|
| 1 | +--- |
| 2 | +hip: "0028" |
| 3 | +title: "Add MCP Server to Helm CLI" |
| 4 | +authors: [ "nick powell <[email protected]>" ] |
| 5 | +created: "2025-09-03" |
| 6 | +type: "feature" |
| 7 | +status: "draft" |
| 8 | +--- |
| 9 | + |
| 10 | +## Abstract |
| 11 | + |
| 12 | +This HIP proposes adding Model Context Protocol (MCP) server support to the Helm CLI using the Ophis library. By integrating Ophis into Helm, we enable AI assistants to execute read-only Helm commands safely, improving the developer experience for users who work with AI-powered development environments. |
| 13 | + |
| 14 | +At a high level, this HIP proposes the following: |
| 15 | +- Ability for Helm operators to expose read-only Helm commands through MCP |
| 16 | +- Integration with AI assistants (Claude Desktop, VS Code Copilot) via MCP protocol |
| 17 | +- Safety-first approach with explicit filtering of allowed commands |
| 18 | +- Zero impact on existing Helm functionality (fully opt-in feature) |
| 19 | + |
| 20 | +## Motivation |
| 21 | + |
| 22 | +The driving motivator here is to allow developers using AI assistants to interact with Helm in a safe, structured manner through the Model Context Protocol (MCP). |
| 23 | + |
| 24 | +Today, to accomplish AI-assisted Helm operations, there are currently limited options: manually copying and pasting command outputs, using screen sharing, or building custom integrations. The existing approaches are tedious and inefficient for developers who increasingly rely on AI assistants in their workflow. Helm, as a package manager, should provide built-in mechanisms for AI assistant integration, reducing reliance on manual workarounds. This will significantly improve the developer experience. |
| 25 | + |
| 26 | +## Specification |
| 27 | + |
| 28 | +At a high level, allow Helm operators to expose a subset of Helm commands through the Model Context Protocol, enabling AI assistants to query Helm state and search for charts without the ability to modify cluster resources. |
| 29 | + |
| 30 | +### MCP Command Tree |
| 31 | + |
| 32 | +The integration adds the following command hierarchy under `helm mcp`: |
| 33 | + |
| 34 | +``` |
| 35 | +helm mcp |
| 36 | +├── start # Start MCP server on stdio |
| 37 | +├── tools # Export available MCP tools as JSON |
| 38 | +├── claude # Claude Desktop integration |
| 39 | +│ ├── enable # Enable Helm MCP in Claude Desktop |
| 40 | +│ ├── disable # Disable Helm MCP in Claude Desktop |
| 41 | +│ └── list # List MCP configurations in Claude Desktop |
| 42 | +└── vscode # VS Code integration |
| 43 | + ├── enable # Enable Helm MCP in VS Code |
| 44 | + ├── disable # Disable Helm MCP in VS Code |
| 45 | + └── list # List MCP configurations in VS Code |
| 46 | +``` |
| 47 | + |
| 48 | +### Command Filtering |
| 49 | + |
| 50 | +The MCP integration uses Ophis's filtering mechanism to control which commands are exposed: |
| 51 | + |
| 52 | +**Allowed Commands** (explicitly included via allow list): |
| 53 | +- `list` - List releases in a namespace |
| 54 | +- `status` - Display the status of a named release |
| 55 | +- `get` - Download extended information of a named release |
| 56 | +- `history` - Fetch release history |
| 57 | +- `show` - Show information of a chart |
| 58 | + |
| 59 | +### Implementation |
| 60 | + |
| 61 | +[PR #31221](https://github.com/helm/helm/pull/31221) |
| 62 | + |
| 63 | +The implementation uses [Ophis](https://github.com/njayp/ophis), a Go library that automatically converts Cobra CLI commands into MCP servers. The integration is added to `pkg/cmd/root.go`: |
| 64 | + |
| 65 | +```go |
| 66 | +// add mcp server commands |
| 67 | +rootCmd.AddCommand( |
| 68 | + ophis.Command(&ophis.Config{ |
| 69 | + GeneratorOptions: []tools.GeneratorOption{ |
| 70 | + tools.WithFilters(tools.Allow([]string{ |
| 71 | + "list", |
| 72 | + "status", |
| 73 | + "get", |
| 74 | + "history", |
| 75 | + "show", |
| 76 | + })), |
| 77 | + }, |
| 78 | + }), |
| 79 | +) |
| 80 | +``` |
| 81 | + |
| 82 | +### Available MCP Tools |
| 83 | + |
| 84 | +Once enabled, AI assistants will have access to the following Helm operations as MCP tools: |
| 85 | + |
| 86 | +| Tool Name | Helm Command | Description | |
| 87 | +|-----------|--------------|-------------| |
| 88 | +| `helm_list` | `helm list` | List releases in current namespace | |
| 89 | +| `helm_status` | `helm status` | Show the status of a named release | |
| 90 | +| `helm_history` | `helm history` | Fetch release history | |
| 91 | +| `helm_get_all` | `helm get all` | Download all information for a named release | |
| 92 | +| `helm_get_hooks` | `helm get hooks` | Download hooks for a named release | |
| 93 | +| `helm_get_manifest` | `helm get manifest` | Download the manifest for a named release | |
| 94 | +| `helm_get_metadata` | `helm get metadata` | Download metadata for a named release | |
| 95 | +| `helm_get_notes` | `helm get notes` | Download notes for a named release | |
| 96 | +| `helm_get_values` | `helm get values` | Download values for a named release | |
| 97 | +| `helm_show_all` | `helm show all` | Show all information of a chart | |
| 98 | +| `helm_show_chart` | `helm show chart` | Show the chart's metadata | |
| 99 | +| `helm_show_crds` | `helm show crds` | Show the chart's CRDs | |
| 100 | +| `helm_show_readme` | `helm show readme` | Show the chart's README | |
| 101 | +| `helm_show_values` | `helm show values` | Show the chart's default values | |
| 102 | + |
| 103 | +The complete tool definitions with their schemas can be exported by running `helm mcp tools`. |
| 104 | + |
| 105 | +## Backwards compatibility |
| 106 | + |
| 107 | +Heim will continue to function exactly as before for users who do not enable MCP support. The MCP feature is entirely opt-in and does not modify any existing Helm commands or behaviors. |
| 108 | + |
| 109 | +## Security implications |
| 110 | + |
| 111 | +The MCP integration is designed with security as a primary concern: |
| 112 | + |
| 113 | +1. **Read-only Operations**: Only read operations are exposed through MCP. Commands that modify state are excluded by the allow list. |
| 114 | +2. **No Credential Exposure**: The MCP server does not expose or transmit credentials. It uses the existing Helm configuration and kubeconfig. |
| 115 | +3. **Opt-in Model**: Users must explicitly enable MCP support. |
| 116 | +4. **Local Execution**: MCP servers run locally and communicate over stdio, not network ports. |
| 117 | + |
| 118 | +## How to teach this |
| 119 | + |
| 120 | +- Provide a quick start guide showing how to enable MCP in Claude Desktop or VS Code |
| 121 | +- Include examples demonstrating AI-assisted Helm workflows |
| 122 | + |
| 123 | +### Example Usage |
| 124 | + |
| 125 | +```bash |
| 126 | +# Enable for Claude Desktop |
| 127 | +helm mcp claude enable |
| 128 | +``` |
| 129 | +```bash |
| 130 | +# Enable for VS Code |
| 131 | +helm mcp vscode enable |
| 132 | +``` |
| 133 | + |
| 134 | +Users can then ask their AI assistant: |
| 135 | +- "What Helm releases are currently deployed?" |
| 136 | +- "Show me the values used for the nginx release" |
| 137 | +- "What changes were made in the last upgrade of my application?" |
| 138 | + |
| 139 | +The AI assistant will execute the appropriate Helm commands and provide formatted responses. |
| 140 | + |
| 141 | +## Open issues |
| 142 | + |
| 143 | +### Command Granularity |
| 144 | +Should subcommands be filtered more granularly? For example, allowing `helm repo list` but not `helm repo add`? |
| 145 | + |
| 146 | +### Upgrade Path |
| 147 | +Version handoff using upgrade methods like `brew` should be explored |
0 commit comments