User scope update

components/ambient-api-server/templates/db-template.yml

@@ -14,7 +14,7 @@ parameters:
     description: The name of the OpenShift Service exposed for the database.
     displayName: Database Service Name
     required: true
-    value: ambient-api-server-db
+    value: ambient-code-rds
 
   - name: DATABASE_USER
     description: Username for PostgreSQL user that will be used for accessing the database.

components/manifests/README.md

@@ -26,7 +26,7 @@ manifests/
 │   ├── platform/                          # Cluster-level resources
 │   │   ├── namespace.yaml
 │   │   ├── ambient-api-server-db.yml      # ambient-api-server PostgreSQL deployment
-│   │   └── ambient-api-server-secrets.yml # Secret template (values injected per-env)
+│   │   └── ambient-api-server-secrets.yml # Secret template (ambient-code-rds secret for DB)
 │   ├── crds/                              # Custom Resource Definitions
 │   │   ├── agenticsessions-crd.yaml
 │   │   └── projectsettings-crd.yaml
@@ -121,7 +121,7 @@ Components are opt-in kustomize modules included via the `components:` block in
 |---|---|---|
 | `oauth-proxy` | Adds OpenShift OAuth proxy sidecar to frontend | `production` |
 | `postgresql-rhel` | Patches PostgreSQL to use `registry.redhat.io/rhel10/postgresql-16` | `production`, `local-dev` |
-| `ambient-api-server-db` | Same RHEL patch for the ambient-api-server's dedicated DB | `production`, `local-dev` |
+| `ambient-api-server-db` | RHEL patch for ambient-api-server DB (updates ambient-code-rds secret refs) | `production`, `local-dev` |
 | `postgresql-init-scripts` | ConfigMap + volume for DB init SQL (vanilla postgres only) | `kind`, `e2e` |
 
 ## Building and Validating

components/manifests/base/core/ambient-api-server-service.yml

@@ -146,7 +146,7 @@ spec:
       volumes:
         - name: db-secrets
           secret:
-            secretName: ambient-api-server-db
+            secretName: ambient-code-rds
         - name: app-secrets
           secret:
             secretName: ambient-api-server

components/manifests/base/core/operator-deployment.yaml

@@ -136,8 +136,9 @@ spec:
         # - name: DEFAULT_INACTIVITY_TIMEOUT
         #   value: "86400"  # Default inactivity timeout in seconds (24h). Set to 0 to disable.
         # OpenTelemetry configuration
-        - name: OTEL_EXPORTER_OTLP_ENDPOINT
-          value: "otel-collector.ambient-code.svc:4317"  # Deploy OTel collector separately
+        # Disabled: OTel collector not deployed. Uncomment when collector is available.
+        # - name: OTEL_EXPORTER_OTLP_ENDPOINT
+        #   value: "otel-collector.ambient-code.svc:4317"  # Deploy OTel collector separately
         - name: DEPLOYMENT_ENV
           value: "production"
         - name: VERSION

components/manifests/base/platform/ambient-api-server-db.yml

@@ -65,17 +65,17 @@ spec:
               valueFrom:
                 secretKeyRef:
                   key: db.user
-                  name: ambient-api-server-db
+                  name: ambient-code-rds
             - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   key: db.password
-                  name: ambient-api-server-db
+                  name: ambient-code-rds
             - name: POSTGRES_DB
               valueFrom:
                 secretKeyRef:
                   key: db.name
-                  name: ambient-api-server-db
+                  name: ambient-code-rds
             - name: PGDATA
               value: /var/lib/postgresql/data/pgdata
           volumeMounts:

components/manifests/base/platform/ambient-api-server-secrets.yml

@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: ambient-api-server-db
+  name: ambient-code-rds
   labels:
     app: ambient-api-server
     component: database

components/manifests/base/rbac/frontend-rbac.yaml

@@ -3,6 +3,8 @@ kind: ServiceAccount
 metadata:
   name: frontend
   namespace: ambient-code
+  annotations:
+    serviceaccounts.openshift.io/oauth-redirectreference.frontend: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"frontend"}}'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -28,3 +30,16 @@ subjects:
 - kind: ServiceAccount
   name: frontend
   namespace: ambient-code
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ambient-frontend-oauth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: frontend
+  namespace: ambient-code

components/manifests/components/ambient-api-server-db/ambient-api-server-db-json-patch.yaml

@@ -11,17 +11,17 @@
   - name: POSTGRESQL_USER
     valueFrom:
       secretKeyRef:
-        name: ambient-api-server-db
+        name: ambient-code-rds
         key: db.user
   - name: POSTGRESQL_PASSWORD
     valueFrom:
       secretKeyRef:
-        name: ambient-api-server-db
+        name: ambient-code-rds
         key: db.password
   - name: POSTGRESQL_DATABASE
     valueFrom:
       secretKeyRef:
-        name: ambient-api-server-db
+        name: ambient-code-rds
         key: db.name
 - op: replace
   path: /spec/template/spec/containers/0/volumeMounts

components/manifests/components/ambient-api-server-db/ambient-api-server-init-db-patch.yaml

@@ -41,20 +41,20 @@ spec:
         - name: PGHOST
           valueFrom:
             secretKeyRef:
-              name: ambient-api-server-db
+              name: ambient-code-rds
               key: db.host
         - name: PGUSER
           valueFrom:
             secretKeyRef:
-              name: ambient-api-server-db
+              name: ambient-code-rds
               key: db.user
         - name: PGPASSWORD
           valueFrom:
             secretKeyRef:
-              name: ambient-api-server-db
+              name: ambient-code-rds
               key: db.password
         - name: PGDATABASE
           valueFrom:
             secretKeyRef:
-              name: ambient-api-server-db
+              name: ambient-code-rds
               key: db.name

components/manifests/components/ambient-api-server-db/kustomization.yaml

@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 
-# Requires: ambient-api-server-db Secret in the target namespace
+# Requires: ambient-code-rds Secret in the target namespace
 
 patches:
 - path: ambient-api-server-db-json-patch.yaml

components/manifests/components/oauth-proxy/frontend-oauth-deployment-patch.yaml

@@ -1,5 +1,6 @@
 # Patch for production frontend deployment
-# - Adds OAuth proxy sidecar for authentication
+# - Adds OAuth proxy sidecar for authentication using OpenShift OAuth
+# - Uses service account token for cookie secret (no vault secret needed)
 # - Overrides resource limits to prevent OOMKills (sawtooth memory pattern)
 apiVersion: apps/v1
 kind: Deployment
@@ -20,19 +21,18 @@ spec:
             cpu: 1000m
       # OAuth proxy sidecar
       - name: oauth-proxy
-        image: quay.io/openshift/origin-oauth-proxy:4.14
+        image: registry.redhat.io/openshift4/ose-oauth-proxy-rhel9:v4.18.0-202506230505.p0.gcbd44ad.assembly.stream.el9
+        imagePullPolicy: IfNotPresent
         args:
-        - --http-address=:8443
-        - --https-address=
+        - --https-address=:8443
         - --provider=openshift
+        - --openshift-service-account=frontend
         - --upstream=http://localhost:3000
-        - --client-id=ambient-frontend
-        - --client-secret-file=/etc/oauth/config/client-secret
-        - --cookie-secret-file=/etc/oauth/config/cookie_secret
-        - --cookie-expire=23h0m0s
-        - --pass-access-token
-        - --scope=user:full
-        - --openshift-delegate-urls={"/":{"resource":"projects","verb":"list"}}
+        - --openshift-delegate-urls={"/api":{"resource":"namespaces","verb":"get","name":"ambient-code","namespace":"ambient-code"},"/federate":{"resource":"namespaces","verb":"get","name":"ambient-code","namespace":"ambient-code"}}
+        - --tls-cert=/etc/tls/private/tls.crt
+        - --tls-key=/etc/tls/private/tls.key
+        - --cookie-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
+        - --upstream-timeout=5m
         - --skip-auth-regex=^/metrics
         ports:
         - containerPort: 8443
@@ -41,38 +41,33 @@ spec:
           httpGet:
             path: /oauth/healthz
             port: dashboard-ui
-            scheme: HTTP
-          initialDelaySeconds: 30
+            scheme: HTTPS
+          initialDelaySeconds: 10
           timeoutSeconds: 1
-          periodSeconds: 5
+          periodSeconds: 10
           successThreshold: 1
           failureThreshold: 3
         readinessProbe:
           httpGet:
             path: /oauth/healthz
             port: dashboard-ui
-            scheme: HTTP
-          initialDelaySeconds: 5
+            scheme: HTTPS
+          initialDelaySeconds: 10
           timeoutSeconds: 1
-          periodSeconds: 5
+          periodSeconds: 10
           successThreshold: 1
           failureThreshold: 3
         resources:
           requests:
-            memory: 256Mi
-            cpu: 50m
+            memory: 50Mi
+            cpu: 10m
           limits:
-            memory: 512Mi
+            memory: 200Mi
             cpu: 200m
         volumeMounts:
-        - mountPath: /etc/oauth/config
-          name: oauth-config
         - mountPath: /etc/tls/private
-          name: proxy-tls
+          name: frontend-proxy-tls
       volumes:
-      - name: oauth-config
-        secret:
-          secretName: frontend-oauth-config
-      - name: proxy-tls
+      - name: frontend-proxy-tls
         secret:
-          secretName: dashboard-proxy-tls
+          secretName: frontend-proxy-tls

components/manifests/components/oauth-proxy/frontend-oauth-service-patch.yaml

@@ -1,10 +1,12 @@
 # Patch to add OAuth port to frontend service
+# - Adds HTTPS port for OAuth proxy sidecar
+# - Uses service.alpha annotation for auto-generated TLS cert
 apiVersion: v1
 kind: Service
 metadata:
   name: frontend-service
   annotations:
-    service.beta.openshift.io/serving-cert-secret-name: dashboard-proxy-tls
+    service.alpha.openshift.io/serving-cert-secret-name: frontend-proxy-tls
 spec:
   ports:
   - port: 8443

components/manifests/overlays/app-interface/ambient-api-server-db-secret-patch.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ambient-code-rds
+  labels:
+    app: ambient-api-server
+    component: database
+  annotations:
+    # External RDS connection managed via Vault secrets from app-interface Phase 2
+    # These values will be injected by vault-secret-manager from Vault path:
+    # app-interface/data/ambient-code-platform/stage/rds-credentials
+    qontract.recycle: "true"
+type: Opaque
+stringData:
+  # Placeholders - actual values injected from Vault at runtime
+  db.host: "VAULT_INJECTED"
+  db.port: "5432"
+  db.name: "ambient_code"
+  db.user: "VAULT_INJECTED"
+  db.password: "VAULT_INJECTED"

components/manifests/overlays/app-interface/ambient-api-server-env-patch.yaml

@@ -0,0 +1,13 @@
+# App-interface: set environment to stage
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ambient-api-server
+spec:
+  template:
+    spec:
+      containers:
+        - name: api-server
+          env:
+            - name: AMBIENT_ENV
+              value: stage

components/manifests/overlays/app-interface/ambient-api-server-route.yaml

@@ -0,0 +1,34 @@
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: ambient-api-server
+  labels:
+    app: ambient-api-server
+    component: api
+spec:
+  to:
+    kind: Service
+    name: ambient-api-server
+  port:
+    targetPort: api
+  tls:
+    termination: reencrypt
+    insecureEdgeTerminationPolicy: Redirect
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: ambient-api-server-grpc
+  labels:
+    app: ambient-api-server
+    component: grpc
+spec:
+  to:
+    kind: Service
+    name: ambient-api-server
+  port:
+    targetPort: grpc
+  tls:
+    termination: reencrypt
+    insecureEdgeTerminationPolicy: Redirect

components/manifests/overlays/app-interface/ambient-api-server-service-ca-patch.yaml

@@ -0,0 +1,7 @@
+# OpenShift service-ca: auto-provision and rotate TLS certs for ambient-api-server
+apiVersion: v1
+kind: Service
+metadata:
+  name: ambient-api-server
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: ambient-api-server-tls

components/manifests/overlays/app-interface/ambient-api-server-ssl-patch.yaml

@@ -0,0 +1,52 @@
+# App-interface (stage): enable SSL for external RDS connection
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ambient-api-server
+spec:
+  template:
+    spec:
+      # Migration init container: add SSL mode
+      initContainers:
+        - name: migration
+          command:
+            - /usr/local/bin/ambient-api-server
+            - migrate
+            - --db-host-file=/secrets/db/db.host
+            - --db-port-file=/secrets/db/db.port
+            - --db-user-file=/secrets/db/db.user
+            - --db-password-file=/secrets/db/db.password
+            - --db-name-file=/secrets/db/db.name
+            - --db-sslmode=require
+            - --alsologtostderr
+            - -v=4
+      # API server container: add SSL mode
+      containers:
+        - name: api-server
+          command:
+            - /usr/local/bin/ambient-api-server
+            - serve
+            - --db-host-file=/secrets/db/db.host
+            - --db-port-file=/secrets/db/db.port
+            - --db-user-file=/secrets/db/db.user
+            - --db-password-file=/secrets/db/db.password
+            - --db-name-file=/secrets/db/db.name
+            - --enable-jwt=true
+            - --enable-authz=false
+            - --jwk-cert-file=/configs/authentication/jwks.json
+            - --enable-https=false
+            - --api-server-bindaddress=:8000
+            - --metrics-server-bindaddress=:4433
+            - --health-check-server-bindaddress=:4434
+            - --db-sslmode=require
+            - --db-max-open-connections=50
+            - --enable-db-debug=false
+            - --enable-metrics-https=false
+            - --http-read-timeout=5s
+            - --http-write-timeout=30s
+            - --cors-allowed-origins=*
+            - --cors-allowed-headers=X-Ambient-Project
+            - --enable-grpc=true
+            - --grpc-server-bindaddress=:9000
+            - --alsologtostderr
+            - -v=4