From 39fe6f1dba71a9623157e364d0d1b0f6140b66fe Mon Sep 17 00:00:00 2001
From: Andrew Stoltz
Date: Thu, 23 Apr 2026 13:26:10 -0500
Subject: [PATCH] fix(agent-zero): route chat mcp in-cluster
---
 apps/agent-zero/agent-zero.yaml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/apps/agent-zero/agent-zero.yaml b/apps/agent-zero/agent-zero.yaml
index d9f8603..d9a8b9d 100644
--- a/apps/agent-zero/agent-zero.yaml
+++ b/apps/agent-zero/agent-zero.yaml
@@ -267,8 +267,11 @@ spec:
 # Phase 0 Chat MCP pilot: Agent Zero does not interpolate env vars
 # inside A0_SET_mcp_servers JSON, so build the final JSON here from
 # the secret-backed CHAT_MCP_API_KEY env var before initialize.sh.
+ # Use the in-cluster Chat service URL rather than the public
+ # Traefik hostname so the pod stays off the private VIP lane that
+ # the default egress rule blocks.
 if [ -n "${CHAT_MCP_API_KEY:-}" ]; then
- export A0_SET_mcp_servers="{\"mcpServers\":{\"fc-chat\":{\"type\":\"http\",\"url\":\"https://chat.iamworkin.lan/mcp\",\"headers\":{\"X-Api-Key\":\"${CHAT_MCP_API_KEY}\"}}}}"
+ export A0_SET_mcp_servers="{\"mcpServers\":{\"fc-chat\":{\"type\":\"http\",\"url\":\"http://chat-web.fc-chat.svc/mcp\",\"headers\":{\"X-Api-Key\":\"${CHAT_MCP_API_KEY}\"}}}}"
 fi
 # Run the original entrypoint
 exec /exe/initialize.sh $BRANCH
@@ -563,6 +566,16 @@ spec:
 ports:
 - port: 8080
 protocol: TCP
+ # FlowerCore.Chat MCP (Phase 0 pilot) — use the in-cluster chat-web
+ # service instead of the public Traefik VIP so MCP traffic stays inside
+ # the cluster and survives the private-range egress denylist.
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: fc-chat
+ ports:
+ - port: 80
+ protocol: TCP
 # Allow internet (for kubectl image pull, etc)
 - to:
 - ipBlock:
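Review bot: The new `url` on the added `export A0_SET_mcp_servers=` line moves from `https://` to `http://`, so the `X-Api-Key` header built from `CHAT_MCP_API_KEY` now crosses the pod network without TLS. Nothing in this patch shows transparent encryption (CNI-level or mesh mTLS) between the two namespaces; if the design relies on that, record it in the comment block, e.g. `# Plain HTTP: X-Api-Key is protected only by pod-network isolation/encryption, not TLS.`, and otherwise point the URL at a TLS listener on chat-web if one exists. Separately, and predating this commit, the key is spliced into the JSON unescaped, so a value containing `"` or `\` would yield malformed JSON. The surrounding startup script begins and ends outside the hunk.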
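Review bot: The added egress rule in the second hunk selects the whole `fc-chat` namespace, so on TCP 80 this pod can reach every pod there rather than only chat-web. Narrow it by putting a `podSelector` in the same `to` element as the `namespaceSelector`, e.g. `podSelector: {matchLabels: {<chat-web-pod-label>: <value>}}` (placeholder; the pod labels are not visible in this patch). Also confirm that 80 is the container port and not just the Service port: in most CNI implementations the policy `ports` are matched against the destination pod port after Service translation, so a different `targetPort` on chat-web would leave this traffic blocked. The enclosing NetworkPolicy begins and ends outside the hunk.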