
fix(manifests): add OIDC client credentials to control-plane deployment#1445

Merged
markturansky merged 1 commit into main from fix/control-plane-oidc-auth
Apr 23, 2026

Conversation


@markturansky markturansky commented Apr 23, 2026

Summary

  • Add OIDC_CLIENT_ID and OIDC_CLIENT_SECRET env vars to the base control-plane deployment manifest, sourced from the ambient-api-server secret
  • The control-plane was getting 401 errors because it sent K8s SA tokens that fail JWT verification against SSO JWKS keys. With OIDC client credentials, the CP obtains real SSO JWTs via the OIDC client credentials flow — matching the working MPP configuration
  • Verified on Stage: CP acquires OIDC tokens and all gRPC watch streams establish successfully with no auth errors

Root Cause

The rh-trex-ai framework's AuthStreamInterceptor unconditionally runs JWT verification after pre-auth interceptors, even when the pre-auth bearer token interceptor already authenticated the caller. This means K8s SA tokens (set via AMBIENT_API_TOKEN) fail with invalid token: unknown kid because their kid is not in the SSO JWKS. The OIDC approach bypasses this by providing actual SSO-issued JWTs.

Test plan

  • Deployed to Stage and verified CP logs show using OIDC client credentials token provider and OIDC token acquired
  • All gRPC watch streams (sessions, projects, project_settings, users) established successfully
  • No 401 auth errors in CP or API server logs
  • Release to UAT/production via Release button after merge

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features
    • The ambient-control-plane container now receives OIDC-related configuration: OIDC_CLIENT_ID and OIDC_CLIENT_SECRET are injected from the ambient-api-server secret (clientId and clientSecret keys).
    • No other environment variables or container settings were changed.
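The root cause described above (a Kubernetes service-account token rejected with `invalid token: unknown kid` because its signing key is not in the SSO's JWKS) comes down to how a JWKS-backed verifier resolves the `kid` header before it ever checks a signature. The Go program below is an added example, not code from rh-trex-ai or from this repository: it generates two RSA keys in-process standing in for the SSO signer and the Kubernetes SA signer, publishes only the SSO key in a JWKS, and runs a minimal RS256 verifier over three constructed tokens. The kid values, issuer and subject are made up for the illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// jwk is the subset of an RFC 7517 RSA public key a verifier needs; a JWKS is []jwk.
type jwk struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

var b64 = base64.RawURLEncoding

// publicJWK exports an RSA public key into JWKS form under the given kid.
func publicJWK(kid string, pub *rsa.PublicKey) jwk {
	return jwk{Kid: kid, Kty: "RSA", N: b64.EncodeToString(pub.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// signRS256 mints a compact JWS (header.payload.signature) whose header carries kid.
func signRS256(kid string, claims map[string]interface{}, key *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	pl, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyWithJWKS does what a JWKS-backed verifier does: read kid from the header, resolve it
// in the key set, then check the signature. An unknown kid is rejected before any signature check.
func verifyWithJWKS(token string, keys []jwk) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("invalid token: malformed")
	}
	var hdr struct{ Alg, Kid string }
	if rawHdr, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(rawHdr, &hdr) != nil {
		return errors.New("invalid token: malformed header")
	}
	if hdr.Alg != "RS256" { // the token never gets to pick a weaker algorithm
		return fmt.Errorf("invalid token: unsupported alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			n, _ := b64.DecodeString(k.N)
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return errors.New("invalid token: unknown kid")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return fmt.Errorf("invalid token: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("invalid token: bad signature")
	}
	return nil
}

// scenario reproduces the PR's situation with keys generated in-process: an SSO-issued token (kid in
// the JWKS), a Kubernetes SA token (kid absent), and a token that borrows the SSO kid but is SA-signed.
func scenario() (ssoErr, saErr, forgedErr error) {
	ssoKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	saKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := []jwk{publicJWK("sso-key-1", &ssoKey.PublicKey)} // constructed kid values throughout
	claims := map[string]interface{}{"sub": "ambient-control-plane", "iss": "https://sso.example"}
	ssoTok, _ := signRS256("sso-key-1", claims, ssoKey)
	saTok, _ := signRS256("k8s-sa-key-1", claims, saKey)
	forgedTok, _ := signRS256("sso-key-1", claims, saKey)
	return verifyWithJWKS(ssoTok, keys), verifyWithJWKS(saTok, keys), verifyWithJWKS(forgedTok, keys)
}

func main() {
	ssoErr, saErr, forgedErr := scenario()
	fmt.Println("SSO-issued:", ssoErr, "| K8s SA:", saErr, "| SA-signed with SSO kid:", forgedErr)
}
```

The SSO-issued token verifies, the SA token fails at the kid lookup with the same `unknown kid` message the control-plane logged, and the third token shows that a matching kid alone is not enough, since the signature is still checked against the published key. The fix in this PR works because tokens obtained through the client credentials flow are signed by the SSO and therefore carry a kid the JWKS knows; nothing about the verifier has to change.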


netlify Bot commented Apr 23, 2026

Deploy Preview for cheerful-kitten-f556a0 canceled.

| Name | Link |
|---|---|
| 🔨 Latest commit | 4a8b09c |
| 🔍 Latest deploy log | https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/69ea8e646753570008e33bee |


coderabbitai Bot commented Apr 23, 2026

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 845edd8e-73fa-497f-bd74-66a69ecf0ce8

📥 Commits

Reviewing files that changed from the base of the PR and between 127b08c and 4a8b09c.

📒 Files selected for processing (1)
  • components/manifests/base/ambient-control-plane-service.yml
✅ Files skipped from review due to trivial changes (1)
  • components/manifests/base/ambient-control-plane-service.yml

📝 Walkthrough

Added two OIDC environment variables—OIDC_CLIENT_ID and OIDC_CLIENT_SECRET—to the ambient-control-plane container, sourced from the ambient-api-server Secret (clientId, clientSecret).

Changes

| Cohort / File(s) | Summary |
|---|---|
| OIDC Configuration: components/manifests/base/ambient-control-plane-service.yml | Injected OIDC_CLIENT_ID and OIDC_CLIENT_SECRET env vars into the ambient-control-plane container via secretKeyRef from the ambient-api-server Secret (keys: clientId, clientSecret). |

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Security And Secret Handling | ❌ Error | PR references non-existent Secret keys clientId and clientSecret in ambient-api-server manifest; keypair Secret lacks ownerReferences for cascading deletion. | Add missing clientId and clientSecret keys to ambient-api-server-secrets.yml; add ownerReferences to keypair Secret via controllerutil.SetControllerReference(). |
✅ Passed checks (7 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | Title follows Conventional Commits format with type 'fix', scope 'manifests', and clearly describes adding OIDC credentials to the deployment, directly matching the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Performance And Algorithmic Complexity | ✅ Passed | PR adds two environment variable declarations sourced from Kubernetes secrets in manifest. No algorithmic complexity, loops, unbounded structures, or performance-sensitive operations introduced. |
| Kubernetes Resource Safety | ✅ Passed | PR adds only two environment variable declarations sourced from existing secrets with proper resource limits, pod/container security contexts enforcing non-root and read-only filesystem, and RBAC with specific resource verbs. |

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@components/manifests/base/ambient-control-plane-service.yml`:
- Around line 38-47: The manifest references env vars OIDC_CLIENT_ID and
OIDC_CLIENT_SECRET via secretKeyRef name ambient-api-server keys clientId and
clientSecret, but that Secret only contains sentry.key; update the
ambient-api-server Secret (the resource defined in
ambient-api-server-secrets.yml) to include clientId and clientSecret (or change
the env var references to point to existing secret keys) so the
OIDC_CLIENT_ID/OIDC_CLIENT_SECRET env vars can be resolved at pod startup;
ensure the Secret uses the same key names (clientId, clientSecret) and
appropriate base64-encoded values to match the env var references.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 94ce32d4-4486-4898-8a77-3c0a60963868

📥 Commits

Reviewing files that changed from the base of the PR and between 47e770f and 127b08c.

📒 Files selected for processing (1)
  • components/manifests/base/ambient-control-plane-service.yml

Comment on lines +38 to +47
- name: OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
name: ambient-api-server
key: clientId
- name: OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: ambient-api-server
key: clientSecret
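Review bot: both secretKeyRef blocks point at the Secret named ambient-api-server (`name: ambient-api-server`), so the control plane will present the API server's own OIDC client identity when it calls the API server; unless the two components are intended to share one client, give the control plane its own Secret and OIDC client so its tokens can be attributed, scoped and rotated independently of the API server's. Separately, secretKeyRef is required by default, so if the clientId and clientSecret keys are missing from that Secret the pod stays in CreateContainerConfigError rather than starting with empty values, which is consistent with the Critical finding below.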

⚠️ Potential issue | 🔴 Critical

Critical: referenced Secret keys do not exist in the base ambient-api-server Secret

Line 41/42 and Line 46/47 reference ambient-api-server keys clientId and clientSecret, but components/manifests/base/platform/ambient-api-server-secrets.yml currently defines only sentry.key. This will break env var resolution and block pod startup.

Suggested fix
# components/manifests/base/platform/ambient-api-server-secrets.yml
 stringData:
+  clientId: ""
+  clientSecret: ""
   sentry.key: ""
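Review bot: the suggested fix seeds `clientId: ""` and `clientSecret: ""` as empty strings in stringData, which lets the pod start but moves the failure to runtime, where the token endpoint will reject an empty client secret; treat the base file as a placeholder that every overlay must override and say so in a comment next to the keys. Note also that, with `sentry.key: ""` previously the only entry, this Secret now carries an authentication credential, so its access (RBAC on the Secret, who can read it via kubectl) deserves the same review as the manifest change.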

As per coding guidelines, "Prioritize Critical and Major severity issues. Minimize Minor and Trivial findings."


The control-plane was failing to authenticate to the API server with 401
errors because it was sending K8s SA tokens that fail JWT verification
against SSO JWKS keys. Add OIDC_CLIENT_ID and OIDC_CLIENT_SECRET env
vars (from the ambient-api-server secret) so the CP uses OIDC client
credentials flow to obtain SSO JWTs — matching the working MPP approach.

Verified on Stage: CP acquires OIDC tokens and all gRPC watch streams
establish successfully with no auth errors.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@markturansky markturansky force-pushed the fix/control-plane-oidc-auth branch from 127b08c to 4a8b09c Compare April 23, 2026 21:25
@markturansky markturansky merged commit 551e4f2 into main Apr 23, 2026
36 of 37 checks passed
@markturansky markturansky deleted the fix/control-plane-oidc-auth branch April 23, 2026 21:26