Operator improvements #8

Merged
merged 5 commits into from
Jul 21, 2025

Conversation

CiaraM100104
Contributor

@CiaraM100104 CiaraM100104 commented Jul 21, 2025

Description

This pull request implements the following:

  • Changes for the controller to watch the service, route and deployment
  • Adjustments for the route and deployment to fit better for the MCP server
  • Python script to query the LLM and handle MCP server
  • RBAC for the default service account used by the MCP server.

Merge criteria:

  • The commits are squashed in a cohesive manner and have meaningful messages.

Summary by CodeRabbit

  • New Features

    • Added a demo script for running Llama Stack MCP agent sessions, supporting both interactive and automated modes.
    • Introduced a requirements file for the demo, ensuring consistent Python environments.
    • Added new RBAC roles and bindings granting read-only cluster access to the default service account.
  • Improvements

    • Enhanced controller to watch Deployments, Services, and Routes associated with MCPServer resources, improving event handling and reconciliation.
  • Bug Fixes

    • Simplified end-to-end test logic for route host retrieval and URL construction.
  • Chores

    • Updated deployment arguments and route specifications for the MCP server, including log level settings and route path adjustments.
    • Updated controller image tag to a new version.

coderabbitai bot commented Jul 21, 2025

Walkthrough

This update introduces new RBAC ClusterRole and ClusterRoleBinding resources to grant read-only access for the MCP server's default service account, modifies controller logic to watch additional Kubernetes resources with label-based filtering, adjusts server deployment arguments and route configuration, adds a demo agent script with dependencies, and updates end-to-end tests for route handling.

Changes

| File(s) | Change Summary |
|---|---|
| config/rbac/kustomization.yaml | Added references to new RBAC resource files for MCP server permissions. |
| config/rbac/mcp_server_get_role.yaml, config/rbac/mcp_server_get_role_binding.yaml | Introduced ClusterRole and ClusterRoleBinding granting read-only access for the MCP server's default service account. |
| internal/controller/mcpserver.go | Updated deployment arguments (port and log level); removed explicit route path. |
| internal/controller/mcpserver_controller.go | Enhanced controller to watch Deployments, Services, and Routes with label-based filtering and resource-to-owner mapping logic. |
| demo/llama_stack_mcp_agent.py | Added a new demo script for running an agent session with Llama Stack, supporting both interactive and automated modes. |
| demo/requirements.txt | Added pinned Python dependencies for the demo agent script. |
| test/e2e/e2e_test.go | Simplified route host retrieval in tests and adjusted URL construction to use a fixed "/sse" path. |
| config/manager/kustomization.yaml | Updated controller image tag from "rhoaieng-24259" to "improvements". |

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Agent Script
    participant LlamaStack Server
    participant MCP Toolgroup

    User->>Agent Script: Run script (auto or interactive)
    Agent Script->>LlamaStack Server: Connect (local/remote)
    Agent Script->>LlamaStack Server: List registered tools
    Agent Script->>MCP Toolgroup: Register "mcp::openshift" (if needed)
    Agent Script->>LlamaStack Server: Create Agent with model and toolgroup
    alt Automated mode
        Agent Script->>LlamaStack Server: Run prompt ("List all namespaces...")
        LlamaStack Server-->>Agent Script: Stream responses
        Agent Script->>User: Print responses
    else Interactive mode
        loop Until user types "/bye"
            User->>Agent Script: Enter prompt
            Agent Script->>LlamaStack Server: Send prompt
            LlamaStack Server-->>Agent Script: Stream responses
            Agent Script->>User: Print responses
        end
    end
    opt Session info on exit
        Agent Script->>LlamaStack Server: Get session info
        Agent Script->>User: Print session info
    end

Estimated code review effort

3 (~45 minutes)

Possibly related PRs

  • Rhoaieng 24254 #4: Adds and extends RBAC roles and reconciliation logic for services, deployments, and routes, closely related to the new RBAC resources and controller enhancements in this PR.

Suggested reviewers

  • carlkyrillos

Poem

A bunny hopped through YAML files,
Granting roles with careful styles.
The agent script began to chat,
Watching routes—imagine that!
Now with code and RBAC neat,
This patch is truly quite a feat.
🐇✨

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 6

🧹 Nitpick comments (3)
config/rbac/mcp_server_get_role.yaml (1)

21-21: Add missing newline at end of file.

       - watch
+
config/rbac/mcp_server_get_role_binding.yaml (1)

12-12: Add missing newline at end of file.

     namespace: system
+
test/e2e/e2e_test.go (1)

184-196: LGTM! Consider extracting the SSE path as a constant.

The simplified route handling correctly adapts to the changes in the MCPServer deployment. The test now fetches only the host and appends the SSE path, which aligns with the updated route configuration.

For better maintainability, consider extracting the hardcoded SSE path:

+const sseEndpointPath = "/sse"

 // Create the route URL using the host and the sse path
-routeURL := fmt.Sprintf("http://%s/sse", routeHost)
+routeURL := fmt.Sprintf("http://%s%s", routeHost, sseEndpointPath)
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dfc0379 and 9ef754c.

📒 Files selected for processing (8)
  • config/rbac/kustomization.yaml (1 hunks)
  • config/rbac/mcp_server_get_role.yaml (1 hunks)
  • config/rbac/mcp_server_get_role_binding.yaml (1 hunks)
  • demo/llama_stack_mcp_agent.py (1 hunks)
  • demo/requirements.txt (1 hunks)
  • internal/controller/mcpserver.go (1 hunks)
  • internal/controller/mcpserver_controller.go (2 hunks)
  • test/e2e/e2e_test.go (1 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (2)
test/e2e/e2e_test.go (1)
test/utils/utils.go (1)
  • Run (44-61)
internal/controller/mcpserver_controller.go (3)
api/v1/mcpserver_types.go (1)
  • MCPServer (44-50)
pkg/cluster/gvk/gvk.go (1)
  • MCPServer (8-12)
api/v1/groupversion_info.go (1)
  • GroupVersion (29-29)
🪛 YAMLlint (1.37.1)
config/rbac/mcp_server_get_role_binding.yaml

[error] 12-12: no new line character at the end of file

(new-line-at-end-of-file)

config/rbac/mcp_server_get_role.yaml

[error] 21-21: no new line character at the end of file

(new-line-at-end-of-file)

🪛 Ruff (0.12.2)
demo/llama_stack_mcp_agent.py

5-5: termcolor.cprint imported but unused

Remove unused import: termcolor.cprint

(F401)


58-58: f-string without any placeholders

Remove extraneous f prefix

(F541)


83-83: Loop control variable i not used within loop body

Rename unused i to _i

(B007)

🔇 Additional comments (5)
demo/requirements.txt (1)

1-37: Pinned package versions are up to date
I checked the key dependencies (requests, httpx, pydantic, PyYAML, numpy, urllib3) against PyPI and confirmed that each is pinned to the latest available release. No version mismatches were found.

• For a full security audit, run a tool like pip-audit or Safety against demo/requirements.txt to catch any known advisories before shipping.

internal/controller/mcpserver.go (1)

71-71: Verify server binary supports the updated command arguments.

We searched the Go code and found no definitions or registrations for the --port or --log-level flags in this repository. Please confirm that the kubernetes-mcp-server binary’s source actually defines and handles these new flags before merging.

config/rbac/kustomization.yaml (1)

28-31: LGTM! Proper integration of new RBAC resources.

The addition of the new RBAC configuration files is well-documented and properly integrated into the kustomization setup. The explanatory comment clearly states the purpose.

demo/llama_stack_mcp_agent.py (1)

36-42: Verify host.containers.internal compatibility.

The local MCP URL uses host.containers.internal, which is specific to Docker Desktop. This may not work in other container runtimes (e.g., Podman, containerd, or Linux Docker).

Consider making this configurable via an environment variable with a fallback:

 else:
     base_url="http://localhost:8321"
-    mcp_url="http://host.containers.internal:8000/sse"
+    mcp_url=os.getenv("LOCAL_MCP_URL", "http://host.containers.internal:8000/sse")
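Review bot: the `+` line calls `os.getenv`, so demo/llama_stack_mcp_agent.py needs `import os`, which this hunk does not show; confirm it is present. Because the override becomes `mcp_url` unchanged, check that it parses as an http(s) URL before use and document `LOCAL_MCP_URL` alongside the script's other settings.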
internal/controller/mcpserver_controller.go (1)

132-146: Well-implemented label-based filtering.

The predicate correctly filters events to only process resources labeled with opendatahub.io/mcp-server. This efficient filtering prevents unnecessary reconciliations and improves controller performance.

@CiaraM100104 CiaraM100104 force-pushed the operator-improvements branch from 9ef754c to 2402428 Compare July 21, 2025 16:19
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (2)
demo/llama_stack_mcp_agent.py (1)

82-82: Rename unused loop variable.

The loop variable i is not used within the loop body.

Apply this diff to fix the issue:

-    for i, prompt in enumerate(user_prompts):
+    for _, prompt in enumerate(user_prompts):
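Review bot: on the `+` line, once the index is discarded `enumerate` serves no purpose; `for prompt in user_prompts:` is the simpler form and clears the same Ruff B007 finding.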
config/rbac/mcp_server_get_role_binding.yaml (1)

10-12: Update the ServiceAccount name and add trailing newline.

The ClusterRoleBinding should target the correct ServiceAccount used by the MCP server deployment, and the file needs a trailing newline.

   subjects:
   - kind: ServiceAccount
-    name: default
+    name: controller-manager
     namespace: system
+
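Review bot: the `name:` change under `subjects` swaps `default` for `controller-manager`, but the PR description says this role is for the default service account used by the MCP server, so the replacement would give the read access to a differently named account rather than the one the server runs as. Keeping `default` has its own cost: every pod in the namespace that sets no `serviceAccountName` runs as `default` and would pick up this cluster-wide binding. Consider giving the MCP server deployment its own ServiceAccount and binding the ClusterRole to that.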
🧹 Nitpick comments (4)
demo/llama_stack_mcp_agent.py (3)

10-10: Consider adding error handling for environment loading.

The load_dotenv() call should handle cases where the .env file doesn't exist or contains invalid data.

-load_dotenv()
+try:
+    load_dotenv()
+except Exception as e:
+    logger.warning(f"Failed to load .env file: {e}")
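Review bot: the `try`/`except` around `load_dotenv()` will not report a missing .env file, because python-dotenv's `load_dotenv()` returns False in that case rather than raising. Check the return value instead, and make sure `logger` is already defined at this point in the script, since the `except` branch uses it.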

32-32: Consider making the model configurable.

The model is hardcoded. Consider making it configurable via command-line argument or environment variable for better flexibility.

-# Model
-model="llama3.2:3b"
+# Model
+model = os.getenv("MODEL_NAME", "llama3.2:3b")

59-60: Consider graceful degradation instead of hard exit.

Using exit(1) terminates the entire program. Consider allowing the script to continue with reduced functionality or provide better error recovery.

    except Exception as e:
        logger.error(f"Error registering MCP tools: {e}")
-        exit(1)
+        logger.warning("Continuing without MCP tools registration")
+        # Or implement fallback behavior
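Review bot: replacing `exit(1)` with `logger.warning(...)` in the `except Exception` branch lets the script carry on after a failed MCP tool registration, so an automated run can finish without a failing status and with no tools attached. Keep a non-zero exit here (preferably `sys.exit(1)` rather than the interactive `exit` helper), or put the continue-anyway path behind an explicit option.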
config/rbac/mcp_server_get_role.yaml (1)

49-49: Add trailing newline.

The file is missing a newline character at the end.

       - get
       - list
       - watch
+
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9ef754c and 2402428.

📒 Files selected for processing (6)
  • config/manager/kustomization.yaml (1 hunks)
  • config/rbac/kustomization.yaml (1 hunks)
  • config/rbac/mcp_server_get_role.yaml (1 hunks)
  • config/rbac/mcp_server_get_role_binding.yaml (1 hunks)
  • demo/llama_stack_mcp_agent.py (1 hunks)
  • demo/requirements.txt (1 hunks)
✅ Files skipped from review due to trivial changes (2)
  • config/manager/kustomization.yaml
  • demo/requirements.txt
🚧 Files skipped from review as they are similar to previous changes (1)
  • config/rbac/kustomization.yaml
🧰 Additional context used
🪛 YAMLlint (1.37.1)
config/rbac/mcp_server_get_role.yaml

[error] 49-49: no new line character at the end of file

(new-line-at-end-of-file)

config/rbac/mcp_server_get_role_binding.yaml

[error] 12-12: no new line character at the end of file

(new-line-at-end-of-file)

🪛 Ruff (0.12.2)
demo/llama_stack_mcp_agent.py

82-82: Loop control variable i not used within loop body

Rename unused i to _i

(B007)

🔇 Additional comments (1)
config/rbac/mcp_server_get_role.yaml (1)

7-49: RBAC permissions are well-structured.

The ClusterRole correctly organizes resources by their respective API groups and grants appropriate read-only permissions. The API group assignments are accurate for each resource type.
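
The two RBAC properties discussed in this thread (read-only verbs, and a binding to the `default` ServiceAccount) can be checked mechanically before merge. The following is an added example, not code from this PR or the project; the manifests are constructed samples with placeholder names, written as Python dicts so the check runs without a YAML parser.

```python
# Added example, not code from this PR. Manifests are constructed samples with
# placeholder names, given as dicts so the check runs without a YAML parser.
READ_ONLY_VERBS = {"get", "list", "watch"}

def audit_cluster_role(role):
    """Flag rules that are not read-only, or whose read access covers Secrets."""
    findings = []
    for idx, rule in enumerate(role.get("rules", [])):
        extra = sorted(set(rule.get("verbs", [])) - READ_ONLY_VERBS)
        if extra:
            findings.append(f"rule {idx}: non-read verbs {extra}")
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        # Secrets live in the core ("") API group; wildcards also match them.
        if groups & {"", "*"} and resources & {"secrets", "*"}:
            findings.append(f"rule {idx}: read access covers secrets")
    return findings

def audit_binding(binding):
    """Flag ServiceAccount subjects named 'default', which pods use implicitly."""
    findings = []
    for subject in binding.get("subjects", []):
        if subject.get("kind") == "ServiceAccount" and subject.get("name") == "default":
            findings.append(
                f"binds default ServiceAccount in namespace {subject.get('namespace')}"
            )
    return findings

SAMPLE_ROLE = {  # constructed sample
    "kind": "ClusterRole",
    "metadata": {"name": "example-mcp-read"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "patch"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
    ],
}
SAMPLE_BINDING = {  # constructed sample: subject mirrors the shape shown in the review
    "kind": "ClusterRoleBinding",
    "roleRef": {"kind": "ClusterRole", "name": "example-mcp-read"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "system"}],
}
DEDICATED_BINDING = {  # constructed sample: hypothetical dedicated account
    "kind": "ClusterRoleBinding",
    "roleRef": {"kind": "ClusterRole", "name": "example-mcp-read"},
    "subjects": [{"kind": "ServiceAccount", "name": "example-mcp-server", "namespace": "system"}],
}

if __name__ == "__main__":
    for finding in audit_cluster_role(SAMPLE_ROLE) + audit_binding(SAMPLE_BINDING):
        print(finding)
```

A rule limited to get/list/watch can still expose Secret contents, which is why the role check reports that case separately from non-read verbs.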

@carlkyrillos carlkyrillos merged commit 09f71ba into opendatahub-io:main Jul 21, 2025
3 checks passed