io.github.nogoo9/no-crd
Dynamic pod spawner & proxy for ephemeral AI agent workspaces on Kubernetes without CRDs
Verdict not yet evaluated for this tool. The hybrid eval runs adversarial cases first; coverage rolls out as the corpus expands. Until a verdict is recorded, an agent should treat this tool as not-yet-cleared and fall back to its own checks. Method: hybrid eval, four-state verdict, honest limits.
{
"mcpServers": {
"no-crd": {
"command": "npx",
"args": [
"-y",
"@nogoo9/no-crd"
],
"env": {
"KUBECONFIG": "<kubeconfig>",
"BASE_URL": "<base_url>",
"STATELESS": "<stateless>",
"TLS_CERT": "<tls_cert>",
"TLS_KEY": "<your-tls_key>",
"TLS_CA": "<tls_ca>",
"NODE_TLS_REJECT_UNAUTHORIZED": "<node_tls_reject_unauthorized>",
"REGISTRY_URL": "<registry_url>",
"TEMPLATES_DIR": "<templates_dir>",
"BUILTIN_TEMPLATES": "<builtin_templates>",
"AUTH_ENABLED": "<auth_enabled>",
"JWT_VERIFICATION_REQUIRED": "<jwt_verification_required>",
"JWT_SECRET": "<your-jwt_secret>",
"JWT_PUBLIC_KEY": "<your-jwt_public_key>",
"JWKS_URI": "<jwks_uri>",
"INTROSPECTION_ENDPOINT": "<introspection_endpoint>",
"OAUTH_CLIENT_ID": "<oauth_client_id>",
"OAUTH_CLIENT_SECRET": "<your-oauth_client_secret>",
"JWT_AUDIENCE": "<jwt_audience>",
"AUTH_ISSUER": "<auth_issuer>",
"AUTH_SUB_JSONPATH": "<auth_sub_jsonpath>",
"AUTH_ADMIN_ROLE": "<auth_admin_role>",
"PROXY_SESSION_TTL": "<proxy_session_ttl>",
"PROXY_SESSION_SECRET": "<your-proxy_session_secret>",
"UI_ENABLED": "<ui_enabled>",
"THEMES_DIR": "<themes_dir>",
"THEMES_CONFIGMAP": "<themes_configmap>",
"DOCS_DIR": "<docs_dir>",
"OAUTH_DISCOVERY_URL": "<oauth_discovery_url>",
"OAUTH_LOGIN_METHOD": "<oauth_login_method>",
"UI_TITLE": "<ui_title>",
"UI_SUBTITLE": "<ui_subtitle>"
}
}
}
}{
"mcpServers": {
"no-crd": {
"command": "npx",
"args": [
"-y",
"@nogoo9/no-crd"
],
"env": {
"KUBECONFIG": "<kubeconfig>",
"BASE_URL": "<base_url>",
"STATELESS": "<stateless>",
"TLS_CERT": "<tls_cert>",
"TLS_KEY": "<your-tls_key>",
"TLS_CA": "<tls_ca>",
"NODE_TLS_REJECT_UNAUTHORIZED": "<node_tls_reject_unauthorized>",
"REGISTRY_URL": "<registry_url>",
"TEMPLATES_DIR": "<templates_dir>",
"BUILTIN_TEMPLATES": "<builtin_templates>",
"AUTH_ENABLED": "<auth_enabled>",
"JWT_VERIFICATION_REQUIRED": "<jwt_verification_required>",
"JWT_SECRET": "<your-jwt_secret>",
"JWT_PUBLIC_KEY": "<your-jwt_public_key>",
"JWKS_URI": "<jwks_uri>",
"INTROSPECTION_ENDPOINT": "<introspection_endpoint>",
"OAUTH_CLIENT_ID": "<oauth_client_id>",
"OAUTH_CLIENT_SECRET": "<your-oauth_client_secret>",
"JWT_AUDIENCE": "<jwt_audience>",
"AUTH_ISSUER": "<auth_issuer>",
"AUTH_SUB_JSONPATH": "<auth_sub_jsonpath>",
"AUTH_ADMIN_ROLE": "<auth_admin_role>",
"PROXY_SESSION_TTL": "<proxy_session_ttl>",
"PROXY_SESSION_SECRET": "<your-proxy_session_secret>",
"UI_ENABLED": "<ui_enabled>",
"THEMES_DIR": "<themes_dir>",
"THEMES_CONFIGMAP": "<themes_configmap>",
"DOCS_DIR": "<docs_dir>",
"OAUTH_DISCOVERY_URL": "<oauth_discovery_url>",
"OAUTH_LOGIN_METHOD": "<oauth_login_method>",
"UI_TITLE": "<ui_title>",
"UI_SUBTITLE": "<ui_subtitle>"
}
}
}
}npx -y @nogoo9/no-crdKUBECONFIGPath to the Kubernetes API credentials configuration file
BASE_URLHosting URL subpath prefix for gateways and reverse proxies
STATELESSDisable in-memory session tracking for stateless execution
TLS_CERTLocal file path containing TLS public certificate (HTTPS)
TLS_KEYLocal file path containing TLS private key (HTTPS)
TLS_CALocal file path containing trusted client Certificate Authority
NODE_TLS_REJECT_UNAUTHORIZEDSet to '0' to allow connection to unverified TLS endpoints
REGISTRY_URLDefault container registry for workspace image resolution
TEMPLATES_DIRLocal filesystem directory containing custom YAML/JSON templates
BUILTIN_TEMPLATESEnable loading of standard pre-configured templates (default: true)
AUTH_ENABLEDEnforce JWT verification and user tenant isolation (default: false)
JWT_VERIFICATION_REQUIREDSet to 'false' to skip OIDC cryptographic signature checks
JWT_SECRETHMAC-SHA symmetric secret key to sign/verify JWT tokens
JWT_PUBLIC_KEYPEM public key to verify asymmetric OIDC signatures
JWKS_URIDiscovery URI to fetch keys from OIDC provider dynamically
INTROSPECTION_ENDPOINTRFC 7662 compliant token introspection validation endpoint
OAUTH_CLIENT_IDClient identifier for OAuth2 authentication flows
OAUTH_CLIENT_SECRETClient secret credentials used for token introspection
JWT_AUDIENCETarget audience check value for incoming OIDC tokens
AUTH_ISSUERExpected token issuer authority check value (e.g. Keycloak)
AUTH_SUB_JSONPATHJSONPath pattern to extract user identity subject from token
AUTH_ADMIN_ROLEBypass role name that grants admin access (default: nogoo9-admin)
PROXY_SESSION_TTLActive lifetime in seconds for signed proxy session cookies
PROXY_SESSION_SECRETSecret key for session cookie signing
UI_ENABLEDServe the built-in HTML dashboard (default: true)
THEMES_DIRFilesystem directory to scan for custom CSS themes
THEMES_CONFIGMAPConfigMap name storing dynamic CSS theme overrides
DOCS_DIRDirectory containing static documentation web files to serve
OAUTH_DISCOVERY_URLStandard OIDC .well-known configuration discovery endpoint
OAUTH_LOGIN_METHODUI SSO flow login method: 'redirect' or silent 'iframe'
UI_TITLECustom dashboard header title for white-label branding
UI_SUBTITLECustom dashboard subtitle text below the header title
Deploy containers on Kubernetes with x402 billing. 9 workload types and source builds.
Provides read access to your GKE and Kubernetes resources.
MCP server for Argo RPG Platform — connects AI assistants to campaign data via OAuth2