fix(ambient-api-server): run as non-root and add OIDC secret placeholders

[javierpena]

Add USER 1001 to the Dockerfile to satisfy restricted SecurityContext requirements.

Add empty clientId/clientSecret keys to the base ambient-api-server Secret so the ambient-control-plane pod can start in Kind where OIDC is not configured (token auth is used instead).

Summary by CodeRabbit

• Chores
  • API server runtime now runs as a non-root user in production.
  • Added clientId and clientSecret fields (empty by default) to the API server secrets for future credential configuration.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 147b79d8-7e61-4e35-ae2e-8501ba15bd6a

📥 Commits

Reviewing files that changed from the base of the PR and between 45e8a6a and 38808b2.

📒 Files selected for processing (2)

• components/ambient-api-server/Dockerfile
• components/manifests/base/platform/ambient-api-server-secrets.yml

✅ Files skipped from review due to trivial changes (1)

• components/manifests/base/platform/ambient-api-server-secrets.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• components/ambient-api-server/Dockerfile

---

📝 Walkthrough

Walkthrough

Runtime image now runs as non-root (USER 1001) and the Kubernetes Secret for ambient-api-server declares empty clientId and clientSecret stringData fields.

Changes

Ambient API Server: runtime user & secret fields

Layer / File(s)	Summary
Secret: declare client credentials components/manifests/base/platform/ambient-api-server-secrets.yml	Added stringData.clientId: "" and stringData.clientSecret: "" to the ambient-api-server Secret.
Runtime image: non-root user components/ambient-api-server/Dockerfile	Runtime stage now sets USER 1001 (non-root) after EXPOSE 8000 and before ENTRYPOINT/LABEL.

Possibly related PRs

• ambient-code/platform#1445: Adds clientId/clientSecret keys to ambient-api-server Secret and references them for OIDC_CLIENT_ID/OIDC_CLIENT_SECRET via secretKeyRef.

Suggested labels

queued

🚥 Pre-merge checks | ✅ 8

✅ Passed checks (8 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	Title follows Conventional Commits format (fix scope) and accurately describes both main changes: non-root user addition and OIDC secret placeholders.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Performance And Algorithmic Complexity	✅ Passed	PR contains only infrastructure changes: Docker USER directive and Kubernetes Secret fields. No algorithmic code, loops, API patterns, or performance-impacting runtime logic.
Security And Secret Handling	✅ Passed	PR adds empty placeholder secrets and non-root USER in Dockerfile. No new credential logging or auth vulnerabilities introduced.
Kubernetes Resource Safety	✅ Passed	PR changes (USER 1001, empty secret keys) do not introduce resource safety violations. Pre-existing issues were not modified by this PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

components/manifests/base/platform/ambient-api-server-secrets.yml (1)

4-25: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add ownerReferences to both Secret resources (ambient-api-server-db, ambient-api-server).

Both Secrets are missing metadata.ownerReferences, which violates manifest ownership/lifecycle policy for child resources.

As per coding guidelines "All child resources (Jobs, Secrets, PVCs) must have OwnerReferences set with controller owner refs".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@components/manifests/base/platform/ambient-api-server-secrets.yml` around
lines 4 - 25, Both Secret manifests (metadata.name: ambient-api-server-db and
metadata.name: ambient-api-server) are missing metadata.ownerReferences; add an
ownerReferences array on each Secret pointing to the owning controller (set
apiVersion, kind, name and uid of the parent/controller and set controller: true
and blockOwnerDeletion: true) so they are properly garbage-collected and comply
with the "child resources must have OwnerReferences" guideline; update the
Secret resources with ownerReferences referencing the appropriate parent
Deployment/CustomResource by its name/uid.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@components/manifests/base/platform/ambient-api-server-secrets.yml`:
- Around line 4-25: Both Secret manifests (metadata.name: ambient-api-server-db
and metadata.name: ambient-api-server) are missing metadata.ownerReferences; add
an ownerReferences array on each Secret pointing to the owning controller (set
apiVersion, kind, name and uid of the parent/controller and set controller: true
and blockOwnerDeletion: true) so they are properly garbage-collected and comply
with the "child resources must have OwnerReferences" guideline; update the
Secret resources with ownerReferences referencing the appropriate parent
Deployment/CustomResource by its name/uid.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4ec727de-951a-4e47-8703-454ab9b06165

📥 Commits

Reviewing files that changed from the base of the PR and between 136db29 and 3646bfa.

📒 Files selected for processing (2)

• components/ambient-api-server/Dockerfile
• components/manifests/base/platform/ambient-api-server-secrets.yml

[netlify]

✅ Deploy Preview for cheerful-kitten-f556a0 canceled.

Name	Link
🔨 Latest commit	38808b2
🔍 Latest deploy log	https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/6a168ca2f7480500087a3e28