OSDOCS-18945: adds troubleshooting MCP gateway

Author: ShaunaDiaz

modules/con-mcp-gateway-ts-gateway-routing.adoc

@@ -0,0 +1,29 @@
+// Module included in the following assemblies:
+//
+// *mcp_gateway_config/mcp-gateway-troubleshooting.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="con-mcp-gateway-ts-gateway-routing_{context}"]
+= Gateway and routing troubleshooting
+
+[role="_abstract"]
+When traffic is not flowing after you installed {mcpg}, you can investigate each component of the gateway routing to check system health. Depending on the errors you are receiving, you can troubleshoot at several layers. Breaks can occur at the gateway, route, or policy levels.
+
+If you have a `Connection Refused/Timeout` error and your client cannot reach the IP address, the cause might be the
+listener. In this case, one of the following situations likely applies:
+
+* The port is not open.
+* The load balancer has not assigned an IP address.
+* The TLS handshake is failing.
+
+When you have this type of error, check the listener first.
+
+If can connect to the `Gateway `object, but you get an `HTTP` error, such as `404`, the cause can be a problem with the `HTTPRoute` custom resource (CR). The route exists, but the `Gateway` object has rejected it or the connection has failed. When you get these types of codes, check the `HTTPRoute` CR first.
+
+If requests either fail with a `503` error or bypass the router, this means that the route is recognized, but the connection to the backend failed or was not authorized properly. In this case, start with API-level checks and narrow your investigation to Envoy filters as needed.
+
+If the `EnvoyFilter` is not present, it usually means one of the following situations has occurred:
+
+* The `Gateway` CR status is not `Programmed`.
+* There is a `labels` mismatch, and the MCP controller logic does not send any pods through the filter.
+* The MCP controller is crashing or stuck.

modules/proc-mcp-gateway-register-mcp-server.adoc

@@ -93,6 +93,11 @@ spec:
 * Replace the `spec.targetRef.namespace:` field value with the namespace where your `HTTPRoute` CR is applied. In this example, `_<mcp_test>_` is used.
 * Replace the `credentialRef.name:` field value with the name of your `Secret` CR. In this example, `_<mcp_server_one_secret>_` is used. You can omit this parameter if your MCP server does not require authentication or authorization.
 * For more information about these parameters, see "Understanding the `MCPServerRegistration` custom resource."
++
+[IMPORTANT]
+====
+A `toolPrefix` value cannot include spaces or special characters.
+====
 
 . Apply the CR by running the following command:
 +

modules/proc-mcp-gateway-ts-auth-issues.adoc

@@ -0,0 +1,165 @@
+// Module included in the following assemblies:
+//
+// *mcp_gateway_config/mcp-gateway-troubleshooting.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="proc-mcp-gateway-ts-auth-issues_{context}"]
+= Troubleshooting {mcpg} authentication issues
+
+[role="_abstract"]
+Authentication errors can happen in a variety of ways, including silent failures, broken sessions, and tool-access denials, depending on your backend MCP server setup. You can troubleshoot common problems by checking your connections and custom resource (CR) configurations.
+
+.Prerequisites
+
+* You installed {mcpg}.
+* You installed {prodname}.
+* You installed the {oc-first}.
+* You configured a `Gateway` object.
+* You configured an `HTTPRoute` object for the gateway.
+* You registered an MCP server.
+* You created a `Secret` CR for authentication.
+
+.Procedure
+
+. When your clients cannot discover OAuth configuration, discovery is not working. Use the following steps to troubleshoot this situation:
+
+.. Retrieve the JSON object that lists the security requirements for your backend MCP server by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ curl http://_<mcp_hostname>_/_<.well-known/oauth-protected-resource>_
+----
++
+* Replace `_<mcp_hostname>_` with the name of the host for your MCP server.
+* Replace `_<.well-known/oauth-protected-resource>_` with the reserved path and JSON file that describes the OAuth 2.0 security requirements for the MCP server.
++
+.Example output
+[source,text]
+----
+{
+  "resource": "https://mcp.example.com",
+  "authorization_servers": [
+    "https://auth.provider.com/oauth2/default"
+  ],
+  "scopes_supported": ["mcp:tools", "mcp:resources"],
+  "bearer_methods_supported": ["header"],
+  "resource_documentation": "https://docs.example.com/mcp-help"
+}
+----
+
+.. Check that your associated `HTTPRoute` CR includes a path for your `/.well-known/oauth-protected-resource` by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc get httproute _<route_name>_ -o jsonpath='{.spec.rules[*].matches[*].path.value}'
+----
++
+Replace `_<route_name>_` with the associated `HTTPRoute` CR.
+
+.. Check the specific `AuthPolicy` CR configuration by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc describe authpolicy _<policy_name>_ -n _<namespace>_
+----
+
+.. Check that you excluded all `/.well-known` paths from your `AuthPolicy` CR by trying to reach the endpoint without any credentials by using the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ curl -o /dev/null -s -w "%{http_code}\n" http://_<mcp_hostname>_/_<.well-known/oauth-protected-resource>_
+----
++
+* Replace `_<mcp_hostname>_` with the name of the host for your MCP server.
+* Replace `_<.well-known/oauth-protected-resource>_` with the reserved path and JSON file that describes the OAuth 2.0 security requirements for the MCP server.
++
+[NOTE]
+====
+The following codes are examples of possible outputs:
+
+* `200`: Means that the exclusion exists and matches.
+* `401`: Means that your `AuthPolicy` CR is still demanding a token for this path. The exclusion is either not present or not working.
+* `404`: The exclusion might be present and working, but the `HTTPRoute` CR does not point to that path to a valid backend.
+====
+
+.. Optional. Check all MCP broker component environment variables by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc get deployment _<mcp_gateway>_ -n _<mcp_system>_ -o yaml | grep -A 10 env
+----
+* Replace `_<mcp_gateway>_` with the name of your {mcpg} deployment.
+* Replace `_<mcp_system>_` with the namespace where your {mcpg} deployment is applied.
+//Q: do we actually make Deployment or DeploymentConfig objects for MCP gateway? If yes, when?
+
+.. Check that the `OAUTH_*` environment variables are set on your MCP broker component.
++
+[source,terminal,subs="+quotes"]
+----
+$ oc set env deployment/_<mcp_gateway>_ --list
+----
++
+Replace `_<mcp_gateway>_` with the name of your {mcpg} deployment.
+
+.. Verify that the MCP broker component pod restarted after any environment variable changes.
+
+. If your valid tokens are being rejected with `401` errors, your JWT token validation is failing. Use the following steps to troubleshoot this situation:
+
+.. List the `AuthPolicy` CRs by running the following command:
++
+[source,terminal]
+----
+$ oc get authpolicy -A
+----
+
+.. Check the specific `AuthPolicy` CR configuration by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc describe authpolicy _<policy_name>_ -n _<namespace>_
+----
+
+.. Verify that the `issuerUrl` in the `AuthPolicy` CR matches your identity provider's `realm`.
+
+.. Check the Authorino Operator logs by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc logs -n kuadrant-system -l authorino-resource=authorino
+----
+
+.. Decode JWT to verify claims by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ echo "_<example_token>_" | cut -d. -f2 | base64 -d | jq
+----
++
+Replace `_<example_token>_` with your token.
+
+.. Ensure that your issuer URL is reachable from the cluster by using the `cluster-local` service name.
+
+.. Check the token expiration time by examining the `exp` claim.
+
+.. Verify the audience, if required, by using an `aud` claim.
+
+.. Ensure that the token includes all required claims such as `groups`, `email`, and so on.
+
+. If your `401 Unauthorized` responses do not include OAuth discovery information, the `WWW-Authenticate` header is missing. This usually means that your `AuthPolicy` CR is not properly configured. Use the following steps to troubleshoot this situation:
+
+.. Isolate the failure point by using verbose output which lists the TLS handshake, the HTTP headers, and the server response code by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ curl -v http://_<mcp_hostname>_/mcp \
+  -H "Content-Type: application/json" \
+  -d '{"jsonrpc": "2.0", "id": 1, "method": "tools/list"}'
+----
++
+Replace `_<mcp_hostname>_` with the hostname for your backend MCP server.
+
+.. Verify that your `AuthPolicy` CR `spec.response.unauthenticated.headers:` list includes `response.unauthenticated.headers.WWW-Authenticate`.
+
+.. Check that your `AuthPolicy` CR `response.unauthenticated.headers.WWW-Authenticate.value` includes the correct `metadata`.
+
+.. Ensure that your `AuthPolicy` CR is applied to the correct `Gateway` object and listener.

modules/proc-mcp-gateway-ts-ext-mcp-server-auth-issues.adoc

@@ -0,0 +1,69 @@
+// Module included in the following assemblies:
+//
+// *mcp_gateway_config/mcp-gateway-troubleshooting.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="proc-mcp-gateway-ts-ext-mcp-server-auth-issues_{context}"]
+= Troubleshooting external MCP server authentication issues
+
+[role="_abstract"]
+If your registered external MCP server fails authentication and returns `401` or `403` errors, troubleshoot by checking the credentials and the logs.
+
+.Prerequisites
+
+* You installed {mcpg}.
+* You installed {prodname}.
+* You installed the {oc-first}.
+* You configured a `Gateway` object.
+* You configured an `HTTPRoute` object for the gateway.
+* You registered an external MCP server.
+* You created a `Secret` CR for authentication.
+
+.Procedure
+
+. Check that a Secret custom resource (CR) exists and that it has the correct `label` by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc get secret _<secret_name>_ -n _<namespace>_ --show-labels
+----
++
+* Replace `_<secret_name>_` with the name of your `Secret` CR.
+* Replace `_<namespace>_` with the namespace where your `Secret` CR is applied.
+
+. Verify the `Secret` CR contents by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc get secret _<secret_name>_ -n _<namespace>_ -o yaml
+----
++
+* Replace `_<secret_name>_` with the name of your `Secret` CR.
+* Replace `_<namespace>_` with the namespace where your `Secret` CR is applied.
+
+. Check the `MCPServerRegistration` CR `credentialRef` parameter value by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc get mcpsr _<mcpsr_name>_ -n _<namespace>_ -o yaml | grep -A 3 credentialRef
+----
++
+* Replace `_<mcpsr_name>_` with the name of your `MCPServerRegistration` CR.
+* Replace `_<namespace>_` with the namespace where your `MCPServerRegistration` CR is applied.
+
+. Ensure that the `Secret` CR has the label `mcp.kuadrant.io/secret: "true"`.
+
+. Verify that the `Secret` CR data key matches the `credentialRef.key` in the `MCPServerRegistration` CR.
+
+. Check the credential format.
+
+. Verify that the credential you are using has the necessary permissions for the external service.
+
+. Check the MCP gateway broker component logs for credential errors by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc logs -n _<mcp_system>_ deployment/mcp-gateway | grep -i auth`
+----
++
+Replace `_<mcp_system>_` with the name of your MCP gateway deployment.

modules/proc-mcp-gateway-ts-ext-mcp-server-connect-issues.adoc

@@ -0,0 +1,98 @@
+// Module included in the following assemblies:
+//
+// *mcp_gateway_config/mcp-gateway-troubleshooting.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="proc-mcp-gateway-ts-ext-mcp-server-connect-issues_{context}"]
+= Troubleshooting external MCP server authentication issues
+
+[role="_abstract"]
+If your external MCP server cannot connect, or if tools are not appearing, you can troubleshoot by checking custom resources (CRs) and network settings.
+
+.Prerequisites
+
+* You installed {mcpg}.
+* You installed {prodname}.
+* You installed the {oc-first}.
+* You configured a `Gateway` object.
+* You configured an `HTTPRoute` object for the gateway.
+* You registered an external MCP server.
+* You created a `Secret` CR for authentication.
+
+.Procedure
+
+. If you are seeing errors such as `502 Bad Gateway` and `403 Forbidden`, check the `ServiceEntry` CR by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc get serviceentry -n _<namespace>_
+----
++
+Replace with the `_<namespace>_` where the `ServiceEntry` CR is applied.
+
+.. If the command returns an empty list, create a `ServiceEntry` CR to allow egress.
+
+. For detailed troubleshooting, such as to checks ports and the TLS setting, examine the `ServiceEntry` CR activity by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc describe serviceentry _<se_name>_ -n _<namespace>_
+----
++
+* Replace with the `_<se_name>_` with the name the `ServiceEntry` CR.
+* Replace with the `_<namespace>_` where the `ServiceEntry` CR is applied.
+
+. Verify that `ServiceEntry` CR `hosts` values are exact matches external `hostname` values.
+
+. If you are seeing `TLS` errors, verify that a `DestinationRule` CR exists by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc get destinationrule -n _<namespace>_
+----
++
+Replace with the `_<namespace>_` where the `DestinationRule` CR is applied.
+
+.. If the previous command returns `No resources found in <namespace> namespace`, then create a `DestinationRule` CR.
+
+.. Ensure that `DestinationRule` CR `host` values exactly match `ServiceEntry` CR host values.
+
+.. Check the `TLS` configuration in `DestinationRule` CR.
+
+. For detailed troubleshooting of actual connection details, such as encryption, load balancing, and connection pooling, examine the `DestinationRule` CR by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc describe destinationrule _<dr_name>_ -n <namespace>
+----
++
+* Replace with the `_<dr_name>_` with the name the `DestinationRule` CR.
+* Replace with the `_<namespace>_` where the `DestinationRule` CR is applied.
+
+.. Ensure that your network egress policies allow external traffic from the pod.
+
+. Test the DNS resolution by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc run -it --rm debug --image=_<image_path/name>_ --restart=Never -- \
+  nslookup _<external_hostname>_
+----
++
+* Replace `_<image_path/name>_` with the path to your application image.
+* Replace `_<external_hostname>_` with your external MCP server `hostname` parameter value.
+
+. Test the external connectivity by running the following command:
++
+[source,terminal,subs="+quotes"]
+----
+$ oc run -it --rm debug --image=_<image_path/name>_ --restart=Never -- \
+  curl -v https://_<external_hostname_url>_
+----
++
+* Replace `_<image_path/name>_` with the path to your application image.
+* Replace `_<external_hostname_url>_` with your external MCP server URL.
+
+. Verify that the `HTTPRoute` CR `backendRef` value is configured with the correct external hostname.
+
+. Ensure that the `HTTPRoute` CR has the `URLRewrite` filter applied to rewrite to the external hostname.