updates

Author: dprince

api/assistant/v1beta1/openstackassistant_types.go

@@ -52,16 +52,24 @@ type LightspeedStackSpec struct {
 	CaBundleSecretName string `json:"caBundleSecretName,omitempty"`
 }
 
-// MCPServerRef references an MCP server endpoint to configure as a Goose extension
+// MCPServerRef references an MCP server endpoint to configure as a Goose extension.
+// Either URL or OpenStackClientRef must be specified, but not both.
 type MCPServerRef struct {
 	// Name is the extension name in Goose config
 	// +kubebuilder:validation:Required
 	Name string `json:"name"`
 
-	// URL is the MCP server's Streamable HTTP endpoint
-	// (e.g. http://openstackclient-mcp.openstack.svc:8080/openstack/)
-	// +kubebuilder:validation:Required
-	URL string `json:"url"`
+	// URL is the MCP server's Streamable HTTP endpoint.
+	// Mutually exclusive with OpenStackClientRef.
+	// +kubebuilder:validation:Optional
+	URL string `json:"url,omitempty"`
+
+	// OpenStackClientRef is the name of an OpenStackClient CR in the same
+	// namespace that has MCP enabled. The controller auto-computes the
+	// correct service URL and TLS CA configuration.
+	// Mutually exclusive with URL.
+	// +kubebuilder:validation:Optional
+	OpenStackClientRef string `json:"openstackClientRef,omitempty"`
 }
 
 // GooseConfig defines Goose-specific provider configuration

api/bases/assistant.openstack.org_openstackassistants.yaml

@@ -192,20 +192,27 @@ spec:
                     description: MCPServers lists MCP server endpoints to configure
                       as Goose extensions.
                     items:
-                      description: MCPServerRef references an MCP server endpoint
-                        to configure as a Goose extension
+                      description: |-
+                        MCPServerRef references an MCP server endpoint to configure as a Goose extension.
+                        Either URL or OpenStackClientRef must be specified, but not both.
                       properties:
                         name:
                           description: Name is the extension name in Goose config
                           type: string
+                        openstackClientRef:
+                          description: |-
+                            OpenStackClientRef is the name of an OpenStackClient CR in the same
+                            namespace that has MCP enabled. The controller auto-computes the
+                            correct service URL and TLS CA configuration.
+                            Mutually exclusive with URL.
+                          type: string
                         url:
                           description: |-
-                            URL is the MCP server's Streamable HTTP endpoint
-                            (e.g. http://openstackclient-mcp.openstack.svc:8080/openstack/)
+                            URL is the MCP server's Streamable HTTP endpoint.
+                            Mutually exclusive with OpenStackClientRef.
                           type: string
                       required:
                       - name
-                      - url
                       type: object
                     type: array
                   model:

bindata/crds/crds.yaml

@@ -191,20 +191,27 @@ spec:
                     description: MCPServers lists MCP server endpoints to configure
                       as Goose extensions.
                     items:
-                      description: MCPServerRef references an MCP server endpoint
-                        to configure as a Goose extension
+                      description: |-
+                        MCPServerRef references an MCP server endpoint to configure as a Goose extension.
+                        Either URL or OpenStackClientRef must be specified, but not both.
                       properties:
                         name:
                           description: Name is the extension name in Goose config
                           type: string
+                        openstackClientRef:
+                          description: |-
+                            OpenStackClientRef is the name of an OpenStackClient CR in the same
+                            namespace that has MCP enabled. The controller auto-computes the
+                            correct service URL and TLS CA configuration.
+                            Mutually exclusive with URL.
+                          type: string
                         url:
                           description: |-
-                            URL is the MCP server's Streamable HTTP endpoint
-                            (e.g. http://openstackclient-mcp.openstack.svc:8080/openstack/)
+                            URL is the MCP server's Streamable HTTP endpoint.
+                            Mutually exclusive with OpenStackClientRef.
                           type: string
                       required:
                       - name
-                      - url
                       type: object
                     type: array
                   model:

config/crd/bases/assistant.openstack.org_openstackassistants.yaml

@@ -192,20 +192,27 @@ spec:
                     description: MCPServers lists MCP server endpoints to configure
                       as Goose extensions.
                     items:
-                      description: MCPServerRef references an MCP server endpoint
-                        to configure as a Goose extension
+                      description: |-
+                        MCPServerRef references an MCP server endpoint to configure as a Goose extension.
+                        Either URL or OpenStackClientRef must be specified, but not both.
                       properties:
                         name:
                           description: Name is the extension name in Goose config
                           type: string
+                        openstackClientRef:
+                          description: |-
+                            OpenStackClientRef is the name of an OpenStackClient CR in the same
+                            namespace that has MCP enabled. The controller auto-computes the
+                            correct service URL and TLS CA configuration.
+                            Mutually exclusive with URL.
+                          type: string
                         url:
                           description: |-
-                            URL is the MCP server's Streamable HTTP endpoint
-                            (e.g. http://openstackclient-mcp.openstack.svc:8080/openstack/)
+                            URL is the MCP server's Streamable HTTP endpoint.
+                            Mutually exclusive with OpenStackClientRef.
                           type: string
                       required:
                       - name
-                      - url
                       type: object
                     type: array
                   model:

internal/controller/assistant/openstackassistant_controller.go

@@ -53,6 +53,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 
 	assistantv1 "github.com/openstack-k8s-operators/openstack-operator/api/assistant/v1beta1"
+	clientv1 "github.com/openstack-k8s-operators/openstack-operator/api/client/v1beta1"
 	"github.com/openstack-k8s-operators/openstack-operator/internal/openstackassistant"
 )
 
@@ -81,6 +82,7 @@ func (r *OpenStackAssistantReconciler) GetLogger(ctx context.Context) logr.Logge
 // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=rolebindings,verbs=get;list;watch;create;update;patch
 // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=clusterroles,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups="rbac.authorization.k8s.io",resources=clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=client.openstack.org,resources=openstackclients,verbs=get;list;watch
 
 // Reconcile -
 func (r *OpenStackAssistantReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, _err error) {
@@ -223,7 +225,7 @@ func (r *OpenStackAssistantReconciler) Reconcile(ctx context.Context, req ctrl.R
 					condition.ErrorReason,
 					condition.SeverityWarning,
 					assistantv1.OpenStackAssistantReadyErrorMessage,
-					fmt.Sprintf("CA bundle secret %s not found", instance.Spec.LightspeedStack.CaBundleSecretName)))
+					"CA bundle secret "+instance.Spec.LightspeedStack.CaBundleSecretName))
 				return ctrl.Result{}, nil
 			}
 			return ctrl.Result{}, err
@@ -288,8 +290,74 @@ func (r *OpenStackAssistantReconciler) Reconcile(ctx context.Context, req ctrl.R
 		return ctrl.Result{}, err
 	}
 
+	// Resolve MCP servers (auto-discover from OpenStackClientRef or use manual URL)
+	resolvedMCPServers := make(map[string]string)
+	mcpCaBundleSecretName := ""
+	if instance.Spec.Goose != nil {
+		for _, mcp := range instance.Spec.Goose.MCPServers {
+			if mcp.OpenStackClientRef != "" {
+				osclient := &clientv1.OpenStackClient{}
+				err := r.Get(ctx, types.NamespacedName{
+					Name:      mcp.OpenStackClientRef,
+					Namespace: instance.Namespace,
+				}, osclient)
+				if err != nil {
+					if k8s_errors.IsNotFound(err) {
+						instance.Status.Conditions.Set(condition.FalseCondition(
+							assistantv1.OpenStackAssistantReadyCondition,
+							condition.RequestedReason,
+							condition.SeverityInfo,
+							"Waiting for OpenStackClient %s", mcp.OpenStackClientRef))
+						return ctrl.Result{RequeueAfter: time.Duration(10) * time.Second}, nil
+					}
+					return ctrl.Result{}, fmt.Errorf("error looking up OpenStackClient %s: %w", mcp.OpenStackClientRef, err)
+				}
+
+				if osclient.Spec.MCP == nil || !osclient.Spec.MCP.Enabled {
+					instance.Status.Conditions.Set(condition.FalseCondition(
+						assistantv1.OpenStackAssistantReadyCondition,
+						condition.ErrorReason,
+						condition.SeverityWarning,
+						assistantv1.OpenStackAssistantReadyErrorMessage,
+						"OpenStackClient "+mcp.OpenStackClientRef+" does not have MCP enabled"))
+					return ctrl.Result{}, nil
+				}
+
+				mcpSvcName := mcp.OpenStackClientRef + "-mcp"
+				scheme := "http"
+				if osclient.Spec.CaBundleSecretName != "" {
+					scheme = "https"
+					mcpCaBundleSecretName = osclient.Spec.CaBundleSecretName
+				}
+				mcpURL := fmt.Sprintf("%s://%s.%s.svc:8080/openstack/", scheme, mcpSvcName, instance.Namespace)
+				resolvedMCPServers[mcp.Name] = mcpURL
+				Log.Info("Auto-resolved MCP server", "name", mcp.Name, "url", mcpURL, "openstackClientRef", mcp.OpenStackClientRef)
+			} else if mcp.URL != "" {
+				resolvedMCPServers[mcp.Name] = mcp.URL
+			}
+		}
+	}
+
+	// Validate MCP CA bundle secret if auto-discovered
+	if mcpCaBundleSecretName != "" && mcpCaBundleSecretName != instance.Spec.LightspeedStack.CaBundleSecretName {
+		_, mcpCaHash, err := secret.GetSecret(ctx, helper, mcpCaBundleSecretName, instance.Namespace)
+		if err != nil {
+			if k8s_errors.IsNotFound(err) {
+				instance.Status.Conditions.Set(condition.FalseCondition(
+					assistantv1.OpenStackAssistantReadyCondition,
+					condition.ErrorReason,
+					condition.SeverityWarning,
+					assistantv1.OpenStackAssistantReadyErrorMessage,
+					"MCP CA bundle secret "+mcpCaBundleSecretName+" not found"))
+				return ctrl.Result{}, nil
+			}
+			return ctrl.Result{}, err
+		}
+		configVars["mcp-ca-bundle"] = env.SetValue(mcpCaHash)
+	}
+
 	// Build PodSpec
-	spec := openstackassistant.AssistantPodSpec(instance, configVarsHash)
+	spec := openstackassistant.AssistantPodSpec(instance, configVarsHash, resolvedMCPServers, mcpCaBundleSecretName)
 
 	podSpecHash, err := util.ObjectHash(spec)
 	if err != nil {
@@ -623,9 +691,47 @@ func (r *OpenStackAssistantReconciler) SetupWithManager(
 			handler.EnqueueRequestsFromMapFunc(r.findObjectsForSrc),
 			builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}),
 		).
+		Watches(
+			&clientv1.OpenStackClient{},
+			handler.EnqueueRequestsFromMapFunc(r.findAssistantsForOpenStackClient),
+			builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}),
+		).
 		Complete(r)
 }
 
+func (r *OpenStackAssistantReconciler) findAssistantsForOpenStackClient(ctx context.Context, src client.Object) []reconcile.Request {
+	Log := r.GetLogger(ctx)
+	requests := []reconcile.Request{}
+
+	crList := &assistantv1.OpenStackAssistantList{}
+	if err := r.List(ctx, crList, client.InNamespace(src.GetNamespace())); err != nil {
+		Log.Error(err, "listing OpenStackAssistants for OpenStackClient change")
+		return requests
+	}
+
+	for _, item := range crList.Items {
+		if item.Spec.Goose == nil {
+			continue
+		}
+		for _, mcp := range item.Spec.Goose.MCPServers {
+			if mcp.OpenStackClientRef == src.GetName() {
+				Log.Info("OpenStackClient changed, reconciling assistant",
+					"openstackClient", src.GetName(),
+					"assistant", item.GetName())
+				requests = append(requests, reconcile.Request{
+					NamespacedName: types.NamespacedName{
+						Name:      item.GetName(),
+						Namespace: item.GetNamespace(),
+					},
+				})
+				break
+			}
+		}
+	}
+
+	return requests
+}
+
 func (r *OpenStackAssistantReconciler) findObjectsForSrc(ctx context.Context, src client.Object) []reconcile.Request {
 	requests := []reconcile.Request{}
 

internal/openstackassistant/funcs.go

@@ -102,14 +102,31 @@ if [ -f /tmp/lightspeed-provider/lightspeed.json ]; then
   cp /tmp/lightspeed-provider/lightspeed.json $HOME/.config/goose/custom_providers/lightspeed.json
 fi
 
+# Combine CA bundles if MCP CA is present alongside Lightspeed CA
+if [ -f /etc/ssl/certs/mcp-ca-bundle.crt ]; then
+  if [ -f /etc/ssl/certs/ca-certificates.crt ]; then
+    cp /etc/ssl/certs/ca-certificates.crt /tmp/combined-ca.crt
+    cat /etc/ssl/certs/mcp-ca-bundle.crt >> /tmp/combined-ca.crt
+    export SSL_CERT_FILE=/tmp/combined-ca.crt
+  else
+    export SSL_CERT_FILE=/etc/ssl/certs/mcp-ca-bundle.crt
+  fi
+fi
+
 exec sleep infinity
 `
 }
 
-// AssistantPodSpec returns the PodSpec for the assistant pod
+// AssistantPodSpec returns the PodSpec for the assistant pod.
+// resolvedMCPServers maps extension name to URL for all MCP servers
+// (both manually specified and auto-resolved from OpenStackClientRef).
+// mcpCaBundleSecretName is the CA bundle secret for MCP TLS connections,
+// auto-discovered from the referenced OpenStackClient.
 func AssistantPodSpec(
 	instance *assistantv1.OpenStackAssistant,
 	configHash string,
+	resolvedMCPServers map[string]string,
+	mcpCaBundleSecretName string,
 ) corev1.PodSpec {
 	envVars := map[string]env.Setter{}
 	envVars["CONFIG_HASH"] = env.SetValue(configHash)
@@ -125,10 +142,8 @@ func AssistantPodSpec(
 		envVars["GOOSE_MODEL"] = env.SetValue(instance.Spec.Goose.Model)
 	}
 
-	if instance.Spec.Goose != nil {
-		for _, mcp := range instance.Spec.Goose.MCPServers {
-			envVars["MCP_SERVER_"+mcp.Name] = env.SetValue(mcp.URL)
-		}
+	for name, url := range resolvedMCPServers {
+		envVars["MCP_SERVER_"+name] = env.SetValue(url)
 	}
 
 	if instance.Spec.Env != nil {
@@ -141,8 +156,8 @@ func AssistantPodSpec(
 		}
 	}
 
-	volumes := assistantPodVolumes(instance)
-	volumeMounts := assistantPodVolumeMounts(instance)
+	volumes := assistantPodVolumes(instance, mcpCaBundleSecretName)
+	volumeMounts := assistantPodVolumeMounts(instance, mcpCaBundleSecretName)
 
 	containerName := "goose"
 	if instance.Spec.Provider != "" {
@@ -181,7 +196,7 @@ func AssistantPodSpec(
 	return podSpec
 }
 
-func assistantPodVolumeMounts(instance *assistantv1.OpenStackAssistant) []corev1.VolumeMount {
+func assistantPodVolumeMounts(instance *assistantv1.OpenStackAssistant, mcpCaBundleSecretName string) []corev1.VolumeMount {
 	mounts := []corev1.VolumeMount{
 		{
 			Name:      "entrypoint",
@@ -221,10 +236,19 @@ func assistantPodVolumeMounts(instance *assistantv1.OpenStackAssistant) []corev1
 		})
 	}
 
+	if mcpCaBundleSecretName != "" && mcpCaBundleSecretName != instance.Spec.LightspeedStack.CaBundleSecretName {
+		mounts = append(mounts, corev1.VolumeMount{
+			Name:      "mcp-ca-bundle",
+			MountPath: "/etc/ssl/certs/mcp-ca-bundle.crt",
+			SubPath:   "ca-bundle.crt",
+			ReadOnly:  true,
+		})
+	}
+
 	return mounts
 }
 
-func assistantPodVolumes(instance *assistantv1.OpenStackAssistant) []corev1.Volume {
+func assistantPodVolumes(instance *assistantv1.OpenStackAssistant, mcpCaBundleSecretName string) []corev1.Volume {
 	volumes := []corev1.Volume{
 		{
 			Name: "entrypoint",
@@ -285,5 +309,16 @@ func assistantPodVolumes(instance *assistantv1.OpenStackAssistant) []corev1.Volu
 		})
 	}
 
+	if mcpCaBundleSecretName != "" && mcpCaBundleSecretName != instance.Spec.LightspeedStack.CaBundleSecretName {
+		volumes = append(volumes, corev1.Volume{
+			Name: "mcp-ca-bundle",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: mcpCaBundleSecretName,
+				},
+			},
+		})
+	}
+
 	return volumes
 }