Add MCP server sidecar support to OpenStackClient

Adds the ability to run the rhos-mcps MCP server as a sidecar container
inside the openstackclient pod, exposed via a k8s Service. This allows
the OpenStackAssistant (Goose) to execute read-only OpenStack CLI
commands through the MCP protocol.

OpenStackClient changes:
- New MCPConfig struct (enabled, containerImage) on the CR spec
- When enabled, adds an mcp-server sidecar container sharing the same
  clouds.yaml/secure.yaml credential mounts
- Controller creates a ConfigMap with rhos-mcps config (openstack
  enabled, openshift disabled, allow_write: false)
- Controller creates a Service on port 8080 for the MCP endpoint

OpenStackAssistant changes:
- New MCPServerRef (name, url) and mcpServers field on GooseConfig
- Each MCP server is passed as MCP_SERVER_<name> env var to the pod
- Entrypoint script generates Goose streamable_http extension entries
  from these env vars

Users can create a second OpenStackClient instance with reader-only
credentials for credential-level read-only enforcement in addition to
the rhos-mcps allow_write:false guardrail.

Author: dprince

api/assistant/v1beta1/openstackassistant_types.go

@@ -52,6 +52,26 @@ type LightspeedStackSpec struct {
 	CaBundleSecretName string `json:"caBundleSecretName,omitempty"`
 }
 
+// MCPServerRef references an MCP server endpoint to configure as a Goose extension.
+// Either URL or OpenStackClientRef must be specified, but not both.
+type MCPServerRef struct {
+	// Name is the extension name in Goose config
+	// +kubebuilder:validation:Required
+	Name string `json:"name"`
+
+	// URL is the MCP server's Streamable HTTP endpoint.
+	// Mutually exclusive with OpenStackClientRef.
+	// +kubebuilder:validation:Optional
+	URL string `json:"url,omitempty"`
+
+	// OpenStackClientRef is the name of an OpenStackClient CR in the same
+	// namespace that has MCP enabled. The controller auto-computes the
+	// correct service URL and TLS CA configuration.
+	// Mutually exclusive with URL.
+	// +kubebuilder:validation:Optional
+	OpenStackClientRef string `json:"openstackClientRef,omitempty"`
+}
+
 // GooseConfig defines Goose-specific provider configuration
 type GooseConfig struct {
 	// Model is the model identifier for the Goose AI agent
@@ -70,6 +90,10 @@ type GooseConfig struct {
 	// will be written to ~/.goosehints in the pod.
 	// +kubebuilder:validation:Optional
 	Hints *string `json:"hints,omitempty"`
+
+	// MCPServers lists MCP server endpoints to configure as Goose extensions.
+	// +kubebuilder:validation:Optional
+	MCPServers []MCPServerRef `json:"mcpServers,omitempty"`
 }
 
 // OpenStackAssistantSpec defines the desired state of OpenStackAssistant

api/assistant/v1beta1/zz_generated.deepcopy.go

@@ -188,6 +188,33 @@ spec:
                       The ConfigMap must have a key "hints" with the content that
                       will be written to ~/.goosehints in the pod.
                     type: string
+                  mcpServers:
+                    description: MCPServers lists MCP server endpoints to configure
+                      as Goose extensions.
+                    items:
+                      description: |-
+                        MCPServerRef references an MCP server endpoint to configure as a Goose extension.
+                        Either URL or OpenStackClientRef must be specified, but not both.
+                      properties:
+                        name:
+                          description: Name is the extension name in Goose config
+                          type: string
+                        openstackClientRef:
+                          description: |-
+                            OpenStackClientRef is the name of an OpenStackClient CR in the same
+                            namespace that has MCP enabled. The controller auto-computes the
+                            correct service URL and TLS CA configuration.
+                            Mutually exclusive with URL.
+                          type: string
+                        url:
+                          description: |-
+                            URL is the MCP server's Streamable HTTP endpoint.
+                            Mutually exclusive with OpenStackClientRef.
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
                   model:
                     description: |-
                       Model is the model identifier for the Goose AI agent

api/bases/assistant.openstack.org_openstackassistants.yaml

@@ -180,6 +180,23 @@ spec:
                 x-kubernetes-list-map-keys:
                 - name
                 x-kubernetes-list-type: map
+              mcp:
+                description: |-
+                  MCP is the optional MCP server sidecar configuration.
+                  When enabled, the rhos-mcps server runs alongside the openstackclient
+                  container and is exposed via a k8s Service.
+                properties:
+                  containerImage:
+                    description: ContainerImage for the rhos-mcps MCP server container.
+                    type: string
+                  enabled:
+                    default: false
+                    description: Enabled controls whether the MCP server sidecar is
+                      added to the pod.
+                    type: boolean
+                required:
+                - containerImage
+                type: object
               nodeSelector:
                 additionalProperties:
                   type: string

api/bases/client.openstack.org_openstackclients.yaml

@@ -12982,6 +12982,16 @@ spec:
                         x-kubernetes-list-map-keys:
                         - name
                         x-kubernetes-list-type: map
+                      mcp:
+                        properties:
+                          containerImage:
+                            type: string
+                          enabled:
+                            default: false
+                            type: boolean
+                        required:
+                        - containerImage
+                        type: object
                       nodeSelector:
                         additionalProperties:
                           type: string

api/bases/core.openstack.org_openstackcontrolplanes.yaml

@@ -37,6 +37,18 @@ type OpenStackClientSpec struct {
 	ContainerImage string `json:"containerImage"`
 }
 
+// MCPConfig defines optional MCP server sidecar configuration
+type MCPConfig struct {
+	// Enabled controls whether the MCP server sidecar is added to the pod.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=false
+	Enabled bool `json:"enabled"`
+
+	// ContainerImage for the rhos-mcps MCP server container.
+	// +kubebuilder:validation:Required
+	ContainerImage string `json:"containerImage"`
+}
+
 // OpenStackClientSpecCore defines the desired state of OpenStackClient
 type OpenStackClientSpecCore struct {
 	// +kubebuilder:validation:Required
@@ -67,6 +79,12 @@ type OpenStackClientSpecCore struct {
 	// +optional
 	// List of environment variables to set in the container.
 	Env []corev1.EnvVar `json:"env,omitempty" patchMergeKey:"name" patchStrategy:"merge"`
+
+	// MCP is the optional MCP server sidecar configuration.
+	// When enabled, the rhos-mcps server runs alongside the openstackclient
+	// container and is exposed via a k8s Service.
+	// +kubebuilder:validation:Optional
+	MCP *MCPConfig `json:"mcp,omitempty"`
 }
 
 // OpenStackClientStatus defines the observed state of OpenStackClient

api/client/v1beta1/openstackclient_types.go

@@ -187,6 +187,33 @@ spec:
                       The ConfigMap must have a key "hints" with the content that
                       will be written to ~/.goosehints in the pod.
                     type: string
+                  mcpServers:
+                    description: MCPServers lists MCP server endpoints to configure
+                      as Goose extensions.
+                    items:
+                      description: |-
+                        MCPServerRef references an MCP server endpoint to configure as a Goose extension.
+                        Either URL or OpenStackClientRef must be specified, but not both.
+                      properties:
+                        name:
+                          description: Name is the extension name in Goose config
+                          type: string
+                        openstackClientRef:
+                          description: |-
+                            OpenStackClientRef is the name of an OpenStackClient CR in the same
+                            namespace that has MCP enabled. The controller auto-computes the
+                            correct service URL and TLS CA configuration.
+                            Mutually exclusive with URL.
+                          type: string
+                        url:
+                          description: |-
+                            URL is the MCP server's Streamable HTTP endpoint.
+                            Mutually exclusive with OpenStackClientRef.
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
                   model:
                     description: |-
                       Model is the model identifier for the Goose AI agent
@@ -748,6 +775,23 @@ spec:
                 x-kubernetes-list-map-keys:
                 - name
                 x-kubernetes-list-type: map
+              mcp:
+                description: |-
+                  MCP is the optional MCP server sidecar configuration.
+                  When enabled, the rhos-mcps server runs alongside the openstackclient
+                  container and is exposed via a k8s Service.
+                properties:
+                  containerImage:
+                    description: ContainerImage for the rhos-mcps MCP server container.
+                    type: string
+                  enabled:
+                    default: false
+                    description: Enabled controls whether the MCP server sidecar is
+                      added to the pod.
+                    type: boolean
+                required:
+                - containerImage
+                type: object
               nodeSelector:
                 additionalProperties:
                   type: string
@@ -13816,6 +13860,16 @@ spec:
                         x-kubernetes-list-map-keys:
                         - name
                         x-kubernetes-list-type: map
+                      mcp:
+                        properties:
+                          containerImage:
+                            type: string
+                          enabled:
+                            default: false
+                            type: boolean
+                        required:
+                        - containerImage
+                        type: object
                       nodeSelector:
                         additionalProperties:
                           type: string

api/client/v1beta1/zz_generated.deepcopy.go

@@ -188,6 +188,33 @@ spec:
                       The ConfigMap must have a key "hints" with the content that
                       will be written to ~/.goosehints in the pod.
                     type: string
+                  mcpServers:
+                    description: MCPServers lists MCP server endpoints to configure
+                      as Goose extensions.
+                    items:
+                      description: |-
+                        MCPServerRef references an MCP server endpoint to configure as a Goose extension.
+                        Either URL or OpenStackClientRef must be specified, but not both.
+                      properties:
+                        name:
+                          description: Name is the extension name in Goose config
+                          type: string
+                        openstackClientRef:
+                          description: |-
+                            OpenStackClientRef is the name of an OpenStackClient CR in the same
+                            namespace that has MCP enabled. The controller auto-computes the
+                            correct service URL and TLS CA configuration.
+                            Mutually exclusive with URL.
+                          type: string
+                        url:
+                          description: |-
+                            URL is the MCP server's Streamable HTTP endpoint.
+                            Mutually exclusive with OpenStackClientRef.
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
                   model:
                     description: |-
                       Model is the model identifier for the Goose AI agent

bindata/crds/crds.yaml

@@ -180,6 +180,23 @@ spec:
                 x-kubernetes-list-map-keys:
                 - name
                 x-kubernetes-list-type: map
+              mcp:
+                description: |-
+                  MCP is the optional MCP server sidecar configuration.
+                  When enabled, the rhos-mcps server runs alongside the openstackclient
+                  container and is exposed via a k8s Service.
+                properties:
+                  containerImage:
+                    description: ContainerImage for the rhos-mcps MCP server container.
+                    type: string
+                  enabled:
+                    default: false
+                    description: Enabled controls whether the MCP server sidecar is
+                      added to the pod.
+                    type: boolean
+                required:
+                - containerImage
+                type: object
               nodeSelector:
                 additionalProperties:
                   type: string