From b57393448c37535968bc27c28a1da7896045f570 Mon Sep 17 00:00:00 2001
From: Daniel Orbach <ddorbach@gmail.com>
Date: Wed, 6 May 2026 13:05:06 +0300
Subject: [PATCH 1/3] fix(scripts): pin kind bootstrap to kind context

setup-kind.sh and setup-metallb.sh used `kubectl apply` (and rollout/wait)
without `--context`, so they targeted whatever the active kubeconfig
context happened to be. Running `make create-kind-cluster` while pointed
at a remote cluster would silently push the local-registry-hosting
ConfigMap and the entire MetalLB stack onto that cluster.

Pin both scripts to `kind-${KIND_CLUSTER_NAME}` so they only ever touch
the kind cluster they are setting up.
---
 scripts/kind/setup-kind.sh    |  2 +-
 scripts/kind/setup-metallb.sh | 11 ++++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/scripts/kind/setup-kind.sh b/scripts/kind/setup-kind.sh
index ed8a63f83..aeeb11906 100755
--- a/scripts/kind/setup-kind.sh
+++ b/scripts/kind/setup-kind.sh
@@ -57,7 +57,7 @@ fi
 
 # 5. Document the local registry
 # https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
-cat <<EOF | kubectl apply -f -
+cat <<EOF | kubectl --context "kind-${KIND_CLUSTER_NAME}" apply -f -
 apiVersion: v1
 kind: ConfigMap
 metadata:
diff --git a/scripts/kind/setup-metallb.sh b/scripts/kind/setup-metallb.sh
index a195b2f5e..cc3dc4fb8 100755
--- a/scripts/kind/setup-metallb.sh
+++ b/scripts/kind/setup-metallb.sh
@@ -5,13 +5,14 @@ set -o pipefail
 set -o nounset
 
 METALLB_VERSION=${METALLB_VERSION:-v0.15.3}
+KIND_CLUSTER_NAME=${KIND_CLUSTER_NAME:-kagent}
 
-kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/${METALLB_VERSION}/config/manifests/metallb-native.yaml
+kubectl --context "kind-${KIND_CLUSTER_NAME}" apply -f https://raw.githubusercontent.com/metallb/metallb/${METALLB_VERSION}/config/manifests/metallb-native.yaml
 
 # Wait for MetalLB to become available.
-kubectl rollout status -n metallb-system deployment/controller --timeout 5m
-kubectl rollout status -n metallb-system daemonset/speaker --timeout 5m
-kubectl wait -n metallb-system  pod -l app=metallb --for=condition=Ready --timeout=10s
+kubectl --context "kind-${KIND_CLUSTER_NAME}" rollout status -n metallb-system deployment/controller --timeout 5m
+kubectl --context "kind-${KIND_CLUSTER_NAME}" rollout status -n metallb-system daemonset/speaker --timeout 5m
+kubectl --context "kind-${KIND_CLUSTER_NAME}" wait -n metallb-system  pod -l app=metallb --for=condition=Ready --timeout=10s
 
 SUBNET=$(docker network inspect kind | jq -r '.[].IPAM.Config[].Subnet | select(contains(":") | not)' | cut -d '.' -f1,2)
 MIN=${SUBNET}.255.0
@@ -20,7 +21,7 @@ MAX=${SUBNET}.255.231
 # Note: each line below must begin with one tab character; this is to get EOF working within
 # an if block. The `-` in the `<<-EOF`` strips out the leading tab from each line, see
 # https://tldp.org/LDP/abs/html/here-docs.html
-kubectl apply -f - <<-EOF
+kubectl --context "kind-${KIND_CLUSTER_NAME}" apply -f - <<-EOF
 apiVersion: metallb.io/v1beta1
 kind: IPAddressPool
 metadata:

From ef24b860fd11c7ba7a5580302ae4440ccbf2814a Mon Sep 17 00:00:00 2001
From: Daniel Orbach <ddorbach@gmail.com>
Date: Wed, 6 May 2026 13:05:17 +0300
Subject: [PATCH 2/3] fix(make): pin kind-related targets to kind context

Several Make targets ran kubectl/istioctl against the active kubeconfig
context with no `--context` flag:

- `use-kind-cluster` did `kubectl create namespace kagent` and
  `kubectl config set-context --current --namespace kagent`. If invoked
  while another cluster was active, both lines would mutate that
  cluster's state (and the user's kubeconfig) instead of kind.
- `kagent-cli-port-forward` and `kagent-ui-port-forward` would forward
  ports from whichever cluster happened to be current.
- `kagent-addon-install` pinned its `kubectl apply` lines but left
  `istioctl install` unscoped, so Istio could land on the wrong cluster.

Pin every kubectl/istioctl invocation to `kind-$(KIND_CLUSTER_NAME)`.
`use-kind-cluster` now sets the namespace on the kind context by name
rather than `--current`, leaving any other context untouched.
---
 Makefile | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/Makefile b/Makefile
index 8be88640a..759fb74e9 100644
--- a/Makefile
+++ b/Makefile
@@ -194,8 +194,8 @@ create-kind-cluster:
 use-kind-cluster:
 	kind get kubeconfig --name $(KIND_CLUSTER_NAME) > /tmp/kind-config
 	KUBECONFIG=~/.kube/config:/tmp/kind-config kubectl config view --merge --flatten > ~/.kube/config.tmp && mv ~/.kube/config.tmp ~/.kube/config && chmod $(KUBECONFIG_PERM) ~/.kube/config
-	kubectl create namespace kagent || true
-	kubectl config set-context --current --namespace kagent || true
+	kubectl --context kind-$(KIND_CLUSTER_NAME) create namespace kagent || true
+	kubectl config set-context kind-$(KIND_CLUSTER_NAME) --namespace kagent || true
 
 .PHONY: delete-kind-cluster
 delete-kind-cluster:
@@ -425,17 +425,17 @@ kagent-cli-install: use-kind-cluster build-cli-local helm-version helm-install-p
 .PHONY: kagent-cli-port-forward
 kagent-cli-port-forward: use-kind-cluster
 	@echo "Port forwarding to kagent CLI..."
-	kubectl port-forward -n kagent service/kagent-controller 8083:8083
+	kubectl --context kind-$(KIND_CLUSTER_NAME) port-forward -n kagent service/kagent-controller 8083:8083
 
 .PHONY: kagent-ui-port-forward
 kagent-ui-port-forward: use-kind-cluster
 	open http://localhost:8082/
-	kubectl port-forward -n kagent service/kagent-ui 8082:8080
+	kubectl --context kind-$(KIND_CLUSTER_NAME) port-forward -n kagent service/kagent-ui 8082:8080
 
 .PHONY: kagent-addon-install
 kagent-addon-install: use-kind-cluster
 	# to test the kagent addons - installing istio, grafana, prometheus, metrics-server
-	istioctl install --set profile=demo -y
+	istioctl install --context kind-$(KIND_CLUSTER_NAME) --set profile=demo -y
 	kubectl apply --context kind-$(KIND_CLUSTER_NAME) -f contrib/addons/grafana.yaml
 	kubectl apply --context kind-$(KIND_CLUSTER_NAME) -f contrib/addons/prometheus.yaml
 	kubectl apply --context kind-$(KIND_CLUSTER_NAME) -f contrib/addons/metrics-server.yaml

From 51be010cfb289fa2840b40ce2a34e69b506c2ef0 Mon Sep 17 00:00:00 2001
From: Daniel Orbach <ddorbach@gmail.com>
Date: Wed, 6 May 2026 13:05:38 +0300
Subject: [PATCH 3/3] fix(make): isolate e2e tests with kind-only KUBECONFIG

The e2e test code calls controller-runtime's `config.GetConfig()` and
also `exec.Command("kubectl", ...)`, both of which honor the active
kubeconfig context. Running `make -C go e2e` while pointed at a remote
cluster would create Agents, MCPServers and ModelConfigs in that
cluster's `kagent` namespace.

Materialize the kind cluster's kubeconfig to a temp file and run the
test binary with KUBECONFIG pinned to it, so the tests cannot reach any
cluster other than the one they were designed for. Abort early with a
clear message if the kind cluster is missing.
---
 go/Makefile | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/go/Makefile b/go/Makefile
index eb3cb918f..3e2e7b279 100644
--- a/go/Makefile
+++ b/go/Makefile
@@ -111,9 +111,19 @@ run: fmt vet ## Run a controller from your host.
 test: ## Run all unit tests.
 	UPDATE_GOLDEN=$(UPDATE_GOLDEN) go test -race -skip 'TestE2E.*' -v ./...
 
+# Pin e2e tests to the kind cluster so a stray current-context (or an
+# ambient KUBECONFIG) can't leak resources onto a remote cluster. Override
+# KIND_CLUSTER_NAME to target a differently-named kind cluster.
+KIND_CLUSTER_NAME ?= kagent
+
 .PHONY: e2e
 e2e: ## Run end-to-end tests.
-	go test -v github.com/kagent-dev/kagent/go/core/test/e2e -failfast
+	@kind get clusters 2>/dev/null | grep -qx '$(KIND_CLUSTER_NAME)' || { \
+	  echo "Error: kind cluster '$(KIND_CLUSTER_NAME)' not found. Run 'make create-kind-cluster' first." >&2; \
+	  exit 1; \
+	}
+	@kind get kubeconfig --name $(KIND_CLUSTER_NAME) > /tmp/kind-config-e2e
+	KUBECONFIG=/tmp/kind-config-e2e go test -v github.com/kagent-dev/kagent/go/core/test/e2e -failfast
 
 ##@ Dependencies