ROX-31487: Add helm chart

.github/workflows/style.yml

@@ -36,3 +36,33 @@ jobs:
         uses: hadolint/[email protected]
         with:
           dockerfile: Dockerfile
+
+      - name: Create ../results directory for SARIF report files
+        shell: bash
+        run: mkdir -p ../results
+
+      - name: Scan Helm with kube-linter
+        uses: stackrox/[email protected]
+        id: kube-linter-helm-scan
+        with:
+          directory: charts/stackrox-mcp
+          format: sarif
+          output-file: ../results/kube-linter.sarif
+        # This allows the following upload-sarif action to still upload the results to your GitHub repo.
+        continue-on-error: true
+
+      - name: Upload SARIF report files to GitHub
+        uses: github/codeql-action/upload-sarif@v4
+
+      # Ensure the workflow eventually fails if files did not pass kube-linter checks.
+      - name: Verify kube-linter-action succeeded
+        shell: bash
+        run: |
+          echo "If this step fails, kube-linter found issues. Check the output of the scan step above."
+          [[ "${{ steps.kube-linter-helm-scan.outcome }}" == "success" ]]
+
+      - name: Set up chart-testing
+        uses: helm/[email protected]
+
+      - name: Run chart-testing (lint)
+        run: ct lint charts/stackrox-mcp --validate-maintainers=false --all

Dockerfile

@@ -50,10 +50,12 @@ WORKDIR /app
 # Copy binary from builder
 COPY --from=builder /tmp/stackrox-mcp /app/stackrox-mcp
 
-# Set ownership to non-root user
-RUN chown -R 4000:4000 /app
+# Set ownership for OpenShift arbitrary UID support
+# Files owned by 4000, group 0 (root), with group permissions matching user
+RUN chown -R 4000:0 /app && \
+    chmod -R g=u /app
 
-# Switch to non-root user
+# Switch to non-root user (can be overridden by OpenShift SCC)
 USER 4000
 
 # Expose port for MCP server

Makefile

@@ -49,6 +49,10 @@ image: ## Build the docker image
 dockerfile-lint: ## Run hadolint for Dockerfile
 	$(DOCKER_CMD) run --rm -i --env HADOLINT_FAILURE_THRESHOLD=info ghcr.io/hadolint/hadolint < Dockerfile
 
+.PHONY: helm-lint
+helm-lint: ## Run helm lint for Helm chart
+	helm lint charts/stackrox-mcp
+
 .PHONY: test
 test: ## Run unit tests
 	$(GOTEST) -v ./...

README.md

@@ -269,6 +269,82 @@ Images are automatically built and pushed on:
 
 See [.github/workflows/build.yml](.github/workflows/build.yml) for build pipeline details.
 
+## Kubernetes Deployment
+
+Deploy the StackRox MCP server to Kubernetes or OpenShift clusters using Helm.
+
+### Prerequisites
+
+- Kubernetes 1.19+ or OpenShift 4.x+
+- Helm 3.0+
+- Access to a StackRox Central instance
+
+### Installing with Helm
+
+**Basic installation:**
+
+```bash
+helm install stackrox-mcp charts/stackrox-mcp \
+  --namespace stackrox-mcp \
+  --create-namespace \
+  --set config.central.url=central.stackrox:8443
+```
+
+**With custom values file:**
+
+Create a `values.yaml` file:
+
+```yaml
+config:
+  central:
+    url: "central.example.com:443"
+```
+
+Install with custom values:
+
+```bash
+helm install stackrox-mcp charts/stackrox-mcp \
+  --namespace stackrox-mcp \
+  --create-namespace \
+  --values values.yaml
+```
+
+**OpenShift deployment with Route:**
+
+```bash
+helm install stackrox-mcp charts/stackrox-mcp \
+  --namespace stackrox-mcp \
+  --create-namespace \
+  --set config.central.url=central.stackrox:8443 \
+  --set openshift.route.host=stackrox-mcp.apps.example.com
+```
+
+### Managing the Deployment
+
+**Upgrade an existing release:**
+
+```bash
+helm upgrade stackrox-mcp charts/stackrox-mcp \
+  --namespace stackrox-mcp \
+  --reuse-values
+```
+
+**Uninstall:**
+
+```bash
+helm uninstall stackrox-mcp --namespace stackrox-mcp
+```
+
+### Configuration
+
+For complete configuration options including:
+- Security contexts and pod security standards
+- Resource limits and requests
+- High availability setup
+- OpenShift-specific configuration
+
+See the [Helm Chart README](charts/stackrox-mcp/README.md).
+
 ## Development
 
 For detailed development guidelines, testing standards, and contribution workflows, see [CONTRIBUTING.md](.github/CONTRIBUTING.md).

charts/stackrox-mcp/.helmignore

@@ -0,0 +1,7 @@
+# Patterns to ignore when packaging
+.git/
+.gitignore
+*.swp
+*.bak
+*.tmp
+.DS_Store

charts/stackrox-mcp/Chart.yaml

@@ -0,0 +1,14 @@
+apiVersion: v2
+name: stackrox-mcp
+description: A Helm chart for StackRox Model Context Protocol (MCP) Server
+type: application
+version: 0.1.0
+appVersion: "dev"
+home: https://github.com/stackrox/stackrox-mcp
+sources:
+  - https://github.com/stackrox/stackrox-mcp
+keywords:
+  - stackrox
+  - mcp
+  - security
+  - vulnerability