
fix(runner): allow short-form .svc DNS in credential fetch allowlist#1205

Merged: markturansky merged 1 commit into alpha from fix/runner-svc-dns-allowlist, Apr 4, 2026

Conversation


@markturansky markturansky commented Apr 4, 2026

Human Edit

The MPP service is ambient-api-server.ambient-code--ambient-s0.svc, so the change to the runner makes sense.

Summary

  • The runner's cluster-local security check for BACKEND_API_URL only allowed .svc.cluster.local hostnames.
  • OSD deployments set AMBIENT_API_SERVER_URL (and thus BACKEND_API_URL) using short-form DNS: ambient-api-server.ambient-code--<ns>.svc:8000
  • Short-form .svc DNS resolves only within the cluster — equivalent to .svc.cluster.local for security purposes.
  • All credential fetches were silently rejected with "Refusing to send credentials to external host".

Test plan

  • Deploy new runner image to OSD ambient-s0.
  • Start agent session in credential-test project.
  • Verify runner logs show "Fetching fresh github credentials from: http://ambient-api-server.ambient-code--ambient-s0.svc:8000/api/ambient/v1/credentials/{id}/token".
  • Verify "Successfully fetched github credentials from backend".

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Fixed an issue where Kubernetes service DNS names ending in .svc were incorrectly treated as external hosts, preventing credential transmission. These hostnames are now properly recognized as internal.

BACKEND_API_URL is set to short-form Kubernetes service DNS
(e.g. ambient-api-server.ambient-code--ambient-s0.svc:8000) in OSD
deployments. The cluster-local security check only allowed
.svc.cluster.local, causing all credential fetches to be rejected.

Short-form .svc hostnames resolve only within the cluster and are
equivalent to .svc.cluster.local for security purposes.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
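The cluster-local destination check the PR describes, as an added example rather than the project's own auth.py: it parses the hostname out of BACKEND_API_URL and tests it against the pre-fix allowlist (.svc.cluster.local only) and the fixed one (.svc added), so the rejection of the short-form OSD URL and its acceptance after the change can both be seen. Function names, the allowlist layout and the sample URLs are assumptions made here, not taken from the repository.

```python
"""Added example, not the project's auth.py: a cluster-local allowlist check
for the credential-fetch destination, with the pre-fix suffix list beside the
fixed one from this PR.

Assumed (constructed here, not from the repository): the function names,
the exact allowlist structure, and the sample URLs used in the tests.
"""
from urllib.parse import urlsplit

# Hosts the runner treats as cluster-internal. ".svc" is the short-form
# Kubernetes service DNS this PR adds; ".svc.cluster.local" is the fully
# qualified form that was already allowed, as were localhost and 127.0.0.1.
INTERNAL_EXACT = {"localhost", "127.0.0.1"}
INTERNAL_SUFFIXES_BEFORE = (".svc.cluster.local",)
INTERNAL_SUFFIXES_AFTER = (".svc.cluster.local", ".svc")


def hostname_of(url: str) -> str:
    """Return the lowercase host of url without port, path or userinfo.

    Testing the parsed hostname rather than the raw netloc matters here:
    the OSD URL carries ":8000", and a suffix test on "host:8000" would
    never match ".svc", so the short-form name would still be refused.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in URL: {url!r}")
    return host.lower().rstrip(".")  # tolerate a trailing FQDN dot


def is_cluster_local(url: str, suffixes=INTERNAL_SUFFIXES_AFTER) -> bool:
    """True if the runner may send credentials to this URL's host."""
    host = hostname_of(url)
    if host in INTERNAL_EXACT:
        return True
    # Suffix match on the hostname: "api.ns.svc" ends with ".svc", while a
    # public name such as "svc.example.com" does not and stays external.
    return any(host.endswith(suffix) for suffix in suffixes)


def fetch_decision(url: str, suffixes=INTERNAL_SUFFIXES_AFTER) -> str:
    """Mirror the runner's two outcomes: proceed, or log the refusal."""
    if is_cluster_local(url, suffixes):
        return "proceed"
    return "Refusing to send credentials to external host"


if __name__ == "__main__":
    # Constructed sample: the OSD-style URL from the PR description.
    osd_url = "http://ambient-api-server.ambient-code--ambient-s0.svc:8000/api"
    print("before fix:", fetch_decision(osd_url, INTERNAL_SUFFIXES_BEFORE))
    print("after fix: ", fetch_decision(osd_url))
```

The check still relies on the cluster's DNS being the only resolver for `.svc` names, which is the same assumption the existing `.svc.cluster.local` entry already makes; what the example adds is the reminder to compare the parsed hostname, not the host:port string, or the port in the OSD URL defeats the suffix match.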

coderabbitai bot commented Apr 4, 2026

Walkthrough

Updated the backend API hostname allowlist in credential fetching logic to recognize .svc hostnames as internal, preventing credential rejection for Kubernetes service DNS entries that end in .svc.

Changes

Cohort: Kubernetes Hostname Allowlist Update
File(s): components/runners/ambient-runner/ambient_runner/platform/auth.py
Summary: Extended the internal hostname allowlist to include .svc domains alongside the existing .svc.cluster.local, localhost, and 127.0.0.1 entries in the credential validation logic.
Pre-merge checks: 6 passed

Title check: Passed. Title follows Conventional Commits format (fix scope) and accurately describes the main change: allowing short-form .svc DNS hostnames in the credential fetch allowlist.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Performance And Algorithmic Complexity: Passed. The change adds a single endswith(".svc") string comparison to a hostname allowlist check with O(1) constant-time overhead and no performance implications.
Security And Secret Handling: Passed. No secrets logged, hardcoded credentials, injection vulnerabilities, or authorization bypasses. Hostname allowlist expansion to .svc is cluster-internal only.
Kubernetes Resource Safety: Passed. PR modifies only Python application code (auth.py) with zero Kubernetes manifest changes. The custom check targets YAML resource definitions.
Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.


@markturansky markturansky merged commit 94b0433 into alpha Apr 4, 2026
42 of 44 checks passed
@markturansky markturansky deleted the fix/runner-svc-dns-allowlist branch April 4, 2026 00:53