From 09e3b1f8e491bc1c815bdaabd40ae0a68808e161 Mon Sep 17 00:00:00 2001
From: Jeremy Eder
Date: Fri, 20 Mar 2026 15:54:22 -0400
Subject: [PATCH] feat: make ALLOWED_HTTP_HOSTS configurable via env var
Add support for ALLOWED_HTTP_HOSTS environment variable (comma-separated) to allow external hostnames through DNS rebinding protection. deploy.sh now auto-injects the OpenShift route hostname on apply.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 deploy/deploy.sh | 10 ++++++++++
 mcp_server.py | 6 ++++++
 2 files changed, 16 insertions(+)
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
index 8145a98..05a5e94 100755
--- a/deploy/deploy.sh
+++ b/deploy/deploy.sh
@@ -118,6 +118,16 @@ cmd_apply() {
 if [[ -n "$EFFECTIVE_IMAGE" ]]; then
 mv "$KUSTOMIZE_DIR/kustomization.yaml.bak" "$KUSTOMIZE_DIR/kustomization.yaml"
 fi
+
+ # Inject route hostname into ALLOWED_HTTP_HOSTS for DNS rebinding protection
+ if [[ "$OVERLAY" == "openshift" ]]; then
+ local ROUTE_HOST
+ ROUTE_HOST=$($KUBECTL -n "$NAMESPACE" get route gps-mcp-server -o jsonpath='{.spec.host}' 2>/dev/null || true)
+ if [[ -n "$ROUTE_HOST" ]]; then
+ echo "=== Setting ALLOWED_HTTP_HOSTS=$ROUTE_HOST ==="
+ $KUBECTL -n "$NAMESPACE" set env deployment/gps-mcp-server "ALLOWED_HTTP_HOSTS=$ROUTE_HOST"
+ fi
+ fi
 echo ""
 echo "=== Waiting for rollout ==="
 $KUBECTL -n "$NAMESPACE" rollout status deployment/gps-mcp-server --timeout=120s
diff --git a/mcp_server.py b/mcp_server.py
index 3fac3e4..57ed6dc 100644
--- a/mcp_server.py
+++ b/mcp_server.py
@@ -17,6 +17,7 @@ import argparse
 import json
+import os
 import re
 import sqlite3
 from datetime import date, datetime
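Review bot: The `set env` call in the new `openshift` block of `cmd_apply` replaces the whole `ALLOWED_HTTP_HOSTS` value on the deployment, so any hosts an operator put there through the overlay manifests are dropped in favour of the single route host. The lookup also ends in `2>/dev/null || true`, so when the route is missing or the call fails the allowlist is left untouched and the deploy log gives no hint why requests through the route are later rejected. I would add an `else` branch to the inner `if`, for example `echo "WARNING: route gps-mcp-server not found; ALLOWED_HTTP_HOSTS not updated" >&2`, and either merge with the current value or document that the script owns this variable. The injected value is the bare `.spec.host`, while the default entry visible in mcp_server.py has the form `host:*`, so it is worth confirming that a host without a port pattern matches what the server compares against. The body of `cmd_apply` starts and ends outside the hunk.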
@@ -667,6 +668,11 @@ def get_gps_version() -> str:
 "host.docker.internal:*",
 ]
+# Extra hosts from env (comma-separated), e.g. OpenShift route hostnames
+_extra = os.environ.get("ALLOWED_HTTP_HOSTS", "")
+if _extra:
+ ALLOWED_HTTP_HOSTS.extend(h.strip() for h in _extra.split(",") if h.strip())
+
 def _configure_http(port: int = 8000) -> None:
 """Configure MCP server for HTTP transport with DNS rebinding protection."""
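Review bot: The values read from `ALLOWED_HTTP_HOSTS` are appended to the DNS-rebinding allowlist after only a `strip()`, so an entry such as `*` or `*:*` goes into the list unchecked. Whether the matcher honours a wildcard in the host position is not visible here, but the existing `host.docker.internal:*` entry shows that `*` is meaningful at least in the port position. I would reject entries whose host part is empty or contains `*` and fail at startup, so that a mistyped variable cannot silently widen what the check accepts. The list literal starts above the hunk and the body of `_configure_http` continues below it, so how the list is consumed should be confirmed there.

```python
# Extra hosts from env (comma-separated), e.g. OpenShift route hostnames
for _entry in os.environ.get("ALLOWED_HTTP_HOSTS", "").split(","):
    _entry = _entry.strip()
    if not _entry:
        continue
    # Only the port may be a wildcard; a wildcard host would defeat the allowlist.
    _host_part = _entry.rsplit(":", 1)[0]
    if not _host_part or "*" in _host_part:
        raise ValueError(f"ALLOWED_HTTP_HOSTS: refusing entry {_entry!r}")
    ALLOWED_HTTP_HOSTS.append(_entry)
```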