Configuration
This guide covers configuration options for MCP Gateway components.
MCPGateway Configuration
The MCPGateway resource configures the gateway deployment:
```yaml
apiVersion: mcp-gateway.ohcs.io/v1alpha1
kind: MCPGateway
metadata:
  name: my-gateway
spec:
  # Domain for the gateway
  domain: mcp.example.com
  # Number of gateway replicas
  replicas: 2
  # TLS configuration
  tls:
    enabled: true
    clusterIssuer: letsencrypt-prod
    # Or use an existing secret
    # secretName: my-tls-secret
  # Ingress class (optional)
  ingressClassName: nginx
  # Resource requirements
  resources:
    limits:
      cpu: "500m"
      memory: "256Mi"
    requests:
      cpu: "100m"
      memory: "128Mi"
  # Node selector (optional)
  nodeSelector:
    kubernetes.io/os: linux
  # Tolerations (optional)
  tolerations:
    - key: "dedicated"
      operator: "Equal"
      value: "mcp"
      effect: "NoSchedule"
```
Environment Variables
The gateway container supports these environment variables:
| Variable | Description | Default |
|---|---|---|
| `AUTH_TOKEN` | Token for client authentication (sent via `X-MCP-Gateway-Token` header) | (none) |
| `CONFIG_NAME` | Kubernetes ConfigMap name (enables K8s mode when set) | (none) |
CLI Flags
The gateway binary also accepts these CLI flags:
| Flag | Description | Default |
|---|---|---|
| `-config` | Path to configuration file (file mode) | `/etc/mcp-gateway/config.json` |
| `-addr` | HTTP server address | `:8080` |
| `-log-level` | Log level (debug, info, warn, error) | `info` |
Configuration Modes
The gateway supports two configuration modes:
Kubernetes Mode (Default)
When running in a Kubernetes cluster with the operator, the gateway automatically watches for ConfigMap changes. The operator manages the ConfigMap, and the gateway applies configuration updates without requiring a restart.
Set CONFIG_NAME to the ConfigMap name to enable this mode:
```yaml
env:
  - name: CONFIG_NAME
    value: my-gateway-config
```
File Mode
For local development or standalone deployments, the gateway can read configuration from a JSON file using the -config flag:
```bash
./mcp-gateway -config /path/to/config.json
```
Authentication
To enable authentication, create a Secret with the auth token:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: gateway-auth
type: Opaque
stringData:
  AUTH_TOKEN: your-secret-token
```
Then reference it in your MCPGateway:
```yaml
spec:
  authSecretRef:
    name: gateway-auth
    key: AUTH_TOKEN
```
Clients must then include the token in requests using the X-MCP-Gateway-Token header:
```bash
curl -H "X-MCP-Gateway-Token: your-secret-token" https://mcp.example.com/
```
The gateway uses the X-MCP-Gateway-Token header instead of the standard Authorization header. This prevents the gateway's auth token from leaking to upstream MCP servers. The Authorization header passes through to upstream servers untouched (for servers that require their own auth).
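The header separation described above, sketched in Go as an added example (not the gateway's own code). The function name `upstreamHeaders`, the sample token values, and the assumption that the gateway removes `X-MCP-Gateway-Token` before forwarding are illustrative.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
)

const gatewayTokenHeader = "X-MCP-Gateway-Token"

// upstreamHeaders checks the client's gateway token and returns the header
// set to forward upstream. authToken is the configured AUTH_TOKEN; an empty
// value means authentication is not enabled.
func upstreamHeaders(in http.Header, authToken string) (http.Header, bool) {
	if authToken != "" {
		// Hash both sides so the constant-time compare sees equal lengths.
		got := sha256.Sum256([]byte(in.Get(gatewayTokenHeader)))
		want := sha256.Sum256([]byte(authToken))
		if subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
			return nil, false
		}
	}
	out := in.Clone()
	// Assumption: the gateway credential is dropped before proxying.
	out.Del(gatewayTokenHeader)
	return out, true
}

func main() {
	// Constructed sample request headers.
	in := http.Header{}
	in.Set(gatewayTokenHeader, "constructed-gateway-token")
	in.Set("Authorization", "Bearer constructed-upstream-credential")

	out, ok := upstreamHeaders(in, "constructed-gateway-token")
	fmt.Println("accepted:", ok)
	fmt.Println("forwarded Authorization:", out.Get("Authorization"))
	fmt.Printf("forwarded gateway token: %q\n", out.Get(gatewayTokenHeader))

	_, ok = upstreamHeaders(in, "a-different-configured-token")
	fmt.Println("accepted with wrong token:", ok)
}
```

The caller's header map is cloned, so the incoming request is left unmodified and only the forwarded copy loses the gateway credential.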