78 commits
6031ec7
Red Hat Konflux update ambient-code-backend-main
Apr 6, 2026
606ce90
Red Hat Konflux update ambient-code-frontend-main
Apr 6, 2026
6c55b40
Red Hat Konflux update ambient-code-operator-main
Apr 6, 2026
f0c83d1
Red Hat Konflux update ambient-code-public-api-main
Apr 6, 2026
27ca356
Red Hat Konflux update ambient-code-ambient-api-server-main
Apr 6, 2026
ecc111f
Red Hat Konflux update ambient-code-ambient-runner-main
Apr 8, 2026
423fe26
Add app-interface overlay for AppSRE platform deployment
wcmitchell Apr 10, 2026
5a526ef
Add OpenShift Templates for AppSRE deployment
wcmitchell Apr 11, 2026
05d3dad
Add app-interface overlay for AppSRE platform deployment
wcmitchell Apr 10, 2026
2cf0e26
fix: correct OpenShift Template objects array format
wcmitchell Apr 13, 2026
c608bd0
refactor: remove in-cluster services from template
wcmitchell Apr 13, 2026
813c4e6
updating postgresql db name
maknop Apr 13, 2026
9d1e6c0
enabling ssl mode for rds
maknop Apr 15, 2026
4c0ee4b
fix: disable OpenTelemetry metrics export in operator
maknop Apr 15, 2026
85b6476
enabling ssl mode for rds
maknop Apr 15, 2026
9b27e17
Add OAuth proxy and SSL/TLS configuration for app-interface overlay
wcmitchell Apr 17, 2026
76e9181
Remove in-cluster services from template-services.yaml
wcmitchell Apr 17, 2026
5fb4711
Fix OAuth proxy configuration to use OpenShift service account auth
wcmitchell Apr 20, 2026
12d027e
Exclude ambient-code-rds secret from services template
wcmitchell Apr 20, 2026
e252262
fix: fix frontend route termination
wcmitchell Apr 20, 2026
b673993
fix: revert https changes for oauth pods
wcmitchell Apr 20, 2026
07c771f
Change TLS termination from reencrypt to edge
wcmitchell Apr 20, 2026
3b12dbc
Change health check scheme from HTTPS to HTTP
wcmitchell Apr 20, 2026
cd29d3e
Update upstream URL to use frontend service
wcmitchell Apr 20, 2026
19cae2a
Enable request logging in OAuth proxy configuration
wcmitchell Apr 20, 2026
eea6dbf
Update OAuth redirect reference for frontend service account
wcmitchell Apr 20, 2026
d8ca236
Update Vertex AI credentials to use app-interface Vault secret
wcmitchell Apr 21, 2026
aca8627
Fix OAuth proxy to pass access token to backend API
wcmitchell Apr 21, 2026
da9e091
Update OAuth proxy configuration options
wcmitchell Apr 21, 2026
59db0de
Remove authorization header setting from template
wcmitchell Apr 21, 2026
f7c264f
updating ambient env to production
maknop Apr 21, 2026
fc506ef
Add pass-user-bearer-token option to template-services.yaml
wcmitchell Apr 21, 2026
88d2738
Update template-services.yaml
wcmitchell Apr 21, 2026
ab195e8
Fix OAuth proxy to forward user tokens to frontend/backend
wcmitchell Apr 21, 2026
bc7a893
Update openshift-delegate-urls configuration
wcmitchell Apr 21, 2026
81be018
removing openshift-delegate-urls
maknop Apr 21, 2026
8409458
Revert "removing openshift-delegate-urls"
maknop Apr 21, 2026
4a337c6
Update openshift-delegate-urls path in template-services.yaml
wcmitchell Apr 22, 2026
f946eb2
Remove scope option from OAuth proxy configuration
wcmitchell Apr 22, 2026
58123c5
chore: Update konflux deps
wcmitchell Apr 22, 2026
3731512
Merge pull request #56 from RedHatInsights/update_rpm_sig_scan_ref
wcmitchell Apr 22, 2026
04290ab
Configure OAuth proxy with IT-provided SSO client credentials
wcmitchell Apr 28, 2026
8e365a1
Remove ClusterRoleBinding from operator template
wcmitchell Apr 30, 2026
fabbc95
Merge pull request #60 from RedHatInsights/oauth_client_updates
wcmitchell Apr 30, 2026
5d31cec
fix(ci): correct Tekton pathChanged glob patterns
wcmitchell Apr 30, 2026
d292964
Merge pull request #62 from RedHatInsights/fix/tekton-path-glob-patterns
wcmitchell Apr 30, 2026
336a759
fix: initialize no-op metrics instruments when OTEL is disabled
wcmitchell Apr 30, 2026
f190ae5
Merge pull request #61 from RedHatInsights/noop_reporter_init_otel
wcmitchell Apr 30, 2026
2af8216
fix: add MLflow CRD permissions to operator ClusterRole
wcmitchell May 1, 2026
f0cafaf
Merge pull request #63 from RedHatInsights/add_mlflow_perms
wcmitchell May 1, 2026
a96106f
fix: add MLflow permissions to agentic-operator ClusterRole
wcmitchell May 4, 2026
9a63f96
Merge pull request #64 from RedHatInsights/add_mlflow_to_operator_clu…
wcmitchell May 4, 2026
93927f7
Add NetworkPolicy permissions to agentic-operator ClusterRole
maknop May 6, 2026
6e294e7
fix: add backend API routing to oauth-proxy upstream
wcmitchell May 6, 2026
622f62f
Merge pull request #65 from RedHatInsights/fix-oauth-proxy-api-routing
wcmitchell May 6, 2026
db6bdd3
fix: remove overly restrictive openshift-delegate-urls check
wcmitchell May 6, 2026
0d7e8c0
Merge pull request #66 from RedHatInsights/fix-remove-oauth-delegate-…
wcmitchell May 6, 2026
a3ede83
increased initial prompt deploy seconds to 10 seconds
maknop May 7, 2026
1b05e80
Merge pull request #67 from RedHatInsights/inital_prompt_time_increase
maknop May 7, 2026
0a4d259
fix(runner): add health probes and improve INITIAL_PROMPT error logging
maknop May 8, 2026
2bf0dd5
feat: parameterize ANTHROPIC_VERTEX_PROJECT_ID
wcmitchell May 8, 2026
ae273be
Merge pull request #69 from RedHatInsights/update_operator_template_v…
wcmitchell May 8, 2026
393378a
Merge pull request #68 from RedHatInsights/fix/add-health-probes-and-…
maknop May 8, 2026
5c6a9d3
feat: add NetworkPolicy to allow runner pod ingress
maknop May 11, 2026
3e2ebcf
Merge pull request #70 from RedHatInsights/add-runner-networkpolicy-t…
maknop May 11, 2026
b5c3b0b
updated resources requests for operator/runner
maknop May 11, 2026
259ca05
Merge pull request #71 from RedHatInsights/resource_request_adjustment
maknop May 11, 2026
f180dbe
fix: add OAuth proxy cookie refresh to prevent token expiration
maknop May 12, 2026
a584836
Merge pull request #72 from RedHatInsights/fix-token-expiration-cooki…
wcmitchell May 12, 2026
a4ced8e
fix: update oauth proxy upstream to localhost:3000
maknop May 12, 2026
4896c26
Merge pull request #73 from RedHatInsights/fix/oauth-proxy-upstream-c…
maknop May 12, 2026
61b41a7
Merge remote-tracking branch 'upstream/main'
wcmitchell May 14, 2026
f120bf9
chore(konflux): update task bundle SHAs to latest versions
wcmitchell May 14, 2026
1920c92
Merge pull request #74 from RedHatInsights/update_konflux_deps_yet_again
wcmitchell May 14, 2026
0082943
chore(deps): Update to nodejs 24
wcmitchell May 14, 2026
21ce5df
chore: Also update package-lock.json
wcmitchell May 14, 2026
4459daf
Merge pull request #75 from RedHatInsights/update_nodejs_version
wcmitchell May 14, 2026
a9ac6d9
adding openshift-delegate-urls flag
maknop May 15, 2026
585 changes: 585 additions & 0 deletions .tekton/ambient-code-ambient-api-server-main-pull-request.yaml

Large diffs are not rendered by default.

582 changes: 582 additions & 0 deletions .tekton/ambient-code-ambient-api-server-main-push.yaml

581 changes: 581 additions & 0 deletions .tekton/ambient-code-ambient-runner-main-pull-request.yaml

578 changes: 578 additions & 0 deletions .tekton/ambient-code-ambient-runner-main-push.yaml

585 changes: 585 additions & 0 deletions .tekton/ambient-code-backend-main-pull-request.yaml

582 changes: 582 additions & 0 deletions .tekton/ambient-code-backend-main-push.yaml

585 changes: 585 additions & 0 deletions .tekton/ambient-code-frontend-main-pull-request.yaml

582 changes: 582 additions & 0 deletions .tekton/ambient-code-frontend-main-push.yaml

585 changes: 585 additions & 0 deletions .tekton/ambient-code-operator-main-pull-request.yaml

582 changes: 582 additions & 0 deletions .tekton/ambient-code-operator-main-push.yaml

585 changes: 585 additions & 0 deletions .tekton/ambient-code-public-api-main-pull-request.yaml

582 changes: 582 additions & 0 deletions .tekton/ambient-code-public-api-main-push.yaml

2 changes: 1 addition & 1 deletion components/ambient-api-server/templates/db-template.yml
@@ -14,7 +14,7 @@ parameters:
description: The name of the OpenShift Service exposed for the database.
displayName: Database Service Name
required: true
value: ambient-api-server-db
value: ambient-code-rds

- name: DATABASE_USER
description: Username for PostgreSQL user that will be used for accessing the database.
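Review bot: the parameter description on the line above still says "The name of the OpenShift Service exposed for the database", but the new default `ambient-code-rds` is the name of the external-RDS credentials Secret this PR introduces (overlays/app-interface/ambient-api-server-db-secret-patch.yaml), not a Service. With RDS there is no in-cluster Service of that name, so anything that still treats `$DATABASE_SERVICE_NAME` as a DNS name will fail resolution. Either keep a Service with that name pointing at the RDS endpoint (an ExternalName Service would do) or change the description and the consumers so the host comes from the Secret's `db.host` key, and say which in the template.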
6 changes: 3 additions & 3 deletions components/frontend/Dockerfile
@@ -1,5 +1,5 @@
# Use Red Hat UBI Node.js 20 minimal image for dependencies
⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Stale Node.js 20 references in comments.

The image tags are now nodejs-24/nodejs-24-minimal but the surrounding comments still say "Node.js 20" / "nodejs-20". Quick cleanup to keep the docs honest.

📝 Proposed fix
-# Use Red Hat UBI Node.js 20 minimal image for dependencies
+# Use Red Hat UBI Node.js 24 minimal image for dependencies
 FROM registry.access.redhat.com/ubi9/nodejs-24-minimal AS deps
@@
 # Rebuild the source code only when needed
-# Use the full nodejs-20 image (not minimal) for the build stage because
+# Use the full nodejs-24 image (not minimal) for the build stage because
 # Next.js 16 Turbopack requires native SWC binaries that depend on glibc.
 FROM registry.access.redhat.com/ubi9/nodejs-24 AS builder

Also applies to: 13-15

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@components/frontend/Dockerfile` at line 1, Update stale Node.js 20 comments
to Node.js 24: replace the comment string "# Use Red Hat UBI Node.js 20 minimal
image for dependencies" and any other occurrences of "Node.js 20", "nodejs-20"
or "nodejs-20-minimal" in this Dockerfile (notably the comment blocks around the
base image references) with "Node.js 24" and the correct tags "nodejs-24" /
"nodejs-24-minimal" so the comments match the actual image tags.

FROM registry.access.redhat.com/ubi9/nodejs-20-minimal AS deps
FROM registry.access.redhat.com/ubi9/nodejs-24-minimal AS deps

WORKDIR /app
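Review bot: the base image moves from `nodejs-20-minimal` to `nodejs-24-minimal` but is still referenced by a floating tag, so every rebuild silently picks up whatever UBI content is current at that moment and the image built from a given commit is not reproducible. This same PR pins the Konflux task bundles by SHA; apply the same discipline here with `FROM registry.access.redhat.com/ubi9/nodejs-24-minimal@sha256:<digest>` (and likewise for the `nodejs-24` builder and runner stages) and let the dependency bot bump the digest, so a base-image change arrives as a reviewed diff rather than as a side effect of a rebuild. While touching the line, the comment above it should say Node.js 24 to match the tag.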

@@ -12,7 +12,7 @@ RUN npm ci
# Rebuild the source code only when needed
# Use the full nodejs-20 image (not minimal) for the build stage because
# Next.js 16 Turbopack requires native SWC binaries that depend on glibc.
FROM registry.access.redhat.com/ubi9/nodejs-20 AS builder
FROM registry.access.redhat.com/ubi9/nodejs-24 AS builder

USER 0

@@ -30,7 +30,7 @@ ENV NEXT_TELEMETRY_DISABLED=1
RUN npm run build

# Production image, copy all the files and run next
FROM registry.access.redhat.com/ubi9/nodejs-20-minimal AS runner
FROM registry.access.redhat.com/ubi9/nodejs-24-minimal AS runner

ARG GIT_COMMIT=unknown

16 changes: 8 additions & 8 deletions components/frontend/package-lock.json

Some generated files are not rendered by default.

2 changes: 1 addition & 1 deletion components/frontend/package.json
@@ -69,7 +69,7 @@
"@testing-library/jest-dom": "^6.9.1",
"@testing-library/react": "^16.3.2",
"@types/dompurify": "^3.0.5",
"@types/node": "^20",
"@types/node": "^24",
"@types/react": "^19",
"@types/react-dom": "^19",
"@vitest/coverage-istanbul": "^4.0.18",
4 changes: 2 additions & 2 deletions components/manifests/README.md
@@ -26,7 +26,7 @@ manifests/
│ ├── platform/ # Cluster-level resources
│ │ ├── namespace.yaml
│ │ ├── ambient-api-server-db.yml # ambient-api-server PostgreSQL deployment
│ │ └── ambient-api-server-secrets.yml # Secret template (values injected per-env)
│ │ └── ambient-api-server-secrets.yml # Secret template (ambient-code-rds secret for DB)
│ ├── crds/ # Custom Resource Definitions
│ │ ├── agenticsessions-crd.yaml
│ │ └── projectsettings-crd.yaml
@@ -121,7 +121,7 @@ Components are opt-in kustomize modules included via the `components:` block in
|---|---|---|
| `oauth-proxy` | Adds OpenShift OAuth proxy sidecar to frontend | `production` |
| `postgresql-rhel` | Patches PostgreSQL to use `registry.redhat.io/rhel10/postgresql-16` | `production`, `local-dev` |
| `ambient-api-server-db` | Same RHEL patch for the ambient-api-server's dedicated DB | `production`, `local-dev` |
| `ambient-api-server-db` | RHEL patch for ambient-api-server DB (updates ambient-code-rds secret refs) | `production`, `local-dev` |
| `postgresql-init-scripts` | ConfigMap + volume for DB init SQL (vanilla postgres only) | `kind`, `e2e` |

## Building and Validating
@@ -163,7 +163,7 @@ spec:
volumes:
- name: db-secrets
secret:
secretName: ambient-api-server-db
secretName: ambient-code-rds
- name: app-secrets
secret:
secretName: ambient-api-server
5 changes: 3 additions & 2 deletions components/manifests/base/core/operator-deployment.yaml
@@ -144,8 +144,9 @@ spec:
# - name: DEFAULT_INACTIVITY_TIMEOUT
# value: "86400" # Default inactivity timeout in seconds (24h). Set to 0 to disable.
# OpenTelemetry configuration
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: "otel-collector.ambient-code.svc:4317" # Deploy OTel collector separately
# Disabled: OTel collector not deployed. Uncomment when collector is available.
# - name: OTEL_EXPORTER_OTLP_ENDPOINT
# value: "otel-collector.ambient-code.svc:4317" # Deploy OTel collector separately
- name: DEPLOYMENT_ENV
value: "production"
- name: VERSION
6 changes: 3 additions & 3 deletions components/manifests/base/platform/ambient-api-server-db.yml
@@ -65,17 +65,17 @@ spec:
valueFrom:
secretKeyRef:
key: db.user
name: ambient-api-server-db
name: ambient-code-rds
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: db.password
name: ambient-api-server-db
name: ambient-code-rds
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
key: db.name
name: ambient-api-server-db
name: ambient-code-rds
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
volumeMounts:
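Review bot: after this rename the in-cluster PostgreSQL Deployment in base/platform initialises its superuser from `POSTGRES_USER`/`POSTGRES_PASSWORD`/`POSTGRES_DB` in the same `ambient-code-rds` Secret that the app-interface overlay fills from Vault with the external RDS credentials, while the api-server reads `db.host` from that Secret to decide which database it talks to. Any environment that renders both this base and that overlay would stand up a local Postgres seeded with the RDS password and an api-server pointed at RDS, and nothing would flag the disagreement. The commit messages say in-cluster services were removed from template-services.yaml, but this kustomize base is a separate path; confirm the overlay excludes this Deployment, or give the in-cluster DB its own Secret so the RDS credentials are never handed to a throwaway database.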
@@ -2,7 +2,7 @@
apiVersion: v1
kind: Secret
metadata:
name: ambient-api-server-db
name: ambient-code-rds
labels:
app: ambient-api-server
component: database
15 changes: 15 additions & 0 deletions components/manifests/base/rbac/frontend-rbac.yaml
@@ -3,6 +3,8 @@ kind: ServiceAccount
metadata:
name: frontend
namespace: ambient-code
annotations:
serviceaccounts.openshift.io/oauth-redirectreference.frontend: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"frontend"}}'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
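Review bot: the `serviceaccounts.openshift.io/oauth-redirectreference.frontend` annotation registers the ServiceAccount itself as an OAuth client (client ID `system:serviceaccount:ambient-code:frontend`, client secret = the SA's token, redirect URI derived from the Route named `frontend`). That only takes effect if oauth-proxy is started with that client ID and the SA token as its `--client-secret-file`; the deployment patch in this PR passes explicit `--client-id` values (`ambient-code` / `ambient-frontend`) and a separate secret file, so one of the two configurations is dead. Pick one mode and state it in the patch header: SA-as-client needs this annotation and a Route named `frontend` in this namespace before the first login, while a named OAuthClient (the "IT-provided SSO client credentials" commit) does not need the annotation at all.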
@@ -28,3 +30,16 @@ subjects:
- kind: ServiceAccount
name: frontend
namespace: ambient-code
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ambient-frontend-oauth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: frontend
namespace: ambient-code
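Review bot: `system:auth-delegator` is the right and smallest built-in role for this: it only permits creating `tokenreviews.authentication.k8s.io` and `subjectaccessreviews.authorization.k8s.io`, which oauth-proxy needs to validate bearer tokens and to evaluate `--openshift-delegate-urls`, and it has to be a ClusterRoleBinding because both resources are cluster-scoped. Two follow-ups: put a comment above the binding saying it exists for the oauth-proxy sidecar, so it is dropped if `--openshift-delegate-urls` goes away again (this PR removes and re-adds that flag more than once); and since the frontend container shares this SA, consider `automountServiceAccountToken: false` on the pod with a projected token volume mounted only into the oauth-proxy container, so the Next.js process never holds a token that can answer "is this token valid / may this user do X" for arbitrary tokens.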
@@ -11,17 +11,17 @@
- name: POSTGRESQL_USER
valueFrom:
secretKeyRef:
name: ambient-api-server-db
name: ambient-code-rds
key: db.user
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
name: ambient-api-server-db
name: ambient-code-rds
key: db.password
- name: POSTGRESQL_DATABASE
valueFrom:
secretKeyRef:
name: ambient-api-server-db
name: ambient-code-rds
key: db.name
- op: replace
path: /spec/template/spec/containers/0/volumeMounts
@@ -41,20 +41,20 @@ spec:
- name: PGHOST
valueFrom:
secretKeyRef:
name: ambient-api-server-db
name: ambient-code-rds
key: db.host
- name: PGUSER
valueFrom:
secretKeyRef:
name: ambient-api-server-db
name: ambient-code-rds
key: db.user
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: ambient-api-server-db
name: ambient-code-rds
key: db.password
- name: PGDATABASE
valueFrom:
secretKeyRef:
name: ambient-api-server-db
name: ambient-code-rds
key: db.name
@@ -1,7 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

# Requires: ambient-api-server-db Secret in the target namespace
# Requires: ambient-code-rds Secret in the target namespace

patches:
- path: ambient-api-server-db-json-patch.yaml
@@ -1,5 +1,6 @@
# Patch for production frontend deployment
# - Adds OAuth proxy sidecar for authentication
# - Adds OAuth proxy sidecar for authentication using OpenShift OAuth
# - Uses service account token for cookie secret (no vault secret needed)
# - Overrides resource limits to prevent OOMKills (sawtooth memory pattern)
apiVersion: apps/v1
kind: Deployment
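Review bot: "Uses service account token for cookie secret (no vault secret needed)" needs a second look before it goes into the header. The args further down set `--pass-access-token` and `--cookie-refresh`, and with either of those oauth-proxy uses the cookie secret as an AES key to encrypt the access token inside the session cookie, so its option validation rejects any secret that is not exactly 16, 24 or 32 bytes (raw, or after base64 decoding); a projected SA token is a JWT of several hundred bytes and fails that check at startup. Generate a dedicated random value into the cookie-secret Secret instead (`openssl rand -hex 16` produces one the proxy accepts), and keep in mind that whoever can read that Secret can forge session cookies and decrypt the tokens inside them, so keep it namespace-scoped and rotate it when the proxy config changes. The header should then name the file the secret actually comes from, since the arg list references both `/etc/oauth/config/cookie_secret` and `/etc/oauth-cookie/cookie_secret`.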
@@ -20,20 +21,23 @@ spec:
cpu: 1000m
# OAuth proxy sidecar
- name: oauth-proxy
image: quay.io/openshift/origin-oauth-proxy:4.14
image: registry.redhat.io/openshift4/ose-oauth-proxy-rhel9:v4.18.0-202506230505.p0.gcbd44ad.assembly.stream.el9
imagePullPolicy: IfNotPresent
args:
- --http-address=:8443
- --https-address=
- --provider=openshift
- --client-id=ambient-code
- --client-secret-file=/etc/oauth-client/client_secret
- --upstream=http://localhost:3000
- --client-id=ambient-frontend
- --client-secret-file=/etc/oauth/config/client-secret
- --cookie-secret-file=/etc/oauth/config/cookie_secret
- --cookie-expire=23h0m0s
- --tls-cert=/etc/tls/private/tls.crt
- --tls-key=/etc/tls/private/tls.key
- --cookie-secret-file=/etc/oauth-cookie/cookie_secret
Comment on lines +31 to +35
⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Locate the base frontend Deployment to confirm oauth-client/oauth-cookie volumes & securityContext exist.
fd -t f -e yaml -e yml | xargs rg -lP '^\s*name:\s*frontend\s*$' | xargs -I{} rg -nP -C5 '(oauth-client|oauth-cookie|securityContext|volumes:|volumeMounts:)' {}

# Also check the kustomize component for any companion volumes definition.
fd -t f . components/manifests/components/oauth-proxy

Repository: ambient-code/platform

Length of output: 6354


🏁 Script executed:

fd -t f -e yaml -e yml -path "*/components/manifests/*" | head -20

Repository: ambient-code/platform

Length of output: 234


🏁 Script executed:

cat -n components/manifests/components/oauth-proxy/kustomization.yaml

Repository: ambient-code/platform

Length of output: 412


🏁 Script executed:

rg -n "name.*frontend" components/manifests -A2 -B2 -t yaml | grep -E "(kind:|name:|Deployment)" | head -20

Repository: ambient-code/platform

Length of output: 1800


🏁 Script executed:

sed -n '620,800p' components/manifests/templates/template-services.yaml | cat -n

Repository: ambient-code/platform

Length of output: 6474


🏁 Script executed:

rg -n "kind: Deployment" components/manifests/templates/template-services.yaml -A100 | grep -A100 "name: frontend$" | head -120

Repository: ambient-code/platform

Length of output: 3901


🏁 Script executed:

cat -n components/manifests/components/oauth-proxy/frontend-oauth-deployment-patch.yaml

Repository: ambient-code/platform

Length of output: 3013


🏁 Script executed:

rg -n "securityContext" components/manifests/components/oauth-proxy/ -B2 -A5

Repository: ambient-code/platform

Length of output: 47


🏁 Script executed:

rg -n "containers:" components/manifests/templates/template-services.yaml -A50 | grep -A40 "name: oauth-proxy" | grep -i "securitycontext"

Repository: ambient-code/platform

Length of output: 47


🏁 Script executed:

sed -n '678,750p' components/manifests/templates/template-services.yaml | cat -n

Repository: ambient-code/platform

Length of output: 2949


🏁 Script executed:

rg -n "oauth-proxy" components/manifests/templates/template-services.yaml -B5 -A30 | grep -A30 "name: oauth-proxy" | head -40

Repository: ambient-code/platform

Length of output: 1112


Strategic merge patch will lose oauth-client and oauth-cookie secret mounts, causing oauth-proxy startup failure.

The patch replaces the entire volumeMounts and volumes lists instead of merging them. This removes the oauth-cookie-secret and oauth-client-secret mounts (lines 731-734 in the base), leaving only frontend-proxy-tls. Since the oauth-proxy args reference /etc/oauth-client/client_secret and /etc/oauth-cookie/cookie_secret, the container will crash with "file not found" at startup.

Either:

  • Add the missing volumeMounts/volumes to the patch (lines 72-78), or
  • Switch to a patchesJson6902 patch with merge directives to preserve existing mounts

Additionally, oauth-proxy lacks a securityContext. Per coding guidelines, add:

securityContext:
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: true
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/manifests/components/oauth-proxy/frontend-oauth-deployment-patch.yaml`
around lines 31 - 35, The patch currently replaces the container's
volumeMounts/volumes and drops the oauth-client-secret and oauth-cookie-secret
mounts referenced by the oauth-proxy args (paths /etc/oauth-client/client_secret
and /etc/oauth-cookie/cookie_secret), causing startup failures; fix by either
adding the missing volumeMounts (oauth-client-secret, oauth-cookie-secret) and
corresponding volumes back into the patch alongside frontend-proxy-tls, or
convert this manifest patch to a patchesJson6902 with merge directives so
existing mounts are preserved; also add the securityContext block to the
oauth-proxy container with runAsNonRoot: true, allowPrivilegeEscalation: false,
capabilities.drop: [ALL], and readOnlyRootFilesystem: true.

- --cookie-expire=24h
- --cookie-refresh=1h
- --pass-access-token
- --scope=user:full
- --openshift-delegate-urls={"/":{"resource":"projects","verb":"list"}}
- --upstream-timeout=5m
- --skip-auth-regex=^/metrics
ports:
- containerPort: 8443
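Review bot: three things in this arg list to settle before merge. First, `--https-address=` (empty) disables the TLS listener, so the proxy serves plaintext on `--http-address=:8443`; the `--tls-cert`/`--tls-key` flags in the same list and the serving-cert mount then do nothing, the Route has to be edge-terminated and the probes need `scheme: HTTP` to match (this PR flips both back and forth). Either drop the empty `--https-address=` and keep reencrypt end to end, or remove the TLS flags and the serving cert so the manifest says what it does. Second, `--openshift-delegate-urls={"/":{"resource":"projects","verb":"list"}}` applies to requests that arrive with a bearer `Authorization` header (API clients): each one is checked with a TokenReview and then this SubjectAccessReview. `list projects` is granted to every authenticated user through `basic-user`, so this is a "valid cluster user" check, not an authorization boundary; browser sessions established through the login redirect are governed by `--openshift-sar`, which is not in this list. If the intent is to restrict who can reach the UI, name a verb on a resource in the `ambient-code` namespace that only the intended group holds, or leave it out and let the backend authorize with the forwarded token. Third, `--pass-access-token` hands the user's full-scope (`--scope=user:full`) OpenShift token to the upstream in `X-Forwarded-Access-Token` on every request; that is what the backend needs to act as the user, but it means the frontend process and every hop to the backend now carry a credential equivalent to the user's `oc login` session. Confirm the request logging enabled in this PR does not capture headers and that the frontend forwards the token only over the in-cluster path, and keep `--skip-auth-regex=^/metrics` only if the frontend's metrics endpoint exposes nothing per-user, since it is reachable unauthenticated through the Route.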
@@ -42,38 +46,33 @@ spec:
httpGet:
path: /oauth/healthz
port: dashboard-ui
scheme: HTTP
initialDelaySeconds: 30
scheme: HTTPS
initialDelaySeconds: 10
timeoutSeconds: 1
periodSeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /oauth/healthz
port: dashboard-ui
scheme: HTTP
initialDelaySeconds: 5
scheme: HTTPS
initialDelaySeconds: 10
timeoutSeconds: 1
periodSeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
resources:
requests:
memory: 256Mi
cpu: 50m
memory: 50Mi
cpu: 10m
limits:
memory: 512Mi
memory: 200Mi
cpu: 200m
volumeMounts:
- mountPath: /etc/oauth/config
name: oauth-config
- mountPath: /etc/tls/private
name: proxy-tls
name: frontend-proxy-tls
volumes:
- name: oauth-config
secret:
secretName: frontend-oauth-config
- name: proxy-tls
- name: frontend-proxy-tls
secret:
secretName: dashboard-proxy-tls
secretName: frontend-proxy-tls
@@ -1,10 +1,12 @@
# Patch to add OAuth port to frontend service
# - Adds HTTPS port for OAuth proxy sidecar
# - Uses service.alpha annotation for auto-generated TLS cert
apiVersion: v1
kind: Service
metadata:
name: frontend-service
annotations:
service.beta.openshift.io/serving-cert-secret-name: dashboard-proxy-tls
service.alpha.openshift.io/serving-cert-secret-name: frontend-proxy-tls
⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Compare existing usage across the repo to confirm beta is the prevailing convention.
rg -nP 'service\.(alpha|beta)\.openshift\.io/serving-cert-secret-name'

Repository: ambient-code/platform

Length of output: 2213


Use service.beta.openshift.io/... for consistency with codebase convention.

The file uses service.alpha.openshift.io/serving-cert-secret-name, but beta is the standard across the repository (10+ instances in manifests and templates). Change to service.beta.openshift.io/serving-cert-secret-name: frontend-proxy-tls.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/manifests/components/oauth-proxy/frontend-oauth-service-patch.yaml`
at line 9, The annotation key used in this manifest is the alpha variant
"service.alpha.openshift.io/serving-cert-secret-name: frontend-proxy-tls" which
is inconsistent with the repo convention; update that annotation to the beta
variant "service.beta.openshift.io/serving-cert-secret-name" while preserving
the secret name value (frontend-proxy-tls) so the annotation reads
service.beta.openshift.io/serving-cert-secret-name: frontend-proxy-tls; locate
the entry by the exact annotation key and the value "frontend-proxy-tls" in this
manifest (frontend-oauth-service-patch.yaml) or other similar manifests and
replace alpha with beta.

spec:
ports:
- port: 8443
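Review bot: the header says this port is "HTTPS for OAuth proxy sidecar" with an auto-generated serving cert, but the deployment patch in this PR starts oauth-proxy with `--https-address=` empty, so port 8443 on the pod is plaintext and the `frontend-proxy-tls` certificate requested by this annotation is never served. Plaintext inside the cluster behind an edge Route is defensible, but the Service, the Route termination (reencrypt vs. edge) and the proxy flags have to agree; as it stands a reencrypt Route would fail its TLS handshake against this port. Keep the serving-cert annotation only if the proxy's TLS listener comes back, and use the `service.beta.openshift.io/...` key the rest of the repo uses.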
@@ -0,0 +1,21 @@
---
apiVersion: v1
kind: Secret
metadata:
name: ambient-code-rds
labels:
app: ambient-api-server
component: database
annotations:
# External RDS connection managed via Vault secrets from app-interface Phase 2
# These values will be injected by vault-secret-manager from Vault path:
# app-interface/data/ambient-code-platform/stage/rds-credentials
qontract.recycle: "true"
type: Opaque
Comment on lines +4 to +14
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add ownerReferences to this Secret resource.

This new Secret is missing metadata.ownerReferences, so it can become orphaned and drift from its controller lifecycle.

As per coding guidelines **/{k8s,kubernetes,manifests,deploy,config}/**/*secret*.{yaml,yml,json}: Flag Kubernetes Secrets missing OwnerReferences.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/manifests/overlays/app-interface/ambient-api-server-db-secret-patch.yaml`
around lines 4 - 14, Add a metadata.ownerReferences entry to the Secret named
ambient-code-rds so it is owned by its managing controller; populate
ownerReferences with the owning resource's apiVersion, kind, name and uid and
set controller: true and blockOwnerDeletion: true. Locate the Secret resource
(metadata.name: ambient-code-rds, labels app: ambient-api-server / component:
database) and add the ownerReferences array referencing the correct controller
object (fill in the controller's apiVersion/kind/name/uid from the controller
resource) to ensure proper lifecycle and garbage collection.

stringData:
# Placeholders - actual values injected from Vault at runtime
db.host: "VAULT_INJECTED"
db.port: "5432"
db.name: "ambient_code"
db.user: "VAULT_INJECTED"
db.password: "VAULT_INJECTED"
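Review bot: two things to check in this Secret. The `stringData` placeholders are real values as far as kustomize is concerned: if the Vault injection ever does not run (a local `kustomize build | oc apply` of this overlay, or a reconcile ordering problem), the api-server is handed `db.host: VAULT_INJECTED` and fails on DNS instead of failing closed; consider leaving the injected keys out of the manifest so their absence surfaces as a missing-key error rather than a bogus connection attempt. Second, this PR's commits enable SSL mode for RDS, yet the only keys here are host/port/name/user/password: if the api-server takes its sslmode from this Secret, add a `db.sslmode` key (`verify-full` with the RDS CA bundle mounted, or at least `require`), and if it is set elsewhere, say so in the comment so nobody assumes this Secret is the whole connection config. The Vault path comment also hardcodes `stage`; make sure the production overlay does not inherit it by copy-paste.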
@@ -0,0 +1,13 @@
# App-interface: set environment to stage
apiVersion: apps/v1
kind: Deployment
metadata:
name: ambient-api-server
spec:
template:
spec:
containers:
- name: api-server
env:
- name: AMBIENT_ENV
value: stage