feat(auth): add local development environment with Kind and Keycloak for OIDC (containers#354)

* Initial KinD setup

Signed-off-by: Matthias Wessendorf <[email protected]>

* Initial Keycloak container setup

Signed-off-by: Matthias Wessendorf <[email protected]>

* Adding an initial realm setup

Signed-off-by: Matthias Wessendorf <[email protected]>

* Adding OIDC issuer and realm updates, adding cert-manager and handling self-signed certificates

Signed-off-by: Matthias Wessendorf <[email protected]>

* Updates to script b/c of invalid auth config

Signed-off-by: Matthias Wessendorf <[email protected]>

* Adjusting ports and better support for mac/podman

Signed-off-by: Matthias Wessendorf <[email protected]>

* Addressing review comments:
* do not expose all internal tasks, just keep the important targets documents
* remove the keycloak-forward
* move binaries for dev tools to _output
* generate a configuration TOML file into the _output folder

Signed-off-by: Matthias Wessendorf <[email protected]>

---------

Signed-off-by: Matthias Wessendorf <[email protected]>

Author: matzew

Makefile

@@ -113,3 +113,43 @@ lint: golangci-lint ## Lint the code
 .PHONY: update-readme-tools
 update-readme-tools: ## Update the README.md file with the latest toolsets
 	go run ./internal/tools/update-readme/main.go README.md
+
+##@ Tools
+
+.PHONY: tools
+tools: ## Install all required tools (kind) to ./_output/bin/
+	@echo "Checking and installing required tools to ./_output/bin/ ..."
+	@if [ -f _output/bin/kind ]; then echo "[OK] kind already installed"; else echo "Installing kind..."; $(MAKE) -s kind; fi
+	@echo "All tools ready!"
+
+##@ Local Development
+
+.PHONY: local-env-setup
+local-env-setup: ## Setup complete local development environment with Kind cluster
+	@echo "========================================="
+	@echo "Kubernetes MCP Server - Local Setup"
+	@echo "========================================="
+	$(MAKE) tools
+	$(MAKE) kind-create-cluster
+	$(MAKE) keycloak-install
+	$(MAKE) build
+	@echo ""
+	@echo "========================================="
+	@echo "Local environment ready!"
+	@echo "========================================="
+	@echo ""
+	@echo "Configuration file generated:"
+	@echo "  _output/config.toml"
+	@echo ""
+	@echo "Run the MCP server with:"
+	@echo "  ./$(BINARY_NAME) --port 8080 --config _output/config.toml"
+	@echo ""
+	@echo "Or run with MCP inspector:"
+	@echo "  npx @modelcontextprotocol/inspector@latest \$$(pwd)/$(BINARY_NAME) --config _output/config.toml"
+
+.PHONY: local-env-teardown
+local-env-teardown: ## Tear down the local Kind cluster
+	$(MAKE) kind-delete-cluster
+
+# Include build configuration files
+-include build/*.mk

build/keycloak.mk

@@ -0,0 +1,61 @@
+# Kind cluster management
+
+KIND_CLUSTER_NAME ?= kubernetes-mcp-server
+
+# Detect container engine (docker or podman)
+CONTAINER_ENGINE ?= $(shell command -v docker 2>/dev/null || command -v podman 2>/dev/null)
+
+.PHONY: kind-create-certs
+kind-create-certs:
+	@if [ ! -f _output/cert-manager-ca/ca.crt ]; then \
+		echo "Creating placeholder CA certificate for bind mount..."; \
+		./hack/generate-placeholder-ca.sh; \
+	else \
+		echo "✅ Placeholder CA already exists"; \
+	fi
+
+.PHONY: kind-create-cluster
+kind-create-cluster: kind kind-create-certs
+	@# Set KIND provider for podman on Linux
+	@if [ "$(shell uname -s)" != "Darwin" ] && echo "$(CONTAINER_ENGINE)" | grep -q "podman"; then \
+		export KIND_EXPERIMENTAL_PROVIDER=podman; \
+	fi; \
+	if $(KIND) get clusters 2>/dev/null | grep -q "^$(KIND_CLUSTER_NAME)$$"; then \
+		echo "Kind cluster '$(KIND_CLUSTER_NAME)' already exists, skipping creation"; \
+	else \
+		echo "Creating Kind cluster '$(KIND_CLUSTER_NAME)'..."; \
+		$(KIND) create cluster --name $(KIND_CLUSTER_NAME) --config dev/config/kind/cluster.yaml; \
+		echo "Adding ingress-ready label to control-plane node..."; \
+		kubectl label node $(KIND_CLUSTER_NAME)-control-plane ingress-ready=true --overwrite; \
+		echo "Installing nginx ingress controller..."; \
+		kubectl apply -f dev/config/ingress/nginx-ingress.yaml; \
+		echo "Waiting for ingress controller to be ready..."; \
+		kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=90s; \
+		echo "✅ Ingress controller ready"; \
+		echo "Installing cert-manager..."; \
+		kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.yaml; \
+		echo "Waiting for cert-manager to be ready..."; \
+		kubectl wait --namespace cert-manager --for=condition=available deployment/cert-manager --timeout=120s; \
+		kubectl wait --namespace cert-manager --for=condition=available deployment/cert-manager-cainjector --timeout=120s; \
+		kubectl wait --namespace cert-manager --for=condition=available deployment/cert-manager-webhook --timeout=120s; \
+		echo "✅ cert-manager ready"; \
+		echo "Creating cert-manager ClusterIssuer..."; \
+		sleep 5; \
+		kubectl apply -f dev/config/cert-manager/selfsigned-issuer.yaml; \
+		echo "✅ ClusterIssuer created"; \
+		echo "Adding /etc/hosts entry for Keycloak in control plane..."; \
+		if command -v docker >/dev/null 2>&1 && docker ps --filter "name=$(KIND_CLUSTER_NAME)-control-plane" --format "{{.Names}}" | grep -q "$(KIND_CLUSTER_NAME)-control-plane"; then \
+			docker exec $(KIND_CLUSTER_NAME)-control-plane bash -c 'grep -q "keycloak.127-0-0-1.sslip.io" /etc/hosts || echo "127.0.0.1 keycloak.127-0-0-1.sslip.io" >> /etc/hosts'; \
+		elif command -v podman >/dev/null 2>&1 && podman ps --filter "name=$(KIND_CLUSTER_NAME)-control-plane" --format "{{.Names}}" | grep -q "$(KIND_CLUSTER_NAME)-control-plane"; then \
+			podman exec $(KIND_CLUSTER_NAME)-control-plane bash -c 'grep -q "keycloak.127-0-0-1.sslip.io" /etc/hosts || echo "127.0.0.1 keycloak.127-0-0-1.sslip.io" >> /etc/hosts'; \
+		fi; \
+		echo "✅ /etc/hosts entry added"; \
+	fi
+
+.PHONY: kind-delete-cluster
+kind-delete-cluster: kind
+	@# Set KIND provider for podman on Linux
+	@if [ "$(shell uname -s)" != "Darwin" ] && echo "$(CONTAINER_ENGINE)" | grep -q "podman"; then \
+		export KIND_EXPERIMENTAL_PROVIDER=podman; \
+	fi; \
+	$(KIND) delete cluster --name $(KIND_CLUSTER_NAME)

build/kind.mk

@@ -0,0 +1,20 @@
+# Tools
+
+# Platform detection
+OS := $(shell uname -s | tr '[:upper:]' '[:lower:]')
+ARCH := $(shell uname -m | tr '[:upper:]' '[:lower:]')
+ifeq ($(ARCH),x86_64)
+    ARCH = amd64
+endif
+ifeq ($(ARCH),aarch64)
+    ARCH = arm64
+endif
+
+KIND = _output/bin/kind
+KIND_VERSION = v0.30.0
+$(KIND):
+	@mkdir -p _output/bin
+	GOBIN=$(PWD)/_output/bin go install sigs.k8s.io/kind@$(KIND_VERSION)
+
+.PHONY: kind
+kind: $(KIND) ## Download kind locally if necessary

build/tools.mk

@@ -0,0 +1,31 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: selfsigned-ca
+  namespace: cert-manager
+spec:
+  isCA: true
+  commonName: selfsigned-ca
+  secretName: selfsigned-ca-secret
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-ca-issuer
+spec:
+  ca:
+    secretName: selfsigned-ca-secret