mcpg-control-plane-server
The MCPG control-plane REST/gRPC server that mcpg-ctl and gateway agents talk to — its flags, defaults, and secure-deployment notes.
mcpg-control-plane-server is the REST (/v1) + gRPC server that
mcpg-ctl and gateway agents talk to.
`mcpg-ctl quickstart` and `mcpg-ctl serve` run it in-process; in production you run the
binary directly. Every flag has an `MCPG_CP_*` env var (and also accepts the
long-form `MCPG_CONTROL_PLANE_*` — the short form wins when both are set).
| Flag | Default | Purpose |
|---|---|---|
| `--bind-http` | `127.0.0.1:7843` | REST API + UI |
| `--bind-grpc` | `127.0.0.1:7844` | Agent gRPC contract (mTLS + JWT) |
| `--db-url` | `sqlite://./mcpg-cp.db?mode=rwc` | SQLite (self-host) or `postgres://…` (K8s / Cloud) |
| `--auth-mode` | `none` | `none` (loopback), `oidc`, `mock` |
| `--oidc-issuer` / `--oidc-client-id` / `--oidc-client-secret` | — | OIDC provider |
| `--license-pubkey-pem` | — | Trusted federation Ed25519 public key (PEM) for license-JWT verification |
| `--external-url` | `http://127.0.0.1:7843` | Base URL used in enrolment URLs / OIDC redirects |
| `--grpc-tls` / `--grpc-mtls` | `false` | TLS / mutual TLS for the agent gRPC (mTLS implies TLS) |
| `--provisioner-endpoint` | — | Cloud Provisioner gRPC (unset → Cloud features off, gateway-create returns 503) |
| `--kms-master-key-b64` | — | Base64 32-byte key for AES-256-GCM envelope encryption of at-rest data |
| `--platform-admin-emails` | `""` | Comma-separated admin emails for `/v1/admin/*` under `oidc` (ignored under `none`) |
| `--enforce-paid-plans` | `false` | Gate gateway creation by license plan tier (free → 402) |
| `--json-logs` | (pretty) | Emit JSON logs |
The binary also exposes Kube-provider, tenant-subdomain, Provisioner mTLS, and
telemetry flags (`--kube-provider`, `--kube-namespace`,
`--tenant-subdomain-suffix`, `--provisioner-client-cert-path` and peers,
`--telemetry-endpoint`); run `mcpg-control-plane-server --help` for the full
list with their `MCPG_CP_*` env vars.
```sh
mcpg-control-plane-server # Tier-0 loopback (defaults)

mcpg-control-plane-server \
  --bind-http 0.0.0.0:7843 --bind-grpc 0.0.0.0:7844 \
  --db-url "postgres://cp:secret@db/mcpg" \
  --auth-mode oidc --oidc-issuer https://auth.mcpg.dev --oidc-client-id mcpg-cp \
  --grpc-mtls --external-url https://cp.mcpg.dev \
  --platform-admin-emails alice@acme.com --json-logs
```
The server does not refuse to start when bound beyond loopback with
`auth_mode=none`, or when the agent gRPC runs without TLS — it prints loud `INSECURE:` warnings instead. Don't ignore them: turn on `--auth-mode oidc` and `--grpc-mtls` for any non-loopback deployment.
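As an added example (not the project's own code), a pre-flight check that mirrors the rules on this page: it resolves each flag from `MCPG_CP_*`, then `MCPG_CONTROL_PLANE_*`, then the documented default, and reports the `INSECURE:` conditions before the binary is started. It assumes the env-var name is the upper-cased, underscore form of the flag, and that the gRPC-without-TLS warning applies to non-loopback binds; both are assumptions.

```python
import base64
import os
from ipaddress import ip_address

# Documented defaults for the flags the check looks at (from the table above).
DEFAULTS = {
    "bind-http": "127.0.0.1:7843",
    "bind-grpc": "127.0.0.1:7844",
    "auth-mode": "none",
    "grpc-tls": "false",
    "grpc-mtls": "false",
    "kms-master-key-b64": "",
    "platform-admin-emails": "",
}

def resolve(flag, env):
    """Short-form MCPG_CP_* wins over MCPG_CONTROL_PLANE_*, else the default.
    The flag-to-env mapping (upper-case, dashes to underscores) is an assumption."""
    key = flag.upper().replace("-", "_")
    for prefix in ("MCPG_CP_", "MCPG_CONTROL_PLANE_"):
        if prefix + key in env:
            return env[prefix + key]
    return DEFAULTS.get(flag, "")

def is_loopback(bind):
    """True for 127.0.0.0/8, ::1 or 'localhost' binds such as '[::1]:7844'."""
    host = bind.rsplit(":", 1)[0].strip("[]")
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def preflight(env):
    """Return the findings a deployment with these env vars would trip."""
    cfg = {f: resolve(f, env) for f in DEFAULTS}
    truthy = lambda v: v.lower() in ("1", "true", "yes")
    tls = truthy(cfg["grpc-tls"]) or truthy(cfg["grpc-mtls"])  # mTLS implies TLS
    findings = []
    if not is_loopback(cfg["bind-http"]) and cfg["auth-mode"] == "none":
        findings.append("INSECURE: REST bound beyond loopback with auth-mode=none")
    if not is_loopback(cfg["bind-grpc"]) and not tls:
        findings.append("INSECURE: agent gRPC bound beyond loopback without TLS")
    if cfg["auth-mode"] == "none" and cfg["platform-admin-emails"]:
        findings.append("WARN: platform-admin-emails is ignored under auth-mode=none")
    if cfg["kms-master-key-b64"]:
        try:  # the key must be base64 of exactly 32 bytes (AES-256-GCM)
            if len(base64.b64decode(cfg["kms-master-key-b64"], validate=True)) != 32:
                findings.append("ERROR: kms-master-key-b64 must decode to 32 bytes")
        except ValueError:
            findings.append("ERROR: kms-master-key-b64 is not valid base64")
    return findings

if __name__ == "__main__":
    for line in preflight(dict(os.environ)):
        print(line)
```

Run it in the same environment the unit file or container gives the server; an empty result means none of the documented warning conditions would fire.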
The CLI that drives this server is `mcpg-ctl`.