Skip to main content
Glama
flightctl

Flight Control MCP Server

Official
by flightctl
OverviewSchemaRelated ServersScoreDiscussions
Python
Hybrid

mcp-server

Model Context Protocol (MCP) server for Flight Control

Overview

The MCP server provides a read-only API layer for querying and retrieving contextual information about devices and fleets managed by Flight Control. It is designed for safe external integration, reporting, and automation, exposing a REST API that supports filtering and selector-based queries. The MCP server leverages the flightctl-python-client for backend communication and enforces authentication compatible with Flight Control's authorization model.

Building locally

To build the container image locally using Podman, run:

podman build -t mcp-server:latest .

This will create a local image named mcp-server:latest that you can use to run the server.

Pre-built Container Images

โœ… Ready-to-use images are automatically published to quay.io!

# Pull the latest stable image docker pull quay.io/flightctl/flightctl-mcp:latest # Run immediately with streamable-http transport docker run -p 8000:8000 quay.io/flightctl/flightctl-mcp:latest

Automated Publishing

  • ๐Ÿ”„ Automatic builds: Every commit merged to main triggers a new build

  • โœ… Quality assured: Only builds after passing all tests (linting, type checking, unit tests)

  • ๐Ÿ”’ Security scanned: All images are scanned for vulnerabilities with Trivy

  • ๐Ÿ—๏ธ Multi-platform: Available for both linux/amd64 and linux/arm64

  • ๐Ÿท๏ธ Smart tagging: Images tagged with latest, branch name, and commit SHA

For maintainers: See CONTAINER-PUBLISHING.md for setup instructions and workflow details.

Running with Podman or Docker

Example: Using Automatic Configuration (Recommended)

If you've run flightctl login, you can mount the config directory. Note: The server now defaults to streamable-http transport for better web-based integration.

{ "mcpServers": { "mcp-server": { "command": "podman", "args": [ "run", "-i", "--rm", "-p", "8000:8000", "-v", "~/.config/flightctl:/root/.config/flightctl:ro", "-e", "MCP_TRANSPORT", "-e", "MCP_HOST", "-e", "MCP_PORT", "quay.io/flightctl/flightctl-mcp:latest" ], "env": { "MCP_TRANSPORT": "streamable-http", "MCP_HOST": "0.0.0.0", "MCP_PORT": "8000" } } } }

Example: Using Environment Variables

For environments where mounting the config file isn't possible:

{ "mcpServers": { "mcp-server": { "command": "podman", "args": [ "run", "-i", "--rm", "-p", "8000:8000", "-e", "API_BASE_URL", "-e", "OIDC_TOKEN_URL", "-e", "OIDC_CLIENT_ID", "-e", "REFRESH_TOKEN", "-e", "INSECURE_SKIP_VERIFY", "-e", "LOG_LEVEL", "-e", "MCP_TRANSPORT", "-e", "MCP_HOST", "-e", "MCP_PORT", "quay.io/flightctl/flightctl-mcp:latest" ], "env": { "API_BASE_URL": "https://api.flightctl.example.com", "OIDC_TOKEN_URL": "https://auth.flightctl.example.com/realms/flightctl/protocol/openid-connect/token", "OIDC_CLIENT_ID": "flightctl", "REFRESH_TOKEN": "REDACTED", "INSECURE_SKIP_VERIFY": "false", "LOG_LEVEL": "INFO", "MCP_TRANSPORT": "streamable-http", "MCP_HOST": "0.0.0.0", "MCP_PORT": "8000" } } } }

Transport Configuration

The MCP server supports three transport methods with stdio as the default for maximum compatibility:

STDIO (Default - Most Compatible)

  • Best for: Local tools, command-line scripts, integrations with clients like Claude Desktop

  • Configuration: Set MCP_TRANSPORT=stdio (default)

  • Why default: Maximum compatibility with existing MCP clients

Streamable HTTP (Recommended for Web Deployments)

  • Best for: Web-based deployments, microservices, exposing MCP over a network

  • Default endpoint: http://127.0.0.1:8000/mcp

  • Configuration: Set MCP_TRANSPORT=streamable-http

  • Note: Requires MCP clients that support the new streamable-http transport

SSE (Server-Sent Events)

  • Best for: Legacy deployments that specifically require SSE

  • Configuration: Set MCP_TRANSPORT=sse

  • Default endpoint: http://127.0.0.1:8000/sse

Authentication Setup

The MCP server uses OIDC/OAuth2 refresh tokens for authentication. To obtain the required credentials:

  1. OIDC_TOKEN_URL: This is typically in the format https://your-auth-server/realms/your-realm/protocol/openid-connect/token

    • If you only have the base realm URL (e.g., https://auth.example.com/realms/flightctl), the server will automatically append /protocol/openid-connect/token

  2. REFRESH_TOKEN: Obtain this from your Flight Control authentication system

    • This token should have appropriate permissions to read Flight Control resources

  3. OIDC_CLIENT_ID: Usually flightctl (this is the default if not specified)

Configuration

The MCP server supports two configuration methods:

1. Automatic Configuration (Recommended)

If you've run flightctl login, the server will automatically read configuration from ~/.config/flightctl/client.yaml. This includes:

  • API server URL

  • OIDC authentication settings

  • SSL certificate configuration

  • Refresh tokens

2. Environment Variable Configuration

The following environment variables can override or supplement the automatic configuration:

  • API_BASE_URL: Base URL for the Flight Control API (e.g., https://api.flightctl.example.com) - Optional (read from config file)

  • OIDC_TOKEN_URL: Full URL to the OIDC token endpoint (e.g., https://auth.flightctl.example.com/realms/flightctl/protocol/openid-connect/token) - Optional (read from config file)

  • OIDC_CLIENT_ID: OIDC client identifier (defaults to flightctl) - Optional

  • REFRESH_TOKEN: OAuth2 refresh token for authentication - Optional (read from config file)

  • INSECURE_SKIP_VERIFY: Skip SSL certificate verification (true/false) - Optional (read from config file)

  • CA_CERT_PATH: Path to custom CA certificate file for SSL verification - Optional

  • LOG_LEVEL: Logging level (DEBUG, INFO, WARNING, ERROR) - Optional (defaults to INFO)

3. MCP Transport Configuration

The following environment variables control the MCP server transport and network settings:

  • MCP_TRANSPORT: Transport mechanism (stdio, sse, streamable-http) - Optional (defaults to stdio)

  • MCP_HOST: Host to bind to for HTTP transports - Optional (defaults to 127.0.0.1)

  • MCP_PORT: Port to listen on for HTTP transports - Optional (defaults to 8000)

  • MCP_PATH: Path for the MCP endpoint - Optional (defaults to /mcp for streamable-http)

  • MCP_LOG_LEVEL: Server log level (debug, info, warning, error) - Optional (defaults to info)

SSL Certificate Handling

The server properly handles SSL certificates in the following priority:

  1. Custom CA Certificate: If CA_CERT_PATH is set, uses the specified certificate file

  2. Skip SSL Verification: If INSECURE_SKIP_VERIFY=true, disables certificate verification (useful for development)

  3. System CA Bundle: Uses the system's default certificate authority bundle (production default)

Logging

The server uses file-based logging to avoid conflicts with the MCP protocol on stdio:

  • Log Location: ~/.local/share/flightctl-mcp/flightctl-mcp.log

  • Log Rotation: Automatic rotation at 10MB with 5 backup files

  • Log Levels: Configurable via LOG_LEVEL environment variable

  • Structured Logging: Includes timestamps, component names, and detailed error context

Error Handling

The server provides robust error handling:

  • Specific Exceptions: Uses typed exceptions (AuthenticationError, APIError, FlightControlError)

  • Detailed Logging: All errors are logged with full context

Running the Server

Local Development

# Run with default stdio transport python main.py # Run with streamable-http transport (for web deployments) MCP_TRANSPORT=streamable-http python main.py # Run with custom HTTP configuration MCP_TRANSPORT=streamable-http MCP_HOST=0.0.0.0 MCP_PORT=8080 python main.py

Accessing the HTTP Endpoint

When running with HTTP transport, the MCP endpoint will be available at:

  • Streamable HTTP: http://127.0.0.1:8000/mcp (default)

  • SSE: http://127.0.0.1:8000/sse

Client Connection Examples

For HTTP clients (streamable-http):

from fastmcp import Client # Connect to streamable-http server client = Client("http://127.0.0.1:8000/mcp")

For Claude Desktop (stdio):

{ "mcpServers": { "flightctl": { "command": "python", "args": ["main.py"], "env": { "MCP_TRANSPORT": "stdio" } } } }

API Endpoints

The MCP server exposes the following tool endpoints:

Device Management

  • query_devices: Query and filter devices using label and field selectors

  • run_command_on_device: Execute Linux commands on specific devices

Fleet Management

  • query_fleets: Query and filter fleet configurations

Events and Monitoring

  • query_events: Query system events and audit logs

Enrollment

  • query_enrollment_requests: Query device enrollment requests

Configuration Management

  • query_repositories: Query configuration repositories

  • query_resource_syncs: Query resource synchronization status

Testing

Live Instance Testing

To test against your actual Flight Control instance:

# Ensure you have logged in first flightctl login # Run the live integration test python test_live_instance.py

Unit Testing

# Run unit tests python -m pytest test_flightctl_mcp.py -v # Run with coverage python -m pytest test_flightctl_mcp.py --cov=resource_queries --cov=main --cov=cli --cov-report=html

MCP Client Testing

# Test the MCP server with a simple client python -c " from fastmcp import Client import asyncio async def test(): client = Client('http://127.0.0.1:8000/mcp') async with client: tools = await client.list_tools() print(f'Available tools: {[t.name for t in tools]}') asyncio.run(test()) "

Troubleshooting

Common Issues

  1. Server not starting: Check if the port is already in use

    lsof -i :8000

  2. Authentication failures: Verify your Flight Control credentials

    flightctl login

  3. Connection refused: Ensure the server is running and accessible

    curl -v http://127.0.0.1:8000/mcp

  4. Transport issues: Verify the transport configuration matches your client

    # Check server logs tail -f ~/.local/share/flightctl-mcp/flightctl-mcp.log

Debug Mode

Enable debug logging for more detailed information:

MCP_LOG_LEVEL=debug LOG_LEVEL=DEBUG python main.py

Migration from STDIO

If you're migrating from the previous stdio-only version:

  1. Update your client configuration to use HTTP endpoints instead of stdio

  2. Set environment variables for host/port configuration if needed

  3. Update firewall rules if running on a remote server

  4. Test the connection using the provided client examples

The server will still support stdio transport if you set MCP_TRANSPORT=stdio, maintaining backward compatibility.

Features

  • Read-only querying of devices, fleets, events, enrollment requests, repositories, and resource syncs from Flight Control

  • Support for filtering by labels and fields using Kubernetes-style selectors

  • Context-rich JSON responses including metadata and links to related resources

  • Secure OIDC/OAuth2 refresh tokenโ€“based authentication

  • Remote device console access for executing commands on managed devices

  • Automatic pagination handling for large result sets

Documentation

API endpoints, filtering options, and example requests will be described in the docs/ directory or in the OpenAPI specification.

License

This project is open source. See LICENSE for details.

Contributing

Issues and pull requests are welcome! Please see CONTRIBUTING.md for guidelines.

This server cannot be installed

-
security - not tested
F
license - not found
-
quality - not tested

How are these scores calculated?

Resources

New MCP Servers

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/flightctl/flightctl-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server