Configure remote kubectl access with 1Password credentials

Step 0.10 implementation:
- Recreate minikube with --apiserver-names=indri --listen-address=0.0.0.0
- Add kubectl-credential-1password exec plugin for 1Password integration
- Client certs fetched from 1Password on-demand (no private keys on disk)
- CA cert stored locally (not secret - public key for server verification)

Minikube role updates:
- Add minikube_apiserver_names and minikube_listen_address variables
- Update tasks to include remote access flags

This mirrors the 1Password SSH agent pattern - biometric auth required
for each kubectl command that needs credentials.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

bin/kubectl-credential-1password

@@ -0,0 +1,31 @@
+#!/bin/bash
+# kubectl exec credential plugin for 1Password
+# Usage: kubectl-credential-1password <vault-id> <item-id> <cert-field> <key-field>
+#
+# Fetches client certificate and key from 1Password and outputs
+# ExecCredential JSON for kubectl authentication.
+
+set -euo pipefail
+
+VAULT_ID="$1"
+ITEM_ID="$2"
+CERT_FIELD="$3"
+KEY_FIELD="$4"
+
+# Fetch credentials from 1Password (strips surrounding quotes from text fields)
+CLIENT_CERT=$(op --vault "$VAULT_ID" item get "$ITEM_ID" --fields "$CERT_FIELD" | sed 's/^"//; s/"$//')
+CLIENT_KEY=$(op --vault "$VAULT_ID" item get "$ITEM_ID" --fields "$KEY_FIELD" | sed 's/^"//; s/"$//')
+
+# Output ExecCredential JSON
+# Note: jq is used to properly escape the PEM data for JSON
+jq -n \
+  --arg cert "$CLIENT_CERT" \
+  --arg key "$CLIENT_KEY" \
+  '{
+    "apiVersion": "client.authentication.k8s.io/v1beta1",
+    "kind": "ExecCredential",
+    "status": {
+      "clientCertificateData": $cert,
+      "clientKeyData": $key
+    }
+  }'