Extend helm to support port remap and extraFlags

mjudeikis · mjudeikis · commit 2a647102b220 · 2026-02-06T09:55:44.000+02:00
diff --git a/Dockerfile b/Dockerfile
@@ -10,6 +10,6 @@ LABEL io.modelcontextprotocol.server.name="io.github.containers/kubernetes-mcp-s
 WORKDIR /app
 COPY --from=builder /app/kubernetes-mcp-server /app/kubernetes-mcp-server
 USER 65532:65532
-ENTRYPOINT ["/app/kubernetes-mcp-server", "--port", "8080"]
+ENTRYPOINT ["/app/kubernetes-mcp-server"]
 
 EXPOSE 8080
diff --git a/charts/kubernetes-mcp-server/README.md b/charts/kubernetes-mcp-server/README.md
@@ -1,8 +1,6 @@
 # kubernetes-mcp-server
 
-
-
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) 
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square)
 
 Helm Chart for the Kubernetes MCP Server
 
@@ -15,15 +13,11 @@ Helm Chart for the Kubernetes MCP Server
 | Andrew Block | <ablock@redhat.com> |  |
 | Marc Nuri | <marc.nuri@redhat.com> |  |
 
-
-
-
-
 ## Installing the Chart
 
 The Chart can be installed quickly and easily to a Kubernetes cluster. Since an _Ingress_ is added as part of the default install of the Chart, the `ingress.host` Value must be specified.
 
-Install the Chart using the following command from the root of this directory: 
+Install the Chart using the following command from the root of this directory:
 
 ```shell
 helm upgrade -i -n kubernetes-mcp-server --create-namespace kubernetes-mcp-server oci://ghcr.io/containers/charts/kubernetes-mcp-server --set ingress.host=<hostname>
@@ -82,6 +76,7 @@ Each container accepts any valid Kubernetes container field including `image`, `
 | configFilePath | string | `"/etc/kubernetes-mcp-server/config.toml"` |  |
 | defaultPodSecurityContext | object | `{"seccompProfile":{"type":"RuntimeDefault"}}` | Default Security Context for the Pod when one is not provided |
 | defaultSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"runAsNonRoot":true}` | Default Security Context for the Container when one is not provided |
+| extraArgs | list | `[]` | Useful for passing TLS keys or other configuration options. |
 | extraContainers | list | `[]` | Each container is defined as a complete container spec. |
 | extraVolumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition. |
 | extraVolumes | list | `[]` | Additional volumes on the output Deployment definition. |
@@ -92,6 +87,24 @@ Each container accepts any valid Kubernetes container field including `image`, `
 | imagePullSecrets | list | `[]` | This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
 | ingress | object | `{"annotations":{},"className":"","enabled":true,"host":"","hosts":null,"path":"/","pathType":"ImplementationSpecific","termination":"edge","tls":null}` | This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/ |
 | livenessProbe | object | `{"httpGet":{"path":"/healthz","port":"http"}}` | Liveness and readiness probes for the container. |
+| metrics | object | `{"prometheusRule":{"additionalRules":[],"annotations":{},"defaultRules":{"enabled":true},"enabled":false,"labels":{}},"serviceMonitor":{"annotations":{},"enabled":false,"interval":"","labels":{},"metricRelabelings":[],"relabelings":[],"scheme":"","scrapeTimeout":"","tlsConfig":{}}}` | Metrics and monitoring configuration |
+| metrics.prometheusRule | object | `{"additionalRules":[],"annotations":{},"defaultRules":{"enabled":true},"enabled":false,"labels":{}}` | PrometheusRule configuration for recording rules Recording rules aggregate high-cardinality metrics for efficient querying and Telemeter compatibility |
+| metrics.prometheusRule.additionalRules | list | `[]` | Additional custom recording rules (appended to default rules if enabled) Example: additionalRules:   - name: custom-mcp-rules     rules:       - record: my_custom_metric         expr: sum(some_metric) |
+| metrics.prometheusRule.annotations | object | `{}` | Annotations for the PrometheusRule |
+| metrics.prometheusRule.defaultRules | object | `{"enabled":true}` | Default recording rules configuration |
+| metrics.prometheusRule.defaultRules.enabled | bool | `true` | Enable default recording rules that aggregate MCP metrics These rules create aggregates at two levels:  Cluster-level (for Telemeter): - cluster:mcp_tool_calls:sum - Total tool calls across all tools - cluster:mcp_tool_errors:sum - Total tool errors across all tools - cluster:mcp_tool_error_rate:ratio - Error rate (errors/calls) - cluster:mcp_http_requests:sum - Total HTTP requests - cluster:mcp_http_requests_by_status:sum - HTTP requests by status class - cluster:mcp_server_info:count - Server instance count  Namespace-level (for multi-tenant RBAC, grouped by k8s_namespace_name label): - namespace:mcp_tool_calls:sum - Tool calls by k8s_namespace_name - namespace:mcp_tool_errors:sum - Tool errors by k8s_namespace_name - namespace:mcp_tool_error_rate:ratio - Error rate by k8s_namespace_name - namespace:mcp_http_requests:sum - HTTP requests by k8s_namespace_name |
+| metrics.prometheusRule.enabled | bool | `false` | Enable PrometheusRule for recording rules |
+| metrics.prometheusRule.labels | object | `{}` | Additional labels for the PrometheusRule |
+| metrics.serviceMonitor | object | `{"annotations":{},"enabled":false,"interval":"","labels":{},"metricRelabelings":[],"relabelings":[],"scheme":"","scrapeTimeout":"","tlsConfig":{}}` | ServiceMonitor configuration for Prometheus Operator monitoring |
+| metrics.serviceMonitor.annotations | object | `{}` | Annotations for the ServiceMonitor |
+| metrics.serviceMonitor.enabled | bool | `false` | Enable ServiceMonitor for Prometheus scraping |
+| metrics.serviceMonitor.interval | string | `""` | Scrape interval (e.g., "30s", "1m") |
+| metrics.serviceMonitor.labels | object | `{}` | Additional labels for the ServiceMonitor (useful for prometheus-operator serviceMonitorSelector) |
+| metrics.serviceMonitor.metricRelabelings | list | `[]` | Metric relabeling rules |
+| metrics.serviceMonitor.relabelings | list | `[]` | Relabeling rules for metrics |
+| metrics.serviceMonitor.scheme | string | `""` | Scheme to use for scraping (http or https) |
+| metrics.serviceMonitor.scrapeTimeout | string | `""` | Scrape timeout (e.g., "10s") |
+| metrics.serviceMonitor.tlsConfig | object | `{}` | TLS configuration for scraping |
 | nameOverride | string | `""` |  |
 | nodeSelector | object | `{}` |  |
 | openshift | bool | `false` | Enable OpenShift specific features |
@@ -109,8 +122,10 @@ Each container accepts any valid Kubernetes container field including `image`, `
 | replicaCount | int | `1` | This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ |
 | resources | object | `{"limits":{"cpu":"100m","memory":"128Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Resource requests and limits for the container. |
 | securityContext | object | `{}` | Define the Security Context for the Container |
-| service | object | `{"port":8080,"type":"ClusterIP"}` | This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/ |
+| service | object | `{"annotations":{},"port":8080,"targetPort":"http","type":"ClusterIP"}` | This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/ |
+| service.annotations | object | `{}` | Annotations to add to the service |
 | service.port | int | `8080` | This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports |
+| service.targetPort | string | `"http"` | Use this to remap the service port to a different container port. |
 | service.type | string | `"ClusterIP"` | This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
 | serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/ |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
@@ -120,7 +135,7 @@ Each container accepts any valid Kubernetes container field including `image`, `
 
 ## Updating the README
 
-The contents of the README.md file is generated using [helm-docs](https://github.com/norwoodj/helm-docs). Whenever changes are introduced to the Chart and its _Values_, the documentation should be regenerated. 
+The contents of the README.md file is generated using [helm-docs](https://github.com/norwoodj/helm-docs). Whenever changes are introduced to the Chart and its _Values_, the documentation should be regenerated.
 
 Execute the following command to regenerate the documentation from within the Helm Chart directory.
 
diff --git a/charts/kubernetes-mcp-server/templates/deployment.yaml b/charts/kubernetes-mcp-server/templates/deployment.yaml
@@ -43,6 +43,9 @@ spec:
           args:
             - "--config"
             - "{{ .Values.configFilePath }}"
+          {{- with .Values.extraArgs }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           env:
             - name: POD_NAMESPACE
               valueFrom:
diff --git a/charts/kubernetes-mcp-server/templates/service.yaml b/charts/kubernetes-mcp-server/templates/service.yaml
@@ -5,11 +5,15 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "kubernetes-mcp-server.labels" . | nindent 4 }}
+  {{- with .Values.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   type: {{ .Values.service.type }}
   ports:
     - port: {{ .Values.service.port }}
-      targetPort: http
+      targetPort: {{ .Values.service.targetPort | default "http" }}
       protocol: TCP
       name: http
   selector:
diff --git a/charts/kubernetes-mcp-server/values.yaml b/charts/kubernetes-mcp-server/values.yaml
@@ -118,6 +118,11 @@ service:
   type: ClusterIP
   # -- This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
   port: 8080
+  # -- This sets the target port on the pod. Defaults to "http" (the container port name).
+  # -- Use this to remap the service port to a different container port.
+  targetPort: http
+  # -- Annotations to add to the service
+  annotations: {}
 
 # -- This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/
 ingress:
@@ -164,6 +169,12 @@ extraVolumeMounts: []
 #   mountPath: "/etc/foo"
 #   readOnly: true
 
+# -- Extra arguments to pass to the kubernetes-mcp-server command line.
+# -- Useful for passing TLS keys or other configuration options.
+extraArgs: []
+# - "--tls-cert=/etc/tls/tls.crt"
+# - "--tls-key=/etc/tls/tls.key"
+
 # -- Additional containers to add to the pod (sidecars).
 # -- Each container is defined as a complete container spec.
 extraContainers: []
diff --git a/pkg/config/config_default.go b/pkg/config/config_default.go
@@ -10,6 +10,7 @@ func Default() *StaticConfig {
 	defaultConfig := StaticConfig{
 		ListOutput: "table",
 		Toolsets:   []string{"core", "config", "helm"},
+		Port:       "8080",
 	}
 	overrides := defaultOverrides()
 	mergedConfig := mergeConfig(defaultConfig, overrides)
diff --git a/pkg/http/http.go b/pkg/http/http.go
@@ -4,9 +4,12 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"io"
+	"log"
 	"net/http"
 	"os"
 	"os/signal"
+	"strings"
 	"syscall"
 	"time"
 
@@ -18,6 +21,21 @@ import (
 	"github.com/containers/kubernetes-mcp-server/pkg/mcp"
 )
 
+// tlsErrorFilterWriter filters out noisy TLS handshake errors from health checks
+type tlsErrorFilterWriter struct {
+	underlying io.Writer
+}
+
+func (w *tlsErrorFilterWriter) Write(p []byte) (n int, err error) {
+	msg := string(p)
+	// Filter out TLS handshake EOF errors - these are typically from
+	// load balancer health checks that just do TCP connects
+	if strings.Contains(msg, "TLS handshake error") && strings.Contains(msg, "EOF") {
+		return len(p), nil // Silently discard
+	}
+	return w.underlying.Write(p)
+}
+
 const (
 	healthEndpoint     = "/healthz"
 	statsEndpoint      = "/stats"
@@ -87,9 +105,14 @@ func Serve(ctx context.Context, mcpServer *mcp.Server, staticConfig *config.Stat
 	// Wrap with metrics middleware
 	instrumentedHandler := metricsMiddleware(wrappedMux, mcpServer)
 
+	// Use a custom error logger to filter out noisy TLS handshake errors
+	// from load balancer health checks
+	errorLog := log.New(&tlsErrorFilterWriter{underlying: os.Stderr}, "", 0)
+
 	httpServer := &http.Server{
-		Addr:    ":" + staticConfig.Port,
-		Handler: instrumentedHandler,
+		Addr:     ":" + staticConfig.Port,
+		Handler:  instrumentedHandler,
+		ErrorLog: errorLog,
 	}
 
 	sseServer := mcpServer.ServeSse()

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@ func Default() *StaticConfig {`
`10`	`10`	`defaultConfig := StaticConfig{`
`11`	`11`	`ListOutput: "table",`
`12`	`12`	`Toolsets: []string{"core", "config", "helm"},`
	`13`	`+ Port: "8080",`
`13`	`14`	`}`
`14`	`15`	`overrides := defaultOverrides()`
`15`	`16`	`mergedConfig := mergeConfig(defaultConfig, overrides)`