Skip to main content

MCP server for read-only access to Argo CD instances using browser session cookies

Project description

MCP Read-Only Argo CD Server

Tests License: MIT Python 3.11+

A secure MCP (Model Context Protocol) server that provides read-only access to Argo CD instances using browser session cookies.

Default layout:

  • Config: ~/.config/lukleh/mcp-read-only-argocd/connections.yaml
  • Credentials: stored in connections.yaml
  • Cache: ~/.cache/lukleh/mcp-read-only-argocd/

Features

  • Read-only by design: only read operations are exposed
  • Session cookie authentication: uses your existing argocd.token browser session
  • Multi-instance support: connect to multiple Argo CD instances at once
  • Automatic cookie rotation: refreshed session cookies are persisted to connections.yaml
  • Stale token recovery: a 401 response triggers a one-time Chrome cookie refresh and retry
  • Package-native runtime paths: no repository checkout required for normal use

Why Session Cookies?

Unlike token-based setups, this server can reuse your existing browser session:

  • no extra API token management
  • uses your existing SSO/OIDC login
  • matches the permissions you already have in the UI

Prerequisites

  • Python 3.11 or higher
  • uv
  • an Argo CD browser session cookie
  • an MCP client such as Claude Code or Codex

Quick Start

1. Install the Server

# Run the published package without cloning the repository
uvx mcp-read-only-argocd@latest --write-sample-config

# Or install it once and reuse the command directly
uv tool install mcp-read-only-argocd
mcp-read-only-argocd --write-sample-config

When using uvx, prefer mcp-read-only-argocd@latest in user-facing docs and MCP client configs. This avoids reusing a stale cached tool environment after a new release is published.

The command above writes a starter config to ~/.config/lukleh/mcp-read-only-argocd/connections.yaml.

2. Confirm Runtime Paths

uvx mcp-read-only-argocd@latest --print-paths

3. Edit the Connections File

Edit ~/.config/lukleh/mcp-read-only-argocd/connections.yaml:

- connection_name: staging
  url: https://argocd.example.com
  description: Staging Argo CD
  session_token: your-session-token

- connection_name: production
  url: https://argocd-prod.example.com
  description: Production Argo CD
  session_token: your-other-session-token

4. Get Your argocd.token Session Cookie

  1. Log in to your Argo CD web UI
  2. Open browser developer tools
  3. Go to Application/Storage -> Cookies
  4. Copy the value of the argocd.token cookie

5. Store the Session Cookie

Put the cookie value in the session_token field for each connection in ~/.config/lukleh/mcp-read-only-argocd/connections.yaml. The server detects changes to connections.yaml before tool calls, so editing this file does not require an MCP restart.

If Argo CD rejects the active token with a 401 response, the server tries once to load a fresh argocd.token from Chrome Profile 1 for the matching connection domain. When that token differs from the active token, the failed request is retried once. If the retry succeeds, the fresh token is written back to connections.yaml.

6. Configure Your MCP Client

Claude Code

claude mcp add mcp-read-only-argocd \
  --scope user \
  -- uvx mcp-read-only-argocd@latest

Codex

codex mcp add mcp-read-only-argocd \
  -- uvx mcp-read-only-argocd@latest

7. Restart and Test

Restart your MCP client and try a simple query such as:

List all applications in the staging Argo CD instance.

Configuration

connections.yaml supports a list of Argo CD connections:

- connection_name: staging
  url: https://argocd.example.com
  description: Staging Argo CD instance
  session_token: your-session-token
  timeout: 30
  verify_ssl: true

Fields:

  • connection_name: unique identifier used in tool calls and token refreshes
  • url: Argo CD base URL
  • description: optional human-readable description
  • session_token: Argo CD argocd.token browser cookie
  • timeout: optional request timeout in seconds
  • verify_ssl: optional SSL verification toggle

Runtime path override environment variables:

  • MCP_READ_ONLY_ARGOCD_CONFIG_DIR
  • MCP_READ_ONLY_ARGOCD_CACHE_DIR

Command Line Testing

# Show the resolved runtime paths
uvx mcp-read-only-argocd@latest --print-paths

# Write or refresh the default connections.yaml
uvx mcp-read-only-argocd@latest --write-sample-config
uvx mcp-read-only-argocd@latest --write-sample-config --overwrite

# Run the server with the default home-directory config
uvx mcp-read-only-argocd@latest

# Or point at a different runtime root
uvx mcp-read-only-argocd@latest --config-dir /path/to/config-dir

MCP Tools

Core

  • list_connections
  • get_version
  • get_settings

Applications

  • list_applications
  • get_application
  • get_application_resource_tree
  • get_application_managed_resources
  • get_application_logs

Projects

  • list_projects
  • get_project

Clusters

  • list_clusters
  • get_cluster

Repositories

  • list_repositories
  • get_repository

Local Development

If you want to work on the repository itself:

git clone https://github.com/lukleh/mcp-read-only-argocd.git
cd mcp-read-only-argocd
uv sync --extra dev
uv run pytest -q
uv run mcp-read-only-argocd --print-paths
uv run python smoke_test.py --print-paths

The checked-in sample file remains available at connections.yaml.sample for documentation and review, but package users should prefer --write-sample-config.

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mcp_read_only_argocd-0.3.0.tar.gz (96.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mcp_read_only_argocd-0.3.0-py3-none-any.whl (24.7 kB view details)

Uploaded Python 3

File details

Details for the file mcp_read_only_argocd-0.3.0.tar.gz.

File metadata

  • Download URL: mcp_read_only_argocd-0.3.0.tar.gz
  • Upload date:
  • Size: 96.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for mcp_read_only_argocd-0.3.0.tar.gz
Algorithm Hash digest
SHA256 3ee7b9f4d58fc7655c2a3003a74c016689cbb70060d9582808a4b7161b7868a6
MD5 4328f92825b34666d2e2d9b7810cd0c8
BLAKE2b-256 9e41a3748cb127a00bb819e7bec48f6e602f3f3fcaf849713e0a28e67ca1a714

See more details on using hashes here.

Provenance

The following attestation bundles were made for mcp_read_only_argocd-0.3.0.tar.gz:

Publisher: publish.yml on lukleh/mcp-read-only-argocd

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file mcp_read_only_argocd-0.3.0-py3-none-any.whl.

File metadata

File hashes

Hashes for mcp_read_only_argocd-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 155c71cf655eacfaeb247db8a71cadc6780888bff8d0feb2893351f3761c1ec3
MD5 bc8e3b6ae1b98c7da50e20f4845949b1
BLAKE2b-256 5a8eb7cf06ce2587da5654efe8980eab6a06b835428cbe78424942f6453e8244

See more details on using hashes here.

Provenance

The following attestation bundles were made for mcp_read_only_argocd-0.3.0-py3-none-any.whl:

Publisher: publish.yml on lukleh/mcp-read-only-argocd

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page