Traverse the resources in helm chart for client access

ardaguclu · ardaguclu · commit 91fa4f48af57 · 2025-07-09T13:40:12.000+03:00
diff --git a/pkg/helm/helm.go b/pkg/helm/helm.go
@@ -3,15 +3,16 @@ package helm
 import (
 	"context"
 	"fmt"
+	"log"
+	"time"
+
 	"helm.sh/helm/v3/pkg/action"
 	"helm.sh/helm/v3/pkg/chart/loader"
 	"helm.sh/helm/v3/pkg/cli"
 	"helm.sh/helm/v3/pkg/registry"
 	"helm.sh/helm/v3/pkg/release"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
-	"log"
 	"sigs.k8s.io/yaml"
-	"time"
 )
 
 type Kubernetes interface {
@@ -62,6 +63,57 @@ func (h *Helm) Install(ctx context.Context, chart string, values map[string]inte
 	return string(ret), nil
 }
 
+// RenderTemplateDryRun renders a Helm chart template using dry-run mode to see what resources will be created
+func (h *Helm) RenderTemplateDryRun(ctx context.Context, chart string, values map[string]interface{}, name string, namespace string) (string, error) {
+	cfg, err := h.newAction(h.kubernetes.NamespaceOrDefault(namespace), false)
+	if err != nil {
+		return "", err
+	}
+	install := action.NewInstall(cfg)
+	if name == "" {
+		install.GenerateName = true
+		install.ReleaseName, _, _ = install.NameAndChart([]string{chart})
+	} else {
+		install.ReleaseName = name
+	}
+	install.Namespace = h.kubernetes.NamespaceOrDefault(namespace)
+	install.Wait = false
+	install.Timeout = 5 * time.Minute
+	install.DryRun = true
+
+	chartRequested, err := install.ChartPathOptions.LocateChart(chart, cli.New())
+	if err != nil {
+		return "", err
+	}
+	chartLoaded, err := loader.Load(chartRequested)
+	if err != nil {
+		return "", err
+	}
+
+	dryRunRelease, err := install.RunWithContext(ctx, chartLoaded, values)
+	if err != nil {
+		return "", err
+	}
+
+	return dryRunRelease.Manifest, nil
+}
+
+// GetReleaseManifests gets the manifests for an existing Helm release
+func (h *Helm) GetReleaseManifests(name string, namespace string) (string, error) {
+	cfg, err := h.newAction(h.kubernetes.NamespaceOrDefault(namespace), false)
+	if err != nil {
+		return "", err
+	}
+
+	get := action.NewGet(cfg)
+	release, err := get.Run(name)
+	if err != nil {
+		return "", err
+	}
+
+	return release.Manifest, nil
+}
+
 // List lists all the releases for the specified namespace (or current namespace if). Or allNamespaces is true, it lists all releases across all namespaces.
 func (h *Helm) List(namespace string, allNamespaces bool) (string, error) {
 	cfg, err := h.newAction(namespace, allNamespaces)
diff --git a/pkg/kubernetes/pods.go b/pkg/kubernetes/pods.go
@@ -61,7 +61,7 @@ func (k *Kubernetes) PodsDelete(ctx context.Context, namespace, name string) (st
 
 	// Delete managed service
 	if isManaged {
-		if err = k.canClientAccess(ctx, &schema.GroupVersionResource{
+		if err = k.CanClientAccess(ctx, &schema.GroupVersionResource{
 			Group:    "",
 			Version:  "v1",
 			Resource: "services",
@@ -77,7 +77,7 @@ func (k *Kubernetes) PodsDelete(ctx context.Context, namespace, name string) (st
 			LabelSelector: managedLabelSelector.String(),
 		}); sl != nil {
 			for _, svc := range sl.Items {
-				if err = k.canClientAccess(ctx, &schema.GroupVersionResource{
+				if err = k.CanClientAccess(ctx, &schema.GroupVersionResource{
 					Group:    "",
 					Version:  "v1",
 					Resource: "services",
@@ -91,7 +91,7 @@ func (k *Kubernetes) PodsDelete(ctx context.Context, namespace, name string) (st
 
 	// Delete managed Route
 	if isManaged && k.supportsGroupVersion("route.openshift.io/v1") {
-		if err = k.canClientAccess(ctx, &schema.GroupVersionResource{
+		if err = k.CanClientAccess(ctx, &schema.GroupVersionResource{
 			Group:    "route.openshift.io",
 			Version:  "v1",
 			Resource: "routes",
@@ -106,7 +106,7 @@ func (k *Kubernetes) PodsDelete(ctx context.Context, namespace, name string) (st
 			LabelSelector: managedLabelSelector.String(),
 		}); rl != nil {
 			for _, route := range rl.Items {
-				if err = k.canClientAccess(ctx, &schema.GroupVersionResource{
+				if err = k.CanClientAccess(ctx, &schema.GroupVersionResource{
 					Group:    "route.openshift.io",
 					Version:  "v1",
 					Resource: "routes",
@@ -124,7 +124,7 @@ func (k *Kubernetes) PodsDelete(ctx context.Context, namespace, name string) (st
 
 func (k *Kubernetes) PodsLog(ctx context.Context, namespace, name, container string) (string, error) {
 	tailLines := int64(256)
-	if err := k.canClientAccess(ctx, &schema.GroupVersionResource{
+	if err := k.CanClientAccess(ctx, &schema.GroupVersionResource{
 		Group:    "",
 		Version:  "v1",
 		Resource: "pods",
@@ -135,7 +135,7 @@ func (k *Kubernetes) PodsLog(ctx context.Context, namespace, name, container str
 	if err != nil {
 		return "", err
 	}
-	if err := k.canClientAccess(ctx, &schema.GroupVersionResource{
+	if err := k.CanClientAccess(ctx, &schema.GroupVersionResource{
 		Group:    "",
 		Version:  "v1",
 		Resource: "pods",
@@ -249,7 +249,7 @@ func (k *Kubernetes) PodsTop(ctx context.Context, options PodsTopOptions) (*metr
 		namespace = k.NamespaceOrDefault(namespace)
 	}
 
-	if err := k.canClientAccess(ctx, &schema.GroupVersionResource{
+	if err := k.CanClientAccess(ctx, &schema.GroupVersionResource{
 		Group:    "metrics.k8s.io",
 		Version:  "v1beta1",
 		Resource: "podmetrics",
@@ -266,7 +266,7 @@ func (k *Kubernetes) PodsExec(ctx context.Context, namespace, name, container st
 	if err != nil {
 		return "", err
 	}
-	if err := k.canClientAccess(ctx, &schema.GroupVersionResource{
+	if err := k.CanClientAccess(ctx, &schema.GroupVersionResource{
 		Group:    "",
 		Version:  "v1",
 		Resource: "pods",
@@ -290,7 +290,7 @@ func (k *Kubernetes) PodsExec(ctx context.Context, namespace, name, container st
 		Stdout:    true,
 		Stderr:    true,
 	}
-	if err := k.canClientAccess(ctx, &schema.GroupVersionResource{
+	if err := k.CanClientAccess(ctx, &schema.GroupVersionResource{
 		Group:    "",
 		Version:  "v1",
 		Resource: "pods",
diff --git a/pkg/kubernetes/resources.go b/pkg/kubernetes/resources.go
@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/klog/v2"
 
 	"github.com/manusa/kubernetes-mcp-server/pkg/version"
 	authv1 "k8s.io/api/authorization/v1"
@@ -30,7 +31,7 @@ type ResourceListOptions struct {
 }
 
 func (k *Kubernetes) ResourcesList(ctx context.Context, gvk *schema.GroupVersionKind, namespace string, options ResourceListOptions) (runtime.Unstructured, error) {
-	gvr, err := k.resourceFor(gvk)
+	gvr, err := k.ResourceFor(gvk)
 	if err != nil {
 		return nil, err
 	}
@@ -41,7 +42,7 @@ func (k *Kubernetes) ResourcesList(ctx context.Context, gvk *schema.GroupVersion
 		namespace = k.manager.configuredNamespace()
 	}
 
-	if err := k.canClientAccess(ctx, gvr, "", namespace, "list", ""); err != nil {
+	if err := k.CanClientAccess(ctx, gvr, "", namespace, "list", ""); err != nil {
 		return nil, err
 	}
 
@@ -52,7 +53,7 @@ func (k *Kubernetes) ResourcesList(ctx context.Context, gvk *schema.GroupVersion
 }
 
 func (k *Kubernetes) ResourcesGet(ctx context.Context, gvk *schema.GroupVersionKind, namespace, name string) (*unstructured.Unstructured, error) {
-	gvr, err := k.resourceFor(gvk)
+	gvr, err := k.ResourceFor(gvk)
 	if err != nil {
 		return nil, err
 	}
@@ -62,7 +63,7 @@ func (k *Kubernetes) ResourcesGet(ctx context.Context, gvk *schema.GroupVersionK
 		namespace = k.NamespaceOrDefault(namespace)
 	}
 
-	if err := k.canClientAccess(ctx, gvr, name, namespace, "get", ""); err != nil {
+	if err := k.CanClientAccess(ctx, gvr, name, namespace, "get", ""); err != nil {
 		return nil, err
 	}
 
@@ -84,7 +85,7 @@ func (k *Kubernetes) ResourcesCreateOrUpdate(ctx context.Context, resource strin
 }
 
 func (k *Kubernetes) ResourcesDelete(ctx context.Context, gvk *schema.GroupVersionKind, namespace, name string) error {
-	gvr, err := k.resourceFor(gvk)
+	gvr, err := k.ResourceFor(gvk)
 	if err != nil {
 		return err
 	}
@@ -94,7 +95,7 @@ func (k *Kubernetes) ResourcesDelete(ctx context.Context, gvk *schema.GroupVersi
 		namespace = k.NamespaceOrDefault(namespace)
 	}
 
-	if err := k.canClientAccess(ctx, gvr, name, namespace, "delete", ""); err != nil {
+	if err := k.CanClientAccess(ctx, gvr, name, namespace, "delete", ""); err != nil {
 		return err
 	}
 
@@ -151,7 +152,7 @@ func (k *Kubernetes) resourcesListAsTable(ctx context.Context, gvk *schema.Group
 func (k *Kubernetes) resourcesCreateOrUpdate(ctx context.Context, resources []*unstructured.Unstructured) ([]*unstructured.Unstructured, error) {
 	for i, obj := range resources {
 		gvk := obj.GroupVersionKind()
-		gvr, rErr := k.resourceFor(&gvk)
+		gvr, rErr := k.ResourceFor(&gvk)
 		if rErr != nil {
 			return nil, rErr
 		}
@@ -162,7 +163,7 @@ func (k *Kubernetes) resourcesCreateOrUpdate(ctx context.Context, resources []*u
 			namespace = k.NamespaceOrDefault(namespace)
 		}
 
-		if err := k.canClientAccess(ctx, gvr, obj.GetName(), namespace, "patch", ""); err != nil {
+		if err := k.CanClientAccess(ctx, gvr, obj.GetName(), namespace, "patch", ""); err != nil {
 			return nil, err
 		}
 
@@ -180,7 +181,7 @@ func (k *Kubernetes) resourcesCreateOrUpdate(ctx context.Context, resources []*u
 	return resources, nil
 }
 
-func (k *Kubernetes) resourceFor(gvk *schema.GroupVersionKind) (*schema.GroupVersionResource, error) {
+func (k *Kubernetes) ResourceFor(gvk *schema.GroupVersionKind) (*schema.GroupVersionResource, error) {
 	m, err := k.manager.accessControlRESTMapper.RESTMapping(schema.GroupKind{Group: gvk.Group, Kind: gvk.Kind}, gvk.Version)
 	if err != nil {
 		return nil, err
@@ -208,7 +209,7 @@ func (k *Kubernetes) supportsGroupVersion(groupVersion string) bool {
 	return true
 }
 
-func (k *Kubernetes) canClientAccess(ctx context.Context, gvr *schema.GroupVersionResource, resourceName, namespace, verb, subResource string) error {
+func (k *Kubernetes) CanClientAccess(ctx context.Context, gvr *schema.GroupVersionResource, resourceName, namespace, verb, subResource string) error {
 	if !k.manager.staticConfig.RequireOAuth {
 		return nil
 	}
@@ -223,7 +224,7 @@ func (k *Kubernetes) canClientAccess(ctx context.Context, gvr *schema.GroupVersi
 	}
 	groups := ctx.Value("X-User-Groups")
 	if groups == nil {
-		return fmt.Errorf("user groups are not set")
+		groups = []string{}
 	}
 	userGroups := strings.Split(groups.(string), ",")
 
@@ -254,6 +255,7 @@ func (k *Kubernetes) canClientAccess(ctx context.Context, gvr *schema.GroupVersi
 	if !response.Status.Allowed {
 		return fmt.Errorf("user %q does not have permission to %s %s", userName, verb, resourceName)
 	}
+	klog.V(2).Infof("User %q has permission to %s %s in namespace %s", userName, verb, resourceName, namespace)
 	return nil
 }
 
diff --git a/pkg/mcp/helm.go b/pkg/mcp/helm.go

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ import (`
`7`	`7`	`"strings"`
`8`	`8`
`9`	`9`	`"k8s.io/apimachinery/pkg/runtime"`
	`10`	`+ "k8s.io/klog/v2"`
`10`	`11`
`11`	`12`	`"github.com/manusa/kubernetes-mcp-server/pkg/version"`
`12`	`13`	`authv1 "k8s.io/api/authorization/v1"`
`@@ -30,7 +31,7 @@ type ResourceListOptions struct {`
`30`	`31`	`}`
`31`	`32`
`32`	`33`	`func (k Kubernetes) ResourcesList(ctx context.Context, gvk schema.GroupVersionKind, namespace string, options ResourceListOptions) (runtime.Unstructured, error) {`
`33`		`- gvr, err := k.resourceFor(gvk)`
	`34`	`+ gvr, err := k.ResourceFor(gvk)`
`34`	`35`	`if err != nil {`
`35`	`36`	`return nil, err`
`36`	`37`	`}`
`@@ -41,7 +42,7 @@ func (k Kubernetes) ResourcesList(ctx context.Context, gvk schema.GroupVersion`
`41`	`42`	`namespace = k.manager.configuredNamespace()`
`42`	`43`	`}`
`43`	`44`
`44`		`- if err := k.canClientAccess(ctx, gvr, "", namespace, "list", ""); err != nil {`
	`45`	`+ if err := k.CanClientAccess(ctx, gvr, "", namespace, "list", ""); err != nil {`
`45`	`46`	`return nil, err`
`46`	`47`	`}`
`47`	`48`
`@@ -52,7 +53,7 @@ func (k Kubernetes) ResourcesList(ctx context.Context, gvk schema.GroupVersion`
`52`	`53`	`}`
`53`	`54`
`54`	`55`	`func (k Kubernetes) ResourcesGet(ctx context.Context, gvk schema.GroupVersionKind, namespace, name string) (*unstructured.Unstructured, error) {`
`55`		`- gvr, err := k.resourceFor(gvk)`
	`56`	`+ gvr, err := k.ResourceFor(gvk)`
`56`	`57`	`if err != nil {`
`57`	`58`	`return nil, err`
`58`	`59`	`}`
`@@ -62,7 +63,7 @@ func (k Kubernetes) ResourcesGet(ctx context.Context, gvk schema.GroupVersionK`
`62`	`63`	`namespace = k.NamespaceOrDefault(namespace)`
`63`	`64`	`}`
`64`	`65`
`65`		`- if err := k.canClientAccess(ctx, gvr, name, namespace, "get", ""); err != nil {`
	`66`	`+ if err := k.CanClientAccess(ctx, gvr, name, namespace, "get", ""); err != nil {`
`66`	`67`	`return nil, err`
`67`	`68`	`}`
`68`	`69`
`@@ -84,7 +85,7 @@ func (k *Kubernetes) ResourcesCreateOrUpdate(ctx context.Context, resource strin`
`84`	`85`	`}`
`85`	`86`
`86`	`87`	`func (k Kubernetes) ResourcesDelete(ctx context.Context, gvk schema.GroupVersionKind, namespace, name string) error {`
`87`		`- gvr, err := k.resourceFor(gvk)`
	`88`	`+ gvr, err := k.ResourceFor(gvk)`
`88`	`89`	`if err != nil {`
`89`	`90`	`return err`
`90`	`91`	`}`
`@@ -94,7 +95,7 @@ func (k Kubernetes) ResourcesDelete(ctx context.Context, gvk schema.GroupVersi`
`94`	`95`	`namespace = k.NamespaceOrDefault(namespace)`
`95`	`96`	`}`
`96`	`97`
`97`		`- if err := k.canClientAccess(ctx, gvr, name, namespace, "delete", ""); err != nil {`
	`98`	`+ if err := k.CanClientAccess(ctx, gvr, name, namespace, "delete", ""); err != nil {`
`98`	`99`	`return err`
`99`	`100`	`}`
`100`	`101`
`@@ -151,7 +152,7 @@ func (k Kubernetes) resourcesListAsTable(ctx context.Context, gvk schema.Group`
`151`	`152`	`func (k Kubernetes) resourcesCreateOrUpdate(ctx context.Context, resources []unstructured.Unstructured) ([]*unstructured.Unstructured, error) {`
`152`	`153`	`for i, obj := range resources {`
`153`	`154`	`gvk := obj.GroupVersionKind()`
`154`		`- gvr, rErr := k.resourceFor(&gvk)`
	`155`	`+ gvr, rErr := k.ResourceFor(&gvk)`
`155`	`156`	`if rErr != nil {`
`156`	`157`	`return nil, rErr`
`157`	`158`	`}`
`@@ -162,7 +163,7 @@ func (k Kubernetes) resourcesCreateOrUpdate(ctx context.Context, resources []u`
`162`	`163`	`namespace = k.NamespaceOrDefault(namespace)`
`163`	`164`	`}`
`164`	`165`
`165`		`- if err := k.canClientAccess(ctx, gvr, obj.GetName(), namespace, "patch", ""); err != nil {`
	`166`	`+ if err := k.CanClientAccess(ctx, gvr, obj.GetName(), namespace, "patch", ""); err != nil {`
`166`	`167`	`return nil, err`
`167`	`168`	`}`
`168`	`169`
`@@ -180,7 +181,7 @@ func (k Kubernetes) resourcesCreateOrUpdate(ctx context.Context, resources []u`
`180`	`181`	`return resources, nil`
`181`	`182`	`}`
`182`	`183`
`183`		`-func (k Kubernetes) resourceFor(gvk schema.GroupVersionKind) (*schema.GroupVersionResource, error) {`
	`184`	`+func (k Kubernetes) ResourceFor(gvk schema.GroupVersionKind) (*schema.GroupVersionResource, error) {`
`184`	`185`	`m, err := k.manager.accessControlRESTMapper.RESTMapping(schema.GroupKind{Group: gvk.Group, Kind: gvk.Kind}, gvk.Version)`
`185`	`186`	`if err != nil {`
`186`	`187`	`return nil, err`
`@@ -208,7 +209,7 @@ func (k *Kubernetes) supportsGroupVersion(groupVersion string) bool {`
`208`	`209`	`return true`
`209`	`210`	`}`
`210`	`211`
`211`		`-func (k Kubernetes) canClientAccess(ctx context.Context, gvr schema.GroupVersionResource, resourceName, namespace, verb, subResource string) error {`
	`212`	`+func (k Kubernetes) CanClientAccess(ctx context.Context, gvr schema.GroupVersionResource, resourceName, namespace, verb, subResource string) error {`
`212`	`213`	`if !k.manager.staticConfig.RequireOAuth {`
`213`	`214`	`return nil`
`214`	`215`	`}`
`@@ -223,7 +224,7 @@ func (k Kubernetes) canClientAccess(ctx context.Context, gvr schema.GroupVersi`
`223`	`224`	`}`
`224`	`225`	`groups := ctx.Value("X-User-Groups")`
`225`	`226`	`if groups == nil {`
`226`		`- return fmt.Errorf("user groups are not set")`
	`227`	`+ groups = []string{}`
`227`	`228`	`}`
`228`	`229`	`userGroups := strings.Split(groups.(string), ",")`
`229`	`230`
`@@ -254,6 +255,7 @@ func (k Kubernetes) canClientAccess(ctx context.Context, gvr schema.GroupVersi`
`254`	`255`	`if !response.Status.Allowed {`
`255`	`256`	`return fmt.Errorf("user %q does not have permission to %s %s", userName, verb, resourceName)`
`256`	`257`	`}`
	`258`	`+ klog.V(2).Infof("User %q has permission to %s %s in namespace %s", userName, verb, resourceName, namespace)`
`257`	`259`	`return nil`
`258`	`260`	`}`
`259`	`261`