diff --git a/components/ambient-control-plane/internal/reconciler/kube_reconciler.go b/components/ambient-control-plane/internal/reconciler/kube_reconciler.go
index 4a492609e..cf2d739f1 100644
--- a/components/ambient-control-plane/internal/reconciler/kube_reconciler.go
+++ b/components/ambient-control-plane/internal/reconciler/kube_reconciler.go
@@ -840,6 +840,7 @@ func (r *SimpleKubeReconciler) buildMCPSidecar(sessionID string) interface{} {
 		envVar("AMBIENT_CP_TOKEN_URL", r.cfg.CPTokenURL),
 		envVar("AMBIENT_CP_TOKEN_PUBLIC_KEY", r.cfg.CPTokenPublicKey),
 		envVar("SESSION_ID", sessionID),
+		envVar("SSL_CERT_FILE", "/etc/pki/ca-trust/extracted/pem/service-ca.crt"),
 	}
 	if r.cfg.HTTPProxy != "" {
 		env = append(env, envVar("HTTP_PROXY", r.cfg.HTTPProxy))
@@ -862,6 +863,14 @@ func (r *SimpleKubeReconciler) buildMCPSidecar(sessionID string) interface{} {
 			},
 		},
 		"env": env,
+		"volumeMounts": []interface{}{
+			map[string]interface{}{
+				"name":      "service-ca",
+				"mountPath": "/etc/pki/ca-trust/extracted/pem/service-ca.crt",
+				"subPath":   "service-ca.crt",
+				"readOnly":  true,
+			},
+		},
 		"resources": map[string]interface{}{
 			"requests": map[string]interface{}{
 				"cpu":    "100m",
diff --git a/components/manifests/overlays/production/ambient-api-server-env-patch.yaml b/components/manifests/overlays/production/ambient-api-server-env-patch.yaml
index b16ef2cf5..6df1c41dc 100644
--- a/components/manifests/overlays/production/ambient-api-server-env-patch.yaml
+++ b/components/manifests/overlays/production/ambient-api-server-env-patch.yaml
@@ -10,3 +10,5 @@ spec:
           env:
             - name: AMBIENT_ENV
               value: production
+            - name: BACKEND_URL
+              value: "http://backend-service.ambient-code.svc:8080"