Problem
The static HTTPRoute mcp-route in config/mcp-gateway/base/httproute.yaml coexists with the mcp-gateway-route HTTPRoute that is automatically created by the MCPGatewayExtension controller. Having two HTTPRoutes pointing to the same Gateway is confusing, especially for new users.
Context
The static mcp-route includes two things the auto-generated mcp-gateway-route does not:
- CORS headers via
ResponseHeaderModifier filter (Access-Control-Allow-Origin: *, etc.)
- OAuth well-known endpoint rule (
/.well-known/oauth-protected-resource)
The controller-managed mcp-gateway-route (created in internal/controller/broker_router.go) is a plain route with no filters and only a /mcp path match.
Users who need CORS headers are already directed to set spec.httpRouteManagement: Disabled on MCPGatewayExtension and create a custom HTTPRoute (documented in docs/guides/configure-mcp-gateway-listener-and-router.md). The static mcp-route essentially serves as that custom route example but is deployed by default, which causes duplication.
Questions to resolve
- Can
mcp-route be removed from config/mcp-gateway/base/ entirely, relying on the controller-managed route plus documented custom route instructions?
- Should the controller-managed
mcp-gateway-route gain support for CORS filters and/or the /.well-known/oauth-protected-resource path? That would remove the need for the static route in more scenarios.
- Is the
/.well-known/oauth-protected-resource route needed by any current flow, or is it only relevant for specific auth setups?
- Is the CORS workaround in
authentication.md (Keycloak EnvoyFilter) related to this static route, or independent?
Relevant files
config/mcp-gateway/base/httproute.yaml — the static mcp-routeinternal/controller/broker_router.go — creates mcp-gateway-routedocs/guides/configure-mcp-gateway-listener-and-router.md — custom HTTPRoute with CORS docsdocs/guides/authentication.md — Keycloak CORS workaround
Problem
The static HTTPRoute
mcp-routeinconfig/mcp-gateway/base/httproute.yamlcoexists with themcp-gateway-routeHTTPRoute that is automatically created by the MCPGatewayExtension controller. Having two HTTPRoutes pointing to the same Gateway is confusing, especially for new users.Context
The static
mcp-routeincludes two things the auto-generatedmcp-gateway-routedoes not:ResponseHeaderModifierfilter (Access-Control-Allow-Origin: *, etc.)/.well-known/oauth-protected-resource)The controller-managed
mcp-gateway-route(created ininternal/controller/broker_router.go) is a plain route with no filters and only a/mcppath match.Users who need CORS headers are already directed to set
spec.httpRouteManagement: Disabledon MCPGatewayExtension and create a custom HTTPRoute (documented indocs/guides/configure-mcp-gateway-listener-and-router.md). The staticmcp-routeessentially serves as that custom route example but is deployed by default, which causes duplication.Questions to resolve
mcp-routebe removed fromconfig/mcp-gateway/base/entirely, relying on the controller-managed route plus documented custom route instructions?mcp-gateway-routegain support for CORS filters and/or the/.well-known/oauth-protected-resourcepath? That would remove the need for the static route in more scenarios./.well-known/oauth-protected-resourceroute needed by any current flow, or is it only relevant for specific auth setups?authentication.md(Keycloak EnvoyFilter) related to this static route, or independent?Relevant files
config/mcp-gateway/base/httproute.yaml— the staticmcp-routeinternal/controller/broker_router.go— createsmcp-gateway-routedocs/guides/configure-mcp-gateway-listener-and-router.md— custom HTTPRoute with CORS docsdocs/guides/authentication.md— Keycloak CORS workaround