Adding OIDC issuer and realm updates, adding cert-manager and handling self-signed certificates

Signed-off-by: Matthias Wessendorf <[email protected]>

Author: matzew

.gitignore

@@ -29,3 +29,5 @@ python/kubernetes_mcp_server.egg-info/
 !python/kubernetes-mcp-server
 
 /bin/
+hack/cert-manager-ca/
+hack/keycloak-certs/ca.crt

build/keycloak.mk

@@ -5,8 +5,19 @@ KIND_CLUSTER_NAME ?= kubernetes-mcp-server
 # Detect container engine (docker or podman)
 CONTAINER_ENGINE ?= $(shell command -v docker 2>/dev/null || command -v podman 2>/dev/null)
 
+.PHONY: kind-create-certs
+kind-create-certs: ## Generate placeholder CA certificate for KIND bind mount
+	@if [ ! -f hack/cert-manager-ca/ca.crt ]; then \
+		echo "Creating placeholder CA certificate for bind mount..."; \
+		mkdir -p hack/cert-manager-ca; \
+		echo "placeholder" > hack/cert-manager-ca/ca.crt; \
+		echo "⚠️  Placeholder CA created - will be replaced with cert-manager CA after cluster creation"; \
+	else \
+		echo "✅ Placeholder CA already exists"; \
+	fi
+
 .PHONY: kind-create-cluster
-kind-create-cluster: kind ## Create the kind cluster for development
+kind-create-cluster: kind kind-create-certs ## Create the kind cluster for development
 	@# Set KIND provider for podman on Linux
 	@if [ "$(shell uname -s)" != "Darwin" ] && echo "$(CONTAINER_ENGINE)" | grep -q "podman"; then \
 		export KIND_EXPERIMENTAL_PROVIDER=podman; \
@@ -16,6 +27,23 @@ kind-create-cluster: kind ## Create the kind cluster for development
 	else \
 		echo "Creating Kind cluster '$(KIND_CLUSTER_NAME)'..."; \
 		$(KIND) create cluster --name $(KIND_CLUSTER_NAME) --config config/kind/cluster.yaml; \
+		echo "Adding ingress-ready label to control-plane node..."; \
+		kubectl label node $(KIND_CLUSTER_NAME)-control-plane ingress-ready=true --overwrite; \
+		echo "Installing nginx ingress controller..."; \
+		kubectl apply -f config/ingress/nginx-ingress.yaml; \
+		echo "Waiting for ingress controller to be ready..."; \
+		kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=90s; \
+		echo "✅ Ingress controller ready"; \
+		echo "Installing cert-manager..."; \
+		kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.yaml; \
+		echo "Waiting for cert-manager to be ready..."; \
+		kubectl wait --namespace cert-manager --for=condition=ready pod --selector=app.kubernetes.io/instance=cert-manager --timeout=120s; \
+		kubectl wait --namespace cert-manager --for=condition=ready pod --selector=app.kubernetes.io/name=webhook --timeout=120s; \
+		echo "✅ cert-manager ready"; \
+		echo "Creating cert-manager ClusterIssuer..."; \
+		sleep 5; \
+		kubectl apply -f config/cert-manager/selfsigned-issuer.yaml; \
+		echo "✅ ClusterIssuer created"; \
 	fi
 
 .PHONY: kind-delete-cluster

build/kind.mk

@@ -0,0 +1,31 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: selfsigned-ca
+  namespace: cert-manager
+spec:
+  isCA: true
+  commonName: selfsigned-ca
+  secretName: selfsigned-ca-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-ca-issuer
+spec:
+  ca:
+    secretName: selfsigned-ca-secret