From 3646bfa573ddd7dd4deb9f39decb9866302e2b91 Mon Sep 17 00:00:00 2001 From: Javier Pena Date: Mon, 11 May 2026 17:01:53 +0200 Subject: [PATCH] fix(ambient-api-server): run as non-root and add OIDC secret placeholders Add USER 1001 to the Dockerfile to satisfy restricted SecurityContext requirements. Add empty clientId/clientSecret keys to the base ambient-api-server Secret so the ambient-control-plane pod can start in Kind where OIDC is not configured (token auth is used instead). Co-Authored-By: Claude Sonnet 4.6 --- components/ambient-api-server/Dockerfile | 2 ++ .../manifests/base/platform/ambient-api-server-secrets.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/components/ambient-api-server/Dockerfile b/components/ambient-api-server/Dockerfile index fb32013ac..aea9e7297 100755 --- a/components/ambient-api-server/Dockerfile +++ b/components/ambient-api-server/Dockerfile @@ -30,6 +30,8 @@ COPY --from=builder /workspace/ambient-api-server /usr/local/bin/ EXPOSE 8000 +USER 1001 + ENTRYPOINT ["/usr/local/bin/ambient-api-server", "serve"] LABEL name="ambient-api-server" \ diff --git a/components/manifests/base/platform/ambient-api-server-secrets.yml b/components/manifests/base/platform/ambient-api-server-secrets.yml index 0bea83102..44e917197 100644 --- a/components/manifests/base/platform/ambient-api-server-secrets.yml +++ b/components/manifests/base/platform/ambient-api-server-secrets.yml @@ -25,6 +25,8 @@ metadata: type: Opaque stringData: sentry.key: "" + clientId: "" + clientSecret: "" --- apiVersion: v1
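Review bot: `USER 1001` is added with no comment and no group, so the process runs as UID 1001 with GID 0 (Docker falls back to the root group when a numeric user is given without one), and nothing in the hunk says whether that is intended. If this is the usual arbitrary-UID convention, say so next to the directive, e.g. `# Numeric non-root UID so runAsNonRoot can be verified; GID 0 kept for arbitrary-UID platforms`, and write `USER 1001:0` so the group is explicit. The directive is only the image default, and the pod securityContext, which is not part of this patch, can still override it. The restricted-profile fields (`runAsNonRoot`, `allowPrivilegeEscalation: false`, dropped capabilities) therefore need to be set in the Deployment as well. The runtime stage begins above the hunk, so whether the server needs any path writable by UID 1001 cannot be checked from here.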