Dynamic pod spawner & proxy for ephemeral AI agent workspaces on Kubernetes without CRDs

Tags: stdio, community, infra

Package Details

Transport: stdio
Runtime: bunx

Runtime Arguments

Named
--transport
Transport channel for MCP client-server communication: stdio, http, both
--mode
Kubernetes cluster access scope: cluster-wide or namespace-restricted
--namespace
Target namespace for workspace pods, services, and local templates
--port
HTTP port for SSE transport, routing proxy, and dashboard UI
--host
Network interface host address to bind the HTTP server to
--log-level
Granularity of output logs: debug, info, warning, error, fatal
--disable-permission-checks
Skip the startup diagnostics that verify the Kubernetes RBAC permissions the server needs; the API server still enforces RBAC, so a missing permission surfaces later as a failed spawn instead of at startup
--cors-origin
Allowed origins for HTTP CORS cross-site requests (default: *); restrict this to the dashboard origin when the HTTP transport is exposed beyond localhost
--cors-methods
Allowed HTTP request methods for CORS configuration
--cors-headers
Allowed HTTP header names for incoming CORS requests
--cors-allow-credentials
Allow credentials (cookies, Authorization headers) in cross-origin requests; browsers refuse credentialed requests when the allowed origin is the wildcard *, so this only takes effect together with an explicit --cors-origin
--auth-required-read-scope
Mandatory OAuth scope claim value to query or get workspaces
--auth-required-write-scope
Mandatory OAuth scope claim value to spawn or stop workspaces
--auth-scope-jsonpath
JSONPath pattern to extract scope permissions from the token payload
--auth-required-read-role
OAuth role required to view workspaces (e.g. reader)
--auth-required-write-role
OAuth role required to spawn or delete workspaces (e.g. writer)
--auth-roles-jsonpath
JSONPath query to retrieve user roles list from token payload

Environment Variables

KUBECONFIG

Path to the Kubernetes API credentials configuration file

BASE_URL

Hosting URL subpath prefix for gateways and reverse proxies

STATELESS

Disable in-memory session tracking for stateless execution

TLS_CERT

Local file path containing TLS public certificate (HTTPS)

TLS_KEY
Secret

Local file path containing TLS private key (HTTPS)

TLS_CA

Local file path containing trusted client Certificate Authority

NODE_TLS_REJECT_UNAUTHORIZED

Set to '0' to allow connections to TLS endpoints with unverifiable certificates; this is Node's process-wide switch and disables certificate validation for every outbound TLS connection (Kubernetes API, JWKS, introspection), so use it only for local development

REGISTRY_URL

Default container registry for workspace image resolution

TEMPLATES_DIR

Local filesystem directory containing custom YAML/JSON templates

BUILTIN_TEMPLATES

Enable loading of standard pre-configured templates (default: true)

AUTH_ENABLED

Enforce JWT verification and user tenant isolation (default: false)

JWT_VERIFICATION_REQUIRED

Set to 'false' to skip OIDC cryptographic signature checks; with verification off, any client that can encode a JWT payload with the expected claims is accepted, so leave this at its default outside local testing

JWT_SECRET
Secret

HMAC-SHA symmetric secret key to sign/verify JWT tokens; anyone holding it can mint valid tokens, so prefer JWT_PUBLIC_KEY or JWKS_URI when the identity provider signs with an asymmetric key

JWT_PUBLIC_KEY
Secret

PEM public key to verify asymmetric OIDC signatures

JWKS_URI

Discovery URI to fetch keys from OIDC provider dynamically

INTROSPECTION_ENDPOINT

RFC 7662 compliant token introspection validation endpoint

OAUTH_CLIENT_ID

Client identifier for OAuth2 authentication flows

OAUTH_CLIENT_SECRET
Secret

Client secret credentials used for token introspection

JWT_AUDIENCE

Target audience check value for incoming OIDC tokens

AUTH_ISSUER

Expected token issuer authority check value (e.g. Keycloak)

AUTH_SUB_JSONPATH

JSONPath pattern to extract user identity subject from token

AUTH_ADMIN_ROLE

Role name that grants admin access, bypassing the per-user scope and role checks (default: nogoo9-admin)
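
The listing above does not show how the auth settings combine at request time. The following is an added illustration, not the project's own code: it models JWT_SECRET (HS256), AUTH_ISSUER, JWT_AUDIENCE, AUTH_SUB_JSONPATH, the scope and roles JSONPaths, the required read/write scopes and roles, AUTH_ADMIN_ROLE and JWT_VERIFICATION_REQUIRED as fields of an assumed AuthConfig, treats every configured requirement as mandatory (the page does not say whether scope and role checks are combined with AND or OR), supports only dotted JSONPaths, and uses constructed tokens signed with a throwaway secret. The last case shows what JWT_VERIFICATION_REQUIRED=false actually buys an attacker.

```python
"""Added example: authorization decision for the nogoo9-style auth knobs.

Not the project's implementation. Assumes HS256 tokens, dotted JSONPaths
only, and that every configured scope/role requirement must be satisfied.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthConfig:
    # Field names mirror the listed env vars / flags; the values are assumptions.
    secret: bytes = b"change-me"                            # JWT_SECRET
    issuer: str = "https://keycloak.example/realms/dev"    # AUTH_ISSUER
    audience: str = "nogoo9"                                # JWT_AUDIENCE
    verification_required: bool = True                      # JWT_VERIFICATION_REQUIRED
    sub_jsonpath: str = "$.sub"                             # AUTH_SUB_JSONPATH
    scope_jsonpath: str = "$.scope"                         # --auth-scope-jsonpath
    roles_jsonpath: str = "$.realm_access.roles"            # --auth-roles-jsonpath
    required_read_scope: str = "workspaces:read"            # --auth-required-read-scope
    required_write_scope: str = "workspaces:write"          # --auth-required-write-scope
    required_read_role: str = "reader"                      # --auth-required-read-role
    required_write_role: str = "writer"                     # --auth-required-write-role
    admin_role: str = "nogoo9-admin"                        # AUTH_ADMIN_ROLE


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWT (used here only to build sample tokens)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def json_path(obj, path: str):
    """Minimal dotted JSONPath ('$.realm_access.roles'); None when absent."""
    cur = obj
    for part in path.lstrip("$").strip(".").split("."):
        if not part:
            continue
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def verify_and_decode(token: str, cfg: AuthConfig, now: Optional[float] = None) -> dict:
    """Return the payload if signature (when required), issuer, audience, expiry and subject check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(body_b64))
    if cfg.verification_required:
        # Pin the algorithm instead of trusting the header's 'alg' to select a verifier.
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(cfg.secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
    if payload.get("iss") != cfg.issuer:
        raise ValueError("unexpected issuer")
    aud = payload.get("aud")
    if cfg.audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("unexpected audience")
    now = time.time() if now is None else now
    if "exp" in payload and payload["exp"] <= now:
        raise ValueError("expired")
    if json_path(payload, cfg.sub_jsonpath) is None:
        raise ValueError("no subject claim")
    return payload


def authorize(payload: dict, cfg: AuthConfig, action: str) -> bool:
    """action is 'read' (query/get workspaces) or 'write' (spawn/stop workspaces)."""
    roles = json_path(payload, cfg.roles_jsonpath) or []
    if cfg.admin_role in roles:          # admin role bypasses scope/role checks
        return True
    scopes = json_path(payload, cfg.scope_jsonpath)
    scopes = scopes.split() if isinstance(scopes, str) else (scopes or [])
    need_scope = cfg.required_read_scope if action == "read" else cfg.required_write_scope
    need_role = cfg.required_read_role if action == "read" else cfg.required_write_role
    if need_scope and need_scope not in scopes:
        return False
    if need_role and need_role not in roles:
        return False
    return True


def demo() -> dict:
    """Exercise the checks with constructed sample tokens (not real credentials)."""
    cfg = AuthConfig()
    now = 1_700_000_000
    base = {"iss": cfg.issuer, "aud": cfg.audience, "sub": "alice", "exp": now + 300}
    writer = sign_hs256({**base, "scope": "workspaces:read workspaces:write",
                         "realm_access": {"roles": ["writer"]}}, cfg.secret)
    reader = sign_hs256({**base, "scope": "workspaces:read",
                         "realm_access": {"roles": ["reader"]}}, cfg.secret)
    admin = sign_hs256({**base, "realm_access": {"roles": ["nogoo9-admin"]}}, cfg.secret)
    forged = sign_hs256({**base, "scope": "workspaces:write",
                         "realm_access": {"roles": ["writer"]}}, b"attacker-guess")
    out = {
        "writer_can_write": authorize(verify_and_decode(writer, cfg, now), cfg, "write"),
        "reader_can_write": authorize(verify_and_decode(reader, cfg, now), cfg, "write"),
        "reader_can_read": authorize(verify_and_decode(reader, cfg, now), cfg, "read"),
        "admin_bypass": authorize(verify_and_decode(admin, cfg, now), cfg, "write"),
    }
    try:
        verify_and_decode(forged, cfg, now)
        out["forged_rejected"] = False
    except ValueError:
        out["forged_rejected"] = True
    lax = AuthConfig(verification_required=False)  # JWT_VERIFICATION_REQUIRED=false
    out["forged_accepted_when_unverified"] = authorize(verify_and_decode(forged, lax, now), lax, "write")
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The forged token carries every claim the policy looks for; only the signature check stands between it and a spawn, which is why the verification switch matters more than any of the scope or role settings.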

PROXY_SESSION_TTL

Active lifetime in seconds for signed proxy session cookies

PROXY_SESSION_SECRET
Secret

Secret key for session cookie signing

UI_ENABLED

Serve the built-in HTML dashboard (default: true)

THEMES_DIR

Filesystem directory to scan for custom CSS themes

THEMES_CONFIGMAP

ConfigMap name storing dynamic CSS theme overrides

DOCS_DIR

Directory containing static documentation web files to serve

OAUTH_DISCOVERY_URL

Standard OIDC .well-known configuration discovery endpoint

OAUTH_LOGIN_METHOD

UI SSO flow login method: 'redirect' or silent 'iframe'

UI_TITLE

Custom dashboard header title for white-label branding

UI_SUBTITLE

Custom dashboard subtitle text below the header title