feat(toolsets): add kiali support

README.md

@@ -204,7 +204,7 @@ Enabling only the toolsets you need can help reduce the context size and improve
 
 ### Available Toolsets
 
-The following sets of tools are available (all on by default):
+The following sets of tools are available (all on by default).
 
 <!-- AVAILABLE-TOOLSETS-START -->
 
@@ -213,9 +213,12 @@ The following sets of tools are available (all on by default):
 | config  | View and manage the current local Kubernetes configuration (kubeconfig)             |
 | core    | Most common tools for Kubernetes management (Pods, Generic Resources, Events, etc.) |
 | helm    | Tools for managing Helm charts and releases                                         |
+| kiali   | Most common tools for managing Kiali                                                |
 
 <!-- AVAILABLE-TOOLSETS-END -->
 
+See more info about Kiali integration in [docs/KIALI_INTEGRATION.md](docs/KIALI_INTEGRATION.md).
+
 ### Tools
 
 In case multi-cluster support is enabled (default) and you have access to multiple clusters, all applicable tools will include an additional `context` argument to specify the Kubernetes context (cluster) to use for that operation.
@@ -343,6 +346,14 @@ In case multi-cluster support is enabled (default) and you have access to multip
 
 </details>
 
+<details>
+
+<summary>kiali</summary>
+
+- **mesh_status** - Get the status of mesh components including Istio, Kiali, Grafana, Prometheus and their interactions, versions, and health status
+
+</details>
+
 
 <!-- AVAILABLE-TOOLSETS-TOOLS-END -->
 

docs/KIALI_INTEGRATION.md

@@ -0,0 +1,44 @@
+## Kiali integration
+
+This server can expose Kiali tools so assistants can query mesh information (e.g., mesh status/graph).
+
+### Enable the Kiali toolset
+
+You can enable the Kiali tools via config or flags.
+
+Config (TOML):
+
+```toml
+toolsets = ["core", "kiali"]
+
+[kiali]
+url = "https://kiali.example"
+# insecure = true  # optional: allow insecure TLS
+```
+
+Flags:
+
+```bash
+kubernetes-mcp-server \
+  --toolsets core,kiali \
+  --kiali-url https://kiali.example \
+  [--kiali-insecure]
+```
+
+When the `kiali` toolset is enabled, a Kiali URL is required. Without it, the server will refuse to start.
+
+### How authentication works
+
+- The server uses your existing Kubernetes credentials (from kubeconfig or in-cluster) to set a bearer token for Kiali calls.
+- If you pass an HTTP Authorization header to the MCP HTTP endpoint, that is not required for Kiali; Kiali calls use the server's configured token.
+
+### Available tools (initial)
+
+- `mesh_status`: retrieves mesh components status from Kiali’s mesh graph endpoint.
+
+### Troubleshooting
+
+- Error: "kiali-url is required when kiali tools are enabled" → provide `--kiali-url` or set `[kiali].url` in the config TOML.
+- TLS issues against Kiali → try `--kiali-insecure` or `[kiali].insecure = true` for non-production environments.
+
+

internal/tools/update-readme/main.go

@@ -15,6 +15,7 @@ import (
 	_ "github.com/containers/kubernetes-mcp-server/pkg/toolsets/config"
 	_ "github.com/containers/kubernetes-mcp-server/pkg/toolsets/core"
 	_ "github.com/containers/kubernetes-mcp-server/pkg/toolsets/helm"
+	_ "github.com/containers/kubernetes-mcp-server/pkg/toolsets/kiali"
 )
 
 type OpenShift struct{}

pkg/config/config.go

@@ -16,6 +16,12 @@ const (
 	ClusterProviderDisabled   = "disabled"
 )
 
+// KialiOptions is the configuration for the kiali toolset.
+type KialiOptions struct {
+	Url      string `toml:"url,omitempty"`
+	Insecure bool   `toml:"insecure,omitempty"`
+}
+
 // StaticConfig is the configuration for the server.
 // It allows to configure server specific settings and tools to be enabled or disabled.
 type StaticConfig struct {
@@ -68,6 +74,9 @@ type StaticConfig struct {
 	// This map holds raw TOML primitives that will be parsed by registered provider parsers
 	ClusterProviderConfigs map[string]toml.Primitive `toml:"cluster_provider_configs,omitempty"`
 
+	// KialiOptions is the configuration for the kiali toolset.
+	KialiOptions KialiOptions `toml:"kiali,omitempty"`
+
 	// Internal: parsed provider configs (not exposed to TOML package)
 	parsedClusterProviderConfigs map[string]ProviderConfig
 

pkg/kiali/endpoints.go

@@ -0,0 +1,8 @@
+package kiali
+
+// Kiali API endpoint paths shared across this package.
+const (
+	// MeshGraph is the Kiali API path that returns the mesh graph/status.
+	MeshGraph = "/api/mesh/graph"
+	AuthInfo  = "/api/auth/info"
+)

pkg/kiali/kiali.go

@@ -0,0 +1,109 @@
+package kiali
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"io"
+	"k8s.io/klog/v2"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+type Kiali struct {
+	manager *Manager
+}
+
+func (m *Manager) GetKiali() *Kiali {
+	return &Kiali{manager: m}
+}
+
+func (k *Kiali) GetKiali() *Kiali {
+	return k
+}
+
+// validateAndGetURL validates the Kiali client configuration and returns the full URL
+// by safely concatenating the base URL with the provided endpoint, avoiding duplicate
+// or missing slashes regardless of trailing/leading slashes.
+func (k *Kiali) validateAndGetURL(endpoint string) (string, error) {
+	if k == nil || k.manager == nil || k.manager.KialiURL == "" {
+		return "", fmt.Errorf("kiali client not initialized")
+	}
+	baseStr := strings.TrimSpace(k.manager.KialiURL)
+	if baseStr == "" {
+		return "", fmt.Errorf("kiali server URL not configured")
+	}
+	baseURL, err := url.Parse(baseStr)
+	if err != nil {
+		return "", fmt.Errorf("invalid kiali base URL: %w", err)
+	}
+	if endpoint == "" {
+		return baseURL.String(), nil
+	}
+	ref, err := url.Parse(endpoint)
+	if err != nil {
+		return "", fmt.Errorf("invalid endpoint path: %w", err)
+	}
+	return baseURL.ResolveReference(ref).String(), nil
+}
+
+func (k *Kiali) createHTTPClient() *http.Client {
+	return &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: k.manager.KialiInsecure,
+			},
+		},
+	}
+}
+
+// CurrentAuthorizationHeader returns the Authorization header value that the
+// Kiali client is currently configured to use (Bearer <token>), or empty
+// if no bearer token is configured.
+func (k *Kiali) authorizationHeader() string {
+	if k == nil || k.manager == nil {
+		return ""
+	}
+	token := strings.TrimSpace(k.manager.BearerToken)
+	if token == "" {
+		return ""
+	}
+	lower := strings.ToLower(token)
+	if strings.HasPrefix(lower, "bearer ") {
+		return "Bearer " + strings.TrimSpace(token[7:])
+	}
+	return "Bearer " + token
+}
+
+// executeRequest executes an HTTP request and handles common error scenarios.
+func (k *Kiali) executeRequest(ctx context.Context, endpoint string) (string, error) {
+	ApiCallURL, err := k.validateAndGetURL(endpoint)
+	if err != nil {
+		return "", err
+	}
+
+	klog.V(0).Infof("Kiali Call URL: %s", ApiCallURL)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, ApiCallURL, nil)
+	if err != nil {
+		return "", err
+	}
+	authHeader := k.authorizationHeader()
+	if authHeader != "" {
+		req.Header.Set("Authorization", authHeader)
+	}
+	client := k.createHTTPClient()
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer func() { _ = resp.Body.Close() }()
+	body, _ := io.ReadAll(resp.Body)
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		if len(body) > 0 {
+			return "", fmt.Errorf("kiali API error: %s", strings.TrimSpace(string(body)))
+		}
+		return "", fmt.Errorf("kiali API error: status %d", resp.StatusCode)
+	}
+	return string(body), nil
+}

pkg/kiali/kiali_test.go

@@ -0,0 +1,75 @@
+package kiali
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	"github.com/containers/kubernetes-mcp-server/pkg/config"
+)
+
+func TestValidateAndGetURL_JoinsProperly(t *testing.T) {
+	m := NewManager(&config.StaticConfig{KialiOptions: config.KialiOptions{Url: "https://kiali.example/"}})
+	k := m.GetKiali()
+
+	full, err := k.validateAndGetURL("/api/path")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if full != "https://kiali.example/api/path" {
+		t.Fatalf("unexpected url: %s", full)
+	}
+
+	m.KialiURL = "https://kiali.example"
+	full, err = k.validateAndGetURL("api/path")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if full != "https://kiali.example/api/path" {
+		t.Fatalf("unexpected url: %s", full)
+	}
+
+	// preserve query
+	m.KialiURL = "https://kiali.example"
+	full, err = k.validateAndGetURL("/api/path?x=1&y=2")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	u, _ := url.Parse(full)
+	if u.Path != "/api/path" || u.Query().Get("x") != "1" || u.Query().Get("y") != "2" {
+		t.Fatalf("unexpected parsed url: %s", full)
+	}
+}
+
+// CurrentAuthorizationHeader behavior is now implicit via executeRequest using Manager.BearerToken
+
+func TestExecuteRequest_SetsAuthAndCallsServer(t *testing.T) {
+	// setup test server to assert path and auth header
+	var seenAuth string
+	var seenPath string
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		seenAuth = r.Header.Get("Authorization")
+		seenPath = r.URL.String()
+		_, _ = w.Write([]byte("ok"))
+	}))
+	defer srv.Close()
+
+	m := NewManager(&config.StaticConfig{KialiOptions: config.KialiOptions{Url: srv.URL}})
+	m.BearerToken = "token-xyz"
+	k := m.GetKiali()
+	out, err := k.executeRequest(context.Background(), "/api/ping?q=1")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if out != "ok" {
+		t.Fatalf("unexpected body: %s", out)
+	}
+	if seenAuth != "Bearer token-xyz" {
+		t.Fatalf("expected auth header to be set, got '%s'", seenAuth)
+	}
+	if seenPath != "/api/ping?q=1" {
+		t.Fatalf("unexpected path: %s", seenPath)
+	}
+}

pkg/kiali/manager.go

@@ -0,0 +1,25 @@
+package kiali
+
+import (
+	"context"
+
+	"github.com/containers/kubernetes-mcp-server/pkg/config"
+)
+
+type Manager struct {
+	BearerToken   string
+	KialiURL      string
+	KialiInsecure bool
+}
+
+func NewManager(config *config.StaticConfig) *Manager {
+	return &Manager{
+		BearerToken:   "",
+		KialiURL:      config.KialiOptions.Url,
+		KialiInsecure: config.KialiOptions.Insecure,
+	}
+}
+
+func (m *Manager) Derived(_ context.Context) (*Kiali, error) {
+	return &Kiali{manager: m}, nil
+}

pkg/kiali/manager_test.go

@@ -0,0 +1,53 @@
+package kiali
+
+import (
+	"context"
+	"testing"
+
+	"github.com/containers/kubernetes-mcp-server/pkg/config"
+)
+
+func TestNewManagerUsesConfigFields(t *testing.T) {
+	cfg := &config.StaticConfig{KialiOptions: config.KialiOptions{Url: "https://kiali.example", Insecure: true}}
+	m := NewManager(cfg)
+	if m == nil {
+		t.Fatalf("expected manager, got nil")
+	}
+	if m.KialiURL != cfg.KialiOptions.Url {
+		t.Fatalf("expected KialiURL %s, got %s", cfg.KialiOptions.Url, m.KialiURL)
+	}
+	if m.KialiInsecure != cfg.KialiOptions.Insecure {
+		t.Fatalf("expected KialiInsecure %v, got %v", cfg.KialiOptions.Insecure, m.KialiInsecure)
+	}
+}
+
+func TestDerivedWithoutAuthorizationReturnsOriginalManager(t *testing.T) {
+	cfg := &config.StaticConfig{KialiOptions: config.KialiOptions{Url: "https://kiali.example"}}
+	m := NewManager(cfg)
+	k, err := m.Derived(context.Background())
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if k == nil || k.manager != m {
+		t.Fatalf("expected derived Kiali to keep original manager")
+	}
+}
+
+func TestDerivedPreservesURLAndToken(t *testing.T) {
+	cfg := &config.StaticConfig{KialiOptions: config.KialiOptions{Url: "https://kiali.example", Insecure: true}}
+	m := NewManager(cfg)
+	m.BearerToken = "token-abc"
+	k, err := m.Derived(context.Background())
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if k == nil || k.manager == nil {
+		t.Fatalf("expected derived Kiali with manager")
+	}
+	if k.manager.BearerToken != "token-abc" {
+		t.Fatalf("expected bearer token 'token-abc', got '%s'", k.manager.BearerToken)
+	}
+	if k.manager.KialiURL != m.KialiURL || k.manager.KialiInsecure != m.KialiInsecure {
+		t.Fatalf("expected Kiali URL/insecure preserved")
+	}
+}