Configure External MCP Servers
Alauda Hyperflux ships with a built-in MCP server that provides cluster-aware tools. You can extend the agent's tool set with your own (external) MCP servers — for example an internal wiki search, a CMDB query service, or any other MCP-compatible endpoint.
External MCP servers are declared in ConfigMaps and registered through the installation form. At startup, Alauda Hyperflux connects to each server, lists its tools, and makes them available to the agent alongside the built-in tools.
Declare the MCP servers in a ConfigMap
Create a ConfigMap in the namespace where Alauda Hyperflux is installed (cpaas-system).
Every data key with a .yaml, .yml or .json extension is parsed; the content of each file
must be a list of server entries:
Fields per server entry:
Invalid entries (bad name, missing url, unknown transport, duplicate name) are skipped with an ERROR log; they never prevent the other servers or the service itself from starting.
NOTE: ConfigMap values are stored in plain text. Avoid putting long-lived secrets directly in
headers; rotate any token you place there as you would any shared credential.
Register the ConfigMap
In Administrator / Marketplace / Cluster Plugins, install or update the Alauda Hyperflux
plugin and add the ConfigMap name under Extra MCP Servers ConfigMaps.
Each listed ConfigMap is mounted read-only at /opt/extra-mcp/<configmap-name>/ and scanned
once at startup:
-
Adding or removing a ConfigMap name in the form triggers a rolling restart automatically.
-
Editing the content of an already-registered ConfigMap does not — restart manually:
Tool naming and approval
Tools from an external server are exposed to the agent with the server name as a prefix,
e.g. corp-wiki__search_pages, so they can never collide with built-in tool names.
External tools are subject to the same Tool Approval Strategy as built-in tools:
- With the default strategy
disabled, any tool not annotatedreadOnlyHint: trueby its MCP server is filtered out of the agent's tool set entirely. Many MCP servers do not annotate their tools — in that case none of their tools will be visible until you either switch the strategy totool_annotations(write tools then require interactive approval) or have the MCP server annotate its read-only tools. - With
tool_annotations, read-only tools run freely and all other tools prompt the user for approval before each call.
Verify
Check the startup logs:
Expected lines:
Common failure modes:
Sensitive header values (Authorization, X-API-Key, cookies, and any value longer than
16 characters) are always redacted in logs.