fix(ambient-api-server): run as non-root and add OIDC secret placeholders

[javierpena]

Add USER 1001 to the Dockerfile to satisfy restricted SecurityContext requirements.

Add empty clientId/clientSecret keys to the base ambient-api-server Secret so the ambient-control-plane pod can start in Kind where OIDC is not configured (token auth is used instead).

Summary by CodeRabbit

• Chores
  • Improved runtime security by ensuring the API server process runs with restricted privileges in production, reducing potential attack surface.
  • Prepared platform authentication by adding credential fields for client ID and secret to the API server configuration, enabling future client authentication workflows.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: bdeb86c3-e9ab-42b2-8a13-1d55f48a272d

📥 Commits

Reviewing files that changed from the base of the PR and between 3646bfa and 8eb715e.

📒 Files selected for processing (2)

• components/ambient-api-server/Dockerfile
• components/manifests/base/platform/ambient-api-server-secrets.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• components/manifests/base/platform/ambient-api-server-secrets.yml

---

📝 Walkthrough

Walkthrough

Runtime image now runs as non-root (USER 1001) and the Kubernetes Secret for ambient-api-server declares empty clientId and clientSecret stringData fields.

Changes

Ambient API Server: runtime user & secret fields

Layer / File(s)	Summary
Secret: declare client credentials components/manifests/base/platform/ambient-api-server-secrets.yml	Added stringData.clientId: "" and stringData.clientSecret: "" to the ambient-api-server Secret.
Runtime image: non-root user components/ambient-api-server/Dockerfile	Runtime stage now sets USER 1001 (non-root) after EXPOSE 8000 and before ENTRYPOINT/LABEL.

Possibly related PRs

• ambient-code/platform#1445: Adds clientId/clientSecret keys to ambient-api-server Secret and references them for OIDC_CLIENT_ID/OIDC_CLIENT_SECRET via secretKeyRef.

Suggested labels

queued

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
Security And Secret Handling	❌ Error	Hardcoded plaintext DB password (TheBlurstOfTimes) in secrets manifest (line 15). Both Kubernetes Secrets missing OwnerReferences—violates custom check blocking criteria.	Use external secrets management instead of hardcoded credentials. Add ownerReferences to both ambient-api-server and ambient-api-server-db Secrets for lifecycle management.
Kubernetes Resource Safety	⚠️ Warning	PostgreSQL container missing resource limits; PVC missing ownerReferences; ambient-api-server-db missing pod security context.	Add resources section to postgres container; add ownerReferences to PVC; add securityContext to ambient-api-server-db deployment.

✅ Passed checks (6 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	Title follows Conventional Commits format with type 'fix' and scope 'ambient-api-server', accurately summarizing both main changes: non-root user enforcement and OIDC secret placeholders.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Performance And Algorithmic Complexity	✅ Passed	No performance regressions detected. Changes are configuration-only: adding non-root user to Dockerfile and empty OIDC secret placeholders. No algorithms, queries, or unbounded growth.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

components/manifests/base/platform/ambient-api-server-secrets.yml (1)

4-25: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add ownerReferences to both Secret resources (ambient-api-server-db, ambient-api-server).

Both Secrets are missing metadata.ownerReferences, which violates manifest ownership/lifecycle policy for child resources.

As per coding guidelines "All child resources (Jobs, Secrets, PVCs) must have OwnerReferences set with controller owner refs".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@components/manifests/base/platform/ambient-api-server-secrets.yml` around
lines 4 - 25, Both Secret manifests (metadata.name: ambient-api-server-db and
metadata.name: ambient-api-server) are missing metadata.ownerReferences; add an
ownerReferences array on each Secret pointing to the owning controller (set
apiVersion, kind, name and uid of the parent/controller and set controller: true
and blockOwnerDeletion: true) so they are properly garbage-collected and comply
with the "child resources must have OwnerReferences" guideline; update the
Secret resources with ownerReferences referencing the appropriate parent
Deployment/CustomResource by its name/uid.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@components/manifests/base/platform/ambient-api-server-secrets.yml`:
- Around line 4-25: Both Secret manifests (metadata.name: ambient-api-server-db
and metadata.name: ambient-api-server) are missing metadata.ownerReferences; add
an ownerReferences array on each Secret pointing to the owning controller (set
apiVersion, kind, name and uid of the parent/controller and set controller: true
and blockOwnerDeletion: true) so they are properly garbage-collected and comply
with the "child resources must have OwnerReferences" guideline; update the
Secret resources with ownerReferences referencing the appropriate parent
Deployment/CustomResource by its name/uid.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4ec727de-951a-4e47-8703-454ab9b06165

📥 Commits

Reviewing files that changed from the base of the PR and between 136db29 and 3646bfa.

📒 Files selected for processing (2)

• components/ambient-api-server/Dockerfile
• components/manifests/base/platform/ambient-api-server-secrets.yml

[netlify]

✅ Deploy Preview for cheerful-kitten-f556a0 canceled.

Name	Link
🔨 Latest commit	ca03782
🔍 Latest deploy log	https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/6a05f6fe3a37f0000896d53d