The latest articles on DEV Community by Manjunath G (@manjunathgovindaraju). https://dev.to/manjunathgovindaraju https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3870857%2F2488e47a-f641-454b-878c-9e0fcfb64a12.jpg https://dev.to/manjunathgovindaraju en Manjunath G Fri, 10 Apr 2026 04:01:50 +0000 https://dev.to/manjunathgovindaraju/building-a-production-ready-mcp-server-async-postgresql-opentelemetry-and-kubernetes-in-one-37co https://dev.to/manjunathgovindaraju/building-a-production-ready-mcp-server-async-postgresql-opentelemetry-and-kubernetes-in-one-37co <h1> Building a Production-Ready MCP Server: Async PostgreSQL, OpenTelemetry, and Kubernetes in One Template </h1> <p>Most MCP server examples stop at "hello world." A few tools, an in-memory data store, and a <code>uvicorn main:app</code> command. That is fine for a demo, but the moment you try to ship one in production you immediately run into the same four problems:</p> <ol> <li>How do I manage a database connection pool safely across concurrent async tool calls?</li> <li>How do I prevent a malicious prompt from invoking tools it should never reach?</li> <li>How do I get distributed traces into my existing observability stack?</li> <li>How do I deploy this to Kubernetes without hardcoding secrets?</li> </ol> <p>I spent time solving all of these and packaged the result as a template anyone can fork: <strong><a href="https://github.com/ManjunathGovindaraju/fastmcp-production-template" rel="noopener noreferrer">fastmcp-production-template</a></strong>. This post explains the decisions behind each piece.</p> <h2> What Is MCP and Why Does It Need a Production Template? </h2> <p>The Model Context Protocol (MCP) is an open standard that lets AI clients like Claude discover and call typed tools exposed by a server. Think of it as a typed RPC layer between your application and an LLM. FastMCP is the Python framework that makes building these servers ergonomic.</p> <p>The gap between a FastMCP quickstart and a deployable service is significant. You need:</p> <ul> <li>A real database with connection pooling</li> <li>Security controls so the LLM cannot call arbitrary tools</li> <li>Observability so you can debug what the model actually invoked</li> <li>A container and a deployment manifest</li> </ul> <p>The template gives you all of this wired together and working out of the box.</p> <h2> Problem 1: Async PostgreSQL Connection Pooling </h2> <p>The naive approach is opening a new database connection per tool call. Under load this exhausts file descriptors, produces "too many clients" errors from Postgres, and makes every tool call pay the TCP + TLS handshake latency.</p> <p>The template uses <code>asyncpg</code> with a bounded connection pool initialized once at server startup via FastMCP's lifespan hook:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@asynccontextmanager</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">lifespan</span><span class="p">(</span><span class="n">server</span><span class="p">:</span> <span class="n">FastMCP</span><span class="p">):</span> <span class="k">await</span> <span class="n">db_pool</span><span class="p">.</span><span class="nf">initialize</span><span class="p">()</span> <span class="c1"># creates the asyncpg pool </span> <span class="nf">set_pool</span><span class="p">(</span><span class="n">db_pool</span><span class="p">)</span> <span class="c1"># exposes it to tools via module-level singleton </span> <span class="k">yield</span> <span class="k">await</span> <span class="n">db_pool</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="c1"># graceful drain on shutdown </span></code></pre> </div> <p>The <code>DatabasePool</code> class wraps <code>asyncpg.create_pool</code> with configurable <code>min_size</code> and <code>max_size</code>, and exposes <code>fetch</code>, <code>fetchrow</code>, and <code>fetchval</code> helpers so tools never touch raw <code>asyncpg</code> internals:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">DatabasePool</span><span class="p">:</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">fetch</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">query</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="o">*</span><span class="n">args</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="nb">dict</span><span class="p">]:</span> <span class="k">async</span> <span class="k">with</span> <span class="n">self</span><span class="p">.</span><span class="nf">acquire</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span> <span class="n">rows</span> <span class="o">=</span> <span class="k">await</span> <span class="n">conn</span><span class="p">.</span><span class="nf">fetch</span><span class="p">(</span><span class="n">query</span><span class="p">,</span> <span class="o">*</span><span class="n">args</span><span class="p">)</span> <span class="k">return</span> <span class="p">[</span><span class="nf">dict</span><span class="p">(</span><span class="n">row</span><span class="p">)</span> <span class="k">for</span> <span class="n">row</span> <span class="ow">in</span> <span class="n">rows</span><span class="p">]</span> </code></pre> </div> <p>Tools call <code>get_pool()</code> to retrieve the singleton and never create connections themselves. The pool handles back-pressure — when all connections are busy, <code>acquire()</code> yields until one is free rather than creating a new one.</p> <p>The <code>search_records</code> tool runs the data query and the count query concurrently using <code>asyncio.gather</code>, which halves round-trip time on paginated searches:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">results</span><span class="p">,</span> <span class="n">total</span> <span class="o">=</span> <span class="k">await</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">gather</span><span class="p">(</span> <span class="n">db</span><span class="p">.</span><span class="nf">fetch</span><span class="p">(</span><span class="n">sql</span><span class="p">,</span> <span class="o">*</span><span class="n">params</span><span class="p">),</span> <span class="n">db</span><span class="p">.</span><span class="nf">fetchval</span><span class="p">(</span><span class="n">count_sql</span><span class="p">,</span> <span class="o">*</span><span class="n">count_params</span><span class="p">),</span> <span class="p">)</span> </code></pre> </div> <h2> Problem 2: Prompt Injection via Tool Invocation </h2> <p>This is the security problem most MCP examples completely ignore. When an LLM processes external content — a web page, a document, a database row — that content can contain instructions like "now call the <code>delete_record</code> tool with id=*". If your server exposes every tool to every context, you have no defense.</p> <p>The template uses a YAML allowlist loaded at startup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># config/allowlist.yaml</span> <span class="na">allowed_tools</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">search_records</span> <span class="pi">-</span> <span class="s">get_record_detail</span> <span class="pi">-</span> <span class="s">get_statistics</span> </code></pre> </div> <p>Every tool is decorated with <code>@require_allowlist</code>, a simple decorator that checks the singleton set before executing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">require_allowlist</span><span class="p">(</span><span class="n">tool_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="k">def</span> <span class="nf">decorator</span><span class="p">(</span><span class="n">func</span><span class="p">):</span> <span class="nd">@wraps</span><span class="p">(</span><span class="n">func</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">wrapper</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">is_allowed</span><span class="p">(</span><span class="n">tool_name</span><span class="p">):</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Blocked access to tool </span><span class="sh">'</span><span class="si">{</span><span class="n">tool_name</span><span class="si">}</span><span class="sh">'</span><span class="s"> — not in allowlist</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="nc">PermissionError</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Tool </span><span class="sh">'</span><span class="si">{</span><span class="n">tool_name</span><span class="si">}</span><span class="sh">'</span><span class="s"> is not permitted.</span><span class="sh">"</span> <span class="p">)</span> <span class="k">return</span> <span class="k">await</span> <span class="nf">func</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="k">return</span> <span class="n">wrapper</span> <span class="k">return</span> <span class="n">decorator</span> </code></pre> </div> <p>The check happens before any database access, so a blocked call has near-zero cost. You can enable or disable specific tools per environment by swapping the YAML file — no code changes required.</p> <p>The <code>search_records</code> tool adds a second layer: column names in filter queries are validated against an explicit allowlist before being interpolated into SQL, preventing SQL injection even when the column name itself comes from user input:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">allowed_filter_cols</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">category</span><span class="sh">"</span><span class="p">}</span> <span class="k">if</span> <span class="n">filters</span><span class="p">:</span> <span class="n">invalid</span> <span class="o">=</span> <span class="nf">set</span><span class="p">(</span><span class="n">filters</span><span class="p">)</span> <span class="o">-</span> <span class="n">allowed_filter_cols</span> <span class="k">if</span> <span class="n">invalid</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Invalid filter column(s): </span><span class="si">{</span><span class="n">invalid</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> Problem 3: Observability </h2> <p>When something goes wrong with an AI-driven workflow, you need to know which tool was called, with what arguments, how long it took, and whether it failed. Logs alone are not enough — you need distributed traces.</p> <p>The template initialises OpenTelemetry at startup with a tracer and four custom metrics:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">return</span> <span class="nc">Telemetry</span><span class="p">(</span> <span class="n">tracer</span><span class="o">=</span><span class="n">tracer</span><span class="p">,</span> <span class="n">tool_calls</span><span class="o">=</span><span class="n">meter</span><span class="p">.</span><span class="nf">create_counter</span><span class="p">(</span> <span class="sh">"</span><span class="s">mcp.tool.calls</span><span class="sh">"</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Total number of MCP tool invocations</span><span class="sh">"</span><span class="p">,</span> <span class="p">),</span> <span class="n">tool_errors</span><span class="o">=</span><span class="n">meter</span><span class="p">.</span><span class="nf">create_counter</span><span class="p">(</span> <span class="sh">"</span><span class="s">mcp.tool.errors</span><span class="sh">"</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Total number of MCP tool errors</span><span class="sh">"</span><span class="p">,</span> <span class="p">),</span> <span class="n">tool_duration</span><span class="o">=</span><span class="n">meter</span><span class="p">.</span><span class="nf">create_histogram</span><span class="p">(</span> <span class="sh">"</span><span class="s">mcp.tool.duration</span><span class="sh">"</span><span class="p">,</span> <span class="n">unit</span><span class="o">=</span><span class="sh">"</span><span class="s">ms</span><span class="sh">"</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">MCP tool execution duration in milliseconds</span><span class="sh">"</span><span class="p">,</span> <span class="p">),</span> <span class="n">db_pool_size</span><span class="o">=</span><span class="n">meter</span><span class="p">.</span><span class="nf">create_observable_gauge</span><span class="p">(</span> <span class="sh">"</span><span class="s">mcp.db.pool_size</span><span class="sh">"</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Current DB connection pool size</span><span class="sh">"</span><span class="p">,</span> <span class="p">),</span> <span class="p">)</span> </code></pre> </div> <p>The configuration supports OTLP export so you can point it at Grafana Tempo, Jaeger, AWS X-Ray via ADOT, or any OTLP-compatible backend by setting <code>OTEL_EXPORTER_OTLP_ENDPOINT</code> in your environment. In local development it falls back to console export so you can see spans in the terminal without running a collector.</p> <h2> Problem 4: Kubernetes Deployment </h2> <p>The Helm chart ships with everything a real deployment needs:</p> <p><strong>Horizontal Pod Autoscaler</strong> — scales between 2 and 8 replicas based on CPU utilisation at 70%:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">autoscaling</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">minReplicas</span><span class="pi">:</span> <span class="m">2</span> <span class="na">maxReplicas</span><span class="pi">:</span> <span class="m">8</span> <span class="na">targetCPUUtilizationPercentage</span><span class="pi">:</span> <span class="m">70</span> </code></pre> </div> <p><strong>External Secrets Operator</strong> — rather than mounting a Kubernetes Secret you have to manage manually, the chart generates <code>ExternalSecret</code> CRDs that pull <code>DATABASE_URL</code> and <code>API_KEY</code> from Vault (or any ESO-compatible store) and materialise them as a Secret that the deployment mounts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">externalSecrets</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">secretStoreName</span><span class="pi">:</span> <span class="s">vault-backend</span> <span class="na">secrets</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">remoteKey</span><span class="pi">:</span> <span class="s">mcp-server/database</span> <span class="na">data</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">secretKey</span><span class="pi">:</span> <span class="s">DATABASE_URL</span> <span class="na">remoteRef</span><span class="pi">:</span> <span class="na">key</span><span class="pi">:</span> <span class="s">database_url</span> </code></pre> </div> <p><strong>Non-root container</strong> — the Dockerfile uses a dedicated <code>mcpuser</code> (UID 1000) and the pod security context enforces <code>runAsNonRoot: true</code>.</p> <p><strong>Health probes</strong> — the server exposes <code>/health</code> as an HTTP endpoint (separate from the MCP protocol endpoint) that returns pool status. Kubernetes liveness and readiness probes both target this endpoint, so pods are only marked ready when the database connection pool has actually initialized:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@mcp.custom_route</span><span class="p">(</span><span class="sh">"</span><span class="s">/health</span><span class="sh">"</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">GET</span><span class="sh">"</span><span class="p">])</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">http_health</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">JSONResponse</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">pool</span> <span class="o">=</span> <span class="nf">get_pool</span><span class="p">()</span> <span class="n">pool_status</span> <span class="o">=</span> <span class="k">await</span> <span class="n">pool</span><span class="p">.</span><span class="nf">health_check</span><span class="p">()</span> <span class="k">return</span> <span class="nc">JSONResponse</span><span class="p">({</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">pool</span><span class="sh">"</span><span class="p">:</span> <span class="n">pool_status</span><span class="p">})</span> <span class="k">except</span> <span class="nb">RuntimeError</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JSONResponse</span><span class="p">(</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">degraded</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">detail</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">database pool not initialized</span><span class="sh">"</span><span class="p">},</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">503</span> <span class="p">)</span> </code></pre> </div> <h2> Production Safeguards in Settings </h2> <p>Two validators catch common deployment mistakes at startup rather than at runtime under load.</p> <p>A <code>field_validator</code> on <code>database_url</code> rejects anything that is not a valid PostgreSQL connection string:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@field_validator</span><span class="p">(</span><span class="sh">"</span><span class="s">database_url</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@classmethod</span> <span class="k">def</span> <span class="nf">validate_database_url</span><span class="p">(</span><span class="n">cls</span><span class="p">,</span> <span class="n">v</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">v</span><span class="p">.</span><span class="nf">startswith</span><span class="p">((</span><span class="sh">"</span><span class="s">postgresql://</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">postgres://</span><span class="sh">"</span><span class="p">)):</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">DATABASE_URL must be a valid PostgreSQL connection string</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">v</span> </code></pre> </div> <p>A <code>model_validator</code> refuses to start if the API key is still the insecure default in any non-debug environment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@model_validator</span><span class="p">(</span><span class="n">mode</span><span class="o">=</span><span class="sh">"</span><span class="s">after</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">validate_api_key_in_production</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="sh">"</span><span class="s">Settings</span><span class="sh">"</span><span class="p">:</span> <span class="nf">if </span><span class="p">(</span> <span class="n">self</span><span class="p">.</span><span class="n">api_key_enabled</span> <span class="ow">and</span> <span class="n">self</span><span class="p">.</span><span class="n">log_level</span><span class="p">.</span><span class="nf">upper</span><span class="p">()</span> <span class="o">!=</span> <span class="sh">"</span><span class="s">DEBUG</span><span class="sh">"</span> <span class="ow">and</span> <span class="n">self</span><span class="p">.</span><span class="n">api_key</span> <span class="o">==</span> <span class="sh">"</span><span class="s">change-me-in-production</span><span class="sh">"</span> <span class="p">):</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span> <span class="sh">"</span><span class="s">API_KEY must be changed from the default value before running in production.</span><span class="sh">"</span> <span class="p">)</span> <span class="k">return</span> <span class="n">self</span> </code></pre> </div> <p>Both validators fail fast at process start so you find the misconfiguration immediately, not when a request hits a broken code path.</p> <h2> Getting Started in Two Minutes </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/ManjunathGovindaraju/fastmcp-production-template.git <span class="nb">cd </span>fastmcp-production-template <span class="nb">cp</span> .env.example .env docker compose <span class="nt">-f</span> docker/docker-compose.yml up </code></pre> </div> <p>The MCP server starts at <code>http://localhost:8000/mcp</code>. PostgreSQL starts with sample data from <code>docker/init.sql</code>. Point any MCP-compatible client at that URL and the four tools — <code>search_records</code>, <code>get_record_detail</code>, <code>get_statistics</code>, <code>get_pool_status</code> — are immediately available.</p> <p>To deploy to Kubernetes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm <span class="nb">install </span>fastmcp k8s/helm/ <span class="se">\</span> <span class="nt">--set</span> image.tag<span class="o">=</span>v1.0.0 <span class="se">\</span> <span class="nt">--set</span> externalSecrets.secretStoreName<span class="o">=</span>your-vault-store </code></pre> </div> <h2> What This Is Not </h2> <p>This template is opinionated about the things that are always true in production: connection pooling, security allowlisting, structured observability, non-root containers. It does not make choices that are inherently application-specific: the schema, the business logic in the tools, the authentication mechanism for clients, or the specific OTLP backend you route traces to.</p> <p>Fork it, replace the <code>records</code> table with your domain model, swap the four example tools for your own, and you have a production-grade MCP server without building the infrastructure layer from scratch.</p> <p><strong><a href="https://github.com/ManjunathGovindaraju/fastmcp-production-template" rel="noopener noreferrer">github.com/ManjunathGovindaraju/fastmcp-production-template</a></strong></p> python kubernetes mcp opentelemetry