
fix(manifests): reconcile base manifests with MPP — add missing CP and api-server config #1450

Merged
markturansky merged 2 commits into main from fix/reconcile-base-manifests-with-mpp on Apr 23, 2026

Conversation

Contributor

@markturansky markturansky commented Apr 23, 2026

Summary

Gaps found by comparing the MPP overlay (which works) with base+production manifests:

  • Control-plane: Add RUNNER_IMAGE and MCP_IMAGE env vars so CP can create runner Jobs and MCP sidecars. Add Vertex AI env vars (USE_VERTEX, CLOUD_ML_REGION, ANTHROPIC_VERTEX_PROJECT_ID, GOOGLE_APPLICATION_CREDENTIALS) from the operator-config ConfigMap (all optional: true), plus ambient-vertex secret volume mount
  • API server: Add pod-level securityContext (runAsNonRoot, seccompProfile: RuntimeDefault) per project conventions. Add resource limits to the migration init container (50m/128Mi → 500m/512Mi)

Test plan

  • After merge + deploy to Stage, verify CP logs show runner image config and Vertex settings (if operator-config ConfigMap exists)
  • Verify api-server pod starts successfully with new securityContext
  • Verify migration init container completes within resource limits

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added support for Vertex AI integration with credential configuration capabilities.
  • Chores

    • Enhanced container security by enforcing non-root execution and runtime seccomp profiles.
    • Added resource request and limit constraints for improved deployment reliability.

…d api-server config

Reconcile gaps found by comparing MPP overlay with base manifests:

Control-plane Deployment:
- Add RUNNER_IMAGE and MCP_IMAGE env vars so CP knows what images to
  use when creating runner Jobs and MCP sidecars
- Add Vertex AI env vars (USE_VERTEX, CLOUD_ML_REGION,
  ANTHROPIC_VERTEX_PROJECT_ID, GOOGLE_APPLICATION_CREDENTIALS) sourced
  from the operator-config ConfigMap with optional: true, matching the
  pattern used by the operator and backend deployments
- Add vertex-credentials volume mount (ambient-vertex secret, optional)

API server Deployment:
- Add pod-level securityContext (runAsNonRoot, seccompProfile:
  RuntimeDefault) to match project security conventions
- Add resource limits to the migration init container (50m/128Mi
  requests, 500m/512Mi limits) matching the MPP overlay

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
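The manifest shape the PR description and commit message above describe, written out as an added example rather than the PR's own diff (the real files are components/manifests/base/ambient-control-plane-service.yml and components/manifests/base/core/ambient-api-server-service.yml, which are not reproduced on this page). The ConfigMap name operator-config, the Secret ambient-vertex, the volume name vertex-credentials, the mount path /app/vertex, and the request/limit values are the ones the PR names; the image references, Deployment and container names, the ConfigMap key names and the migration command are assumptions.

```yaml
# Added example, not the PR's own diff. Image references, ConfigMap key names,
# container names and the migration command are assumptions; the ConfigMap
# (operator-config), Secret (ambient-vertex), volume name (vertex-credentials)
# and mount path (/app/vertex) are the ones named in the PR.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ambient-control-plane          # assumed name
spec:
  selector:
    matchLabels: {app: ambient-control-plane}
  template:
    metadata:
      labels: {app: ambient-control-plane}
    spec:
      containers:
        - name: control-plane
          image: registry.example/ambient-control-plane:placeholder   # placeholder
          env:
            # Images the CP hands on when it creates runner Jobs and MCP sidecars.
            - name: RUNNER_IMAGE
              value: registry.example/ambient-runner:placeholder      # placeholder
            - name: MCP_IMAGE
              value: registry.example/ambient-mcp:placeholder         # placeholder
            # optional: true on every ref: if operator-config or the key is
            # missing, the variable is left unset and the pod still starts.
            - name: USE_VERTEX
              valueFrom:
                configMapKeyRef: {name: operator-config, key: USE_VERTEX, optional: true}
            - name: CLOUD_ML_REGION
              valueFrom:
                configMapKeyRef: {name: operator-config, key: CLOUD_ML_REGION, optional: true}
            - name: ANTHROPIC_VERTEX_PROJECT_ID
              valueFrom:
                configMapKeyRef: {name: operator-config, key: ANTHROPIC_VERTEX_PROJECT_ID, optional: true}
            # By the Application Default Credentials convention this variable
            # carries only the *path* of the key file; the key material itself
            # stays in the Secret mounted read-only below. A value of the form
            # /app/vertex/credentials.json (file name assumed) is what belongs here.
            - name: GOOGLE_APPLICATION_CREDENTIALS
              valueFrom:
                configMapKeyRef: {name: operator-config, key: GOOGLE_APPLICATION_CREDENTIALS, optional: true}
          volumeMounts:
            - name: vertex-credentials
              mountPath: /app/vertex
              readOnly: true
      volumes:
        - name: vertex-credentials
          secret:
            secretName: ambient-vertex
            optional: true      # pod is still scheduled when the Secret is absent
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ambient-api-server             # assumed name
spec:
  selector:
    matchLabels: {app: ambient-api-server}
  template:
    metadata:
      labels: {app: ambient-api-server}
    spec:
      # Pod-level securityContext is inherited by every container in the pod,
      # the init container included, unless a container overrides a field.
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        - name: migrate
          image: registry.example/ambient-api-server:placeholder     # placeholder
          command: ["/app/migrate"]                                  # assumed
          resources:
            requests: {cpu: 50m, memory: 128Mi}
            limits:   {cpu: 500m, memory: 512Mi}
      containers:
        - name: api-server
          image: registry.example/ambient-api-server:placeholder     # placeholder
          ports:
            - containerPort: 8080                                    # assumed
```

Two things a practitioner will want to check when deploying this. First, runAsNonRoot: true makes the kubelet refuse to start any container whose image runs as UID 0 or declares a non-numeric USER unless runAsUser is also set, so the test-plan item "api-server pod starts successfully with new securityContext" is exactly where that surfaces (the pod sits in CreateContainerConfigError rather than Running). Second, because every configMapKeyRef is optional: true, a missing or misnamed operator-config key fails silently, which is why the test plan reads the CP logs for the runner image and Vertex settings instead of trusting the pod's Ready state. The 512Mi limit on the init container means a migration that exceeds it is OOM-killed and the main container never starts.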
netlify Bot commented Apr 23, 2026

Deploy Preview for cheerful-kitten-f556a0 canceled.

Latest commit: 074fde6
Latest deploy log: https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/69ea9e522f88d6000896878a

Contributor

coderabbitai Bot commented Apr 23, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5eebac87-4786-4beb-98ba-017d3f890faf

📥 Commits

Reviewing files that changed from the base of the PR and between ab0b389 and c555f74.

📒 Files selected for processing (2)
  • components/manifests/base/ambient-control-plane-service.yml
  • components/manifests/base/core/ambient-api-server-service.yml

📝 Walkthrough

Two Kubernetes Deployment manifests receive configuration updates: the ambient control plane service gains environment variables for Vertex integration and a secret-backed volume mount, while the ambient API server service hardens its pod security context and constrains initContainer resources.

Changes

Ambient Control Plane Configuration (components/manifests/base/ambient-control-plane-service.yml): Adds environment variables for runner/MCP container image configuration and optional Vertex/ML parameters from the operator-config ConfigMap. Introduces a secret-backed volume (ambient-vertex) mounted read-only at /app/vertex for runtime credential/config access.

Ambient API Server Security (components/manifests/base/core/ambient-api-server-service.yml): Enforces pod-level security hardening with non-root execution and RuntimeDefault seccomp profile. Adds explicit CPU/memory resource requests and limits to the migration initContainer.

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name: Security And Secret Handling
Status: ❌ Error
Explanation: GOOGLE_APPLICATION_CREDENTIALS exposed as environment variable instead of mounted secret file, violating least-privilege credential handling.
Resolution: Replace GOOGLE_APPLICATION_CREDENTIALS env var with mounted secret file path (e.g., /app/vertex/credentials.json). Move sensitive cloud credentials from env vars to volume mounts.
✅ Passed checks (7 passed)
  • Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check (✅ Passed): Title follows Conventional Commits format (fix type with scope) and accurately describes the main changes: reconciling manifests and adding missing control-plane/api-server configurations.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Performance And Algorithmic Complexity (✅ Passed): Kubernetes manifest files contain only static declarative YAML configuration (env vars, volume mounts, security context, resource limits) with no algorithms, loops, or performance-impacting logic.
  • Kubernetes Resource Safety (✅ Passed): Modified manifests pass all four Kubernetes resource safety criteria: explicit resource requests/limits, safe RBAC configuration, pod/container-level security hardening, and proper namespace scoping.

@markturansky markturansky merged commit 725c995 into main Apr 23, 2026
52 checks passed
@markturansky markturansky deleted the fix/reconcile-base-manifests-with-mpp branch April 23, 2026 22:49