[Feature Request]: Full Stack CICD build and deployment of MCP CF through single configuration #1148
Description
MCP Stack Deployment System - Proposal Summary
🎯 Overview
This feature provides a unified deployment system for MCP Context Forge that builds and deploys all containers (gateway + plugins) from a single configuration file (mcp-stack.yaml).
What It Does
- Builds all plugin containers from git repositories
- Generates mTLS certificates automatically
- Creates deployment manifests (Kubernetes or Docker Compose)
- Deploys the complete stack (gateway + all plugins)
- Integrates with CI/CD pipelines using a builder container
- Supports hybrid execution: Dagger (optimized) or plain Python (portable)
One Command Deployment
./scripts/mcp-deploy.py deploy mcp-stack.yamlThis single command orchestrates the entire deployment lifecycle from source code to running services.
📋 Example Configuration File
Here's a complete mcp-stack.yaml that defines an entire MCP deployment:
# Deployment target configuration
deployment:
type: kubernetes # or 'compose' for Docker Compose
namespace: mcp-gateway # Kubernetes namespace
# MCP Gateway configuration
gateway:
# Container image (from registry or local build)
image: ghcr.io/ibm/mcp-context-forge:latest
image_pull_policy: IfNotPresent
# Networking
port: 4444
service_type: ClusterIP
service_port: 4444
# Resource limits (Kubernetes)
replicas: 2
memory_request: 512Mi
memory_limit: 1Gi
cpu_request: 250m
cpu_limit: 1000m
# Environment configuration
env_file: gateway.env
env_vars:
LOG_LEVEL: INFO
MCPGATEWAY_UI_ENABLED: "true"
MCPGATEWAY_ADMIN_API_ENABLED: "true"
MCPGATEWAY_A2A_ENABLED: "true"
DATABASE_URL: postgresql://user:pass@postgres:5432/mcpgateway
REDIS_URL: redis://redis:6379
# Secrets injected from CI/CD vault:
JWT_SECRET_KEY: ${JWT_SECRET_KEY}
# mTLS security
mtls_enabled: true
# External plugins - built from git repositories
plugins:
# OPA Policy Filter Plugin
- name: OPAPluginFilter
# Git repository to build from
repo: https://github.com/yourorg/mcp-opa-plugin.git
ref: main
containerfile: Containerfile
# Or use pre-built image:
# image: ghcr.io/yourorg/mcp-opa-plugin:latest
# Networking
port: 8000
service_type: ClusterIP
# Resources
replicas: 2
memory_request: 256Mi
memory_limit: 512Mi
cpu_request: 100m
cpu_limit: 500m
# Environment
env_file: plugins/opa.env
env_vars:
LOG_LEVEL: DEBUG
OPA_POLICY_PATH: /app/policies
# Security
mtls_enabled: true
priority: 10
# ClamAV Virus Scanning Plugin
- name: ClamAVPlugin
repo: https://github.com/yourorg/mcp-clamav-plugin.git
ref: v1.0.0
port: 3000
replicas: 1
memory_request: 512Mi
memory_limit: 1Gi
env_file: plugins/clamav.env
env_vars:
CLAMAV_HOST: clamav-server
CLAMAV_PORT: "3310"
mtls_enabled: true
# Certificate configuration
certificates:
validity_days: 825 # ~2.25 years
auto_generate: true
ca_path: ./certs/mcp/ca
gateway_path: ./certs/mcp/gateway
plugins_path: ./certs/mcp/plugins
# CI/CD integration
ci_cd:
# Secrets to inject from vault (not stored in repo)
vault_secrets:
- JWT_SECRET_KEY
- DATABASE_PASSWORD
- REDIS_PASSWORD
- API_KEY
# Build options
build:
parallel: true # Parallel plugin builds
cache: true # Enable build caching
# Deployment options
deploy:
wait: true # Wait for deployment ready
timeout: 300 # Timeout in seconds
verify: true # Run health checks📁 Repository Structure
Here's what a deployment repository looks like using this system:
my-mcp-deployment/
├── mcp-stack.yaml # Main configuration (single source of truth)
│
├── gateway.env # Gateway environment variables
│ └── (references ${SECRETS} for vault injection)
│
├── plugins/
│ ├── opa.env # OPA plugin environment
│ └── clamav.env # ClamAV plugin environment
│
├── .github/workflows/ # CI/CD pipeline
│ └── deploy.yml # GitHub Actions workflow (10-20 lines)
│
├── certs/ # Auto-generated (not in git)
│ └── mcp/
│ ├── ca/ # Certificate Authority
│ ├── gateway/ # Gateway client cert
│ └── plugins/ # Per-plugin server certs
│ ├── OPAPluginFilter/
│ └── ClamAVPlugin/
│
├── deploy/ # Auto-generated (not in git)
│ └── manifests/
│ ├── plugins-config.yaml # Auto-generated plugin config
│ ├── gateway-deployment.yaml # Kubernetes manifests
│ ├── plugin-opa-deployment.yaml
│ └── plugin-clamav-deployment.yaml
│
└── README.md # Deployment instructions
Files in Git:
- ✅
mcp-stack.yaml- Configuration - ✅
*.env- Environment templates (with${VARIABLE}placeholders) - ✅
.github/workflows/- CI/CD pipeline - ✅
.gitignore- MUST excludecerts/directory! - ❌
certs/- NEVER commit! Generated at deploy time or from vault - ❌
deploy/- Auto-generated at deploy time - ❌ Secrets - Injected from vault
certs/ directory contains sensitive cryptographic material:
certs/mcp/ca/ca.key- CA private key (CRITICAL - NEVER commit!)certs/mcp/ca/ca.crt- CA certificate (public, but still shouldn't be in git)- Gateway and plugin certificates
Best Practices:
- Development/Testing: Generate certificates locally, add
certs/to.gitignore - Production: Store CA key in vault (HashiCorp Vault, AWS Secrets Manager, etc.)
- CI/CD: Generate fresh certificates each deployment OR retrieve CA from vault and generate signed certs
🔍 Configuration Breakdown
Deployment Section
deployment:
type: kubernetes # Target: 'kubernetes' or 'compose'
namespace: mcp-gateway # K8s namespace (or compose project name)Defines where to deploy (local Docker Compose or production Kubernetes).
Gateway Section
gateway:
image: ghcr.io/ibm/mcp-context-forge:latest
port: 4444
replicas: 2
env_vars:
DATABASE_URL: postgresql://...
JWT_SECRET_KEY: ${JWT_SECRET_KEY} # From vault
mtls_enabled: trueDefines the MCP Gateway configuration with resources, networking, and security.
Plugins Section
plugins:
- name: OPAPluginFilter
repo: https://github.com/yourorg/mcp-opa-plugin.git # Build from source
ref: main
port: 8000
mtls_enabled: trueDefines external plugins to build and deploy. Each plugin:
- Can be built from a git repository OR use a pre-built image
- Gets its own container, service, and mTLS certificates
- Auto-registers with the gateway via generated
plugins-config.yaml
Auto-Generated Files
The system automatically generates:
1. plugins-config.yaml - Gateway plugin configuration
plugins:
- name: OPAPluginFilter
kind: external
mcp:
proto: STREAMABLEHTTP
url: https://mcp-plugin-opapluginfilter.mcp-gateway.svc:8000/mcp
- name: ClamAVPlugin
kind: external
mcp:
proto: STREAMABLEHTTP
url: https://mcp-plugin-clamavplugin.mcp-gateway.svc:3000/mcpURLs are automatically computed based on:
- Deployment type: Docker hostnames for Compose, K8s service DNS for Kubernetes
- mTLS setting: HTTPS when enabled, HTTP otherwise
- Port configuration: From plugin definition
2. Deployment Manifests - Kubernetes or Docker Compose
- Kubernetes: Deployments, Services, Secrets, ConfigMaps
- Docker Compose: Services, networks, volumes, health checks
3. mTLS Certificates - Complete PKI infrastructure
- CA certificate (shared trust anchor)
- Gateway client certificate (connects to plugins)
- Per-plugin server certificates (unique for each plugin)
🏗️ CI/CD Integration
GitHub Actions Example
name: Deploy MCP Stack
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Deploy to Production
run: |
docker run --rm \
-v $PWD:/workspace \
-v ~/.kube:/root/.kube:ro \
-w /workspace \
ghcr.io/ibm/mcp-builder:latest \
deploy mcp-stack.yaml
env:
JWT_SECRET_KEY: ${{ secrets.JWT_SECRET_KEY }}
DATABASE_PASSWORD: ${{ secrets.DATABASE_PASSWORD }}
API_KEY: ${{ secrets.API_KEY }}10 lines of pipeline code vs typical 100+ lines for manual deployment.
Builder Container
The mcp-builder container includes all deployment tools:
- Python 3.12
- Dagger CLI (for optimized builds)
- Docker CLI
- kubectl (Kubernetes)
- helm
- docker-compose
- OpenSSL (certificate generation)
- Git
Two execution modes:
- Dagger Mode (when Dagger available): Parallel builds, automatic caching, content-addressable storage
- Plain Python Mode (fallback): Sequential builds using docker/podman, works everywhere
The system auto-detects and uses the best available option.
✨ Key Benefits
1. Single Source of Truth
- One file defines the entire deployment
- No configuration duplication or drift
- Easy to version control and review changes
- Clear understanding of the complete stack
2. Automated Configuration Generation
- Plugin URLs computed automatically based on deployment type
- mTLS certificates generated for all components
- Deployment manifests created from templates
- Eliminates manual configuration errors
3. Multi-Environment Support
- Same configuration file works for:
- Local development (Docker Compose)
- Staging (Kubernetes)
- Production (Kubernetes)
- Just change
deployment.typefield - Environment-specific values via
.envfiles
4. Git-Based Plugin Deployment
- Plugins built directly from git repositories
- Specify branch, tag, or commit (
ref: main,ref: v1.0.0) - Or use pre-built images for faster deployments
- Full traceability from source to deployment
5. Integrated Security (mTLS)
- Automatic certificate generation for all components
- Per-plugin isolation (unique server certificates)
- Certificate rotation support built-in
- Deployed as Kubernetes Secrets or Docker volumes
- Zero-trust architecture
Certificate Management Options:
Option A: Ephemeral Certificates (Development)
# Generate fresh certs each deployment (local dev)
mcp-deploy certs mcp-stack.yaml
mcp-deploy deploy mcp-stack.yaml
# Certificates discarded after deploymentOption B: Vault-Managed CA (Production)
# Retrieve CA from vault, generate signed certs
export CA_CERT=$(vault kv get -field=cert secret/mcp/ca)
export CA_KEY=$(vault kv get -field=key secret/mcp/ca)
mcp-deploy certs mcp-stack.yaml --ca-from-env
mcp-deploy deploy mcp-stack.yamlOption C: External PKI Integration
# Use existing PKI (cert-manager, Venafi, etc.)
mcp-deploy deploy mcp-stack.yaml --external-pki
# System generates CSRs, submits to PKI for signingSecurity Best Practices:
- ✅ CA private key stored in vault (HashiCorp Vault, AWS Secrets Manager, K8s Secret)
- ✅ Certificates generated per-deployment with short validity (90 days)
- ✅ Automatic rotation before expiry
- ✅
.gitignoreincludescerts/directory - ❌ NEVER commit
certs/to git - ❌ NEVER share CA private keys
6. CI/CD Native
- Builder container provides consistent environment
- Vault integration for secrets (GitHub Secrets, GitLab Variables, HashiCorp Vault)
- Secrets never committed to repository
- Simple pipeline definitions (10-20 lines)
- Works with: GitHub Actions, GitLab CI, Jenkins, etc.
7. Hybrid Execution Model
- Dagger mode: Fast parallel builds with automatic caching
- Plain Python mode: Works everywhere, zero external dependencies
- Auto-detection with manual override (
--no-dagger) - Same results regardless of execution mode
8. Developer Experience
- Quick start: One command to deploy entire stack
- Fast iteration: Change config, redeploy
- Clear errors: Validation before deployment
- Verbose mode: Debugging support
- Dry-run: Preview changes without deploying
9. Scalability
- Deploy any number of plugins
- Parallel plugin builds (with Dagger)
- Resource limits per component
- Horizontal scaling (replicas)
- Production-ready defaults
10. Flexibility
- Kubernetes for production
- Docker Compose for local development
- Mix pre-built images and git-based builds
- Custom environment variables per plugin
- Extensible template system
🚀 Usage Examples
Local Development
# Deploy locally with Docker Compose
python3 scripts/mcp-deploy.py deploy mcp-stack.yamlProduction Kubernetes
# Generate and review manifests first
python3 scripts/mcp-deploy.py generate mcp-stack.yaml -o ./deploy/staging
cat ./deploy/staging/plugins-config.yaml
# Deploy to cluster
python3 scripts/mcp-deploy.py deploy mcp-stack.yaml
# Verify deployment
python3 scripts/mcp-deploy.py verify mcp-stack.yaml --wait --timeout 300CI/CD Pipeline
# Using builder container (includes all tools)
docker run --rm \
-v $PWD:/workspace \
-v ~/.kube:/root/.kube:ro \
-w /workspace \
ghcr.io/ibm/mcp-builder:latest \
deploy mcp-stack.yamlBuild Plugins Only
# Build all plugins from git repositories
python3 scripts/mcp-deploy.py build mcp-stack.yaml --plugins-only
# Build specific plugin
python3 scripts/mcp-deploy.py build mcp-stack.yaml --plugin OPAPluginFilterCertificate Management
# Generate mTLS certificates for all plugins
python3 scripts/mcp-deploy.py certs mcp-stack.yaml
# Check certificate expiry
make certs-mcp-check🎓 How It Works
- Parse Configuration: Load and validate
mcp-stack.yaml - Build Plugins: Clone git repos and build containers (parallel with Dagger)
- Generate Certificates: Create CA + gateway client cert + plugin server certs
- Generate Manifests:
plugins-config.yamlwith environment-specific URLs- Kubernetes manifests OR Docker Compose file
- Deploy: Apply manifests to target environment
- Verify: Health checks and readiness validation
All from a single configuration file and single command.
🤔 Questions for Community
- Configuration Schema: Is this the right level of abstraction?
- Plugin Sources: Should git-based builds be the default or pre-built images?
- Deployment Targets: Need support for other platforms (Terraform, CloudFormation)?
- Certificate Management: Should auto-rotation be included in v1?
- Multi-Cluster: Support for deploying to multiple clusters from one config?
Ready for feedback and discussion! 🚀