fix(ambient-api-server): run as non-root and add OIDC secret placeholders

[javierpena]

Add USER 1001 to the Dockerfile to satisfy restricted SecurityContext requirements.

Add empty clientId/clientSecret keys to the base ambient-api-server Secret so the ambient-control-plane pod can start in Kind where OIDC is not configured (token auth is used instead).

Summary by CodeRabbit

Release Notes

• Chores
  • Enhanced container security by configuring the service runtime environment to execute with restricted user privileges, reducing the potential attack surface in production deployments.
  • Prepared platform authentication infrastructure with updated credential configuration fields to support client authentication workflows for the API server.

[coderabbitai]

📝 Walkthrough

Walkthrough

The ambient-api-server component is hardened with a non-root user in its container image and updated to declare client credential fields (empty) in its Kubernetes Secret manifest.

Changes

Ambient API Server Security & Configuration

Layer / File(s)	Summary
Configuration components/manifests/base/platform/ambient-api-server-secrets.yml	Added clientId and clientSecret as empty string entries under stringData in the ambient-api-server Secret.
Runtime Security components/ambient-api-server/Dockerfile	Set container user to USER 1001 (non-root) in the runtime stage before port exposure and entrypoint.

Suggested labels

queued

🚥 Pre-merge checks | ✅ 7 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Kubernetes Resource Safety	⚠️ Warning	Kubernetes resource safety violations: Secrets and PVC missing ownerReferences; database container missing resource limits; database pod missing securityContext.	Add ownerReferences to child resources; add resource requests/limits to postgresql container; add pod securityContext with runAsNonRoot to database Deployment.

✅ Passed checks (7 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title follows Conventional Commits format with type 'fix' and scope 'ambient-api-server', and directly summarizes both main changes: adding non-root user and OIDC secret placeholders.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Performance And Algorithmic Complexity	✅ Passed	PR introduces only infrastructure changes (Dockerfile USER directive and Kubernetes Secret placeholders). No algorithmic complexity, loops, expensive operations, or performance-related code detected.
Security And Secret Handling	✅ Passed	PR adds USER 1001 to Dockerfile (non-root security improvement) and empty clientId/clientSecret placeholders (safe). No plaintext secrets or auth vulnerabilities introduced.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

components/manifests/base/platform/ambient-api-server-secrets.yml (1)

4-25: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add ownerReferences to both Secret resources (ambient-api-server-db, ambient-api-server).

Both Secrets are missing metadata.ownerReferences, which violates manifest ownership/lifecycle policy for child resources.

As per coding guidelines "All child resources (Jobs, Secrets, PVCs) must have OwnerReferences set with controller owner refs".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@components/manifests/base/platform/ambient-api-server-secrets.yml` around
lines 4 - 25, Both Secret manifests (metadata.name: ambient-api-server-db and
metadata.name: ambient-api-server) are missing metadata.ownerReferences; add an
ownerReferences array on each Secret pointing to the owning controller (set
apiVersion, kind, name and uid of the parent/controller and set controller: true
and blockOwnerDeletion: true) so they are properly garbage-collected and comply
with the "child resources must have OwnerReferences" guideline; update the
Secret resources with ownerReferences referencing the appropriate parent
Deployment/CustomResource by its name/uid.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@components/manifests/base/platform/ambient-api-server-secrets.yml`:
- Around line 4-25: Both Secret manifests (metadata.name: ambient-api-server-db
and metadata.name: ambient-api-server) are missing metadata.ownerReferences; add
an ownerReferences array on each Secret pointing to the owning controller (set
apiVersion, kind, name and uid of the parent/controller and set controller: true
and blockOwnerDeletion: true) so they are properly garbage-collected and comply
with the "child resources must have OwnerReferences" guideline; update the
Secret resources with ownerReferences referencing the appropriate parent
Deployment/CustomResource by its name/uid.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4ec727de-951a-4e47-8703-454ab9b06165

📥 Commits

Reviewing files that changed from the base of the PR and between 136db29 and 3646bfa.

📒 Files selected for processing (2)

• components/ambient-api-server/Dockerfile
• components/manifests/base/platform/ambient-api-server-secrets.yml

[netlify]

✅ Deploy Preview for cheerful-kitten-f556a0 canceled.

Name	Link
🔨 Latest commit	b185e32
🔍 Latest deploy log	https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/6a0387cce0ba1a0007ea6863