feat(infra): deploy AKS MCP Server via Helm (aks-mcp.tf)

Uses pre-created workload identity SA (kubernetes.tf). Workload
identity pod label set so Azure SDK picks up federated token.
Port 8000 — matches .copilot/mcp-config.json localhost reference.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: raykao

infra/aks-mcp.tf

@@ -1 +1,45 @@
-# AKS MCP Server via Helm - see task dark-factory-71d
+resource "helm_release" "aks_mcp" {
+  name             = "aks-mcp"
+  repository       = "oci://ghcr.io/azure/aks-mcp/charts"
+  chart            = "aks-mcp"
+  version          = var.aks_mcp_chart_version
+  namespace        = kubernetes_namespace.aks_mcp.metadata[0].name
+  create_namespace = false
+  wait             = true
+  timeout          = 300
+
+  set {
+    name  = "serviceAccount.create"
+    value = "false"
+  }
+
+  set {
+    name  = "serviceAccount.name"
+    value = kubernetes_service_account.aks_mcp.metadata[0].name
+  }
+
+  set {
+    name  = "podLabels.azure\\.workload\\.identity/use"
+    value = "true"
+  }
+
+  set {
+    name  = "env.AZURE_CLIENT_ID"
+    value = azurerm_user_assigned_identity.workload.client_id
+  }
+
+  set {
+    name  = "env.AZURE_TENANT_ID"
+    value = data.azurerm_client_config.current.tenant_id
+  }
+
+  set {
+    name  = "service.port"
+    value = "8000"
+  }
+
+  depends_on = [
+    kubernetes_namespace.aks_mcp,
+    kubernetes_service_account.aks_mcp
+  ]
+}

infra/outputs.tf

@@ -69,3 +69,8 @@ output "argocd_admin_password" {
   value       = random_password.argocd_admin.result
   sensitive   = true
 }
+
+output "aks_mcp_port_forward_command" {
+  description = "Command to port-forward AKS MCP server locally"
+  value       = "kubectl port-forward -n aks-mcp svc/aks-mcp 8000:8000"
+}