KIALI.md

Kiali/OSSM integration

This server can expose Kiali tools so assistants can query mesh information (e.g., mesh status/graph).

Enable the Kiali toolset

Enable the Kiali tools via the server TOML configuration file.

Config (TOML):

toolsets = ["core", "ossm"]

[toolset_configs.kiali]
url = "https://kiali.example" # Endpoint/route to reach Kiali console
# insecure = true  # optional: allow insecure TLS (not recommended in production)
# certificate_authority = "/path/to/ca.crt"  # File path to CA certificate
# When url is https and insecure is false, certificate_authority is required.

When the kiali toolset is enabled, a Kiali toolset configuration is required via [toolset_configs.kiali]. If missing or invalid, the server will refuse to start.

How authentication works

• The server uses your existing Kubernetes credentials (from kubeconfig or in-cluster) to set a bearer token for Kiali calls.
• If you pass an HTTP Authorization header to the MCP HTTP endpoint, that is not required for Kiali; Kiali calls use the server's configured token.

Troubleshooting

• Missing Kiali configuration when kiali toolset is enabled → set [toolset_configs.kiali].url in the config TOML.
• Invalid URL → ensure [toolset_configs.kiali].url is a valid http(s)://host URL.
• TLS certificate validation:
  • If [toolset_configs.kiali].url uses HTTPS and [toolset_configs.kiali].insecure is false, you must set [toolset_configs.kiali].certificate_authority with the path to the CA certificate file. Relative paths are resolved relative to the directory containing the config file.
  • For non-production environments you can set [toolset_configs.kiali].insecure = true to skip certificate verification.