feat(infra): add Kubernetes namespaces and workload identity SA (kubernetes.tf)

argocd and aks-mcp namespaces. Workload identity service account for
aks-mcp with UAMI client ID annotation. Federated credential wiring
the SA to the UAMI via the cluster OIDC issuer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: raykao

infra/identity.tf

@@ -45,6 +45,15 @@ resource "azurerm_federated_identity_credential" "gh_pr" {
   subject             = "repo:${var.github_org}/${var.github_repo}:pull_request"
 }
 
+resource "azurerm_federated_identity_credential" "aks_mcp_sa" {
+  name                = "aks-mcp-service-account"
+  resource_group_name = azurerm_resource_group.main.name
+  parent_id           = azurerm_user_assigned_identity.workload.id
+  audience            = ["api://AzureADTokenExchange"]
+  issuer              = azurerm_kubernetes_cluster.main.oidc_issuer_url
+  subject             = "system:serviceaccount:aks-mcp:aks-mcp"
+}
+
 # Contributor on the resource group (deploy AKS, ACR, etc.)
 resource "azurerm_role_assignment" "workload_rg_contributor" {
   scope                = azurerm_resource_group.main.id

infra/kubernetes.tf

@@ -1 +1,31 @@
-# Kubernetes namespaces + RBAC - see task dark-factory-af1
+resource "kubernetes_namespace" "argocd" {
+  metadata {
+    name = "argocd"
+    labels = {
+      "app.kubernetes.io/managed-by" = "terraform"
+    }
+  }
+}
+
+resource "kubernetes_namespace" "aks_mcp" {
+  metadata {
+    name = "aks-mcp"
+    labels = {
+      "app.kubernetes.io/managed-by" = "terraform"
+      "azure.workload.identity/use"  = "true"
+    }
+  }
+}
+
+resource "kubernetes_service_account" "aks_mcp" {
+  metadata {
+    name      = "aks-mcp"
+    namespace = kubernetes_namespace.aks_mcp.metadata[0].name
+    annotations = {
+      "azure.workload.identity/client-id" = azurerm_user_assigned_identity.workload.client_id
+    }
+    labels = {
+      "azure.workload.identity/use" = "true"
+    }
+  }
+}