# Example: URL-based Kubeconfig Configuration
# This example shows how to fetch kubeconfig from a remote URL
# Useful for centralized configuration management, secret stores, or S3 buckets
# where kubeconfig files are stored and need to be retrieved dynamically.
# Deploy with: helm install mcp-server ./helm-chart -f examples/url-kubeconfig.yaml
image:
  repository: flux159/mcp-server-kubernetes
  # NOTE(review): a floating tag gives no build-to-deploy traceability and can
  # change underneath a running rollout; pin a release tag or an image digest
  # for anything beyond local experimentation.
  tag: "latest"
# Serve over HTTP so the server is reachable from other workloads
transport:
  mode: "http"

# Cluster-internal service only; no external exposure
service:
  type: ClusterIP
  port: 3001

ingress:
  enabled: false
# Kubeconfig is retrieved from the URLs below (see initContainer for retries)
kubeconfig:
  provider: "url"
  url:
    configs:
      # Example 1: object storage via a pre-signed URL; no extra headers needed
      - name: "prod-cluster"
        url: "https://my-bucket.s3.amazonaws.com/kubeconfigs/prod-cluster.yaml"
        extraArgs: []
      # Example 2: HTTP server that expects a bearer token.
      # The ${...} reference is presumably expanded by the init container at
      # runtime -- confirm it is not substituted at template render time, since
      # the token would then be written into the pod spec and visible to anyone
      # who can read pods in the namespace.
      - name: "staging-cluster"
        url: "https://config-server.example.com/kubeconfig/staging.yaml"
        extraArgs:
          - "--header=Authorization: Bearer ${CONFIG_SERVER_TOKEN}"
      # Example 3: in-cluster service with custom headers.
      # Plain http: the API key travels in cleartext, which is only acceptable
      # while the traffic stays inside the cluster network.
      - name: "dev-cluster"
        url: "http://internal-config-service.config-system.svc.cluster.local/kubeconfig"
        extraArgs:
          - "--header=X-API-Key: ${DEV_API_KEY}"
          - "--header=X-Environment: development"
# Environment variables made available to the fetch step
env:
  # Placeholders only. Do not commit real tokens in a values file; create a
  # Secret and reference it via envFrom instead (usage note 6 below).
  CONFIG_SERVER_TOKEN: "your-bearer-token-here"
  DEV_API_KEY: "your-api-key-here"
  # Egress proxy settings; left empty when no proxy is in use
  HTTP_PROXY: ""
  HTTPS_PROXY: ""
  NO_PROXY: ""
# Init container that fetches every configured URL; retries absorb transient
# network or auth failures
initContainer:
  maxRetries: 5
  retryDelay: 10  # presumably seconds -- verify against the chart's init script
  resources:
    limits:
      cpu: 100m
      memory: 128Mi
    requests:
      cpu: 50m
      memory: 64Mi
# Security settings
security:
  # Both false: the server is presumably allowed to run destructive operations
  # on every cluster the fetched kubeconfig grants access to. Set to true where
  # a read-only or non-destructive server is sufficient.
  allowOnlyNonDestructive: false
  allowOnlyReadonly: false
  podSecurityContext:
    fsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    # With a read-only root filesystem the fetched kubeconfig has to live on a
    # writable volume shared with the init container -- confirm the chart
    # provides one.
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 1000
serviceAccount:
  create: true
  # Cloud IAM bindings (IRSA / Workload Identity) go here; see usage notes 3-4
  annotations: {}

# RBAC for the cluster the pod runs in. Access to the remote clusters is
# governed by the credentials inside the fetched kubeconfig, not by these rules.
rbac:
  create: true
  annotations:
    description: "MCP Server with URL-based kubeconfig"
  rules:
    # Read-only access to a minimal set of core resources
    - apiGroups: [""]
      resources: ["pods", "services"]
      verbs: ["get", "list", "watch"]
# Main container resources
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi
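# NetworkPolicy: DNS, the local API server, and egress to the config sources
networkPolicy:
  enabled: true
  dns:
    enabled: true
  kubernetesApi:
    enabled: true
    serviceCidr: "10.96.0.0/12"
  egress:
    # HTTPS to external config servers / object storage. Only 443 is opened:
    # the examples and usage note 5 use HTTPS for everything external, so plain
    # HTTP to arbitrary addresses is not required. Narrow the CIDR to the config
    # server's address range when it is known -- 0.0.0.0/0 also reaches the
    # cloud metadata endpoint and every other host on the network.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 443
    # In-cluster config service (example 3 talks plain http to config-system)
    - to:
        - namespaceSelector:
            matchLabels:
              name: config-system
      ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443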
# Health checks on the transport port. A TCP probe only shows the socket is
# open; it does not validate that the fetched kubeconfig works.
livenessProbe:
  enabled: true
  tcpSocket:
    port: 3001
  initialDelaySeconds: 30
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 3

readinessProbe:
  enabled: true
  tcpSocket:
    port: 3001
  initialDelaySeconds: 5
  periodSeconds: 5
  timeoutSeconds: 5
  failureThreshold: 3
# Labels and annotations applied to the pod and to all chart resources
podLabels:
  app: mcp-server-kubernetes
  kubeconfig-type: url
podAnnotations:
  description: "MCP Server with URL-based kubeconfig fetching"
commonLabels:
  managed-by: helm
  component: mcp-server
# USAGE NOTES:
#
# 1. URL Sources:
# - AWS S3: s3://bucket/path or pre-signed HTTPS URLs
# - Google Cloud Storage: https://storage.googleapis.com/bucket/path
# - Azure Blob Storage: https://account.blob.core.windows.net/container/path
# - HTTP/HTTPS servers: Any accessible web server
# - Internal Kubernetes services: http://service.namespace.svc.cluster.local/path
#
# 2. Authentication Methods:
# a) Pre-signed URLs (recommended for cloud storage)
# b) Bearer tokens in Authorization header
# c) API keys in custom headers
# d) Basic authentication (not recommended)
# e) IAM/Workload Identity (for cloud storage)
#
# 3. Using AWS S3 with IAM Roles:
#    serviceAccount:
#      annotations:
#        eks.amazonaws.com/role-arn: "arn:aws:iam::123456789:role/s3-config-reader"
#    kubeconfig:
#      url:
#        configs:
#          - name: "cluster"
#            url: "https://my-bucket.s3.amazonaws.com/kubeconfig.yaml"
#
# 4. Using GCS with Workload Identity:
#    serviceAccount:
#      annotations:
#        iam.gke.io/gcp-service-account: "config-reader@project.iam.gserviceaccount.com"
#    kubeconfig:
#      url:
#        configs:
#          - name: "cluster"
#            url: "https://storage.googleapis.com/my-bucket/kubeconfig.yaml"
#
# 5. Security Best Practices:
#    - Use HTTPS for external URLs
#    - Store credentials in Kubernetes Secrets, not in values files:
#        kubectl create secret generic config-server-creds \
#          --from-literal=token='your-token' \
#          --from-literal=api-key='your-key'
#    - Reference secrets in the deployment via envFrom
#    - Use short-lived credentials when possible
#    - Enable NetworkPolicy to restrict egress
#    - Rotate credentials regularly
#
# 6. Using Secrets for Credentials:
#    Create the secret first:
#      kubectl create secret generic url-kubeconfig-creds \
#        --from-literal=CONFIG_SERVER_TOKEN='token-value' \
#        --from-literal=DEV_API_KEY='key-value'
#
#    Then, in your deployment, add envFrom to reference the secret
#    (modify deployment.yaml, or use extraEnvFrom if the chart supports it)
#
# 7. Multi-cluster Configuration:
# The init container fetches all configured URLs and merges them into
# a single kubeconfig file. You can switch between clusters using the
# kubectl_context tool.
#
# 8. Troubleshooting:
# - Check init container logs: kubectl logs <pod> -c fetch-kubeconfig
# - Verify URL is accessible from cluster
# - Check authentication headers and credentials
# - Ensure NetworkPolicy allows egress to config server
# - Verify retry settings if fetch is intermittent