matzew commented Oct 2, 2025

Adds local development environment using KIND with Keycloak as an OIDC provider and cert-manager for automated TLS certificate provisioning for testing the Kubernetes-mcp-server server with OIDC authentication flows against a (local) Kubernetes cluster.

The PR adds make targets for KIND cluster setup with Keycloak OIDC provider, including automated realm configuration with test user (mcp/mcp) and RBAC authorization.

Testing can be done with these commands:

make local-env-setup       # Setup of KIND, Keycloak (as oidc-issuer) and Cert-Manager 
make keycloak-setup-realm  # Creates a realm and adds RBAC for "mcp" user

The realm has one test user: mcp / mcp

Remove the environment with:

make local-env-teardown  # tears it all down...

matzew changed the title from "Local kind keycloak env" to "WIP: Local kind keycloak env" on Oct 2, 2025
matzew force-pushed the local_kind_keycloak_env branch 2 times, most recently from 06b0bd2 to 0a2325e on October 6, 2025 15:03

Cali0707 commented Oct 7, 2025

@matzew can you add some kind of wait for pods to be ready? I ran into this error:

make keycloak-forward
Forwarding Keycloak to http://localhost:8090
Login: admin / admin
kubectl port-forward -n keycloak svc/keycloak 8090:80
error: unable to forward port because pod is not running. Current status=Pending
make: *** [keycloak-forward] Error 1
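
A readiness gate for the failure shown above, as an added example that is not code from this PR. The namespace, service and ports are taken from the error output; the function names, retry count and timeout are assumptions.

```shell
#!/bin/sh
# Added example, not the project's Makefile logic.
# Namespace "keycloak", svc/keycloak and 8090:80 come from the output above;
# function names, the 30 retries and the 180s timeout are assumptions.

# Poll until the namespace contains at least one pod. This step is needed
# because "kubectl wait ... --all" exits immediately with
# "no matching resources found" when no pod object has been created yet.
wait_for_pods_to_exist() {
  ns=$1
  tries=$2
  while [ "$tries" -gt 0 ]; do
    names=$(kubectl get pods -n "$ns" -o name 2>/dev/null)
    [ -n "$names" ] && return 0
    tries=$((tries - 1))
    sleep 2
  done
  echo "no pods appeared in namespace $ns" >&2
  return 1
}

# Block until every pod in the namespace reports condition Ready,
# or fail once the timeout expires (a pod stuck in Pending ends up here).
wait_for_pods_ready() {
  ns=$1
  timeout=$2
  wait_for_pods_to_exist "$ns" 30 || return 1
  kubectl wait --for=condition=Ready pod --all -n "$ns" --timeout="$timeout"
}

# Start the port-forward only after the backing pod is Ready.
keycloak_forward() {
  wait_for_pods_ready keycloak 180s || return 1
  kubectl port-forward -n keycloak svc/keycloak 8090:80
}

# Run as: sh wait-forward.sh forward
if [ "${1:-}" = "forward" ]; then
  keycloak_forward
fi
```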

matzew force-pushed the local_kind_keycloak_env branch 2 times, most recently from 5636c7b to 0b77d92 on October 10, 2025 13:59
matzew force-pushed the local_kind_keycloak_env branch 5 times, most recently from 46ab14a to 1f409a0 on October 20, 2025 15:22
matzew changed the title from "WIP: Local kind keycloak env" to "Local kind keycloak env" on Oct 20, 2025
matzew changed the title from "Local kind keycloak env" to "Add local development environment with Kind and Keycloak for OIDC" on Oct 20, 2025
matzew marked this pull request as ready for review on October 20, 2025 15:39
matzew force-pushed the local_kind_keycloak_env branch from ccc5779 to 1e24059 on October 21, 2025 15:52

Cali0707 left a comment

These most recent changes work on my machine

LGTM!

Thanks @matzew

Leaving final review/approval to @manusa

manusa commented Oct 22, 2025

This looks great @matzew, thx!

Leaving here some comments and nitpicks:

  1. I'm not sure why the realm is not set up as part of the keycloak-install or more generic local-env-setup target.
    What's the reasoning behind the isolated/granular target?
  2. I think there are ~13 new publicly documented (make help) make targets, I find it kind of overwhelming user-wise.
    It's my understanding that most of these targets are used internally by other more global targets.
    I think we should hide/undocument the targets that are not relevant for developer flows or that will be called by others.
    Maybe just keep:
    • local-env-setup
    • local-env-teardown
    • keycloak-status
    • keycloak-logs
    • Regarding keycloak-setup-realm see (1) and only expose if necessary
  3. Not sure of the current purpose of keycloak-forward, given the current implementation (just an informative message), maybe we should just remove it.
  4. Directory structure:
    • build seems fine for the nested makefiles (At some point we could extract some of the current targets in the main file to this directory too).
    • config is used to host dev environment files, which might be confusing, I'd propose to move them somewhere else, or maybe move this config directory under a dev/dev-env (or something like that) directory
    • bin, hack/cert-manager-ca maybe move those to _output (golangci-lint is currently downloaded there) -- The directory can be renamed to .work or something more generic if needed.
  5. Considering (4), the TOML configuration files could be created for the user within the _output directory instead of just printing their contents.

The local test with @modelcontextprotocol/inspector@latest and a browser with disabled CORS is working great 🎉

Signed-off-by: Matthias Wessendorf <[email protected]>
…g self-signed certificates

Signed-off-by: Matthias Wessendorf <[email protected]>
* do not expose all internal tasks, just keep the important targets documented
* remove the keycloak-forward
* move binaries for dev tools to _output
* generate a configuration TOML file into the _output folder

Signed-off-by: Matthias Wessendorf <[email protected]>
matzew force-pushed the local_kind_keycloak_env branch from 1e24059 to 7302df0 on October 22, 2025 11:58

matzew commented Oct 22, 2025

Thx for review, I pushed the updates!

manusa left a comment

LGTM, thx!

TIL that the creator of nip.io had died last year (was wondering why sslip.io was used instead of nip.io)

This service is dedicated to the late, great Roopinder Singh, who created & ran nip.io
https://sslip.io/

manusa added this to the 0.1.0 milestone on Oct 22, 2025
manusa merged commit 7fe604e into containers:main on Oct 22, 2025
10 of 11 checks passed