Adding new Sysdig MCP helm chart and updated release workflows

Signed-off-by: S3B4SZ17 <sebastian.zumbado@sysdig.com>

Author: S3B4SZ17

.github/workflows/publish.yaml

@@ -6,6 +6,11 @@ on:
       - main
     paths:
       - pyproject.toml
+      - Dockerfile
+      - *.py
+      - tests/**
+      - tools/**
+      - utils/**
   workflow_dispatch:
     inputs:
       version:
@@ -15,13 +20,24 @@ on:
         type: string
 
 jobs:
+  tests:
+    permissions:
+      checks: write
+      pull-requests: write
+      contents: write
+    uses: ./.github/workflows/test.yaml
+    secrets: inherit
   push_to_registry:
     name: Push Docker image to GitHub Packages
     runs-on: ubuntu-latest
+    needs: tests
     permissions:
       contents: read # required for actions/checkout
       packages: write # required for pushing to ghcr.io
       id-token: write # required for signing with cosign
+    outputs:
+      version: ${{ steps.extract_version.outputs.VERSION }}
+      tag: ${{ steps.extract_version.outputs.TAG }}
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
@@ -31,6 +47,8 @@ jobs:
         run: |
           VERSION=$(grep 'version =' pyproject.toml | sed -e 's/version = "\(.*\)"/\1/')-$(echo $GITHUB_SHA | cut -c1-7)
           echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"
+          TAG=v$(grep 'version =' pyproject.toml | sed -e 's/version = "\(.*\)"/\1/')
+          echo "TAG=$TAG" >> "$GITHUB_OUTPUT"
 
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@v3
@@ -61,3 +79,29 @@ jobs:
             ghcr.io/sysdiglabs/sysdig-mcp-server:v${{ steps.extract_version.outputs.VERSION }}
           DIGEST: ${{ steps.build-and-push.outputs.digest }}
         run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+
+  tag_release:
+    name: Tag Release
+    runs-on: ubuntu-latest
+    needs: push_to_registry
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      - name: Get tag version
+        id: semantic_release
+        uses: anothrNick/github-tag-action@1.73.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DEFAULT_BUMP: "patch"
+          TAG_CONTEXT: ${{ (github.base_ref != 'main') && 'branch' || 'repo' }}
+          PRERELEASE_SUFFIX: "beta"
+          PRERELEASE: ${{ (github.base_ref != 'main') && 'true' || 'false' }}
+          DRY_RUN: false
+          INITIAL_VERSION: ${{ needs.push_to_registry.outputs.tag }}
+
+      - name: Summary
+        run: |
+          echo "## Release Summary
+          - Tag: ${{ steps.semantic_release.outputs.tag }}
+          - Docker Image: ghcr.io/sysdiglabs/sysdig-mcp-server:v${{ needs.push_to_registry.outputs.version }}" >> $GITHUB_STEP_SUMMARY

.github/workflows/test.yaml

@@ -4,7 +4,26 @@ on:
   push:
     branches:
       - main
+      - develop
+      - feature/**
+      - release/**
+      - hotfix/**
+    paths:
+      - pyproject.toml
+      - Dockerfile
+      - *.py
+      - tests/**
+      - tools/**
+      - utils/**
   pull_request:
+    paths:
+      - pyproject.toml
+      - Dockerfile
+      - *.py
+      - tests/**
+      - tools/**
+      - utils/**
+  workflow_call:
 
 jobs:
   test:
@@ -34,3 +53,52 @@ jobs:
 
       - name: Run Unit Tests
         run: make test
+
+  pre_release:
+    name: Tag Release
+    runs-on: ubuntu-latest
+    needs: test
+    permissions:
+      contents: write # required for creating a tag
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.head_ref }}   # checkout the correct branch name
+          fetch-depth: 0   
+
+      - name: Extract current version
+        id: pyproject_version
+        run: |
+          TAG=v$(grep 'version =' pyproject.toml | sed -e 's/version = "\(.*\)"/\1/')
+          echo "TAG=$TAG" >> "$GITHUB_OUTPUT"
+
+      - name: Get tag version
+        id: semantic_release
+        uses: anothrNick/github-tag-action@1.73.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DEFAULT_BUMP: "patch"
+          TAG_CONTEXT: ${{ (github.base_ref != 'main') && 'branch' || 'repo' }}
+          PRERELEASE_SUFFIX: "beta"
+          PRERELEASE: ${{ (github.base_ref != 'main') && 'true' || 'false' }}
+          DRY_RUN: true
+          INITIAL_VERSION: ${{ steps.pyproject_version.outputs.TAG }}
+
+      - name: Compare versions
+        run: |
+          echo "Current version: ${{ steps.pyproject_version.outputs.TAG }}"
+          echo "New version: ${{ steps.semantic_release.outputs.tag }}"
+          if [ "${{ steps.pyproject_version.outputs.TAG }}" != "${{ steps.semantic_release.outputs.tag }}" ]; then
+            echo "### Version mismatch detected! :warning:
+            Current pyproject version: ${{ steps.pyproject_version.outputs.TAG }}
+            New Tag version: **${{ steps.semantic_release.outputs.tag }}**
+            Current Tag: ${{ steps.semantic_release.outputs.old_tag }}
+            Please update the version in pyproject.toml." >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "### Version match confirmed! :rocket:
+            Current pyproject version: ${{ steps.pyproject_version.outputs.TAG }}
+            New Tag version: **${{ steps.semantic_release.outputs.tag }}**
+            The version is up-to-date." >> $GITHUB_STEP_SUMMARY
+          fi

README.md

@@ -1,5 +1,26 @@
 # MCP Server
 
+## Table of contents
+
+- [MCP Server](#mcp-server)
+  - [Table of contents](#table-of-contents)
+  - [Description](#description)
+  - [Available Tools](#available-tools)
+  - [Requirements](#requirements)
+    - [UV Setup](#uv-setup)
+  - [Configuration](#configuration)
+    - [`app_config.yaml`](#app_configyaml)
+    - [Environment Variables](#environment-variables)
+  - [Running the Server](#running-the-server)
+    - [Docker](#docker)
+    - [K8s Deployment](#k8s-deployment)
+    - [UV](#uv)
+  - [Client Configuration](#client-configuration)
+    - [Authentication](#authentication)
+    - [URL](#url)
+    - [Claude Desktop App](#claude-desktop-app)
+    - [MCP Inspector](#mcp-inspector)
+
 ## Description
 
 This is an implementation of an [MCP (Model Context Protocol) Server](https://modelcontextprotocol.io/quickstart/server) to allow different LLMs to query information from Sysdig Secure platform. **It is still in early development and not yet ready for production use.** New endpoints and functionalities will be added over time. The goal is to provide a simple and easy-to-use interface for querying information from Sysdig Secure platform using LLMs.
@@ -73,10 +94,6 @@ source .venv/bin/activate
 
 This will create a virtual environment using `uv` and install the required dependencies.
 
-### Sysdig SDK
-
-You will need the Sysdig-SDK. You can find it in the `build` directory as a `.tar.gz` file that will be used by UV to install the package.
-
 ## Configuration
 
 The application can be configured via the `app_config.yaml` file and environment variables.
@@ -105,9 +122,11 @@ You can set these variables in your shell or in a `.env` file.
 
 You can also use `MCP_TRANSPORT` to override the transport protocol set in `app_config.yaml`.
 
+> All of this env variables have precedence over the fields configured in the app_config.yaml.
+
 ## Running the Server
 
-You can run the MCP server using either Docker or `uv`.
+You can run the MCP server using either Docker, `uv` or install it in your K8s cluster with helm.
 
 ### Docker
 
@@ -129,6 +148,51 @@ By default, the server will run using the `stdio` transport. To use the `streama
 docker run -e MCP_TRANSPORT=streamable-http -e SYSDIG_HOST=<your_sysdig_host> -e SYSDIG_SECURE_TOKEN=<your_sysdig_secure_api_token> -p 8080:8080 sysdig-mcp-server
 ```
 
+### K8s Deployment
+
+If you want to run the Sysdig MCP server in a K8s cluster you can use the helm chart provided in the `charts/sysdig-mcp` path
+
+Modify the `values.yaml`
+
+```yaml
+# Example values.yaml
+---
+sysdig:
+  secrets:
+    create: true
+    # If enabled, the secrets will be mounted as environment variables
+    secureAPIToken: "<your_sysdig_secure_api_token>"
+  mcp:
+    transport: "streamable-http"
+  # You can set the Sysdig Tenant URL at this level or below in the app_config configmap
+  host: "https://us2.app.sysdig.com" # <your_sysdig_host> "https://eu1.app.sysdig.com"
+
+configMap:
+  enabled: true
+  app_config: |
+    # Sysdig MCP Server Configuration
+    # This file is used to configure the Sysdig MCP server.
+    # You can add your custom configuration here.
+    app:
+      host: "0.0.0.0"
+      port: 8080
+      log_level: "error"
+
+    sysdig:
+      host: "https://us2.app.sysdig.com" # <your_sysdig_host> "https://eu1.app.sysdig.com"
+
+    mcp:
+      transport: streamable-http
+      host: "0.0.0.0"
+      port: 8080
+```
+
+Install the chart
+
+```bash,copy
+helm upgrade --install sysdig-mcp ./charts/sysdig-mcp/ -n sysdig-mcp -f charts/sysdig-mcp/values.yaml
+```
+
 ### UV
 
 To run the server using `uv`, first set up the environment as described in the [UV Setup](#uv-setup) section. Then, run the `main.py` script:
@@ -233,3 +297,11 @@ For the Claude Desktop app, you can manually configure the MCP server by editing
     - Replace `<path_to_your_sysdig_mcp_server_directory>` with the absolute path to the `sysdig-mcp-server` directory.
 
 4. **Save the file** and restart the Claude Desktop app for the changes to take effect.
+
+### MCP Inspector
+
+1. Run the [MCP Inspector](https://modelcontextprotocol.io/docs/tools/inspector) locally
+2. Select the transport type and have the Sysdig MCP server running accordingly.
+3. Pass the Authorization header if using "streamable-http" or the SYSDIG_SECURE_API_TOKEN env var if using "stdio"
+
+![mcp-inspector](./docs/assets/mcp-inspector.png)

charts/sysdig-mcp/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/sysdig-mcp/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: sysdig-mcp
+description: A Helm chart to deploy the Sysdig MCP server
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.1"

charts/sysdig-mcp/templates/NOTES.txt

@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "sysdig-mcp.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "sysdig-mcp.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "sysdig-mcp.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "sysdig-mcp.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}