Nicolas Koehl
53bee3340f
- Document 24-hour automatic certificate renewal - Clarify that CA chain is stable and trustworthy long-term - Update security considerations with SSL trust setup - Provide clear guidance for long-term certificate trust 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
9.0 KiB
MCP Integration Guide
Nomad MCP provides seamless integration with AI assistants through the Model Context Protocol (MCP), enabling AI agents to interact with your Nomad cluster directly.
What is the Model Context Protocol (MCP)?
The Model Context Protocol (MCP) is a standardized way for AI agents to interact with external tools and services. It allows AI models to call specific functions and receive structured responses, which they can then incorporate into their reasoning and responses.
Zero-Config MCP Integration
Nomad MCP uses FastAPI MCP to automatically expose all API endpoints as MCP tools with zero configuration. This means that all endpoints in the REST API are immediately available as MCP tools without any manual definition or configuration.
Connection Endpoint
AI assistants can connect to the MCP endpoint at:
http://your-server:8000/mcp/sse
The SSE (Server-Sent Events) transport is used for communication between the AI agent and the MCP server.
Available Tools
All the endpoints in the following routers are automatically exposed as MCP tools:
- Jobs: Managing Nomad jobs (start, stop, restart, etc.)
- Logs: Retrieving job and allocation logs
- Configs: Managing job configurations
- Repositories: Working with code repositories
Each endpoint is converted to an MCP tool with:
- Proper parameter validation
- Detailed descriptions
- Type information
- Example values
Example MCP Interactions
Here are some examples of how an AI agent might use the MCP tools:
Listing Jobs
{
"type": "tool_call",
"content": {
"name": "list_jobs",
"parameters": {
"namespace": "development"
}
}
}
Getting Job Status
{
"type": "tool_call",
"content": {
"name": "get_job_status",
"parameters": {
"job_id": "my-service"
}
}
}
Starting a Job
{
"type": "tool_call",
"content": {
"name": "start_job",
"parameters": {
"job_id": "my-service",
"namespace": "development"
}
}
}
MCP Integration Options
Nomad MCP provides two integration approaches:
1. FastAPI MCP Integration (Zero-Config)
Automatically exposes all REST API endpoints as MCP tools via SSE:
http://your-server:8000/mcp/sse
2. Standalone MCP Server (Claude Desktop)
A dedicated MCP server optimized for Claude Desktop with enhanced capabilities.
Setting Up Claude Desktop with Standalone MCP Server
Prerequisites
-
Install Dependencies:
uv venv uv pip install -r requirements.txt -
Set Environment Variables:
export NOMAD_ADDR="http://your-nomad-server:4646" export NOMAD_NAMESPACE="development" # optional
Local Setup
-
Configure Claude Desktop (
~/Library/Application Support/Claude/claude_desktop_config.json):{ "mcpServers": { "nomad-mcp": { "command": "/path/to/nomad_mcp/run_mcp_server.sh", "env": { "NOMAD_ADDR": "http://your-nomad-server:4646" } } } } -
Restart Claude Desktop to load the configuration
Available MCP Tools
The standalone MCP server provides these tools:
list_nomad_jobs- List all jobs in a namespaceget_job_status- Get detailed job status and healthstop_job- Stop jobs with optional purgerestart_job- Restart jobscreate_job- Create jobs from specificationssubmit_job_file⭐ - Submit Nomad job files (JSON/HCL)get_job_logs- Retrieve stdout/stderr logsget_allocation_status⭐ - Detailed allocation monitoringget_job_evaluations⭐ - Placement failure analysisforce_evaluate_job⭐ - Retry failed placements
Example Workflow
-
Submit a job file:
Please submit this job file: [paste JSON job spec] -
Monitor deployment:
Check the status and allocations for my-service -
Debug issues:
Get evaluations for my-service to see why it failed -
Force retry:
Force evaluate my-service to retry placement
Claude Code Integration
Claude Code can directly connect to the FastAPI MCP endpoint:
claude-code --mcp-url http://your-server:8000/mcp/sse
Claude API Integration
For integration with the Claude API, you can use the MCP toolchain configuration provided in the claude_nomad_tool.json file.
See the Claude API Integration Documentation for more detailed instructions.
Network Deployment
Running MCP Server on Nomad Cluster
You can deploy the MCP server itself on your Nomad cluster for centralized access.
Option 1: FastAPI MCP Server (HTTP/SSE)
Deploy the full FastAPI application with MCP endpoint:
# Start the FastAPI server with MCP endpoint
uvicorn app.main:app --host 0.0.0.0 --port 8000
Access via: http://your-nomad-server:8000/mcp/sse
Option 2: Standalone MCP Server (TCP/Network)
For network access to the standalone MCP server, you'll need to modify it to use TCP transport instead of stdio.
Current limitation: The standalone MCP server (mcp_server.py) uses stdio transport, which is designed for local process communication.
Network solution: Create a TCP-based version or use the FastAPI MCP endpoint instead.
Claude Desktop Network Configuration
To connect Claude Desktop to a network MCP server:
For FastAPI MCP (Recommended)
Create a wrapper script that uses the HTTP/SSE endpoint:
{
"mcpServers": {
"nomad-mcp-network": {
"command": "npx",
"args": [
"@modelcontextprotocol/server-everything",
"--url", "http://your-nomad-server:8000/mcp/sse"
]
}
}
}
For Custom Network MCP Server
If you need a network-accessible standalone MCP server, you would need to:
- Modify the transport in
mcp_server.pyfrom stdio to TCP - Add network security (authentication, TLS)
- Configure Claude Desktop to connect via TCP
Example network MCP server (requires modification):
# In mcp_server.py - replace stdio with TCP transport
import mcp.server.tcp
async def main():
async with mcp.server.tcp.tcp_server("0.0.0.0", 8001) as server:
await server.run(...)
Claude Desktop config for network TCP:
{
"mcpServers": {
"nomad-mcp-tcp": {
"command": "mcp-client",
"args": ["tcp://your-nomad-server:8001"]
}
}
}
Security Considerations for Network Deployment
When deploying MCP servers on the network:
- Use HTTPS/TLS for HTTP-based MCP servers
- Implement authentication (API keys, OAuth, etc.)
- Network isolation (VPN, private networks)
- Firewall rules to restrict access
- Rate limiting to prevent abuse
- Audit logging for all MCP operations
SSL Certificate Trust
For Mei Sheng Group internal services:
- Use the provided CA bundle in
/certs/meisheng_ca_bundle.pem - Automatic certificate renewal - Server certificates renew every 24 hours
- Stable CA chain - The certificate authority chain can be trusted long-term
- Environment configuration - Source
.env.sslfor proper SSL verification
# Configure SSL trust for development
source .env.ssl
# Test SSL connections
uv run python certs/test_ssl.py
Recommended Network Architecture
Claude Desktop → HTTPS/WSS → Load Balancer → FastAPI MCP Server → Nomad API
(secure) (optional) (on cluster) (internal)
Debugging MCP Connections
If you're having issues with MCP connections:
- Check the server logs for connection attempts and errors
- Verify that the
BASE_URLenvironment variable is correctly set - Ensure the AI agent has network access to the MCP endpoint
- Check that the correct MCP endpoint URL is being used
- Verify the AI agent supports the SSE transport for MCP
Custom Tool Configurations
While the zero-config approach automatically exposes all endpoints, you can customize the MCP tools by modifying the FastAPI MCP initialization in app/main.py:
mcp = FastApiMCP(
app,
base_url=base_url,
name="Nomad MCP Tools",
description="Tools for managing Nomad jobs via MCP protocol",
include_tags=["jobs", "logs", "configs", "repositories"],
# Add custom configurations here
)
Security Considerations
The MCP endpoint provides powerful capabilities for managing your Nomad cluster. Consider implementing:
- Authentication for the MCP endpoint
- Proper network isolation
- Role-based access control
- Audit logging for MCP interactions
By default, the MCP endpoint is accessible without authentication. In production environments, you should implement appropriate security measures.