Security Model
jhelm exposes Helm operations over two network surfaces — the REST API
and the MCP server — which share a single, unified security model under
jhelm.security.*.
The standalone CLI honors the same jhelm.security.mode, but with a helm-like default: it
runs in FULL (read-write) mode out of the box, so install / upgrade / uninstall /
rollback / test work immediately, gated only by your kubeconfig and the cluster’s RBAC — exactly as helm behaves. Set jhelm.security.mode=READ_ONLY (via -Djhelm.security.mode or
the JHELM_SECURITY_MODE env var) to lock a CLI down — for a shared workstation or an
AI-agent guardrail — and those five commands are then refused with a non-zero exit. The CLI
needs no api-key: that credential is validated against an HTTP header, which a local CLI never
presents, so it applies only to the network-exposed REST/MCP adapters below.
The design in one line: MCP runs local-first, the REST API is deny-by-default behind an API key, read-only is the default everywhere, and Spring Security is the bring-your-own upgrade path for real auth.
1. Principles
-
Read-only by default. Out of the box, only non-mutating operations (template, show, lint, list, status, history, get) are available. They are safe to expose and never touch a cluster.
-
Deny-by-default for mutating operations. Cluster-mutating operations (install, upgrade, uninstall, rollback, test) are enabled only when both conditions hold:
mode=FULLand anapi-keyis configured.FULLwithout a key leaves mutating operations disabled. -
The API key is the floor, not the ceiling. The built-in key protects the network-exposed HTTP transport. For real multi-user auth (OAuth, mTLS, an upstream gateway), layer Spring Security on top — see Upgrade path: Spring Security.
2. Configuration (jhelm.security.*)
| Property | Default | Description |
|---|---|---|
|
|
Access mode. |
|
(none) |
Shared secret required to call mutating operations. With no key set, mutating operations
stay disabled regardless of |
|
|
Name of the HTTP header that carries the API key. |
|
|
SSRF hardening for outbound chart/repository fetches. When |
jhelm:
security:
mode: FULL # READ_ONLY (default) or FULL
api-key: changeme # required to actually enable mutating operations
api-key-header: X-API-Key
|
The mutating gate is the logical AND of both settings:
|
3. REST behaviour
The REST API always serves read-only endpoints. For a mutating endpoint, the outcome depends on the gate and the request’s API-key header:
| Status | When |
|---|---|
|
Mutating is disabled — |
|
Mutating is enabled, but the request is missing the |
proceeds |
Mutating is enabled and a valid |
Read-only endpoints are always allowed and never require a key.
4. MCP behaviour
The MCP server applies the same model, with two transport-aware twists:
-
Tool gating. The cluster-mutating tools (
helm_install,helm_upgrade,helm_uninstall,helm_rollback,helm_test) are only registered whenmode=FULLand anapi-keyis set. When the gate is closed they do not exist at all — an agent never sees them. -
HTTP filter. When an
api-keyis configured, an HTTP filter requires a validX-API-Keyheader on the MCP HTTP endpoints (/mcp,/sse). -
stdio / local bypass. A locally launched MCP server (stdio / localhost) never passes through the servlet filter, so it is not forced to present a key. The key protects the network-exposed HTTP transport, not a trusted local launch.
This matches how MCP is normally used: the server runs on the same machine as the agent, and the key only matters once the transport is exposed over the network. See the MCP security section for details.
5. Upgrade path: Spring Security
The built-in API key is a deliberately simple floor. For production multi-user authentication and authorization — OAuth2 / OIDC, mTLS, or delegating to an upstream API gateway — wire Spring Security into your application. Because both the REST and MCP surfaces are ordinary Spring MVC / web endpoints, standard Spring Security configuration applies on top of them.
| Spring Security is configured in the embedding application, not baked into the starters. A fully secured sample is forthcoming. |