From c555f74ffa99e2de2961faaa430884f55ee5b1ea Mon Sep 17 00:00:00 2001 From: user Date: Thu, 23 Apr 2026 18:30:06 -0400 Subject: [PATCH] =?UTF-8?q?fix(manifests):=20reconcile=20base=20manifests?= =?UTF-8?q?=20with=20MPP=20=E2=80=94=20add=20missing=20CP=20and=20api-serv?= =?UTF-8?q?er=20config?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reconcile gaps found by comparing MPP overlay with base manifests: Control-plane Deployment: - Add RUNNER_IMAGE and MCP_IMAGE env vars so CP knows what images to use when creating runner Jobs and MCP sidecars - Add Vertex AI env vars (USE_VERTEX, CLOUD_ML_REGION, ANTHROPIC_VERTEX_PROJECT_ID, GOOGLE_APPLICATION_CREDENTIALS) sourced from the operator-config ConfigMap with optional: true, matching the pattern used by the operator and backend deployments - Add vertex-credentials volume mount (ambient-vertex secret, optional) API server Deployment: - Add pod-level securityContext (runAsNonRoot, seccompProfile: RuntimeDefault) to match project security conventions - Add resource limits to the migration init container (50m/128Mi requests, 500m/512Mi limits) matching the MPP overlay 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- .../base/ambient-control-plane-service.yml | 37 +++++++++++++++++++ .../base/core/ambient-api-server-service.yml | 11 ++++++ 2 files changed, 48 insertions(+) diff --git a/components/manifests/base/ambient-control-plane-service.yml b/components/manifests/base/ambient-control-plane-service.yml index 8a7a105ac..288a2f1a1 100644 --- a/components/manifests/base/ambient-control-plane-service.yml +++ b/components/manifests/base/ambient-control-plane-service.yml 
@@ -55,12 +55,44 @@ spec:
 value: "kube"
 - name: LOG_LEVEL
 value: "info"
+ - name: RUNNER_IMAGE
+ value: "quay.io/ambient_code/vteam_claude_runner:latest"
+ - name: MCP_IMAGE
+ value: "quay.io/ambient_code/vteam_mcp:latest"
+ - name: USE_VERTEX
+ valueFrom:
+ configMapKeyRef:
+ name: operator-config
+ key: USE_VERTEX
+ optional: true
+ - name: CLOUD_ML_REGION
+ valueFrom:
+ configMapKeyRef:
+ name: operator-config
+ key: CLOUD_ML_REGION
+ optional: true
+ - name: ANTHROPIC_VERTEX_PROJECT_ID
+ valueFrom:
+ configMapKeyRef:
+ name: operator-config
+ key: ANTHROPIC_VERTEX_PROJECT_ID
+ optional: true
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ valueFrom:
+ configMapKeyRef:
+ name: operator-config
+ key: GOOGLE_APPLICATION_CREDENTIALS
+ optional: true
 - name: CP_TOKEN_URL
 value: "http://ambient-control-plane.ambient-code.svc:8080/token"
 - name: CP_RUNTIME_NAMESPACE
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ volumeMounts:
+ - name: vertex-credentials
+ mountPath: /app/vertex
+ readOnly: true
 resources:
 requests:
 cpu: 50m
@@ -68,4 +100,9 @@ spec:
 limits:
 cpu: 200m
 memory: 256Mi
+ volumes:
+ - name: vertex-credentials
+ secret:
+ secretName: ambient-vertex
+ optional: true
 restartPolicy: Always
diff --git a/components/manifests/base/core/ambient-api-server-service.yml b/components/manifests/base/core/ambient-api-server-service.yml
index 3aad19313..d4e118e54 100644
--- a/components/manifests/base/core/ambient-api-server-service.yml
+++ b/components/manifests/base/core/ambient-api-server-service.yml
@@ -32,6 +32,10 @@ spec:
 component: api
 spec:
 serviceAccountName: ambient-api-server
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 initContainers:
 - name: migration
 image: quay.io/ambient_code/vteam_api_server:latest
@@ -55,6 +59,13 @@ spec:
 capabilities:
 drop:
 - ALL
+ resources:
+ requests:
+ cpu: 50m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
 containers:
 - name: api-server
 image: quay.io/ambient_code/vteam_api_server:latest
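Review bot: `RUNNER_IMAGE` and `MCP_IMAGE` are hard-coded to the mutable `:latest` tag, and per the commit message these are the images the control plane hands to every runner Job and MCP sidecar it creates, so whatever the registry serves under that tag at Job-creation time runs in user workloads with no manifest change and no review. The Deployment's own image in this file is also `:latest`, which suggests overlays are expected to override, but a kustomize `images:` transformer only rewrites `image:` fields and never env values, so these two would stay `:latest` in an overlay unless patched explicitly. Suggest pinning by digest where the overlay is assembled and recording the expectation in the base with `# not rewritten by kustomize images:; pin by digest via an env patch in each overlay` above `RUNNER_IMAGE`. Separately, `GOOGLE_APPLICATION_CREDENTIALS` is a path read from the ConfigMap while the credential file arrives through the `vertex-credentials` mount at `/app/vertex`, so the two must agree; a comment on the mount such as `# must contain the file GOOGLE_APPLICATION_CREDENTIALS points at` makes that contract visible. The container spec continues outside the hunk.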
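Review bot: With `optional: true` on the `ambient-vertex` secret, a missing secret does not block pod start but leaves `/app/vertex` empty, so a deployment that enables Vertex without provisioning the secret fails only on the first Vertex call with a credentials-file error rather than at rollout; that is presumably intended because Vertex is opt-in, but the base should say so, e.g. `# optional: Vertex is opt-in; absence yields an empty mount, not a failed pod`. The projected files also get the default secret-volume mode (0644); `defaultMode: 0440` would narrow readability to the container's group if the pod's fsGroup, which is outside this hunk, is set so that the process can still read them.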
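Review bot: `runAsNonRoot: true` is enforced by the kubelet at container start against the image's `USER`, so if `vteam_api_server:latest` declares no user or a non-numeric one, both the migration init container and the api-server container fail with CreateContainerConfigError instead of running as root; the manifest leaves `runAsUser` unset, which is appropriate if these manifests target OpenShift SCCs or Pod Security admission that assign the UID, but it means the guarantee now lives in the Dockerfile. A comment such as `# requires the image to declare a numeric USER; runAsUser is left unset so SCC/PSA can assign it` records that dependency. Note also that `allowPrivilegeEscalation: false` is container-scoped and is not provided by a pod-level securityContext, so each container must still set it individually; the migration container's securityContext is visible only in the next hunk and only its `capabilities` block is shown there.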
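Review bot: Adding a memory limit to the migration init container means a migration can now be OOM-killed part-way through, and since the pod's restart re-runs init containers, an interrupted migration is executed again; that is safe only if the migrations are transactional or idempotent, which this hunk cannot show. If any migration has been observed to need more than 512Mi the limit should track that, and either way a comment like `# migrations re-run after an OOM restart; keep them idempotent` on the resources block states the assumption. The init container definition starts outside the hunk.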