diff --git a/apps/agent-zero/agent-zero.yaml b/apps/agent-zero/agent-zero.yaml
index f62cf67..2ae50cb 100644
--- a/apps/agent-zero/agent-zero.yaml
+++ b/apps/agent-zero/agent-zero.yaml
@@ -139,6 +139,20 @@ metadata:
 spec:
 itemPath: "vaults/IAmWorkin/items/FlowerCore Knowledge MCP Tokens"
+---
+# FlowerCore DMS Manager MCP key (product-manager fan-out). Synced from the
+# 1Password "FlowerCore DMS MCP Keys" item (field `credential`) into Secret
+# `dms-mcp-keys`; the deployment reads it as DMS_MCP_API_KEY for the fc_dms
+# MCP server. presentations/messageboard/segmentdisplay/telephony 1P MCP-key
+# items also exist and follow this same pattern when added.
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+ name: dms-mcp-keys
+ namespace: agent-zero
+spec:
+ itemPath: "vaults/IAmWorkin/items/FlowerCore DMS MCP Keys"
+
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -276,7 +290,7 @@ spec:
 fi
 export A0_SET_mcp_servers="$(
- python3 -c 'import json, os; servers = {}; chat_key = os.getenv("CHAT_MCP_API_KEY"); knowledge_enabled = os.getenv("KNOWLEDGE_MCP_ENABLED", "false").lower() == "true"; token = os.getenv("KNOWLEDGE_MCP_BEARER_TOKEN", "") if knowledge_enabled else ""; chat_key and servers.setdefault("fc_chat", {"type": "streamable-http", "url": "http://chat-web.fc-chat.svc/mcp", "headers": {"X-Api-Key": chat_key}}); token and servers.setdefault("fc_knowledge", {"type": "streamable-http", "url": os.getenv("KNOWLEDGE_MCP_URL", "http://knowledge-web.knowledge.svc/mcp"), "headers": {"Authorization": f"Bearer {token}"}}); print(json.dumps({"mcpServers": servers}, separators=(",", ":")))'
+ python3 -c 'import json, os; servers = {}; chat_key = os.getenv("CHAT_MCP_API_KEY"); knowledge_enabled = os.getenv("KNOWLEDGE_MCP_ENABLED", "false").lower() == "true"; token = os.getenv("KNOWLEDGE_MCP_BEARER_TOKEN", "") if knowledge_enabled else ""; chat_key and servers.setdefault("fc_chat", {"type": "streamable-http", "url": "http://chat-web.fc-chat.svc/mcp", "headers": {"X-Api-Key": chat_key}}); token and servers.setdefault("fc_knowledge", {"type": "streamable-http", "url": os.getenv("KNOWLEDGE_MCP_URL", "http://knowledge-web.knowledge.svc/mcp"), "headers": {"Authorization": f"Bearer {token}"}}); dms_key = os.getenv("DMS_MCP_API_KEY"); dms_key and servers.setdefault("fc_dms", {"type": "streamable-http", "url": os.getenv("DMS_MCP_URL", "http://dms-web.fc-dms.svc/mcp"), "headers": {"X-Api-Key": dms_key}}); print(json.dumps({"mcpServers": servers}, separators=(",", ":")))'
 )"
 # Run the original entrypoint
 exec /exe/initialize.sh $BRANCH
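Review bot: The `+` line is now a single-quoted Python one-liner of well over a thousand characters, and the fc_dms registration appended at its end is exactly the part a reviewer needs to see clearly — which header carries which secret to which URL — yet it is buried behind eight semicolons; moving the builder to a quoted heredoc (`python3 - <<'PY'`) keeps the same env-driven design, where keys are read with `os.getenv` inside Python rather than interpolated by the shell so a key containing quotes or `$` cannot break out, while giving each server a few readable lines. Two things are worth a comment in that script: fc_dms, like fc_chat, is switched on by the mere presence of `DMS_MCP_API_KEY` with no `*_ENABLED` gate as fc_knowledge has, so an empty 1Password field silently omits the server instead of failing start-up; and the resulting JSON, API keys and bearer token included, is exported as `A0_SET_mcp_servers` and inherited by `/exe/initialize.sh`, so any process in the container can read it from the environment — presumably accepted today, but it deserves to be written down. If the script sits inside a YAML block scalar, the `PY` terminator must be at the scalar's base indent. The surrounding script starts before the hunk.

```shell
export A0_SET_mcp_servers="$(python3 - <<'PY'
import json, os

# Secrets are read from the environment here, never substituted by the shell,
# so key contents cannot alter the command line. The exported JSON is inherited
# by initialize.sh and is readable by every process in this container.
servers = {}

chat_key = os.getenv("CHAT_MCP_API_KEY")
if chat_key:
    servers["fc_chat"] = {
        "type": "streamable-http",
        "url": "http://chat-web.fc-chat.svc/mcp",
        "headers": {"X-Api-Key": chat_key},
    }

if os.getenv("KNOWLEDGE_MCP_ENABLED", "false").lower() == "true":
    token = os.getenv("KNOWLEDGE_MCP_BEARER_TOKEN", "")
    if token:
        servers["fc_knowledge"] = {
            "type": "streamable-http",
            "url": os.getenv("KNOWLEDGE_MCP_URL", "http://knowledge-web.knowledge.svc/mcp"),
            "headers": {"Authorization": f"Bearer {token}"},
        }

# Key presence is the only switch (same as fc_chat): an empty 1Password field
# silently omits fc_dms rather than failing start-up.
dms_key = os.getenv("DMS_MCP_API_KEY")
if dms_key:
    servers["fc_dms"] = {
        "type": "streamable-http",
        "url": os.getenv("DMS_MCP_URL", "http://dms-web.fc-dms.svc/mcp"),
        "headers": {"X-Api-Key": dms_key},
    }

print(json.dumps({"mcpServers": servers}, separators=(",", ":")))
PY
)"
# … unchanged: "# Run the original entrypoint" and the exec line …
```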
@@ -393,6 +407,20 @@ spec:
 secretKeyRef:
 name: knowledge-mcp-tokens
 key: password
+ # FlowerCore DMS Manager MCP (dynamic message signs) — first of the
+ # product-manager MCP fan-out. dms-web /mcp requires X-Api-Key; the key
+ # is synced from 1Password "FlowerCore DMS MCP Keys" (field credential)
+ # by the dms-mcp-keys OnePasswordItem CRD above. Same builder+env+netpol
+ # pattern extends to presentations/messageboard/segmentdisplay/telephony
+ # (all have 1P MCP-key items). MySQL + Signage still need 1P MCP items
+ # provisioned before they can join (mysql-web /mcp 401s with no key today).
+ - name: DMS_MCP_URL
+ value: "http://dms-web.fc-dms.svc/mcp"
+ - name: DMS_MCP_API_KEY
+ valueFrom:
+ secretKeyRef:
+ name: dms-mcp-keys
+ key: credential
 # Print.Web — Thermal printer service on edge2.
 # PRINT_WEB_URL: internal HTTP (bypasses Traefik TLS — print_web.py
 # runs in-cluster and can reach edge2 directly on the PROD VLAN).
@@ -637,6 +665,16 @@ spec:
 ports:
 - port: 5300
 protocol: TCP
+ # FlowerCore DMS Manager MCP (product-manager fan-out) — in-cluster
+ # dms-web on port 80. Every in-cluster MCP target needs an explicit
+ # egress allow (the policy denies private ranges by default).
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: fc-dms
+ ports:
+ - port: 80
+ protocol: TCP
 # Allow internet (for kubectl image pull, etc)
 - to:
 - ipBlock:
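Review bot: The seven-line comment above `DMS_MCP_URL` spends four of its lines on other services — which ones have 1Password items, which still need them, that mysql-web currently returns 401 — and that status will be stale the moment the next service is wired up, leaving a manifest comment that is confidently wrong. Keep the manifest comment to what these two env entries do and move the roadmap to an issue, e.g. `# FlowerCore DMS Manager MCP: dms-web /mcp requires X-Api-Key; the key is the "credential" field of the dms-mcp-keys Secret synced by the OnePasswordItem above.` The secretKeyRef is required (no `optional: true`), so a Secret that exists without a `credential` key blocks the pod rather than starting the agent without fc_dms; that is the safer failure, and a clause saying so would save the next reader a check, though note the key name differs from the `password` key used by knowledge-mcp-tokens three lines up, so it is worth confirming the 1Password field label really is `credential`. The URL is plain HTTP inside the cluster, the same as the neighbouring entries; the env list continues outside the hunk.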
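Review bot: The new egress rule's `to` entry carries only a `namespaceSelector`, so it lets the agent reach every pod in `fc-dms` on port 80, not just dms-web, which is wider than the comment's "in-cluster dms-web on port 80" states. Add a `podSelector` as a sibling key of `namespaceSelector` in the same list element — `podSelector: {matchLabels: {app: dms-web}}`, substituting whatever label the dms-web pods actually carry, which is not visible here — because within one `to` element the two selectors AND together, whereas a separate `- podSelector:` item would OR with the namespace rule and open port 80 on every pod in every namespace. If namespace-only rules are a deliberate house style for the other MCP targets, a one-line comment saying so would stop this being re-raised on each fan-out. The key rides over unencrypted HTTP on port 80, which the `DMS_MCP_URL` default in the same commit already assumes; that is usual on a trusted CNI but worth stating in the comment if the cluster has no mesh or mTLS. The rest of the policy is outside the hunk.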