port, allowing silent runtime breakage; add a Helm
template guard at the top of the openapi-to-mcp block that compares
.Values.openapiToMcp.port with index .Values.pluginAttrs "openapi-to-mcp" .port
and calls fail(...) if they differ so the chart rendering fails fast; locate the
openapiToMcp block in _pod.tpl and add the eq check using Helm's eq/if or ne and
fail to produce a clear error message referencing both .Values.openapiToMcp.port
and pluginAttrs["openapi-to-mcp"].port.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: aef03d22-ecda-46e0-b474-8f58bef58637

📥 Commits

Reviewing files that changed from the base of the PR and between 8e20c00 and 0b1232a.

📒 Files selected for processing (3)

• charts/gateway/README.md
• charts/gateway/templates/_pod.tpl
• charts/gateway/values.yaml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/gateway/templates/_pod.tpl`:
- Around line 232-235: The template currently skips validation when
pluginAttrs.openapi-to-mcp.port is missing; change the logic in the block using
$mcpAttr and the hasKey check so you always validate port alignment: retrieve
pluginPort from (index $mcpAttr "port") using a default/sentinel and then
compare int(pluginPort) to int(.Values.openapiToMcp.port), and if pluginPort is
absent fail when .Values.openapiToMcp.port does not equal the plugin’s expected
default port; update the fail message in the same block to reference
.Values.openapiToMcp.port and the plugin port value so a mismatch is caught even
when pluginAttrs omits the port.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cbd830d4-0bfc-4a74-ba64-9769da0a5de8

📥 Commits

Reviewing files that changed from the base of the PR and between 6a074fb and 9ac8a14.

📒 Files selected for processing (1)

• charts/gateway/templates/_pod.tpl

[coderabbitai]

🧹 Nitpick comments (1)

charts/gateway/templates/_pod.tpl (1)

232-235: Prefer merged plugin attrs over raw .Values.pluginAttrs to avoid default drift.

This works, but using the merged helper output as the source of truth will reduce maintenance risk if base plugin defaults change later.

♻️ Proposed refactor

-    {{- $mcpAttr := (index .Values.pluginAttrs "openapi-to-mcp" | default dict) -}}
+    {{- $pluginAttrs := (include "apisix.pluginAttrs" . | fromYaml) -}}
+    {{- $mcpAttr := (index $pluginAttrs "openapi-to-mcp" | default dict) -}}
     {{- $pluginMcpPort := (index $mcpAttr "port" | default 3000 | int) -}}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/gateway/templates/_pod.tpl` around lines 232 - 235, The comparison is
reading raw .Values.pluginAttrs via $mcpAttr but should use the chart's merged
plugin-attrs helper output to avoid default-drift; replace the lookup currently
using (index .Values.pluginAttrs "openapi-to-mcp") with the merged-plugin-attrs
variable or helper used elsewhere (e.g., the template variable that holds merged
plugin attrs, such as $mergedPluginAttrs or the include/tuple helper that
returns merged attrs), then use (index $mergedPluginAttrs "openapi-to-mcp" |
default dict) to compute $mcpAttr and keep the rest of the check against
.Values.openapiToMcp.port unchanged so plugin defaults remain authoritative.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@charts/gateway/templates/_pod.tpl`:
- Around line 232-235: The comparison is reading raw .Values.pluginAttrs via
$mcpAttr but should use the chart's merged plugin-attrs helper output to avoid
default-drift; replace the lookup currently using (index .Values.pluginAttrs
"openapi-to-mcp") with the merged-plugin-attrs variable or helper used elsewhere
(e.g., the template variable that holds merged plugin attrs, such as
$mergedPluginAttrs or the include/tuple helper that returns merged attrs), then
use (index $mergedPluginAttrs "openapi-to-mcp" | default dict) to compute
$mcpAttr and keep the rest of the check against .Values.openapiToMcp.port
unchanged so plugin defaults remain authoritative.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 061002d3-fc4e-4416-843f-959c88e3bca3

📥 Commits

Reviewing files that changed from the base of the PR and between 9ac8a14 and 5cb6415.

📒 Files selected for processing (1)

• charts/gateway/templates/_pod.tpl