feat: Add Helm chart for kubernetes-mcp-server

google-labs-jules[bot] · google-labs-jules[bot] · commit 49e6a12fec0c · 2025-09-30T15:03:30.000Z
This commit introduces a Helm chart for deploying the kubernetes-mcp-server to a Kubernetes cluster. The chart is located in the `charts/kubernetes-mcp-server` directory and includes templates for the deployment, service, service account, RBAC, and a configurable `values.yaml` file.

The chart allows for easy configuration of the server, including:
- Image repository and tag
- Service ports
- Resource limits and requests
- Application-specific settings via a `ConfigMap`
- RBAC permissions for the server to interact with the Kubernetes API

Based on user feedback, the chart has been made more flexible and secure:
- `serviceAccount.create` defaults to `false`, requiring the user to specify an existing service account.
- `readOnly` and `disableDestructive` default to `true`.
- A new `rbac.create` flag allows users to disable the creation of the `Role` and `RoleBinding` if they are managing permissions externally.
- The chart is designed to work with CI/CD pipelines by allowing sensitive values like the Confluence API token to be passed via `--set-string`, preventing them from being stored in version control.

A README.md file is included with instructions on how to install and configure the chart.
diff --git a/charts/kubernetes-mcp-server/Chart.yaml b/charts/kubernetes-mcp-server/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: kubernetes-mcp-server
+description: A Helm chart for the Kubernetes Model Context Protocol (MCP) server
+type: application
+version: 0.1.0
+appVersion: "1.0"
diff --git a/charts/kubernetes-mcp-server/README.md b/charts/kubernetes-mcp-server/README.md
@@ -0,0 +1,82 @@
+# Kubernetes MCP Server
+
+A Helm chart for the Kubernetes Model Context Protocol (MCP) server.
+
+## Prerequisites
+
+- Kubernetes 1.16+
+- Helm 3+
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```bash
+helm install my-release .
+```
+
+The command deploys the Kubernetes MCP server on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```bash
+helm delete my-release
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Parameters
+
+The following table lists the configurable parameters of the Kubernetes MCP server chart and their default values.
+
+| Parameter                  | Description                                                                                                                               | Default                                 |
+| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------- |
+| `replicaCount`             | Number of replicas to deploy.                                                                                                             | `1`                                     |
+| `image.repository`         | Image repository.                                                                                                                         | `aihorde/kubernetes-mcp-server`       |
+| `image.pullPolicy`         | Image pull policy.                                                                                                                        | `IfNotPresent`                          |
+| `image.tag`                | Image tag. Overrides the chart's `appVersion`.                                                                                            | `""`                                    |
+| `imagePullSecrets`         | Image pull secrets.                                                                                                                       | `[]`                                    |
+| `nameOverride`             | String to override the name of the chart.                                                                                                 | `""`                                    |
+| `fullnameOverride`         | String to override the fully qualified app name.                                                                                          | `""`                                    |
+| `serviceAccount.create`    | If `true`, a new service account is created. If `false`, you must provide the name of an existing service account in `serviceAccount.name`. | `false`                                 |
+| `serviceAccount.name`      | The name of the service account to use. Required if `serviceAccount.create` is `false`.                                                   | `""`                                    |
+| `podAnnotations`           | Annotations to add to the pod.                                                                                                            | `{}`                                    |
+| `podSecurityContext`       | Pod security context.                                                                                                                     | `{}`                                    |
+| `securityContext`          | Container security context.                                                                                                               | `{}`                                    |
+| `service.type`             | Service type.                                                                                                                             | `ClusterIP`                             |
+| `service.port`             | Service port.                                                                                                                             | `8080`                                  |
+| `ingress.enabled`          | Enable ingress.                                                                                                                           | `false`                                 |
+| `ingress.className`        | Ingress class name.                                                                                                                       | `""`                                    |
+| `ingress.annotations`      | Ingress annotations.                                                                                                                      | `{}`                                    |
+| `ingress.hosts`            | Ingress hosts.                                                                                                                            | `[]`                                    |
+| `ingress.tls`              | Ingress TLS configuration.                                                                                                                | `[]`                                    |
+| `resources`                | Resource requests and limits.                                                                                                             | `{}`                                    |
+| `autoscaling.enabled`      | Enable autoscaling.                                                                                                                       | `false`                                 |
+| `nodeSelector`             | Node selector.                                                                                                                            | `{}`                                    |
+| `tolerations`              | Tolerations.                                                                                                                              | `[]`                                    |
+| `affinity`                 | Affinity.                                                                                                                                 | `{}`                                    |
+| `rbac.create`              | If `true`, a `Role` and `RoleBinding` will be created for the service account. If `false`, the chart will rely on existing permissions.   | `true`                                  |
+| `config`                   | Application-specific configuration. See the [Application Configuration](#application-configuration) section for more details.             | `{}`                                    |
+
+## Application Configuration
+
+The `config` parameter allows you to configure the Kubernetes MCP server. The following options are available:
+
+| Parameter                      | Description                                                                    | Default     |
+| ------------------------------ | ------------------------------------------------------------------------------ | ----------- |
+| `logLevel`                     | Log level (from 0 to 9).                                                       | `0`         |
+| `readOnly`                     | If true, only tools annotated with `readOnlyHint=true` are exposed.            | `true`      |
+| `disableDestructive`           | If true, tools annotated with `destructiveHint=true` are disabled.             | `true`      |
+| `toolsets`                     | List of MCP toolsets to use.                                                   | `[]`        |
+| `denied_resources`             | List of resources to deny access to.                                           | `[]`        |
+| `confluence.url`               | URL of the Confluence instance.                                                | `""`        |
+| `confluence.username`          | Confluence username.                                                           | `""`        |
+| `confluence.token`             | Confluence API token. **It is strongly recommended to set this via `--set-string` in a CI/CD pipeline rather than in the values file.** | `""`        |
+| `oauth.require`                | If true, requires OAuth authorization.                                         | `false`     |
+| `oauth.audience`               | OAuth audience for token claims validation.                                    | `""`        |
+| `oauth.validateToken`          | If true, validates the token against the Kubernetes API Server.                | `false`     |
+| `oauth.authorizationUrl`       | OAuth authorization server URL.                                                | `""`        |
+| `oauth.serverUrl`              | Server URL of this application.                                                | `""`        |
+| `oauth.certificateAuthority`   | Path to the certificate authority file to verify certificates.                 | `""`        |
diff --git a/charts/kubernetes-mcp-server/templates/NOTES.txt b/charts/kubernetes-mcp-server/templates/NOTES.txt
@@ -0,0 +1,23 @@
+1. Get the application URL by running these commands:
+  {{- if .Values.ingress.enabled }}
+  {{- range .Values.ingress.hosts }}
+    {{- if .tls }}
+  https://{{ .host }}{{ .path }}
+    {{- else }}
+  http://{{ .host }}{{ .path }}
+    {{- end }}
+  {{- end }}
+  {{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "kubernetes-mcp-server.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+  {{- else if contains "LoadBalancer" .Values.service.type }}
+  NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+        You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "kubernetes-mcp-server.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "kubernetes-mcp-server.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+  {{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "kubernetes-mcp-server.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  echo "Visit http://127.0.0.1:8080 to use the application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:{{ .Values.service.port }}
+  {{- end }}
diff --git a/charts/kubernetes-mcp-server/templates/_helpers.tpl b/charts/kubernetes-mcp-server/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kubernetes-mcp-server.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kubernetes-mcp-server.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kubernetes-mcp-server.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "kubernetes-mcp-server.labels" -}}
+helm.sh/chart: {{ include "kubernetes-mcp-server.chart" . }}
+{{ include "kubernetes-mcp-server.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "kubernetes-mcp-server.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "kubernetes-mcp-server.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "kubernetes-mcp-server.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "kubernetes-mcp-server.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/kubernetes-mcp-server/templates/configmap.yaml b/charts/kubernetes-mcp-server/templates/configmap.yaml
@@ -0,0 +1,44 @@
+{{- if .Values.config -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "kubernetes-mcp-server.fullname" . }}-config
+  labels:
+    {{- include "kubernetes-mcp-server.labels" . | nindent 4 }}
+data:
+  config.toml: |-
+    log_level = {{ .Values.config.logLevel | default 0 }}
+    read_only = {{ .Values.config.readOnly | default false }}
+    disable_destructive = {{ .Values.config.disableDestructive | default false }}
+    {{- if .Values.config.toolsets }}
+    toolsets = {{ .Values.config.toolsets | toJson }}
+    {{- end }}
+    {{- if .Values.config.denied_resources }}
+    denied_resources = {{ .Values.config.denied_resources | toJson }}
+    {{- end }}
+    {{- if .Values.config.confluence.url }}
+    [confluence]
+      url = "{{ .Values.config.confluence.url }}"
+      username = "{{ .Values.config.confluence.username }}"
+      token = "{{ .Values.config.confluence.token }}"
+    {{- end }}
+    {{- if .Values.config.oauth.require }}
+    [oauth]
+      require = {{ .Values.config.oauth.require }}
+      {{- if .Values.config.oauth.audience }}
+      audience = "{{ .Values.config.oauth.audience }}"
+      {{- end }}
+      {{- if .Values.config.oauth.validateToken }}
+      validateToken = {{ .Values.config.oauth.validateToken }}
+      {{- end }}
+      {{- if .Values.config.oauth.authorizationUrl }}
+      authorizationUrl = "{{ .Values.config.oauth.authorizationUrl }}"
+      {{- end }}
+      {{- if .Values.config.oauth.serverUrl }}
+      serverUrl = "{{ .Values.config.oauth.serverUrl }}"
+      {{- end }}
+      {{- if .Values.config.oauth.certificateAuthority }}
+      certificateAuthority = "{{ .Values.config.oauth.certificateAuthority }}"
+      {{- end }}
+    {{- end }}
+{{- end }}
diff --git a/charts/kubernetes-mcp-server/templates/deployment.yaml b/charts/kubernetes-mcp-server/templates/deployment.yaml
@@ -0,0 +1,74 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "kubernetes-mcp-server.fullname" . }}
+  labels:
+    {{- include "kubernetes-mcp-server.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "kubernetes-mcp-server.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "kubernetes-mcp-server.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "kubernetes-mcp-server.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - /usr/local/bin/kubernetes-mcp-server
+          args:
+            - --config=/etc/kubernetes-mcp-server/config.toml
+            - --port={{ .Values.service.port }}
+          volumeMounts:
+            - name: config
+              mountPath: /etc/kubernetes-mcp-server
+              readOnly: true
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      volumes:
+        - name: config
+          configMap:
+            name: {{ include "kubernetes-mcp-server.fullname" . }}-config
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/charts/kubernetes-mcp-server/templates/role.yaml b/charts/kubernetes-mcp-server/templates/role.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "kubernetes-mcp-server.fullname" . }}
+  labels:
+    {{- include "kubernetes-mcp-server.labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["pods", "pods/log", "services", "configmaps", "secrets", "persistentvolumeclaims", "events"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["apps"]
+  resources: ["deployments", "daemonsets", "replicasets", "statefulsets"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["batch"]
+  resources: ["jobs", "cronjobs"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["networking.k8s.io"]
+  resources: ["ingresses"]
+  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+{{- end }}
diff --git a/charts/kubernetes-mcp-server/templates/rolebinding.yaml b/charts/kubernetes-mcp-server/templates/rolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "kubernetes-mcp-server.fullname" . }}
+  labels:
+    {{- include "kubernetes-mcp-server.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "kubernetes-mcp-server.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "kubernetes-mcp-server.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/kubernetes-mcp-server/templates/service.yaml b/charts/kubernetes-mcp-server/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "kubernetes-mcp-server.fullname" . }}
+  labels:
+    {{- include "kubernetes-mcp-server.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "kubernetes-mcp-server.selectorLabels" . | nindent 4 }}
diff --git a/charts/kubernetes-mcp-server/templates/serviceaccount.yaml b/charts/kubernetes-mcp-server/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "kubernetes-mcp-server.serviceAccountName" . }}
+  labels:
+    {{- include "kubernetes-mcp-server.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/charts/kubernetes-mcp-server/values.yaml b/charts/kubernetes-mcp-server/values.yaml
