feat: MPP-aware pod-status-syncer and kubernetes MCP sidecar (#1632)

## Summary

- **pod-status-syncer**: On MPP clusters (`PLATFORM_MODE=mpp`), lists
`TenantNamespace` resources (`tenant.paas.redhat.com/v1alpha1`) from the
config namespace instead of `v1/Namespace` (which is forbidden). Derives
actual namespace names with the `ambient-code--` prefix.
- **kubeclient**: Adds `ListTenantNamespaces()` method for the
TenantNamespace CRD.
- **kube_reconciler**: Propagates `PLATFORM_MODE` and
`MPP_CONFIG_NAMESPACE` env vars to credential sidecar containers so they
can detect MPP mode at runtime.
- **credential-entrypoint**: When `PLATFORM_MODE=mpp` and
`provider=kubeconfig`, writes a TOML config with `denied_resources`
blocking `v1/Namespace` and injects `--config` into the
`kubernetes-mcp-server` subprocess args.

No regression on vanilla Kubernetes — MPP code paths only activate when
`PLATFORM_MODE=mpp` (set by `mpp-openshift` overlay).

## Files Changed

 < /dev/null |  File | Change |
|------|--------|
| `components/ambient-control-plane/internal/reconciler/pod_sync.go` |
MPP namespace listing via TenantNamespace |
| `components/ambient-control-plane/internal/kubeclient/kubeclient.go` |
`ListTenantNamespaces()` method |
| `components/ambient-control-plane/cmd/ambient-control-plane/main.go` |
Pass platform config to syncer + reconciler |
|
`components/ambient-control-plane/internal/reconciler/kube_reconciler.go`
| Propagate PLATFORM_MODE to sidecar env |
| `components/credential-sidecars/entrypoint/main.go` |
`injectMPPConfig()` for k8s MCP sidecar |

## Test plan

- [x] `go vet ./...` passes for ambient-control-plane
- [x] `go build ./...` passes for ambient-control-plane and
credential-sidecars/entrypoint
- [x] `go test ./...` passes for ambient-control-plane
- [x] All kustomize overlays build (base, production, mpp-openshift)
- [ ] Deploy to MPP cluster and verify pod-status-syncer lists
namespaces via TenantNamespace
- [ ] Verify kubernetes-mcp-server sidecar starts with `--config` and
`denied_resources` on MPP
- [ ] Verify no regression on vanilla Kubernetes cluster

🤖 Generated with [Claude Code](https://claude.ai/code)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added multi-platform/multi-tenant (MPP) mode: control plane discovers
and syncs tenant namespaces and supports MPP-aware behavior.
* Credential sidecars receive MPP-aware environment/configuration to
restrict cluster-scoped namespace access.

* **Tests**
* E2E tests updated to improve workspace secret, API key, and
environment-variable input flows.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Co-authored-by: user <u@example.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

Author: 4 people

components/ambient-control-plane/cmd/ambient-control-plane/main.go

@@ -156,6 +156,8 @@ func runKubeMode(ctx context.Context, cfg *config.ControlPlaneConfig) error {
 		HTTPSProxy:            cfg.HTTPSProxy,
 		NoProxy:               cfg.NoProxy,
 		ImagePullSecret:       cfg.ImagePullSecret,
+		PlatformMode:          cfg.PlatformMode,
+		MPPConfigNamespace:    cfg.MPPConfigNamespace,
 	}
 
 	conn, err := grpc.NewClient(cfg.GRPCServerAddr, grpc.WithTransportCredentials(grpcCredentials(cfg.GRPCUseTLS)))
@@ -196,7 +198,7 @@ func runKubeMode(ctx context.Context, cfg *config.ControlPlaneConfig) error {
 		inf.RegisterHandler("sessions", sessionRec.Reconcile)
 	}
 
-	podSyncer := reconciler.NewPodStatusSyncer(factory, provisionerKube, log.Logger)
+	podSyncer := reconciler.NewPodStatusSyncer(factory, provisionerKube, cfg.PlatformMode, cfg.MPPConfigNamespace, log.Logger)
 
 	tsErrCh := make(chan error, 1)
 	go func() {

components/ambient-control-plane/internal/kubeclient/kubeclient.go

@@ -314,6 +314,19 @@ func (kc *KubeClient) UpdateNetworkPolicy(ctx context.Context, obj *unstructured
 	return kc.dynamic.Resource(NetworkPolicyGVR).Namespace(obj.GetNamespace()).Update(ctx, obj, metav1.UpdateOptions{})
 }
 
+func (kc *KubeClient) ListTenantNamespaces(ctx context.Context, namespace, labelSelector string) (*unstructured.UnstructuredList, error) {
+	gvr := schema.GroupVersionResource{
+		Group:    "tenant.paas.redhat.com",
+		Version:  "v1alpha1",
+		Resource: "tenantnamespaces",
+	}
+	opts := metav1.ListOptions{}
+	if labelSelector != "" {
+		opts.LabelSelector = labelSelector
+	}
+	return kc.dynamic.Resource(gvr).Namespace(namespace).List(ctx, opts)
+}
+
 func (kc *KubeClient) GetResource(ctx context.Context, gvr schema.GroupVersionResource, namespace, name string) (*unstructured.Unstructured, error) {
 	return kc.dynamic.Resource(gvr).Namespace(namespace).Get(ctx, name, metav1.GetOptions{})
 }

components/ambient-control-plane/internal/reconciler/kube_reconciler.go

@@ -72,6 +72,8 @@ type KubeReconcilerConfig struct {
 	HTTPSProxy            string
 	NoProxy               string
 	ImagePullSecret       string
+	PlatformMode          string
+	MPPConfigNamespace    string
 }
 
 type SimpleKubeReconciler struct {
@@ -1008,6 +1010,12 @@ func (r *SimpleKubeReconciler) buildCredentialSidecars(sessionID string, namespa
 		if r.cfg.NoProxy != "" {
 			env = append(env, envVar("NO_PROXY", r.cfg.NoProxy))
 		}
+		if r.cfg.PlatformMode != "" {
+			env = append(env, envVar("PLATFORM_MODE", r.cfg.PlatformMode))
+		}
+		if r.cfg.MPPConfigNamespace != "" {
+			env = append(env, envVar("MPP_CONFIG_NAMESPACE", r.cfg.MPPConfigNamespace))
+		}
 
 		sidecar := map[string]interface{}{
 			"name":            spec.Name,

components/ambient-control-plane/internal/reconciler/pod_sync.go

@@ -18,16 +18,20 @@ const (
 )
 
 type PodStatusSyncer struct {
-	factory *SDKClientFactory
-	kube    *kubeclient.KubeClient
-	logger  zerolog.Logger
+	factory            *SDKClientFactory
+	kube               *kubeclient.KubeClient
+	platformMode       string
+	mppConfigNamespace string
+	logger             zerolog.Logger
 }
 
-func NewPodStatusSyncer(factory *SDKClientFactory, kube *kubeclient.KubeClient, logger zerolog.Logger) *PodStatusSyncer {
+func NewPodStatusSyncer(factory *SDKClientFactory, kube *kubeclient.KubeClient, platformMode, mppConfigNamespace string, logger zerolog.Logger) *PodStatusSyncer {
 	return &PodStatusSyncer{
-		factory: factory,
-		kube:    kube,
-		logger:  logger.With().Str("component", "pod-status-syncer").Logger(),
+		factory:            factory,
+		kube:               kube,
+		platformMode:       platformMode,
+		mppConfigNamespace: mppConfigNamespace,
+		logger:             logger.With().Str("component", "pod-status-syncer").Logger(),
 	}
 }
 
@@ -60,6 +64,9 @@ func (s *PodStatusSyncer) syncOnce(ctx context.Context) {
 }
 
 func (s *PodStatusSyncer) listManagedNamespaces(ctx context.Context) ([]string, error) {
+	if s.platformMode == "mpp" {
+		return s.listMPPManagedNamespaces(ctx)
+	}
 	nsList, err := s.kube.ListNamespacesByLabel(ctx, managedLabelFilter)
 	if err != nil {
 		return nil, fmt.Errorf("listing managed namespaces: %w", err)
@@ -72,6 +79,19 @@ func (s *PodStatusSyncer) listManagedNamespaces(ctx context.Context) ([]string,
 	return names, nil
 }
 
+func (s *PodStatusSyncer) listMPPManagedNamespaces(ctx context.Context) ([]string, error) {
+	tnList, err := s.kube.ListTenantNamespaces(ctx, s.mppConfigNamespace, managedLabelFilter)
+	if err != nil {
+		return nil, fmt.Errorf("listing managed TenantNamespaces in %s: %w", s.mppConfigNamespace, err)
+	}
+
+	var names []string
+	for _, tn := range tnList.Items {
+		names = append(names, "ambient-code--"+tn.GetName())
+	}
+	return names, nil
+}
+
 func (s *PodStatusSyncer) syncNamespace(ctx context.Context, namespace string) {
 	pods, err := s.kube.ListPodsByLabel(ctx, namespace, managedLabelFilter)
 	if err != nil {

components/credential-sidecars/entrypoint/main.go

@@ -63,7 +63,11 @@ func main() {
 	exchanger.StartBackgroundRefresh()
 	defer exchanger.Stop()
 
-	runSubprocess(os.Args[1:])
+	args := os.Args[1:]
+	if os.Getenv("PLATFORM_MODE") == "mpp" && provider == "kubeconfig" {
+		args = injectMPPConfig(args)
+	}
+	runSubprocess(args)
 }
 
 func fetchAndSetCredential(bearerToken, apiURL, provider string) error {
@@ -195,6 +199,22 @@ func isValidCredentialID(id string) bool {
 	return len(id) > 0
 }
 
+func injectMPPConfig(args []string) []string {
+	const mppConfig = `
+[[denied_resources]]
+group = ""
+version = "v1"
+kind = "Namespace"
+`
+	configPath := "/tmp/mcp-mpp-config.toml"
+	if err := os.WriteFile(configPath, []byte(mppConfig), 0600); err != nil {
+		fmt.Fprintf(os.Stderr, "failed to write MPP MCP config: %v\n", err)
+		return args
+	}
+	fmt.Fprintf(os.Stderr, "MPP mode: injecting kubernetes-mcp-server config to deny cluster-scoped Namespace access\n")
+	return append([]string{args[0], "--config", configPath}, args[1:]...)
+}
+
 func runSubprocess(args []string) {
 	cmd := exec.Command(args[0], args[1:]...)
 	cmd.Stdout = os.Stdout

e2e/cypress/e2e/sessions.cy.ts

@@ -1243,11 +1243,10 @@ describe('Ambient Session Management Tests', () => {
           cy.contains('Runner API Keys').click({ force: true })
           cy.wait(500)
 
-          // Find any input fields and type
           cy.get('body').then(($inner) => {
-            const inputs = $inner.find('input[type="text"], input[type="password"]')
-            if (inputs.length) {
-              cy.wrap(inputs.first()).clear({ force: true }).type('test-api-key-value', { force: true })
+            if ($inner.find('input[type="text"], input[type="password"]').length) {
+              cy.get('input[type="text"], input[type="password"]').first().clear({ force: true })
+              cy.get('input[type="text"], input[type="password"]').first().type('test-api-key-value', { force: true })
               cy.wait(200)
             }
           })
@@ -1268,15 +1267,12 @@ describe('Ambient Session Management Tests', () => {
           cy.contains('button', 'Add Environment Variable').click({ force: true })
           cy.wait(500)
 
-          // Look for key/value inputs that appear after clicking Add
           cy.get('body').then(($inner) => {
-            const keyInputs = $inner.find('input[placeholder*="key"], input[placeholder*="KEY"], input[placeholder*="name"]')
-            if (keyInputs.length) {
-              cy.wrap(keyInputs.last()).type('E2E_TEST_VAR', { force: true })
+            if ($inner.find('input[placeholder*="key"], input[placeholder*="KEY"], input[placeholder*="name"]').length) {
+              cy.get('input[placeholder*="key"], input[placeholder*="KEY"], input[placeholder*="name"]').last().type('E2E_TEST_VAR', { force: true })
             }
-            const valInputs = $inner.find('input[placeholder*="value"], input[placeholder*="VALUE"]')
-            if (valInputs.length) {
-              cy.wrap(valInputs.last()).type('test-value-123', { force: true })
+            if ($inner.find('input[placeholder*="value"], input[placeholder*="VALUE"]').length) {
+              cy.get('input[placeholder*="value"], input[placeholder*="VALUE"]').last().type('test-value-123', { force: true })
             }
           })
         }