feat: Updating docs and k8s related resources

Signed-off-by: S3B4SZ17 <[email protected]>

Author: S3B4SZ17

.github/workflows/helm_test.yaml

@@ -57,10 +57,10 @@ jobs:
       run: ct lint --target-branch ${{ github.event.repository.default_branch }} --chart-dirs charts
 
     - name: Create kind cluster
-      if: steps.list-changed.outputs.changed == 'true'
+      if: steps.list-changed.outputs.changed == 'true' && github.event_name != 'pull_request'
       uses: helm/[email protected]
 
     - name: Run chart-testing (install)
-      if: steps.list-changed.outputs.changed == 'true'
+      if: steps.list-changed.outputs.changed == 'true' && github.event_name != 'pull_request'
       run: |
           ct install --target-branch ${{ github.event.repository.default_branch }} --chart-dirs charts

Dockerfile

@@ -29,7 +29,6 @@ WORKDIR /app
 RUN apt update && apt install -y git
 # Copy the application from the builder
 COPY --from=builder --chown=app:app /tmp/sysdig_mcp_server.tar.gz /app
-COPY --from=builder --chown=app:app /app/app_config.yaml /app
 
 RUN pip install /app/sysdig_mcp_server.tar.gz
 

README.md

@@ -17,7 +17,6 @@
   - [Requirements](#requirements)
     - [UV Setup](#uv-setup)
   - [Configuration](#configuration)
-    - [Environment Variables](#environment-variables)
   - [Running the Server](#running-the-server)
     - [Docker](#docker)
     - [K8s Deployment](#k8s-deployment)
@@ -27,6 +26,7 @@
     - [URL](#url)
     - [Claude Desktop App](#claude-desktop-app)
     - [MCP Inspector](#mcp-inspector)
+    - [Goose Agent](#goose-agent)
 
 ## Description
 
@@ -65,17 +65,17 @@ Get up and running with the Sysdig MCP Server quickly using our pre-built Docker
                 "-i",
                 "--rm",
                 "-e",
-                "SYSDIG_HOST",
+                "SYSDIG_MCP_API_HOST",
                 "-e",
-                "MCP_TRANSPORT",
+                "SYSDIG_MCP_TRANSPORT",
                 "-e",
-                "SYSDIG_SECURE_TOKEN",
+                "SYSDIG_MCP_API_SECURE_TOKEN",
                 "ghcr.io/sysdiglabs/sysdig-mcp-server:latest"
             ],
             "env": {
-              "SYSDIG_HOST": "<your_sysdig_host>",
-              "SYSDIG_SECURE_TOKEN": "<your_sysdig_secure_api_token>",
-              "MCP_TRANSPORT": "stdio"
+              "SYSDIG_MCP_API_HOST": "<your_sysdig_host>",
+              "SYSDIG_MCP_API_SECURE_TOKEN": "<your_sysdig_secure_api_token>",
+              "SYSDIG_MCP_TRANSPORT": "stdio"
             }
           }
         }
@@ -167,14 +167,14 @@ This will create a virtual environment using `uv` and install the required depen
 
 The following environment variables are **required** for configuring the Sysdig SDK:
 
-- `SYSDIG_HOST`: The URL of your Sysdig Secure instance (e.g., `https://us2.app.sysdig.com`).
-- `SYSDIG_SECURE_TOKEN`: Your Sysdig Secure API token.
+- `SYSDIG_MCP_API_HOST`: The URL of your Sysdig Secure instance (e.g., `https://us2.app.sysdig.com`).
+- `SYSDIG_MCP_API_SECURE_TOKEN`: Your Sysdig Secure API token.
 
 You can also set the following variables to override the default configuration:
 
-- `MCP_TRANSPORT`: The transport protocol for the MCP Server (`stdio`, `streamable-http`, `sse`). Defaults to: `stdio`.
-- `MCP_MOUNT_PATH`:  The URL prefix for the Streamable-http/sse deployment. Defaults to: `/sysdig-mcp-server`
-- `LOGLEVEL`: Log Level of the application (`DEBUG`, `INFO`, `WARNING`, `ERROR`). Defaults to: `INFO`
+- `SYSDIG_MCP_TRANSPORT`: The transport protocol for the MCP Server (`stdio`, `streamable-http`, `sse`). Defaults to: `stdio`.
+- `SYSDIG_MCP_MOUNT_PATH`:  The URL prefix for the Streamable-http/sse deployment. Defaults to: `/sysdig-mcp-server`
+- `SYSDIG_MCP_LOGLEVEL`: Log Level of the application (`DEBUG`, `INFO`, `WARNING`, `ERROR`). Defaults to: `INFO`
 - `SYSDIG_MCP_LISTENING_PORT`: The port for the server when it is deployed using remote protocols (`steamable-http`, `sse`). Defaults to: `8080`
 - `SYSDIG_MCP_LISTENING_HOST`: The host for the server when it is deployed using remote protocols (`steamable-http`, `sse`). Defaults to: `localhost`
 
@@ -203,7 +203,7 @@ Then, you can run the container, making sure to pass the required environment va
 docker run -e SYSDIG_HOST=<your_sysdig_host> -e SYSDIG_SECURE_TOKEN=<your_sysdig_secure_api_token> -p 8080:8080 sysdig-mcp-server
 ```
 
-By default, the server will run using the `stdio` transport. To use the `streamable-http` or `sse` transports, set the `MCP_TRANSPORT` environment variable to `streamable-http` or `sse`:
+By default, the server will run using the `stdio` transport. To use the `streamable-http` or `sse` transports, set the `SYSDIG_MCP_TRANSPORT` environment variable to `streamable-http` or `sse`:
 
 ```bash
 docker run -e MCP_TRANSPORT=streamable-http -e SYSDIG_HOST=<your_sysdig_host> -e SYSDIG_SECURE_TOKEN=<your_sysdig_secure_api_token> -p 8080:8080 sysdig-mcp-server
@@ -267,7 +267,7 @@ To run the server using `uv`, first set up the environment as described in the [
 uv run main.py
 ```
 
-By default, the server will run using the `stdio` transport. To use the `streamable-http` or `sse` transports, set the `MCP_TRANSPORT` environment variable to `streamable-http` or `sse`:
+By default, the server will run using the `stdio` transport. To use the `streamable-http` or `sse` transports, set the `SYSDIG_MCP_TRANSPORT` environment variable to `streamable-http` or `sse`:
 
 ```bash
 MCP_TRANSPORT=streamable-http uv run main.py
@@ -279,9 +279,9 @@ To use the MCP server with a client like Claude or Cursor, you need to provide t
 
 ### Authentication
 
-When using the `sse` or `streamable-http` transport, the server requires a Bearer token for authentication. The token is passed in the `Authorization` header of the HTTP request.
+When using the `sse` or `streamable-http` transport, the server requires a Bearer token for authentication. The token is passed in the `X-Sysdig-Token` or default to `Authorization` header of the HTTP request (i.e `Bearer SYSDIG_SECURE_API_TOKEN`).
 
-Additionally, you can specify the Sysdig Secure host by providing the `X-Sysdig-Host` header. If this header is not present, the server will use the value from the env variable.
+Additionally, you can specify the Sysdig Secure host by providing the `X-Sysdig-Host` header. If this header is not present, the server will use the value from the env variable `SYSDIG_MCP_API_HOST`.
 
 Example headers:
 
@@ -319,9 +319,9 @@ For the Claude Desktop app, you can manually configure the MCP server by editing
             "main.py"
             ],
           "env": {
-            "SYSDIG_HOST": "<your_sysdig_host>",
-            "SYSDIG_SECURE_TOKEN": "<your_sysdig_secure_api_token>",
-            "MCP_TRANSPORT": "stdio"
+            "SYSDIG_MCP_API_HOST": "<your_sysdig_host>",
+            "SYSDIG_MCP_API_SECURE_TOKEN": "<your_sysdig_secure_api_token>",
+            "SYSDIG_MCP_TRANSPORT": "stdio"
           }
         }
       }
@@ -340,17 +340,17 @@ For the Claude Desktop app, you can manually configure the MCP server by editing
               "-i",
               "--rm",
               "-e",
-              "SYSDIG_HOST",
+              "SYSDIG_MCP_API_HOST",
               "-e",
-              "MCP_TRANSPORT",
+              "SYSDIG_MCP_TRANSPORT",
               "-e",
-              "SYSDIG_SECURE_TOKEN",
+              "SYSDIG_MCP_API_SECURE_TOKEN",
               "ghcr.io/sysdiglabs/sysdig-mcp-server"
           ],
           "env": {
-            "SYSDIG_HOST": "<your_sysdig_host>",
-            "SYSDIG_SECURE_TOKEN": "<your_sysdig_secure_api_token>",
-            "MCP_TRANSPORT": "stdio"
+            "SYSDIG_MCP_API_HOST": "<your_sysdig_host>",
+            "SYSDIG_MCP_API_SECURE_TOKEN": "<your_sysdig_secure_api_token>",
+            "SYSDIG_MCP_TRANSPORT": "stdio"
           }
         }
       }
@@ -371,3 +371,32 @@ For the Claude Desktop app, you can manually configure the MCP server by editing
 3. Pass the Authorization header if using "streamable-http" or the SYSDIG_SECURE_API_TOKEN env var if using "stdio"
 
 ![mcp-inspector](./docs/assets/mcp-inspector.png)
+
+
+### Goose Agent
+
+1. In your terminal run `goose configure` and follow the steps to add the extension (more info on the [goose docs](https://block.github.io/goose/docs/getting-started/using-extensions/)), again could be using docker or uv as shown in the above examples.
+2. Your `~/.config/goose/config.yaml` config file should have one config like this one, check out the env vars
+
+  ```yaml
+  extensions:
+  ...
+    sysdig-mcp-server:
+      args: []
+      bundled: null
+      cmd: sysdig-mcp-server
+      description: Sysdig MCP server
+      enabled: true
+      env_keys:
+      - SYSDIG_MCP_TRANSPORT
+      - SYSDIG_MCP_API_HOST
+      - SYSDIG_MCP_API_SECURE_TOKEN
+      envs:
+        SYSDIG_MCP_TRANSPORT: stdio
+      name: sysdig-mcp-server
+      timeout: 300
+      type: stdio
+  ```
+3. Have fun
+
+![goose_results](./docs/assets/goose_results.png)

charts/sysdig-mcp/Chart.yaml

@@ -20,10 +20,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.3
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.1.3"
+appVersion: "v0.2.0"

charts/sysdig-mcp/templates/configmap.yaml

@@ -37,28 +37,28 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           env:
-          - name: SYSDIG_HOST
+          - name: SYSDIG_MCP_API_HOST
             value: {{ .Values.sysdig.host | quote }}
           {{- if .Values.sysdig.secrets.create }}
-          - name: SYSDIG_SECURE_API_TOKEN
+          - name: SYSDIG_MCP_API_SECURE_TOKEN
             valueFrom:
               secretKeyRef:
                 name: "{{ include "sysdig-mcp.fullname" . }}-sysdig-secrets"
-                key: SYSDIG_SECURE_API_TOKEN
+                key: SYSDIG_MCP_API_SECURE_TOKEN
           {{- end }}
           {{- if .Values.oauth.secrets.create }}
-          - name: MCP_OAUTH_OAUTH_CLIENT_ID
+          - name: SYSDIG_MCP_OAUTH_CLIENT_ID
             valueFrom:
               secretKeyRef:
                 name: "{{ include "sysdig-mcp.fullname" . }}-oauth-secrets"
                 key: clientId
-          - name: MCP_OAUTH_OAUTH_CLIENT_SECRET
+          - name: SYSDIG_MCP_OAUTH_CLIENT_SECRET
             valueFrom:
               secretKeyRef:
                 name: "{{ include "sysdig-mcp.fullname" . }}-oauth-secrets"
                 key: clientSecret
           {{- end }}
-          - name: MCP_TRANSPORT
+          - name: SYSDIG_MCP_TRANSPORT
             value: {{ .Values.sysdig.mcp.transport | quote }}
           ports:
             - name: http
@@ -77,17 +77,10 @@ spec:
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           volumeMounts:
-            - name: config
-              mountPath: "/app/app_config.yaml"
-              subPath: "app_config.yaml"
             {{- with .Values.volumeMounts }}
               {{- toYaml . | nindent 12 }}
             {{- end }}
       volumes:
-        - name: config
-          configMap:
-            # Provide the name of the ConfigMap you want to mount.
-            name: {{ include "sysdig-mcp.fullname" . }}-config
       {{- with .Values.volumes }}
         {{- toYaml . | nindent 8 }}
       {{- end }}

charts/sysdig-mcp/templates/deployment.yaml

@@ -8,7 +8,7 @@ metadata:
     release: {{ .Release.Name }}
 type: Opaque
 data:
-  SYSDIG_SECURE_API_TOKEN: {{ .Values.sysdig.secrets.secureAPIToken | b64enc }}
+  SYSDIG_MCP_API_SECURE_TOKEN: {{ .Values.sysdig.secrets.secureAPIToken | b64enc }}
 {{- end }}
 ---
 {{- if .Values.oauth.secrets.create -}}

charts/sysdig-mcp/templates/secrets.yaml

@@ -11,7 +11,6 @@
     }
   },
   "required": [
-    "configMap",
     "sysdig"
   ],
   "$defs": {
@@ -116,26 +115,6 @@
         "secrets"
       ],
       "additionalProperties": false
-    },
-    "AppConfig": {
-      "type": "object",
-      "properties": {
-        "enabled": {
-          "type": "boolean",
-            "description": "Whether to create the application configuration"
-        },
-        "app_config": {
-          "type": [
-            "string",
-            "null"
-          ],
-          "description": "The application configuration in YAML format"
-        }
-      },
-      "required": [
-        "secrets"
-      ],
-      "additionalProperties": false
     }
   }
 }

charts/sysdig-mcp/values.schema.json

@@ -8,7 +8,7 @@ image:
   repository: ghcr.io/sysdiglabs/sysdig-mcp-server
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "v0.1.3"
+  tag: "v0.2.0"
 
 imagePullSecrets: []
 nameOverride: ""
@@ -107,28 +107,3 @@ nodeSelector: {}
 tolerations: []
 
 affinity: {}
-
-configMap:
-  enabled: true
-  app_config: |
-    # Sysdig MCP Server Configuration
-    # This file is used to configure the Sysdig MCP server.
-    # You can add your custom configuration here.
-    app:
-      host: "0.0.0.0"
-      port: 8080
-      log_level: "ERROR"
-
-    sysdig:
-      host: "https://us2.app.sysdig.com"
-
-    mcp:
-      transport: streamable-http
-      host: "0.0.0.0"
-      port: 8080
-      allowed_tools:
-      - "events-feed"
-      - "sysdig-cli-scanner" # You need the sysdig-cli-scanner binary installed in your server to use this tool
-      - "vulnerability-management"
-      - "inventory"
-      - "sysdig-sage"