Add ansible mcp role #116
b6ed59b to 4447989
antgamdia
left a comment
Thanks for the effort in adding the MCP server to the Ansible playbook! Looking good!
I'm not that skilled in the Ansible stuff, but I've added some general comments around the MCP server.
| and `agent` playbooks. MCP is enabled by default and can be skipped | ||
| by setting `provision_mcp=false`. |
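Review bot: `provision_mcp=false` on the second line is the key=value form, and Ansible passes key=value extra vars as strings, so the string `false` only disables MCP if the condition that reads it casts with `| bool`. Document the YAML form (`provision_mcp: false`) next to it, or confirm that the condition guarding the `mcp.yml` import applies the cast.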
I personally like that it's installed by default; however, I don't think it is the case for other installations (like the Helm Chart). Ideally, the installation experience should be consistent, IMO.
I agree the cross-installer inconsistency isn't ideal. The reason I kept it default-on for Ansible is that `site.yml` has always been the "give me everything" entry point.
| mcp_server_oas_paths: | ||
| - "http://127.0.0.1:{{ trento_web_listen_port }}/api/all/openapi" | ||
| - "http://127.0.0.1:{{ trento_wanda_listen_port }}/api/all/openapi" | ||
| mcp_server_trento_url: "{{ trento_server_url | default('https://{}'.format(trento_server_name), true) }}" |
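Review bot: on the `mcp_server_trento_url` line, the argument to `default()` is evaluated before the filter runs, so `trento_server_name` has to be defined even when `trento_server_url` is set, and an inventory that only sets the URL can fail templating here. Consider an inline conditional (`trento_server_url if trento_server_url else ...`), which is evaluated lazily, or document `trento_server_name` as required.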
No need to populate it for local installations, I think.
Ref: https://github.com/trento-project/mcp-server/blob/4d12ea104ccba3e480b9344384e67a5151d286ca/packaging/suse/rpm/systemd/mcp-server-trento.example#L44-L45
| galaxy_info: | ||
| author: "trento-developers@suse.com" | ||
| description: Install and configure Trento MCP Server | ||
| company: SUSE |
| company: SUSE | |
| company: SUSE LLC |
| MCP client. With the default `mcp_server_header_name`, clients pass the | ||
| token through the `Authorization` header. | ||
|
|
||
| Example MCPHost server entry: |
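Review bot: the sentence ending in "`Authorization` header" says which header carries the token but not the value format a client must send. State it here (for example, whether a scheme prefix is expected) so the example entry can be adapted to other clients, and if that entry includes a token value, make it an obvious placeholder.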
I know we have documented it, but we might shift from MCPHost (now deprecated and archived) to Kit. I mean, no action required now, but eventually we'll have to change the docs 😅
| For client setup and configuration details, see the official Trento MCP | ||
| Server usage guide at | ||
| https://www.trento-project.io/docs/latest/user-guide/trento-mcp-how-to-use.html | ||
| and the configuration reference at | ||
| https://www.trento-project.io/docs/mcp-server/Trento%20MCP%20Server%20documentation/configuration-options.html. | ||
|
|
Re: https://github.com/trento-project/ansible/pull/116/changes#r3201020015
Or maybe just the pointers to the docs are enough... that way we don't have to change again and again.
| key for the agents is automatically retrieved from Trento server and | ||
| passed on to the deployed agents. Thus, the value of | ||
| `agent_web_api_key` variables is ignored when using this playbook. | ||
| `site.yml` also provisions the Trento MCP Server through `mcp.yml` |
skrech
left a comment
I'm going through the PR but before detailed review, I want to point out two things:
- When having a ROLE for something, it has a `defaults/main.yml` file that handles the default values, so there is no need to specify `| default()` filter on every usage. This makes reading the code hard and at the same time defeats the purpose of `defaults/main.yml`.
- Other services use the firewall role from outside the specific functionality role. Maybe you could adapt the code to be like that? I suspect that you did that because you needed variables from the MCP role... I encourage you to think if such configurability is actually needed. For example, I don't know why somebody won't want to enable the port for communication with the MCP server. Even if it really wants to not open a port, then this seems like a condition that comes from host networking concerns (topology), and it's not a role concern. Or at least you should pass-in the value from the playbook to the role if you want to preserve the configurability of this role value.
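
The first point above, and the suggestion to pass values in from the playbook, as an added example that is not code from this PR: the fallback lives once in the role defaults, the play supplies topology-dependent values, and tasks reference variables bare. File names follow the paths listed in this PR; the default values and the `dest` path are assumptions for illustration.

```yaml
# Illustrative layout only; values and the dest path are assumptions.
---
# roles/mcp_server/defaults/main.yml
# Role defaults have the lowest precedence: inventory, play vars and -e
# override them, so no task or template needs `| default(...)`.
mcp_server_header_name: Authorization
mcp_server_trento_url: ""          # left empty for same-host installs
mcp_server_oas_paths: []
---
# mcp.yml: topology-dependent values are decided once, in the play,
# and passed into the role.
- name: Provision Trento MCP Server on the Trento server host
  hosts: trento_server
  become: true
  roles:
    - role: mcp_server
      vars:
        mcp_server_oas_paths:
          - "http://127.0.0.1:{{ trento_web_listen_port }}/api/all/openapi"
          - "http://127.0.0.1:{{ trento_wanda_listen_port }}/api/all/openapi"
---
# roles/mcp_server/tasks/main.yml: variables are referenced bare.
- name: Render MCP server configuration
  ansible.builtin.template:
    src: mcp-server-trento.j2
    dest: /etc/trento/mcp-server-trento   # hypothetical path
    owner: root
    group: root
    mode: "0640"
```
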
license-eye has checked 142 files.
| Valid | Invalid | Ignored | Fixed |
|---|---|---|---|
| 110 | 8 | 24 | 0 |
Invalid file list:
- cleanup-mcp.yml
- mcp.yml
- roles/mcp_server/defaults/main.yml
- roles/mcp_server/handlers/main.yml
- roles/mcp_server/meta/main.yml
- roles/mcp_server/tasks/cleanup.yml
- roles/mcp_server/tasks/main.yml
- roles/mcp_server/templates/mcp-server-trento.j2
Use this command to fix any missing license headers:
```bash
docker run -it --rm -v $(pwd):/github/workspace apache/skywalking-eyes header fix
```
Description
This PR adds Ansible support for deploying the Trento MCP Server.
This PR adds a new `mcp.yml` playbook and `mcp_server` role to install, configure, and start `mcp-server-trento` as a systemd service.
Supported deployment modes:
- `trento_server` and use local OpenAPI paths.
- `mcp_hosts` and use `mcp_server_trento_url` with OpenAPI autodiscovery paths.
`site.yml` now imports `mcp.yml` after server provisioning. MCP is enabled by default but it can be skipped by `provision_mcp: false`.
The goal of the site playbook was a simple way to deploy everything, so why not add the MCP server to it?
Changes
- `mcp.yml` for MCP Server provisioning.
- `cleanup-mcp.yml` for MCP-only cleanup.
- `mcp_server` role
Deployment Behavior
Users choose the target by defining inventory groups in their `inventory.yml`:
- `mcp_hosts` group, the playbook installs `mcp-server-trento` on the hosts in that group. This is the dedicated MCP deployment path.
- `mcp_hosts`, the playbook installs `mcp-server-trento` on `trento_server`. This is the default same-host deployment path.
specifications through OAS_PATH
`127.0.0.1` OpenAPI paths because Web and Wanda run on the Trento server host. Instead, it connects to Trento through TRENTO_URL and AUTODISCOVERY_PATHS
Usage
Install only the MCP Server. Without an `mcp_hosts` group, this deploys MCP on `trento_server`:
Install MCP as part of the full Trento deployment:
Skip MCP when running the full Trento deployment:
Deploy MCP on a dedicated host by adding an `mcp_hosts` group next to `trento_server` in the inventory and running either `mcp.yml` or `site.yml`:
Client Access
When `provision_proxy` is `true`, MCP clients should connect through the Trento reverse proxy:
The Trento MCP Server does not install or configure an LLM client. Users must
generate a Personal Access Token in Trento Web and configure it in their
MCP client.
Cleanup Behavior
This PR adds `cleanup-mcp.yml` for removing only the Trento MCP Server while keeping the core Trento deployment intact.
Run MCP-only cleanup with:
Cleanup follows the same host selection rules as installation:
- `mcp_hosts` exists, MCP cleanup runs on the hosts in `mcp_hosts`.
- `mcp_hosts` is absent, MCP cleanup runs on `trento_server`.
The MCP cleanup role:
- `mcp-server-trento` systemd service;
- health-port exposure were enabled.
The cleanup playbook does not remove the `mcp-server-trento` RPM package, matching the existing cleanup convention for most installed packages.