FastMCP Server

Deploy FastMCP Server on Kubernetes as a streamable HTTP MCP server. The chart runs the official docker.io/helmforge/fastmcp-server image and loads tools, resources, prompts, and knowledge from inline ConfigMaps, S3-compatible object storage, or Git repositories.

Key Features

  • Inline, S3, and Git sources — combine local ConfigMaps with external source stores.
  • Documented merge precedence — inline content overrides S3, and S3 overrides Git.
  • Bearer and JWT auth — use an existing Kubernetes secret for bearer tokens or configure JWT issuer, audience, and JWKS URI.
  • Read-only inline mounts — tools, resources, prompts, and knowledge are mounted as separate ConfigMaps.
  • Optional init sync — run source synchronization before the main container starts.
  • Web UI and metrics — /ui is enabled by default; /metrics and ServiceMonitor are opt-in.
  • Gateway API and Ingress — expose the MCP endpoint through an existing Gateway or a classic Ingress.
  • Restricted pod defaults — non-root UID/GID 1000, dropped capabilities, RuntimeDefault seccomp, and no service account token automount.
  • Runtime controls — rate limiting, result caching, sandbox output limits, HPA, PDB, persistence, and JSON logs.

Installation

HTTPS Repository

helm repo add helmforge https://repo.helmforge.dev
helm repo update
helm install fastmcp-server helmforge/fastmcp-server

OCI Registry

helm install fastmcp-server oci://ghcr.io/helmforgedev/helm/fastmcp-server

Architecture

The chart renders one Deployment and one Service by default. The server listens on server.port and serves the MCP endpoint at server.path.

| Area | Default | Notes |
|---|---|---|
| Workload | Deployment with replicaCount: 1 | autoscaling.enabled=true delegates replicas to HPA. |
| Strategy | Recreate | Avoids overlapping writers when a ReadWriteOnce workspace PVC is used. |
| Workspace | emptyDir at /app/workspace | Set persistence.enabled=true for a PVC. |
| UI | enabled at /ui | Disable with ui.enabled=false. |
| Auth | none | Use bearer or JWT before exposing outside a trusted network. |
| Service | ClusterIP on port 8000 | Dual-stack fields are opt-in. |

Inline source ConfigMaps are mounted read-only at:

| Values key | Mount path |
|---|---|
| sources.inline.tools | /app/inline/tools |
| sources.inline.resources | /app/inline/resources |
| sources.inline.prompts | /app/inline/prompts |
| sources.inline.knowledge | /app/inline/knowledge |

Examples

Inline Tools

sources:
  inline:
    tools:
      greet.py: |
        def greet(name: str) -> str:
            """Greet someone by name."""
            return f"Hello, {name}!"
    knowledge:
      overview.md: |
        # Product Overview
        Context document for MCP clients.

S3-Compatible Source

sources:
  s3:
    enabled: true
    endpoint: 'https://minio.example.com'
    bucket: mcp-tools
    region: us-east-1
    prefix: production
    existingSecret: mcp-s3-credentials

The secret should contain the configured key names:

apiVersion: v1
kind: Secret
metadata:
  name: mcp-s3-credentials
stringData:
  access-key: replace-me
  secret-key: replace-me

Git Source

sources:
  git:
    enabled: true
    repository: 'https://github.com/your-org/mcp-tools.git'
    branch: main
    path: tools
    existingSecret: mcp-git-token

Production Profile

server:
  name: production-mcp
  logLevel: WARNING
  logFormat: json
  strictLoading: true

auth:
  type: bearer
  bearer:
    existingSecret: mcp-auth-token

sources:
  s3:
    enabled: true
    bucket: mcp-production
    region: us-east-1
    existingSecret: mcp-s3-credentials

initSync:
  enabled: true

persistence:
  enabled: true
  size: 5Gi

metrics:
  enabled: true
  serviceMonitor:
    enabled: true

ingress:
  enabled: true
  ingressClassName: nginx
  hosts:
    - host: mcp.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - hosts:
        - mcp.example.com
      secretName: mcp-tls

networkPolicy:
  enabled: true

resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 500m
    memory: 512Mi

Authentication

Bearer auth creates or references a Kubernetes secret:

auth:
  type: bearer
  bearer:
    existingSecret: mcp-auth-token
    existingSecretKey: token

JWT auth is configured through issuer metadata:

auth:
  type: jwt
  jwt:
    issuer: 'https://auth.example.com'
    audience: 'mcp-server'
    jwksUri: 'https://auth.example.com/.well-known/jwks.json'

When using JWT with NetworkPolicy or cluster egress controls, allow the JWKS endpoint.

Gateway API

Gateway API renders only an HTTPRoute; the Gateway itself is owned by the platform.

gatewayAPI:
  enabled: true
  parentRefs:
    - name: public-gateway
      namespace: gateway-system
      sectionName: https
  hostnames:
    - mcp.example.com
  paths:
    - type: PathPrefix
      value: /mcp

Operations

Enable JSON logs and metrics for production observability:

server:
  logFormat: json

metrics:
  enabled: true
  serviceMonitor:
    enabled: true

Use port-forwarding for local checks:

kubectl port-forward svc/fastmcp-server-fastmcp-server 8000:8000
curl http://localhost:8000/healthz
curl http://localhost:8000/mcp

Key Values

| Key | Default | Description |
|---|---|---|
| image.repository | docker.io/helmforge/fastmcp-server | Container image. |
| image.tag | 0.11.2 | Image tag. |
| server.name | fastmcp-server | Server name announced in MCP responses. |
| server.port | 8000 | HTTP port. |
| server.path | /mcp | MCP endpoint path. |
| server.logLevel | INFO | Log level. |
| server.logFormat | text | Log format. |
| server.strictLoading | false | Fail on boot if source loading has errors. |
| ui.enabled | true | Enable Web UI at /ui. |
| metrics.enabled | false | Enable Prometheus metrics at /metrics. |
| metrics.serviceMonitor.enabled | false | Render a ServiceMonitor. |
| auth.type | none | Authentication mode: none, bearer, or jwt. |
| sources.inline.tools | {} | Inline Python tool files. |
| sources.inline.resources | {} | Inline Python resource files. |
| sources.inline.prompts | {} | Inline Python prompt files. |
| sources.inline.knowledge | {} | Inline knowledge files. |
| sources.s3.enabled | false | Enable S3-compatible source loading. |
| sources.s3.existingSecret | "" | Existing S3 credential secret. |
| sources.git.enabled | false | Enable Git source loading. |
| sources.git.existingSecret | "" | Existing Git token secret. |
| extraPipPackages | [] | Extra pip packages installed at startup. |
| initSync.enabled | false | Run source sync in an init container. |
| persistence.enabled | false | Use a PVC for /app/workspace. |
| serviceAccount.automountServiceAccountToken | false | Mount the Kubernetes API token. |
| service.ipFamilyPolicy | "" | Optional Service IP family policy. |
| gatewayAPI.enabled | false | Render an HTTPRoute. |
| ingress.enabled | false | Render an Ingress. |
| networkPolicy.enabled | false | Render a NetworkPolicy for the MCP port. |
| autoscaling.enabled | false | Render an HPA. |
| pdb.enabled | false | Render a PodDisruptionBudget. |
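
A pre-install check over the security-relevant settings documented on this page, as an added example that is not part of the chart or its documentation: it merges a values override onto the documented defaults and reports risky combinations. The finding names, the helper functions and the rule set are assumptions of this example; the page does not say whether auth covers /ui, so that finding is a prompt to review rather than a confirmed exposure.

```python
import copy

# Defaults from the chart's Key Values table (only the keys the checks read).
DEFAULTS = {
    "server": {"strictLoading": False}, "ui": {"enabled": True},
    "auth": {"type": "none"}, "ingress": {"enabled": False},
    "gatewayAPI": {"enabled": False}, "networkPolicy": {"enabled": False},
    "extraPipPackages": [],
}
PRODUCTION = {  # the page's Production Profile, trimmed to the same keys
    "server": {"strictLoading": True}, "networkPolicy": {"enabled": True},
    "auth": {"type": "bearer", "bearer": {"existingSecret": "mcp-auth-token"}},
    "ingress": {"enabled": True, "hosts": [{"paths": [{"path": "/"}]}]},
}

def merge(base, override):
    """Deep-merge override onto a copy of base, as Helm layers user values."""
    out = copy.deepcopy(base)
    for key, val in override.items():
        nested = isinstance(val, dict) and isinstance(out.get(key), dict)
        out[key] = merge(out[key], val) if nested else copy.deepcopy(val)
    return out

def routed_paths(v):
    """Path prefixes published through the Ingress or the HTTPRoute."""
    hosts = v["ingress"].get("hosts", []) if v["ingress"]["enabled"] else []
    routes = v["gatewayAPI"].get("paths", []) if v["gatewayAPI"]["enabled"] else []
    paths = [p.get("path", "/") for h in hosts for p in h.get("paths", [])]
    return paths + [r.get("value", "/") for r in routes]

def covers(prefix, target):
    """Element-wise prefix match: '/' covers '/ui', '/u' does not."""
    return (target + "/").startswith(prefix.rstrip("/") + "/")

def audit(override):
    """Return sorted finding IDs; the ID names are invented for this example."""
    v = merge(DEFAULTS, override)
    auth = v["auth"]["type"]
    jwks = str(v["auth"].get("jwt", {}).get("jwksUri", ""))
    exposed = v["ingress"]["enabled"] or v["gatewayAPI"]["enabled"]
    checks = {
        "EXPOSED_WITHOUT_AUTH": exposed and auth == "none",
        "JWKS_NOT_HTTPS": auth == "jwt" and not jwks.startswith("https://"),
        "UI_ROUTED_EXTERNALLY": v["ui"]["enabled"] and any(covers(p, "/ui") for p in routed_paths(v)),
        "NO_NETWORK_POLICY": exposed and not v["networkPolicy"]["enabled"],
        "LENIENT_SOURCE_LOADING": not v["server"]["strictLoading"],
        "UNPINNED_PIP_PACKAGE": any("==" not in p for p in v["extraPipPackages"]),
    }
    return sorted(name for name, hit in checks.items() if hit)
```

Run against the page's Production Profile, audit(PRODUCTION) reports only UI_ROUTED_EXTERNALLY, because the Ingress path / also routes /ui. A Gateway API route limited to /mcp, as in the Gateway API example, does not trigger that finding.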
