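# FlowerCore.Mcp.Gateway — Agent Zero MCP tool-router.
# Exposes one AZ-facing MCP endpoint with three meta-tools:
# list_capabilities, search_tools, invoke_tool.
#
# Security summary (derived from the manifests below):
#   - Inbound callers authenticate with a single shared API key (X-Api-Key).
#   - The gateway pod holds the credentials for every backend MCP server it
#     routes to, so it is the highest-value workload in this set. Anyone who can
#     exec into the pod or read Secrets in fc-gateway obtains all of them.
#   - The pod listens on plain HTTP; TLS exists only on the Traefik ingress hop.
---
apiVersion: v1
kind: Namespace
metadata:
  name: fc-gateway
  labels:
    app.kubernetes.io/part-of: flowercore
---
# Inbound key Agent Zero sends to the gateway as X-Api-Key.
# The Deployment reads it from a Secret with the same name as this item.
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: gateway-mcp-keys
  namespace: fc-gateway
spec:
  itemPath: "vaults/IAmWorkin/items/FlowerCore Gateway MCP Keys"
---
# Embedding API key for fc:embedding via fc-llm-bridge. Optional at runtime:
# the gateway falls back to deterministic keyword ranking if embeddings are down.
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: fc-llm-bridge-api-keys
  namespace: fc-gateway
spec:
  itemPath: "vaults/IAmWorkin/items/FC LLM Bridge API Keys"
---
# Backend credentials follow: one item per MCP backend the gateway can call.
# Each lands in this namespace, so RBAC on Secrets in fc-gateway should be
# limited to the operator and the workload itself.
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: mysql-mcp-keys
  namespace: fc-gateway
spec:
  itemPath: "vaults/IAmWorkin/items/FlowerCore MySQL MCP Keys"
---
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: telephony-mcp-keys
  namespace: fc-gateway
spec:
  itemPath: "vaults/IAmWorkin/items/Twilio IVR MCP Token (Agent Zero)"
---
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: chat-mcp-keys
  namespace: fc-gateway
spec:
  itemPath: "vaults/IAmWorkin/items/FlowerCore Chat MCP Keys"
---
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: dms-mcp-keys
  namespace: fc-gateway
spec:
  itemPath: "vaults/IAmWorkin/items/FlowerCore DMS MCP Keys"
---
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: knowledge-mcp-tokens
  namespace: fc-gateway
spec:
  itemPath: "vaults/IAmWorkin/items/FlowerCore Knowledge MCP Tokens"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fc-gateway
  namespace: fc-gateway
  labels:
    app.kubernetes.io/name: fc-gateway
    app.kubernetes.io/part-of: flowercore
spec:
  replicas: 1
  revisionHistoryLimit: 3
  # Recreate with a single replica means the gateway is unavailable during
  # every rollout.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: fc-gateway
  template:
    metadata:
      labels:
        app.kubernetes.io/name: fc-gateway
        app.kubernetes.io/part-of: flowercore
      annotations:
        # NOTE(review): the consumer of the fc.flowercore.io/* annotations is not
        # shown here; presumably /healthz is served without the API key. Confirm
        # that the endpoint returns liveness only and no configuration detail.
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        # The metrics path shares port 8080 with the MCP endpoint, and the
        # IngressRoute below matches on host only, so this path is routable from
        # the ingress as well unless the application restricts it. Verify.
        prometheus.io/path: "/metrics/prometheus"
    spec:
      # NOTE(review): no serviceAccountName is set, so the namespace's default
      # ServiceAccount token is mounted into the pod. The egress rules below do
      # not list the API server; if the gateway never calls the Kubernetes API,
      # consider automountServiceAccountToken: false.
      securityContext:
        runAsNonRoot: true
        fsGroup: 1654
        fsGroupChangePolicy: OnRootMismatch
        # Added: pin the container runtime's default seccomp filter rather than
        # relying on the node or kubelet default, which may be Unconfined.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: web
          # Node-local image with a tag, not a digest, and never pulled: the
          # cluster cannot verify a signature or registry provenance for it.
          # Integrity depends on whatever process loads images onto the node.
          image: localhost/fc-gateway:v20260617-az-gateway
          imagePullPolicy: Never
          ports:
            - containerPort: 8080
              name: http
          env:
            # Plain HTTP listener. In-cluster callers that reach the pod
            # directly send X-Api-Key unencrypted on the pod network.
            - name: ASPNETCORE_URLS
              value: "http://+:8080"
            - name: ASPNETCORE_ENVIRONMENT
              value: "Production"
            - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
              value: "false"
            # Not marked optional: the container will not start if the Secret or
            # key is missing, so the gateway cannot come up without inbound auth
            # configured.
            - name: FlowerCore__Mcp__ApiKey__Key
              valueFrom:
                secretKeyRef:
                  name: gateway-mcp-keys
                  key: agent-zero
            - name: FlowerCore__Mcp__Gateway__Embedding__BaseUrl
              value: "http://fc-llm-bridge.fc-llm-bridge.svc:8080/v1"
            - name: FlowerCore__Mcp__Gateway__Embedding__Model
              value: "fc:embedding"
            - name: FlowerCore__Mcp__Gateway__Embedding__Mode
              value: "openai"
            - name: FlowerCore__Mcp__Gateway__Embedding__ApiKey
              valueFrom:
                secretKeyRef:
                  name: fc-llm-bridge-api-keys
                  key: agent-zero-k8s
                  optional: true
            # Backend credentials are all optional: the pod starts with the
            # variable unset when a Secret is absent.
            # NOTE(review): confirm the gateway disables a backend whose key is
            # unset instead of calling it unauthenticated.
            - name: GW_BACKEND_fc_mysql_KEY
              valueFrom:
                secretKeyRef:
                  name: mysql-mcp-keys
                  key: credential
                  optional: true
            - name: GW_BACKEND_fc_telephony_KEY
              valueFrom:
                secretKeyRef:
                  name: telephony-mcp-keys
                  key: credential
                  optional: true
            - name: GW_BACKEND_fc_chat_KEY
              valueFrom:
                secretKeyRef:
                  name: chat-mcp-keys
                  key: credential
                  optional: true
            - name: GW_BACKEND_fc_dms_KEY
              valueFrom:
                secretKeyRef:
                  name: dms-mcp-keys
                  key: credential
                  optional: true
            - name: GW_BACKEND_fc_knowledge_KEY
              valueFrom:
                secretKeyRef:
                  name: knowledge-mcp-tokens
                  key: password
                  optional: true
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 384Mi
          # The root filesystem is read-only; these two emptyDir mounts are the
          # only writable paths.
          volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: logs
              mountPath: /home/app/logs
          securityContext:
            runAsNonRoot: true
            runAsUser: 1654
            runAsGroup: 1654
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: [ALL]
          startupProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
            failureThreshold: 30
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8080
            periodSeconds: 10
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 30
      volumes:
        - name: tmp
          emptyDir: {}
        - name: logs
          emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: fc-gateway
  namespace: fc-gateway
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: fc-gateway
  ports:
    - name: http
      port: 80
      targetPort: 8080
      protocol: TCP
---
# Serving certificate for the ingress hop, issued by the step-ca-acme
# ClusterIssuer. Clients must trust that CA for the TLS check to mean anything.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: fc-gateway-tls
  namespace: fc-gateway
spec:
  secretName: fc-gateway-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - gateway.iamworkin.lan
  duration: 720h
  renewBefore: 240h
---
# TLS terminates at Traefik; the hop from Traefik to the pod is plain HTTP.
# The rule matches on host only, so every path the application serves is
# reachable through this route, and the API key is the only visible control.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: fc-gateway
  namespace: fc-gateway
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`gateway.iamworkin.lan`)
      kind: Rule
      services:
        - name: fc-gateway
          port: 80
  tls:
    secretName: fc-gateway-tls
---
# Default-deny in both directions for the gateway pod, with the allowances
# listed below. This is enforced only if the cluster's CNI implements
# NetworkPolicy.
#
# Every peer is a namespaceSelector with no podSelector, so any pod in a listed
# namespace is allowed. kubernetes.io/metadata.name is set by the API server,
# so a namespace owner cannot spoof it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: fc-gateway-netpol
  namespace: fc-gateway
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: fc-gateway
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Agent Zero calling the gateway directly, without TLS.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: agent-zero
      ports:
        - port: 8080
          protocol: TCP
    # Traefik forwarding requests for gateway.iamworkin.lan.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik-system
      ports:
        - port: 8080
          protocol: TCP
    # Prometheus scrape. The rule is port-level, so the monitoring namespace
    # can also reach the MCP endpoint, where the API key still applies.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
      ports:
        - port: 8080
          protocol: TCP
  egress:
    # Cluster DNS.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # Embedding backend.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-llm-bridge
      ports:
        - port: 8080
          protocol: TCP
    # MCP backends. There is no egress to the internet or to any other
    # namespace.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-mysql
      ports:
        - port: 5300
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: telephony
      ports:
        - port: 5100
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-chat
      ports:
        - port: 80
          protocol: TCP
        - port: 8080
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-dms
      ports:
        - port: 80
          protocol: TCP
        - port: 8080
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: knowledge
      ports:
        - port: 80
          protocol: TCP
        - port: 8080
          protocol: TCP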