Root cause: The TLS commit changed the MCP service port from 8080 to 8443

  when TLS is enabled. This broke existing clients (like the
  OpenStackAssistant's Goose extension) that have the http://...:8080 URL
  configured.

  Fix: Keep port 8080 for both TLS and non-TLS modes. TLS doesn't require a
  different port — the MCP server can serve HTTPS on 8080. Changes in three
  places:

  1. internal/openstackclient/funcs.go — removed the container port change
  (always 8080) and removed the port change in MCPConfigYAML (always port:
  8080)
  2. internal/controller/client/openstackclient_controller.go — removed the
  service port change (always 8080)

  The TLS cert/key mounting, TLS config in the YAML, and https allowed origins
  are all still in place — only the port change was removed.

Author: dprince

internal/controller/client/openstackclient_controller.go

@@ -385,12 +385,6 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 
 	// Reconcile MCP Service after configVarsHash so the hash annotation captures all config changes
 	if instance.Spec.MCP != nil && instance.Spec.MCP.Enabled {
-		mcpTLSEnabled := instance.Spec.CaBundleSecretName != ""
-		mcpPort := int32(8080)
-		if mcpTLSEnabled {
-			mcpPort = 8443
-		}
-
 		mcpService := &corev1.Service{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      instance.Name + "-mcp",
@@ -400,7 +394,7 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		mcpServiceHash, err := util.ObjectHash(map[string]interface{}{
 			"containerImage":    instance.Spec.ContainerImage,
 			"mcpContainerImage": instance.Spec.MCP.ContainerImage,
-			"mcpConfig":         openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName, mcpTLSEnabled),
+			"mcpConfig":         openstackclient.MCPConfigYAML(instance.Spec.CaBundleSecretName, instance.Spec.CaBundleSecretName != ""),
 			"configVarsHash":    configVarsHash,
 		})
 		if err != nil {
@@ -415,7 +409,7 @@ func (r *OpenStackClientReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 			mcpService.Spec.Ports = []corev1.ServicePort{
 				{
 					Name:     "mcp",
-					Port:     mcpPort,
+					Port:     8080,
 					Protocol: corev1.ProtocolTCP,
 				},
 			}

internal/openstackclient/funcs.go

@@ -136,9 +136,7 @@ func ClientPodSpec(
 			mcpVolumeMounts = append(mcpVolumeMounts, instance.Spec.CreateVolumeMounts(nil)...)
 		}
 
-		mcpPort := int32(8080)
 		if mcpTLSSecretName != "" {
-			mcpPort = 8443
 			mcpVolumeMounts = append(mcpVolumeMounts, corev1.VolumeMount{
 				Name:      "mcp-tls",
 				MountPath: "/etc/pki/tls/mcp",
@@ -184,7 +182,7 @@ func ClientPodSpec(
 			Command: []string{"rhos-ls-mcps"},
 			Env:     mcpEnvVars,
 			Ports: []corev1.ContainerPort{
-				{Name: "mcp", ContainerPort: mcpPort, Protocol: corev1.ProtocolTCP},
+				{Name: "mcp", ContainerPort: 8080, Protocol: corev1.ProtocolTCP},
 			},
 			SecurityContext: &corev1.SecurityContext{
 				RunAsUser:                ptr.To[int64](42401),
@@ -212,18 +210,16 @@ func MCPConfigYAML(caBundleSecretName string, tlsEnabled bool) string {
 	if caBundleSecretName != "" {
 		caCert = fmt.Sprintf("\n  ca_cert: %s", tls.DownstreamTLSCABundlePath)
 	}
-	port := "8080"
 	tlsConfig := ""
 	allowedOriginScheme := "http"
 	if tlsEnabled {
-		port = "8443"
 		tlsConfig = `
 tls:
   cert_file: /etc/pki/tls/mcp/tls.crt
   key_file: /etc/pki/tls/mcp/tls.key`
 		allowedOriginScheme = "https"
 	}
-	return fmt.Sprintf(`port: %s
+	return fmt.Sprintf(`port: 8080
 openstack:
   enabled: true
   allow_write: false%s
@@ -235,7 +231,7 @@ mcp_transport_security:
     - "*:*"
   allowed_origins:
     - "%s://*:*"
-`, port, caCert, tlsConfig, allowedOriginScheme)
+`, caCert, tlsConfig, allowedOriginScheme)
 }
 
 func clientPodVolumeMounts() []corev1.VolumeMount {