feat(deployments): add MCP support for EKS and Istio routing

[topher-lo]

Motivation

• Make Tracecat MCP (MCP/OIDC endpoints) enable-able for EKS Terraform deployments and ensure MCP is routed correctly under both ALB ingress (split-ingress) and Istio VirtualService networking.
• Prevent MCP from falling through to the UI (fix missing VirtualService routes) and ensure publicMcp is set when TLS is terminated at ALB so OIDC callbacks work.

Description

• Added Terraform inputs tracecat_mcp_enabled and tracecat_mcp_replicas to both the root deployments/eks/variables.tf and module deployments/eks/modules/eks/variables.tf and passed them through in deployments/eks/main.tf.
• Wired Helm values in deployments/eks/modules/eks/helm.tf to set mcp.enabled, mcp.replicas, and explicit urls.publicMcp, and added ALB split-ingress annotations for MCP (alb.ingress.kubernetes.io/group.order and alb.ingress.kubernetes.io/healthcheck-path).
• Extended Helm virtualservice.yaml (deployments/helm/tracecat/templates/virtualservice.yaml) to render Istio VirtualService HTTP matches that route /mcp, OIDC discovery endpoints and auth routes (/.well-known/*, /authorize, /token, /register, /consent, /auth/callback) to the MCP service when mcp.enabled=true.
• Updated docs with examples and guidance: deployments/eks/README.md (how to enable via TF_VAR_*), and deployments/helm/README.md (values and VirtualService notes for MCP/OIDC).
• Commit message: feat(deployments): add MCP support for EKS and Istio routing.

Testing

• Ran git diff --check and it succeeded with no whitespace errors. (passed)
• Attempted terraform fmt -recursive deployments/eks but Terraform CLI is not available in this environment, so formatting could not be validated here. (not run)
• Attempted helm template ... to validate chart rendering with mcp.enabled=true, but Helm CLI is not available in this environment, so template rendering could not be validated here. (not run)
• Verified repository changes were committed successfully (git commit). (passed)

---

Codex Task

---

Summary by cubic

Adds MCP support to EKS deployments and fixes routing so MCP and OIDC endpoints go to the MCP service under both ALB split-ingress and Istio. Also sets urls.publicMcp for proper OIDC callbacks when TLS terminates at ALB.

• New Features

  • Added Terraform inputs: tracecat_mcp_enabled and tracecat_mcp_replicas (root and module), passed through in main.tf.
  • Wired Helm values: mcp.enabled, mcp.replicas, urls.publicMcp.
  • Added ALB split-ingress annotations for MCP (group.order=15, healthcheck-path=/mcp).
  • Updated EKS and Helm docs with enable steps and MCP/OIDC notes.

• Bug Fixes

  • Extended Istio VirtualService to route /mcp and OIDC endpoints (/.well-known/*, /authorize, /token, /register, /consent, /auth/callback) to the MCP service when enabled.
  • Prevents MCP traffic from falling through to the UI and ensures OIDC callbacks work.

^{Written for commit d3e587a. Summary will update on new commits.}

[cubic-dev-ai]

No issues found across 7 files