OAPE-392: Adds toolset to manage External Secrets Operator

[bharath-b-rh]

Add External Secrets Operator toolset for Red Hat OpenShift

Description

This PR adds a new external-secrets toolset to the Kubernetes MCP Server, providing comprehensive support for managing the External Secrets Operator for Red Hat OpenShift.

The External Secrets Operator synchronizes secrets from external secret management systems (AWS Secrets Manager, HashiCorp Vault, Google Cloud Secret Manager, Azure Key Vault, etc.) into Kubernetes Secrets.

Features

Operator Lifecycle Management

• external_secrets_operator_install - Install the operator via OLM (Operator Lifecycle Manager)
• external_secrets_operator_status - Check operator installation status (Subscription, CSV, deployments)
• external_secrets_operator_uninstall - Uninstall the operator
• external_secrets_config_get - Get ExternalSecretsConfig resource
• external_secrets_config_apply - Apply/update ExternalSecretsConfig

SecretStore Management

• external_secrets_store_list - List SecretStores/ClusterSecretStores
• external_secrets_store_get - Get store details
• external_secrets_store_create - Create/update stores
• external_secrets_store_delete - Delete stores
• external_secrets_store_validate - Validate store health and capabilities

ExternalSecret Management

• external_secrets_list - List ExternalSecrets/ClusterExternalSecrets
• external_secrets_get - Get secret details
• external_secrets_create - Create/update external secrets
• external_secrets_delete - Delete external secrets
• external_secrets_sync_status - Check synchronization status
• external_secrets_refresh - Trigger immediate refresh from provider

Debugging & Monitoring

• external_secrets_debug - Comprehensive debugging (operator status, store validation, sync status, events, logs)
• external_secrets_events - View related Kubernetes events
• external_secrets_logs - Get operator pod logs
• external_secrets_health - Quick health check summary

Built-in Documentation

• external_secrets_guide - Provider-specific examples and best practices for AWS, GCP, Azure, Vault, Kubernetes providers, troubleshooting, and security

Usage

Enable the toolset with:
kubernetes-mcp-server --toolsets core,config,helm,external-secrets Or in MCP client configuration:

{
  "mcpServers": {
    "kubernetes": {
      "command": "npx",
      "args": ["-y", "kubernetes-mcp-server@latest", "--toolsets", "core,config,helm,external-secrets"]
    }
  }
}

[openshift-ci-robot]

@bharath-b-rh: This pull request references OAPE-392 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Add External Secrets Operator toolset for Red Hat OpenShift

Description

This PR adds a new external-secrets toolset to the Kubernetes MCP Server, providing comprehensive support for managing the External Secrets Operator for Red Hat OpenShift.

The External Secrets Operator synchronizes secrets from external secret management systems (AWS Secrets Manager, HashiCorp Vault, Google Cloud Secret Manager, Azure Key Vault, etc.) into Kubernetes Secrets.

Features

Operator Lifecycle Management

• external_secrets_operator_install - Install the operator via OLM (Operator Lifecycle Manager)
• external_secrets_operator_status - Check operator installation status (Subscription, CSV, deployments)
• external_secrets_operator_uninstall - Uninstall the operator
• external_secrets_config_get - Get ExternalSecretsConfig resource
• external_secrets_config_apply - Apply/update ExternalSecretsConfig

SecretStore Management

• external_secrets_store_list - List SecretStores/ClusterSecretStores
• external_secrets_store_get - Get store details
• external_secrets_store_create - Create/update stores
• external_secrets_store_delete - Delete stores
• external_secrets_store_validate - Validate store health and capabilities

ExternalSecret Management

• external_secrets_list - List ExternalSecrets/ClusterExternalSecrets
• external_secrets_get - Get secret details
• external_secrets_create - Create/update external secrets
• external_secrets_delete - Delete external secrets
• external_secrets_sync_status - Check synchronization status
• external_secrets_refresh - Trigger immediate refresh from provider

Debugging & Monitoring

• external_secrets_debug - Comprehensive debugging (operator status, store validation, sync status, events, logs)
• external_secrets_events - View related Kubernetes events
• external_secrets_logs - Get operator pod logs
• external_secrets_health - Quick health check summary

Built-in Documentation

• external_secrets_guide - Provider-specific examples and best practices for AWS, GCP, Azure, Vault, Kubernetes providers, troubleshooting, and security

Usage

Enable the toolset with:
kubernetes-mcp-server --toolsets core,config,helm,external-secrets Or in MCP client configuration:

{
 "mcpServers": {
   "kubernetes": {
     "command": "npx",
     "args": ["-y", "kubernetes-mcp-server@latest", "--toolsets", "core,config,helm,external-secrets"]
   }
 }
}

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: bharath-b-rh
Once this PR has been reviewed and has the lgtm label, please assign matzew for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-robot]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2f1f91b3-7ba5-468c-81ef-025494590e62

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}