feat: local init and bootstrap setup for cloud provider independent testing

[tuunit]

📝 Summary

This change introduces a new "local evaluation" mode for kubara, making it easier for users to try out the platform on their local environment. The main changes include new CLI flags and logic for both init and bootstrap commands, improved documentation, and a new quick start guide tailored for local evaluation.

Collectively this hopefully makes it much easier for users to evaluate kubara locally, while keeping production and evaluation workflows clearly separated.

Furthermore, for ease of use this PR makes the following .env variables entirely optional and introduces cross validation for the ArgoCD credentials:

• DOCKERCONFIG_BASE64
• ARGOCD_GIT_USERNAME
• ARGOCD_GIT_PAT_OR_PASSWORD

🧩 Type of change

• 🔧 CLI / Go code
• 📦 Helm chart
• 🧱 Terraform module
• 📝 Documentation
• 🧪 Test or CI change
• ♻️ Refactor / cleanup

⚠️ Is this a breaking change?

• Yes, this change breaks existing functionality (explain in summary)

🧪 Testing

• CI passed
• Manually tested (local/dev cluster)
• Unit tested
• Not tested (explain why below)

🔗 Related Issues / Tickets

✅ Checklist

• Code compiles and passes all tests
• Linting and style checks pass
• Comments added for complex logic
• Documentation updated (if applicable)

📎 Additional Context (optional)

[Copilot]

Pull request overview

This PR introduces a local evaluation workflow for kubara, adding --local support to init and bootstrap, plus documentation for a quick-start local setup. It also relaxes some previously-required env vars to be optional (to better support local runs) and extends the cert-manager chart to allow custom ClusterIssuer definitions.

Changes:

• Add --local mode: initialize local defaults, generate local .env, and bootstrap a local kind cluster (including OpenBao + ingress wiring).
• Make selected env values optional (Docker registry + Git credentials) and add utilities to render a .env from current values.
• Extend cert-manager chart values/templates to support a user-provided clusterIssuer.customDefinition, and add local setup docs/nav.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
src/internal/utils/utils.go	Add .kubara/ and .local/ to gitignore template entries.
src/internal/localmode/localmode.go	Define local-eval defaults and apply a local cluster service profile.
src/internal/localmode/localmode_test.go	Unit test for local cluster profile service enable/disable behavior.
src/internal/envconfig/store.go	Add rendering of .env from current values (used by local init/bootstrap).
src/internal/envconfig/store_test.go	Update tests to reflect optional env defaults and output changes.
src/internal/envconfig/env.go	Mark registry + Git credential env vars as optional with empty defaults.
src/internal/envconfig/env_test.go	Update validation/default tests for newly-optional env fields.
src/internal/cmd/bootstrap/secrets.go	Make image pull secret optional + improve git repo secret population logic.
src/internal/cmd/bootstrap/local.go	Implement local bootstrap orchestration (kind, Traefik LB, OpenBao, overrides).
src/internal/cmd/bootstrap/bootstrap.go	Wire --local bootstrap preparation and local completion message output.
src/internal/cmd/bootstrap/bootstrap_test.go	Add tests for local completion message + Traefik bootstrap service metadata.
src/internal/catalog/built-in/managed-service-catalog/helm/cert-manager/values.yaml	Add clusterIssuer.* fields including customDefinition.
src/internal/catalog/built-in/managed-service-catalog/helm/cert-manager/templates/clusterissuer.yaml	Render an extra manifest from clusterIssuer.customDefinition.
src/internal/catalog/built-in/managed-service-catalog/helm/cert-manager/Chart.yaml	Bump cert-manager chart version to 0.3.0.
src/internal/catalog/built-in/managed-service-catalog/helm/cert-manager/CHANGELOG.md	Document 0.3.0 change for custom cluster issuer definitions.
src/cmd/init.go	Add --local flag to init and generate a local-eval .env from current values.
src/cmd/bootstrap.go	Add --local flag, local env preparation, and local-default timeout adjustment.
docs/mkdocs.yml	Add Quick Start page to navigation.
docs/content/1_getting_started/quick_start.md	New local-evaluation quick start guide (kind + cloud-provider-kind + bootstrap).
docs/content/1_getting_started/commands.md	Update CLI command docs to include --local flags.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Matthiator]

Thanks for this! The local evaluation flow is really useful, the separation into localmode keeps the profile logic nicely contained, and the idempotent bootstrap steps (kind cluster, OpenBao mounts/auth) are much appreciated.

One cross-cutting point I'd like to see called out before merge, plus a few smaller things as inline comments:

Env validation is relaxed globally, not only for --local: DOCKERCONFIG_BASE64, ARGOCD_GIT_USERNAME, and ARGOCD_GIT_PAT_OR_PASSWORD are now optional for all workflows. That may well be intentional (public repos, no registry auth), but it should be mentioned in the PR description and the docs for these variables, because missing registry credentials now silently skip the image pull secret instead of failing validation — a typo in one of these env names only surfaces later as ImagePullBackOff. Related: please add cross-field validation for the Git credentials so partial configuration (username without password, or vice versa) fails early with a clear message instead of surfacing as a confusing Argo CD repo connection error.

Non-blocking follow-ups, fine to defer (partly depends on #370):

• Align the local OpenBao setup with the model introduced in #370 (KV mount path, auth mount path, namespace-scoped roles, namespace-prefixed secret layout) so both converge on one "OpenBao contract" — might be worth a short ADR.
• Consider standalone OpenBao with file storage instead of dev mode so local state survives Docker/pod restarts (see inline comment on the docs).
• Avoid passing secret values as CLI args to bao kv put — stdin via the existing kubectlExecWithInput would keep them out of the process lists on the host and in the pod.
• Escape values in the generated .env (a single quote in a value currently breaks the file).
• Consider downgrading the hard sudo prerequisite check to a warning or doc note.

[Matthiator]

lgtm