OSDOCS-18945: adds troubleshooting MCP gateway

Author: ShaunaDiaz

modules/con-mcp-gateway-ts-gateway-routing.adoc

@@ -0,0 +1,29 @@
+// Module included in the following assemblies:
+//
+// *mcp_gateway_config/mcp-gateway-troubleshooting.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="con-mcp-gateway-ts-gateway-routing_{context}"]
+= Gateway and routing troubleshooting
+
+[role="_abstract"]
+When traffic is not flowing after you installed {mcpg}, you can investigate each component of the gateway routing to check system health. Depending on the errors you are receiving, you can troubleshoot at several layers. Breaks can occur at the gateway, route, or policy levels.
+
+If you have a `Connection Refused/Timeout` error and your client cannot reach the IP address, the cause might be the
+listener. In this case, one of the following situations likely applies:
+
+* The port is not open.
+* The load balancer has not assigned an IP address.
+* The TLS handshake is failing.
+
+When you have this type of error, check the listener first.
+
+If can connect to the `Gateway `object, but you get an `HTTP` error, such as `404`, the cause can be a problem with the `HTTPRoute` custom resource (CR). The route exists, but the `Gateway` object has rejected it or the connection has failed. When you get these types of codes, check the `HTTPRoute` CR first.
+
+If requests either fail with a `503` error or bypass the router, this means that the route is recognized, but the connection to the backend failed or was not authorized properly. In this case, start with API-level checks and narrow your investigation to Envoy filters as needed.
+
+If the `EnvoyFilter` is not present, it usually means one of the following situations has occurred:
+
+* The `Gateway` CR status is not `Programmed`.
+* There is a `labels` mismatch, and the MCP controller logic does not send any pods through the filter.
+* The MCP controller is crashing or stuck.

modules/proc-mcp-gateway-ts-extension-not-ready.adoc

@@ -0,0 +1,68 @@
+// Module included in the following assemblies:
+//
+// *mcp_gateway_config/mcp-gateway-troubleshooting.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="proc-mcp-gateway-ts-extension-not-ready_{context}"]
+= Troubleshooting an MCPGatewayExtension status of not ready
+
+[role="_abstract"]
+You can troubleshoot when your `MCPGatewayExtension` custom resource (CR) shows a `Ready: False` state by running a few commands.
+
+Common causes include the following errors and indicate an associated action:
+
+* `InvalidMCPGatewayExtension`: This often means that the `targetRef` points to a Gateway object that does not exist, or you have a typing error in the `kind` or `group`.
+* `ReferenceGrantRequired`: This occurs if your extension is in one namespace but is trying to target a `Gateway` object in another. To fix this, you must apply a `ReferenceGrant` in the `Gateway` object namespace.
+* `Conflict`: Only one `MCPGatewayExtension` can target a specific `Gateway` object. If another extension is already pointing to the `Gateway` object you configured with a new extension, the new one fails.
+
+.Prerequisites
+
+* You installed {mcpg}.
+* You installed {prodname}.
+* You configured a `Gateway` object.
+* You configured an `HTTPRoute` object for the gateway.
+* You installed the {oc-first}.
+* You registered an MCP server.
+
+.Procedure
+
+. Check the status of the specific `MCPGatewayExtension` CR by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc get mcpgatewayextension -n _<namespace>_
+----
++
+Replace `_<namespace>_` with the namespace where your `MCPGatewayExtension` CR is applied.
+
+. Check for conflicting `MCPGatewayExtension` CRs by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc get mcpgatewayextension -A
+----
++
+There must be only one extension per namespace.
+
+. Verify that the target Gateway object exists by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc get gateway -n _<gateway-namespace>_
+----
++
+Replace `_<gateway-namespace>_` with the namespace where your `Gateway` object is applied.
+
+. Check the `MCPServerRegistration` CR namespace and route status by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc describe mcpsr _<mcpsr_name>_ -n _<mcpsr_namespace>_
+----
++
+* Replace `_<mcpsr_name>_` with the names of your `MCPServerRegistration` CR is applied.
+* Replace `_<mcpsr_namespace>_` with the namespace where your `MCPServerRegistration` CR is applied.
+
+. Verify that an `MCPGatewayExtension` CR exists in the same namespace as the `MCPServerRegistration` CR. If the two do not share the same namespace, you must create a `ReferenceGrant` CR.
+
+. Ensure that the `MCPGatewayExtension` CR targets the `Gateway` object that the `HTTPRoute` CR is attached to.

modules/proc-mcp-gateway-ts-gateway-listener-not-working.adoc

@@ -0,0 +1,84 @@
+
+// Module included in the following assemblies:
+//
+// *mcp_gateway_config/mcp-gateway-troubleshooting.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="proc-mcp-gateway-ts-gateway-listener-not-working_{context}"]
+= Troubleshooting the gateway listener not working
+
+[role="_abstract"]
+If your {mcpg} cannot reach an MCP endpoint at configured hostname, the cause might be that the `Listener` custom resource (CR) you configured is not working. You can troubleshoot this situation by using a few commands and some insight.
+
+Use the following concepts in conjunction with the commands that follow to solve a non-functioning `Listener` CR:
+
+* Ensure that your `Gateway` object has `Accepted` and `Programmed` conditions set to `True`.
+* Verify that the `hostname` in the `Listener `CR matches your DNS or hosts configuration.
+
+.Prerequisites
+
+* You installed {mcpg}.
+* You installed {prodname}.
+* You configured a `Gateway` object.
+* You configured an `HTTPRoute` object for the gateway.
+* You installed the {oc-first}.
+* You registered an MCP server.
+
+.Procedure
+
+. Check the general `Gateway` object configuration by running the following command:
++
+[source,terminal]
+----
+$ oc get gateway -A
+----
++
+This command returns general information about all `Gateway` objects in the cluster. If the `Gateway` object you are troubleshooting does exist, the command returns the `gatewayClassName` is it using, whether or not it has an IP address or hostname assigned, and a `status`, such as `Ready`, `Programmed`, or `Pending`.
+
+. Check the full metadata and status history for one specific `Gateway` object by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc describe gateway _<gateway_name>_ -n _<namespace>_
+----
++
+* Replace `_<gateway_name>_` with the name of the `Gateway` object.
+* Replace `_<namespace>_` with the namespace where the `Gateway` object is applied.
+* This command can help you figure out why a `Gateway` object is stuck in `Pending` by checking for port conflicts and verifying that `SSL/TLS` certificates are correctly attached to `Listener` CRs.
+
+. Verify the `Listener` CR configuration by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc get gateway _<gateway_name>_ -n _<namespace>_ -o yaml | grep -A 10 listeners
+----
++
+* Replace `_<gateway_name>_` with the name of the `Gateway` object.
+* Replace `_<namespace>_` with the namespace where the `Gateway object` is applied.
+
+. Check all of your `Listener` CR configurations at the same time by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc get gateway _<gateway_name>_ -n _<namespace>_ -o jsonpath='{range .spec.listeners[*]}{.name}{"\t"}{.hostname}{"\t"}{.port}{"\n"}{end}' | jq
+----
+* Replace `_<gateway_name>_` with the name of the `Gateway` object.
+* Replace `_<namespace>_` with the namespace where your `Gateway` object is applied.
+* This command uses `jq` for formatting.
+
+. Check that the Istio gateway pod is running by using the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc get pods -n _<gateway_system>_ -l istio=ingressgateway
+----
++
+* Replace `_<gateway_system>_` with the name of your `Gateway` object deployment.
+* This command checks the status of Envoy-proxy pods and returns pod, traffic flow, and policy errors.
+
+. Verify that the port you are trying to use is not already in use by running the following command:
++
+[source,terminal]
+----
+$ oc get gateway -A -o yaml | grep "port:"
+----

modules/proc-mcp-gateway-ts-on-prem-mcp-server.adoc

@@ -0,0 +1,120 @@
+// Module included in the following assemblies:
+//
+// *mcp_gateway_config/mcp-gateway-troubleshooting.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="proc-mcp-gateway-ts-on-prem-mcp-server_{context}"]
+= Troubleshooting on-premise MCP server registration issues
+
+[role="_abstract"]
+When your on-premise MCP server is not discovered by your {mcpg} after you registered it, or you are having trouble with your tools, you can troubleshoot by checking for common problems.
+
+Basic steps include making sure that your backend server is available, routing is applied correctly, and that tool prefix headers are labeled correctly.
+
+.Prerequisites
+
+* You installed {mcpg}.
+* You installed {prodname}.
+* You configured a `Gateway` object.
+* You configured an `HTTPRoute` object for the gateway.
+* You installed the {oc-first}.
+* You registered an MCP server.
+
+.Procedure
+
+. If tools from your on-premise MCP server do not appear in `tools/list`, check that the MCP server is properly discovered by {mcpg} components by running the following command:
+
+. Check `MCPServerRegistration` CR status by running the following command:
++
+[source,terminal]
+----
+$ oc get mcpsr -A
+----
+
++
+[source,terminal,subs="+quotes"]
+----
+$ oc describe mcpserverregistration _<server_name> -n _<namespace>_
+----
+
+. Verify that the `MCPServerRegistration` CR `targetRef` points to correct `HTTPRoute` name and namespace.
+
+. Check that backend MCP server is running by entering the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc get pods -n _<mcp_server_namespace>_
+----
+
+. Verify that the backend service exists by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc get svc -n _<namespace>_ _<service_name>_
+----
+
+. Check that the attached `HTTPRoute` CR has valid backend reference by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc describe httproute _<route_name>_
+----
+
+. If your MCPServerRegistration CR is discovered, but tools are missing, test the backend server directly
++
+----
+$ oc run -it --rm debug --image=nicolaka/netshoot --restart=Never -- \
+  curl -X POST http://<service-name>.<namespace>.svc.cluster.local:<port>/mcp \
+  -H "mcp-session-id: SESSION_ID" \
+  -H "Content-Type: application/json" \
+  -d '{"jsonrpc": "2.0", "id": 1, "method": "tools/list"}'
+----
++
+[NOTE]
+====
+You might need a valid `mcp-session-id` header set.
+====
+
+. Check the broker router logs for errors by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc logs -n mcp-system -l app.kubernetes.io/name=mcp-gateway
+----
+
+**Solutions**:
+- Verify backend MCP server implements `tools/list` method correctly
+- Check backend server logs for errors
+- Ensure backend server returns valid MCP protocol responses
+- Verify `toolPrefix` in MCPServerRegistration spec is valid (no spaces or special chars)
+
+### Tool Prefix Not Applied
+
+**Symptom**: Tools appear without the configured prefix by running the following command:
+
+. Check `MCPServerRegistration` configuration
++
+[source,terminal,subs="+quotes"]
+----
+$ oc get mcpsr <server-name> -n <namespace> -o yaml | grep toolPrefix
+----
+
+**Solutions**:
+- Ensure `toolPrefix` is set in MCPServerRegistration spec
+
+- Verify no typos in `toolPrefix` field name by running the following command:
+
+. Check controller logs
++
+[source,terminal,subs="+quotes"]
+----
+$ oc logs -n mcp-system deployment/mcp-gateway-controller | grep prefix
+----
+
+. Restart the MCP gateway broker component after `MCPServerRegistration` CR changes by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc rollout restart deployment/mcp-gateway -n mcp-system
+----
+

modules/proc-mcp-gateway-ts-pods-not-starting.adoc

@@ -0,0 +1,57 @@
+// Module included in the following assemblies:
+//
+// *mcp_gateway_config/mcp-gateway-troubleshooting.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="proc-mcp-gateway-ts-pods-not-starting_{context}"]
+= {mcpg} pods not starting
+
+[role="_abstract"]
+After installation, if your {mcpg} pods are stuck in one of several states that indicate that they are not starting as expected, you can take several steps to diagnose the problem.
+
+Common causes include the following states and indicate an associated action:
+
+* `ImagePullBackOff`: Check image repository access and credentials.
+* `CrashLoopBackOff`: Check the logs for application errors.
+* `Pending:` Check resource availability and node capacity.
+* `Init Container Failure*:` Check RBAC permissions.
+
+.Prerequisites
+
+* You installed {mcpg}.
+* You installed {prodname}.
+* You configured a `Gateway` object.
+* You configured an `HTTPRoute` object for the gateway.
+* You installed the {oc-first}.
+* You registered an MCP server.
+
+.Procedure
+
+. Check the pod status by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc get pods -n _<mcp_system>_
+----
++
+Replace `_<mcp_system>_` with the name of the {mcpg} deployment that you are checking.
+
+. Describe problem pods by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc describe pod -n _<mcp_system>_ _<pod_name>_
+----
++
+* Replace `_<mcp_system>_` with the name of the {mcpg} deployment that you are checking.
+* Replace `_<pod_name>_` with the name of the pod that you are checking.
+
+. Check the namespace logs by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc logs -n _<mcp_system>_ _<pod_name>_
+----
++
+* Replace `_<mcp_system>_` with the name of the {mcpg} deployment that you are checking.
+* Replace `_<pod_name>_` with the name of the pod that you are checking.