
fix(manifests): add CP token server Service and CP_TOKEN_URL for runner gRPC auth #1448

Merged
mergify[bot] merged 1 commit into main from fix/control-plane-token-server-service
Apr 23, 2026

Conversation

@markturansky (Contributor) commented Apr 23, 2026

Summary

  • Add a K8s Service (ambient-control-plane, port 8080) to expose the control-plane's token server
  • Add CP_TOKEN_URL env var to the CP Deployment so it injects the token endpoint URL into runner pods
  • Without these, runners start with an empty auth token and get UNAUTHENTICATED errors on all gRPC streams

Root Cause

The control-plane runs a token server on :8080 that runner pods call to exchange an RSA-encrypted session ID for an OIDC access token. The base manifests had neither a Service to make this endpoint reachable nor the CP_TOKEN_URL env var that tells the CP what URL to pass to runners. The MPP overlay already had both (with MPP-specific namespaces), but the base/production overlay did not.

Test plan

  • Verified on Stage that runners get UNAUTHENTICATED without these changes
  • MPP overlay already uses this pattern successfully (self-contained, no deduplication needed)
  • After merge + deploy to Stage, verify runner pods receive a non-empty AMBIENT_CP_TOKEN_URL and gRPC streams authenticate successfully

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features
    • Added a token service endpoint for the control plane accessible within the cluster for internal authentication and communication.

…er gRPC auth

Runners authenticate to the API server by fetching an OIDC token from
the control-plane's token server (port 8080). The base manifests were
missing both the K8s Service to make the token server reachable and the
CP_TOKEN_URL env var that tells the CP what URL to inject into runner
pods. Without these, runners start with an empty auth token and get
UNAUTHENTICATED errors on all gRPC streams.

Add:
- ambient-control-plane-token-svc.yaml: Service exposing port 8080
- CP_TOKEN_URL env var on the CP Deployment

The MPP overlay already has both (with MPP-specific namespaces) and is
self-contained, so no deduplication is needed.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
netlify Bot commented Apr 23, 2026

Deploy Preview for cheerful-kitten-f556a0 canceled.

🔨 Latest commit: 0b45d17
🔍 Latest deploy log: https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/69ea95293963d200099a323c

coderabbitai Bot commented Apr 23, 2026

📝 Walkthrough

Adds a new Kubernetes Service to expose the ambient control plane's token endpoint on port 8080 and introduces a corresponding CP_TOKEN_URL environment variable configuration to the control plane deployment. Updates Kustomize base resources to include the new service manifest.

Changes

Cohort: Ambient Control Plane Token Service
Files: components/manifests/base/ambient-control-plane-token-svc.yaml, components/manifests/base/ambient-control-plane-service.yml, components/manifests/base/kustomization.yaml
Summary: Introduces a new Service manifest exposing the token endpoint on port 8080, adds the CP_TOKEN_URL environment variable to the control plane container pointing to the /token endpoint, and registers the service in the Kustomize base resources.

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Security And Secret Handling: ❌ Error
  Explanation: Base manifests expose the token endpoint on port 8080 without a NetworkPolicy; the MPP overlay includes proper ingress restrictions via ambient-cp-token-netpol.yaml.
  Resolution: Add a NetworkPolicy to the base manifests restricting port 8080 ingress to authorized pods; adapt the MPP overlay's ambient-cp-token-netpol.yaml template for the base context.

Kubernetes Resource Safety: ⚠️ Warning
  Explanation: The Service manifest lacks an explicit metadata.namespace, creating an implicit namespace dependency inconsistent with the hardcoded FQDN reference and other scoped resources.
  Resolution: Add metadata.namespace: ambient-code to the Service manifest to match the explicit namespace scoping of related resources (ServiceAccount, Secrets, ClusterRoleBinding).

✅ Passed checks (6 passed)

Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. Title follows Conventional Commits format (fix(manifests): ...) and accurately summarizes the main changes: adding a CP token server Service and CP_TOKEN_URL environment variable for runner gRPC authentication.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Performance And Algorithmic Complexity: ✅ Passed. Pull request contains only static Kubernetes manifests (YAML) with no executable code, algorithms, or computational operations. Resource limits are explicitly bounded.

@coderabbitai Bot left a review comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
components/manifests/base/ambient-control-plane-service.yml (1)

58-59: Avoid hardcoding namespace in CP_TOKEN_URL

CP_TOKEN_URL is pinned to ambient-code, which breaks namespace portability for this base manifest. Use same-namespace DNS (ambient-control-plane) or derive namespace dynamically to avoid auth regressions outside that namespace.

Proposed change
-        - name: CP_TOKEN_URL
-          value: "http://ambient-control-plane.ambient-code.svc:8080/token"
+        - name: CP_TOKEN_URL
+          value: "http://ambient-control-plane:8080/token"
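Review bot: the bare host in the replacement value, `http://ambient-control-plane:8080/token`, resolves in the namespace of whichever pod uses it, and per the PR description this URL is not consumed by the control plane itself but injected into runner pods. A runner scheduled in a different namespace (the MPP overlay already uses its own namespaces) would resolve `ambient-control-plane` against its own namespace and get UNAUTHENTICATED again, which is exactly the regression this PR fixes. Keep the namespace in the host and derive it at runtime instead, as the prompt text below this diff describes: `http://ambient-control-plane.$(CP_TOKEN_NAMESPACE).svc:8080/token` with CP_TOKEN_NAMESPACE taken from `metadata.namespace` via fieldRef.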
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@components/manifests/base/ambient-control-plane-service.yml` around lines 58
- 59, CP_TOKEN_URL is hardcoded to the ambient-code namespace; change the
manifest to derive the namespace dynamically by adding an env var (e.g.
CP_TOKEN_NAMESPACE) that uses valueFrom.fieldRef.metadata.namespace and then set
CP_TOKEN_URL to use that var (e.g.
"http://ambient-control-plane.$(CP_TOKEN_NAMESPACE):8080/token") so the URL uses
same-namespace DNS (service name ambient-control-plane) and remains portable
across namespaces.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f8ba71cc-d848-4b82-82ad-7f53259f98a9

📥 Commits

Reviewing files that changed from the base of the PR and between 720bad8 and 0b45d17.

📒 Files selected for processing (3)
  • components/manifests/base/ambient-control-plane-service.yml
  • components/manifests/base/ambient-control-plane-token-svc.yaml
  • components/manifests/base/kustomization.yaml
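A namespace-portable form of the CP_TOKEN_URL setting discussed in the nitpick above, written as an added example; it is not the PR's own ambient-control-plane-service.yml. It keeps a namespace-qualified host because the value is handed to runner pods, and a bare service name would resolve in the runner's namespace rather than the control plane's. The Deployment skeleton, the container name and image, and the CP_TOKEN_NAMESPACE variable name are assumptions; only CP_TOKEN_URL, the Service name ambient-control-plane and port 8080 come from the PR.

```yaml
# Added example (not the project's manifest): derive the control plane's own
# namespace from the Downward API so the base Deployment works unchanged under
# any overlay. Container name and image are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ambient-control-plane
spec:
  selector:
    matchLabels:
      app: ambient-control-plane
  template:
    metadata:
      labels:
        app: ambient-control-plane
    spec:
      containers:
        - name: control-plane                 # assumed container name
          image: ambient-control-plane:latest # assumed image
          env:
            # Namespace the CP pod runs in, filled by the kubelet.
            - name: CP_TOKEN_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # $(VAR) expansion only sees variables defined EARLIER in this
            # list, so the order matters. The host stays namespace-qualified
            # because runner pods, not the CP, dial this URL.
            - name: CP_TOKEN_URL
              value: "http://ambient-control-plane.$(CP_TOKEN_NAMESPACE).svc:8080/token"
```

After deploying, `kubectl -n <namespace> exec deploy/ambient-control-plane -- printenv CP_TOKEN_URL` should print the expanded URL; if the literal `$(CP_TOKEN_NAMESPACE)` is still there, the variable is defined after CP_TOKEN_URL and the kubelet left it unexpanded.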

Comment on lines +8 to +15
spec:
selector:
app: ambient-control-plane
ports:
- name: token
port: 8080
targetPort: 8080
protocol: TCP
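Review bot: this Service exposes the token server as a plain TCP port and the CP_TOKEN_URL value elsewhere in the PR uses an `http://` scheme, so the OIDC access token minted at /token returns to the runner in cleartext on the pod network. The RSA encryption mentioned in the description covers the session ID in the request, not the token in the response. Unless a mesh enforces mTLS on port 8080, serve /token over TLS and switch CP_TOKEN_URL to `https://`, or record the mesh assumption next to the Service. The pre-merge warning also applies to these lines: add `metadata.namespace` so the Service and the hardcoded `ambient-code` FQDN cannot drift apart.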
@coderabbitai Bot commented:
⚠️ Potential issue | 🟠 Major

Token service is exposed without a base ingress guard

This new Service exposes the token-minting endpoint, but base manifests do not add a matching NetworkPolicy. In clusters without default-deny, any pod in-namespace can hit :8080/token. Add a base policy limiting ingress to expected caller pods/namespaces (similar to components/manifests/overlays/mpp-openshift/ambient-cp-token-netpol.yaml).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@components/manifests/base/ambient-control-plane-token-svc.yaml` around lines
8 - 15, The Service defined in ambient-control-plane-token-svc.yaml exposes port
"token" (8080) without a matching NetworkPolicy, allowing any in-namespace pod
to call :8080/token; add a base NetworkPolicy (similar to
components/manifests/overlays/mpp-openshift/ambient-cp-token-netpol.yaml) that
targets the same backend pods (podSelector: matchLabels: app:
ambient-control-plane) and restricts ingress (policyTypes: ["Ingress"]) to only
the expected callers by using specific podSelector and/or namespaceSelector
rules (e.g., allow from pods with the caller label or a namespace with a known
label) so only authorized pods/namespaces can reach port 8080 (name: token).
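A base NetworkPolicy of the kind the comment above asks for, written as an added example; it is not the project's ambient-cp-token-netpol.yaml from the MPP overlay. The backend selector app=ambient-control-plane and port 8080 come from the Service in this PR; the runner pod label app=ambient-runner and the namespace label ambient-runner-namespace=true are assumptions and must be replaced with whatever labels the runner pods and their namespaces actually carry.

```yaml
# Added example (not the project's netpol): allow ingress to the CP token
# port only from runner pods. Label values for runners are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ambient-cp-token-ingress
spec:
  podSelector:
    matchLabels:
      app: ambient-control-plane   # same pods the Service selects
  policyTypes:
    - Ingress
  ingress:
    # Runners in the control plane's own namespace.
    - from:
        - podSelector:
            matchLabels:
              app: ambient-runner  # assumed runner pod label
      ports:
        - protocol: TCP
          port: 8080
    # Runners in other namespaces (the MPP overlay uses its own). Putting
    # namespaceSelector and podSelector in ONE list entry ANDs them; a
    # separate entry with only a namespaceSelector would admit every pod
    # in that namespace.
    - from:
        - namespaceSelector:
            matchLabels:
              ambient-runner-namespace: "true"  # assumed namespace label
          podSelector:
            matchLabels:
              app: ambient-runner
      ports:
        - protocol: TCP
          port: 8080
```

Two caveats when adopting this. First, once a pod is selected by any Ingress policy it is isolated for all ingress, so every other port the control plane serves (the ones behind the existing ambient-control-plane Service) needs its own allow rule in this policy or in a sibling one, otherwise this fix silently breaks those callers. Second, verify the policy is actually enforced by the CNI: from an unlabelled pod in the namespace, `curl -m 5 http://ambient-control-plane:8080/token` should time out, while the same request from a pod carrying the runner label should reach the endpoint.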

@mergify mergify Bot added the queued label Apr 23, 2026
mergify Bot commented Apr 23, 2026

Merge Queue Status

  • Entered queue 2026-04-23 22:04 UTC · Rule: default
  • Checks skipped · PR is already up-to-date
  • Merged 2026-04-23 22:05 UTC · at 0b45d1745766ae567dc93e942199502669b00b8b · squash

This pull request spent 10 seconds in the queue, including 1 second running CI.
@mergify mergify Bot merged commit ab0b389 into main Apr 23, 2026
56 checks passed
@mergify mergify Bot deleted the fix/control-plane-token-server-service branch April 23, 2026 22:05
@mergify mergify Bot removed the queued label Apr 23, 2026