From 4a8b09ca3c30fde3319a193d3bf808830fe4fc21 Mon Sep 17 00:00:00 2001
From: user
Date: Thu, 23 Apr 2026 17:18:21 -0400
Subject: [PATCH] fix(manifests): add OIDC client credentials to control-plane deployment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The control-plane was failing to authenticate to the API server with 401 errors because it was sending K8s SA tokens that fail JWT verification against SSO JWKS keys. Add OIDC_CLIENT_ID and OIDC_CLIENT_SECRET env vars (from the ambient-api-server secret) so the CP uses OIDC client credentials flow to obtain SSO JWTs — matching the working MPP approach.

Verified on Stage: CP acquires OIDC tokens and all gRPC watch streams establish successfully with no auth errors.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 .../manifests/base/ambient-control-plane-service.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/components/manifests/base/ambient-control-plane-service.yml b/components/manifests/base/ambient-control-plane-service.yml
index 3799ed8dc..1f1e58f51 100644
--- a/components/manifests/base/ambient-control-plane-service.yml
+++ b/components/manifests/base/ambient-control-plane-service.yml
@@ -35,6 +35,16 @@ spec:
 secretKeyRef:
 name: ambient-control-plane-token
 key: token
+ - name: OIDC_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: ambient-api-server
+ key: clientId
+ - name: OIDC_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: ambient-api-server
+ key: clientSecret
 - name: AMBIENT_API_SERVER_URL
 value: "https://ambient-api-server.ambient-code.svc:8000"
 - name: AMBIENT_GRPC_SERVER_ADDR
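Review bot: The two added `secretKeyRef` entries point the control-plane at the API server's own OIDC client (`name: ambient-api-server`, keys `clientId`/`clientSecret`), so the CP authenticates to the API server as the API server's client rather than as a distinct principal. That makes CP and API-server activity indistinguishable in SSO audit logs, prevents giving the CP its own least-privilege scopes or roles, couples secret rotation of the two components, and — if the API server authorizes on client_id, which is not visible here — lets anything holding that Secret present itself as the CP. Register a dedicated confidential client for the control-plane and reference its own Secret instead, e.g. `name: ambient-control-plane-oidc` in both `secretKeyRef` blocks. The commit message also says the K8s SA token no longer passes verification, yet the env entry whose `secretKeyRef` opens this hunk still mounts `ambient-control-plane-token`; if the CP no longer sends it, drop that entry so the pod is not carrying an unused credential. The env list starts before and continues after this hunk.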