From df3413f54e1b26dbda908c1dd8d3e6b6a21f73a4 Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Sat, 21 Feb 2026 00:29:55 +0000 Subject: [PATCH] feat: add Kubernetes and Flux MCP servers as pod sidecars Run MCP servers as sidecar containers so they inherit the pod's ServiceAccount permissions instead of requiring separate deployments with their own RBAC. Kubernetes MCP on :8080, Flux MCP on :8081. Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude Co-Authored-By: Happy --- .mcp.json | 10 +++---- chart/templates/deployment.yaml | 49 +++++++++++++++++++++++++++++++++ chart/values.yaml | 29 +++++++++++++++++++ 3 files changed, 83 insertions(+), 5 deletions(-)
diff --git a/.mcp.json b/.mcp.json
index ec6fc7b..5c07e52 100644
--- a/.mcp.json
+++ b/.mcp.json
@@ -2,15 +2,15 @@
 "mcpServers": {
 "kubernetes": {
 "type": "sse",
- "url": "http://kubernetes-mcp-server.kube-system.svc.cluster.local:8080/sse"
+ "url": "http://localhost:8080/sse"
 },
 "flux": {
 "type": "sse",
- "url": "http://flux-mcp.flux-system.svc.cluster.local:8080/sse"
+ "url": "http://localhost:8081/sse"
 },
- "playwright": {
- "type": "sse",
- "url": "http://playwright-mcp.playwright.svc.cluster.local:3000/sse"
+ "playwright": {
+ "type": "sse",
+ "url": "http://playwright-mcp.playwright.svc.cluster.local:3000/sse"
 }
 }
 }
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
index 96adbb3..c825bd6 100644
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
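Review bot: In `.mcp.json` the new `kubernetes` and `flux` URLs hard-code `localhost:8080` and `localhost:8081`, while the same commit makes both ports and both sidecars configurable through `mcpSidecars.*.port` and `mcpSidecars.*.enabled` in `chart/values.yaml`. Overriding a port or disabling a sidecar leaves the client pointing at an endpoint that is no longer there, and nothing visible ties the two files together. JSON cannot carry a comment, so the coupling is best stated next to the values, e.g. `# must match the localhost port in .mcp.json`, or the file could be rendered from the chart values. The endpoints are also plain HTTP on the pod's shared loopback, so every container in the pod can reach them.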
@@ -98,6 +98,55 @@ spec:
 initialDelaySeconds: 5
 periodSeconds: 5
 {{- end }}
+ {{- if .Values.mcpSidecars.kubernetes.enabled }}
+ - name: kubernetes-mcp
+ image: "{{ .Values.mcpSidecars.kubernetes.image.repository }}:{{ .Values.mcpSidecars.kubernetes.image.tag }}"
+ args:
+ - --port
+ - {{ .Values.mcpSidecars.kubernetes.port | quote }}
+ ports:
+ - containerPort: {{ .Values.mcpSidecars.kubernetes.port }}
+ name: k8s-mcp
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: {{ .Values.mcpSidecars.kubernetes.port }}
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: {{ .Values.mcpSidecars.kubernetes.port }}
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ resources:
+ {{- toYaml .Values.mcpSidecars.kubernetes.resources | nindent 12 }}
+ {{- end }}
+ {{- if .Values.mcpSidecars.flux.enabled }}
+ - name: flux-mcp
+ image: "{{ .Values.mcpSidecars.flux.image.repository }}:{{ .Values.mcpSidecars.flux.image.tag }}"
+ args:
+ - serve
+ - --transport=sse
+ - --port={{ .Values.mcpSidecars.flux.port }}
+ ports:
+ - containerPort: {{ .Values.mcpSidecars.flux.port }}
+ name: flux-mcp
+ protocol: TCP
+ livenessProbe:
+ tcpSocket:
+ port: {{ .Values.mcpSidecars.flux.port }}
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ readinessProbe:
+ tcpSocket:
+ port: {{ .Values.mcpSidecars.flux.port }}
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ resources:
+ {{- toYaml .Values.mcpSidecars.flux.resources | nindent 12 }}
+ {{- end }}
 volumes:
 - name: workspace
 emptyDir: {}
diff --git a/chart/values.yaml b/chart/values.yaml
index 565f7e7..15805e6 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
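Review bot: In `chart/templates/deployment.yaml` neither `kubernetes-mcp` nor `flux-mcp` gets a `securityContext`, and both start with only transport and port arguments, so the pod's ServiceAccount permissions are served over plain-HTTP SSE with no authentication or listen-address restriction visible in these args. If the servers listen on all interfaces (not shown here), any workload that can route to the pod IP on these ports could act with the pod's RBAC; a NetworkPolicy or a loopback-only listen address would keep the endpoints as local as `.mcp.json` now assumes. I would also add a restrictive `securityContext` to each sidecar as sketched below, after confirming that both images run as a non-root user and tolerate a read-only root filesystem. The containers list begins above this hunk, so a pod-level `securityContext` may already cover part of this.

```yaml
        - name: kubernetes-mcp
          # … unchanged: image, args, ports, probes …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
          # … unchanged: resources; repeat the same block under flux-mcp …
```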
@@ -66,3 +66,32 @@ clusterAccess: none
 # Name of existing Secret containing env vars (GITHUB_TOKEN, VNC_PASSWORD, etc.)
 # Defaults to: devcontainer-{name}-secrets-env
 envSecretName: ""
+
+# MCP server sidecars — run alongside the devcontainer to inherit pod RBAC.
+mcpSidecars:
+ kubernetes:
+ enabled: true
+ image:
+ repository: quay.io/containers/kubernetes_mcp_server
+ tag: latest
+ port: 8080
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "50m"
+ limits:
+ memory: "256Mi"
+ cpu: "500m"
+ flux:
+ enabled: true
+ image:
+ repository: ghcr.io/controlplaneio-fluxcd/flux-operator-mcp
+ tag: latest
+ port: 8081
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "50m"
+ limits:
+ memory: "256Mi"
+ cpu: "500m"
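Review bot: Both sidecar images in `chart/values.yaml` default to `tag: latest`, so a pod restart can pull a different build of a container that runs with the pod's ServiceAccount token. Pin each to a released version or, better, an image digest, e.g. `tag: "<PINNED_VERSION>"`. Both sidecars also default to `enabled: true`, which switches on a cluster-API-facing endpoint for every existing install on upgrade; `enabled: false` would make that an explicit opt-in. The comment above `mcpSidecars` could add that the sidecars act with whatever RBAC the pod's ServiceAccount holds.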