
fix(manifests): add CP token Service and wire CP_RUNTIME_NAMESPACE + CP_TOKEN_URL #1214

Merged
markturansky merged 1 commit into alpha from fix/cp-token-service-and-netpol-namespace
Apr 5, 2026

Conversation

markturansky (Contributor) commented Apr 5, 2026

Summary

Follow-up to #1213. The CP token endpoint was running but unreachable because:

  1. No Service — port 8080 (token server) had no ClusterIP Service, so runner pods had no DNS target and the NetworkPolicy peer had no stable reference
  2. Wrong CP_RUNTIME_NAMESPACE — defaulted to ambient-code--runtime-int but the actual deployed namespace is ambient-code--ambient-s0, so ensureAPIServerNetworkPolicy() was creating a NetworkPolicy that matched the wrong namespace selector — causing acpctl session events to still 502

Changes

  • ambient-control-plane-svc.yaml — new ClusterIP Service exposing port 8080 on the CP pod
  • ambient-control-plane.yaml — inject CP_RUNTIME_NAMESPACE via downward API (metadata.namespace) so the NetworkPolicy peer label matches the actual runtime namespace; set CP_TOKEN_URL to the FQDN of the new Service

Test plan

  • Deploy to int spoke
  • Verify oc get svc ambient-control-plane -n ambient-code--ambient-s0 exists with port 8080
  • Start new session; verify allow-ambient-api-server NetworkPolicy in session namespace uses correct namespace selector (ambient-code--ambient-s0)
  • acpctl session events <id> streams without 502

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features
    • Added ambient control plane service with token authentication capability
    • Configured control plane to integrate with token service endpoint for runtime authentication

…CP_TOKEN_URL

The CP /token endpoint (port 8080) had no Kubernetes Service, so runner
pods and the NetworkPolicy peer match had no stable DNS target.

- Add ambient-control-plane-svc.yaml: ClusterIP Service exposing port 8080
  (token server) on the CP pod selector.
- Inject CP_RUNTIME_NAMESPACE via downward API (metadata.namespace) so
  ensureAPIServerNetworkPolicy() matches the actual deployed namespace
  rather than the hardcoded default ambient-code--runtime-int.
- Set CP_TOKEN_URL to the FQDN of the new Service in ambient-code--ambient-s0
  so runner pods can reach the token endpoint across namespace boundaries.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
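The failure mode the description and commit message above describe comes down to three places that must name the same namespace: the Service the token endpoint lives in, the host inside CP_TOKEN_URL that runner pods dial, and the namespaceSelector the control plane writes into each session's NetworkPolicy. The script below is an added example, not code from this PR or from the project; it assumes the Service name ambient-control-plane and port 8080 from this PR, assumes the session policy selects the CP namespace via the kubernetes.io/metadata.name label, and the helpers render_token_url, render_netpol and check_token_wiring are hypothetical names written for this example. The manifests it inspects are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example, not the project's own code. Checks that the CP token Service,
# the CP_TOKEN_URL runners use, and the NetworkPolicy peer written into a
# session namespace all agree on the control plane's namespace. Sample values
# below are constructed for this example.

# Namespace label of an in-cluster Service URL:
#   http://<service>.<namespace>.svc[.cluster.local]:<port>/<path>
url_namespace() {
  _h=${1#*://}; _h=${_h%%/*}; _h=${_h%%:*}   # strip scheme, path, port
  _h=${_h#*.}                                # drop the service name
  printf '%s\n' "${_h%%.*}"                  # next label is the namespace
}

url_scheme() { printf '%s\n' "${1%%://*}"; }

# What the kubelet produces from
#   value: "http://ambient-control-plane.$(CP_RUNTIME_NAMESPACE).svc:8080/token"
# once CP_RUNTIME_NAMESPACE has been filled from the downward API.
render_token_url() {
  printf 'http://ambient-control-plane.%s.svc:8080/token\n' "$1"
}

# Hypothetical shape of the ingress rule a control plane could write into a
# session namespace. kubernetes.io/metadata.name is the label the API server
# sets on every namespace, so a tenant cannot relabel its way past the policy.
render_netpol() {   # $1 = session namespace, $2 = CP runtime namespace
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ambient-api-server
  namespace: $1
spec:
  podSelector: {}
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: $2
EOF
}

# Pull the namespaceSelector value back out of a rendered NetworkPolicy.
netpol_peer_namespace() {
  printf '%s\n' "$1" | sed -n 's/^ *kubernetes.io\/metadata.name: *//p' | head -n 1
}

# Returns 0 when the Service namespace, the URL namespace and the policy peer
# namespace agree; returns 1 with a reason on stdout when any of them drift.
check_token_wiring() {   # $1 = Service namespace, $2 = CP_TOKEN_URL, $3 = rendered NetworkPolicy
  _u=$(url_namespace "$2")
  _p=$(netpol_peer_namespace "$3")
  if [ "$1" != "$_u" ]; then
    echo "CP_TOKEN_URL names $_u but the Service lives in $1: runners cannot resolve it"
    return 1
  fi
  if [ "$1" != "$_p" ]; then
    echo "NetworkPolicy admits $_p but the CP runs in $1: session API calls are dropped"
    return 1
  fi
  [ "$(url_scheme "$2")" = https ] || echo "note: token endpoint is plaintext http"
  return 0
}

# Before: Service declared in one namespace, URL hardcoded to another.
check_token_wiring ambient-code--runtime-int \
  "http://ambient-control-plane.ambient-code--ambient-s0.svc:8080/token" \
  "$(render_netpol session-abc ambient-code--ambient-s0)" || true

# After: every value derived from the one namespace the CP actually runs in.
CP_RUNTIME_NAMESPACE=ambient-code--ambient-s0
check_token_wiring "$CP_RUNTIME_NAMESPACE" \
  "$(render_token_url "$CP_RUNTIME_NAMESPACE")" \
  "$(render_netpol session-abc "$CP_RUNTIME_NAMESPACE")" && echo "consistent"
```

The same three extractions can be run against live objects (oc get svc, the Deployment's env, and the session's NetworkPolicy) instead of the constructed strings; the point of the check is that there is exactly one source of truth for the namespace, the pod's own metadata.namespace, and everything else is derived from it.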
coderabbitai bot (Contributor) commented Apr 5, 2026

📝 Walkthrough

Added a Kubernetes Service manifest for ambient-control-plane in the mpp-openshift overlay, exposing port 8080 for token requests. Updated the control plane deployment to configure the runtime namespace and token service URL via environment variables. Registered the new service resource in kustomization.

Changes

Cohort: Control Plane Service Infrastructure
File(s):
  • components/manifests/overlays/mpp-openshift/ambient-control-plane-svc.yaml
  • components/manifests/overlays/mpp-openshift/ambient-control-plane.yaml
  • components/manifests/overlays/mpp-openshift/kustomization.yaml
Summary: Added Service resource exposing token endpoint on port 8080; injected CP_RUNTIME_NAMESPACE (from pod metadata) and CP_TOKEN_URL environment variables into the control plane deployment; registered the new manifest in kustomization resources.

Important: Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

  • Security And Secret Handling: ❌ Error
    Explanation: CP_TOKEN_URL uses plaintext HTTP instead of HTTPS and points to wrong namespace, making token endpoint unreachable and violating secure credential transmission.
    Resolution: Change CP_TOKEN_URL to https://ambient-control-plane.ambient-code--runtime-int.svc:8080/token and enable TLS via OpenShift service-ca injection.
  • Kubernetes Resource Safety: ⚠️ Warning
    Explanation: Deployment manifests lack container resource limits and requests, violating Kubernetes resource safety best practices and preventing proper scheduling.
    Resolution: Add resources section with both limits and requests (CPU/memory) to container spec. Typical: requests: {cpu: 100m, memory: 128Mi}, limits: {cpu: 500m, memory: 512Mi}.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. Title follows Conventional Commits format with type 'fix' and scope 'manifests', accurately describing the main changes: adding a Service and injecting environment variables.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Performance And Algorithmic Complexity: ✅ Passed. PR modifies only Kubernetes YAML manifests with declarative configuration, no executable code or performance-critical logic that could introduce regressions.

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@components/manifests/overlays/mpp-openshift/ambient-control-plane-svc.yaml`:
- Around line 1-15: The CP_TOKEN_URL environment variable is pointing to the
wrong namespace; update the CP_TOKEN_URL value to use the service in the
ambient-code--runtime-int namespace so it resolves to the Service defined by
metadata.name ambient-control-plane; locate the CP_TOKEN_URL entry in
ambient-control-plane.yaml (around the env block containing CP_TOKEN_URL) and
change its value to reference
http://ambient-control-plane.ambient-code--runtime-int.svc:8080/token so it
matches the Service selector and port defined for the ambient-control-plane
Service.

In `@components/manifests/overlays/mpp-openshift/ambient-control-plane.yaml`:
- Around line 79-84: CP_TOKEN_URL currently hardcodes the wrong namespace;
update it so the token host uses the deployment runtime namespace instead of
"ambient-code--ambient-s0". Replace the static value for CP_TOKEN_URL with a
reference that uses the CP_RUNTIME_NAMESPACE env var (e.g.
"http://ambient-control-plane.$(CP_RUNTIME_NAMESPACE).svc:8080/token") so the
service DNS resolves to the same namespace as CP_RUNTIME_NAMESPACE; adjust the
CP_TOKEN_URL env entry in the same container spec where CP_RUNTIME_NAMESPACE is
defined.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4ec5b080-2163-4103-9e3d-a0ecbcdc6ad8

📥 Commits

Reviewing files that changed from the base of the PR and between 00c1a24 and 7852d58.

📒 Files selected for processing (3)
  • components/manifests/overlays/mpp-openshift/ambient-control-plane-svc.yaml
  • components/manifests/overlays/mpp-openshift/ambient-control-plane.yaml
  • components/manifests/overlays/mpp-openshift/kustomization.yaml

Comment on lines +1 to +15
apiVersion: v1
kind: Service
metadata:
name: ambient-control-plane
namespace: ambient-code--runtime-int
labels:
app: ambient-control-plane
spec:
selector:
app: ambient-control-plane
ports:
- name: token
port: 8080
targetPort: 8080
protocol: TCP
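Review bot: metadata.namespace on line 5 hardcodes ambient-code--runtime-int, yet the PR description says the control plane is actually deployed in ambient-code--ambient-s0 and the CP_TOKEN_URL in this PR's Deployment change points at ambient-code--ambient-s0 as well; unless the overlay's kustomization.yaml sets a `namespace:` that overrides this field, the Service lands in a namespace where no pod carries `app: ambient-control-plane`, its endpoints stay empty, and the URL still does not resolve to it. Either drop `namespace:` from this manifest and let the overlay assign it, or pin it to the same value the URL and NetworkPolicy use. Since the only port here is the token server (`name: token`, 8080) and the Service is reachable from every namespace the NetworkPolicy admits, also consider annotating it with `service.beta.openshift.io/serving-cert-secret-name` so the CP can serve /token over TLS from a service-ca issued certificate instead of plaintext.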
coderabbitai bot (Contributor) commented:

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify namespace consistency across manifests
echo "=== Service namespace ==="
grep -n 'namespace:' components/manifests/overlays/mpp-openshift/ambient-control-plane-svc.yaml

echo "=== CP_TOKEN_URL value ==="
grep -n 'CP_TOKEN_URL' -A1 components/manifests/overlays/mpp-openshift/ambient-control-plane.yaml

echo "=== Deployment namespace ==="
grep -n 'namespace:' components/manifests/overlays/mpp-openshift/ambient-control-plane.yaml | head -1

Repository: ambient-code/platform

Length of output: 359


Fix namespace mismatch: CP_TOKEN_URL points to wrong namespace.

Service ambient-control-plane is deployed to namespace ambient-code--runtime-int (line 5), but CP_TOKEN_URL in ambient-control-plane.yaml:84 references ambient-code--ambient-s0.svc:8080. The token endpoint will fail to resolve. Update the CP_TOKEN_URL to match the Service namespace:

value: "http://ambient-control-plane.ambient-code--runtime-int.svc:8080/token"

Comment on lines +79 to +84
- name: CP_RUNTIME_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CP_TOKEN_URL
value: "http://ambient-control-plane.ambient-code--ambient-s0.svc:8080/token"
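Review bot: CP_TOKEN_URL on line 84 hardcodes ambient-code--ambient-s0 directly below a CP_RUNTIME_NAMESPACE that is resolved at runtime from metadata.namespace, so the two values drift as soon as this overlay is applied to any other namespace, and the Service hunk in this PR already declares a third value (ambient-code--runtime-int). Kubernetes expands `$(VAR)` inside an env `value` against variables defined earlier in the same env list, so `value: "http://ambient-control-plane.$(CP_RUNTIME_NAMESPACE).svc:8080/token"` derives the URL from the one field the NetworkPolicy selector is also built from. The scheme is plain `http`; because this endpoint hands out tokens, switch it to `https` once the Service serves a TLS certificate and have the runner client verify it, otherwise any peer on the path between a runner pod and the CP can read the credential.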
coderabbitai bot (Contributor) commented:

⚠️ Potential issue | 🟠 Major

CP_RUNTIME_NAMESPACE fix looks correct; CP_TOKEN_URL namespace needs verification.

Using fieldRef: metadata.namespace ensures NetworkPolicy targets the actual deployment namespace — good fix.

However, CP_TOKEN_URL hardcodes ambient-code--ambient-s0 while this Deployment and the new Service are both in ambient-code--runtime-int. See comment on the Service file for the mismatch.


@markturansky markturansky merged commit 68f239c into alpha Apr 5, 2026
38 checks passed
@markturansky markturansky deleted the fix/cp-token-service-and-netpol-namespace branch April 5, 2026 00:06