feat(manifests): switch control-plane auth from static token to OIDC client credentials

jsell-rh · claude · jsell-rh · commit efb43f6f92f8 · 2026-06-09T11:28:24.000-04:00
Replace AMBIENT_API_TOKEN (static bearer token) with OIDC client
credentials (client_credentials grant) for control-plane → api-server
authentication. The control-plane exchanges a Keycloak client-id and
client-secret for short-lived JWTs, validated by the same JWKS path
the api-server already uses for user tokens.

- Update SaaS template: replace AMBIENT_API_TOKEN with OIDC_TOKEN_URL,
  OIDC_CLIENT_ID, OIDC_CLIENT_SECRET from ambient-control-plane-oidc secret
- Remove AMBIENT_API_TOKEN from api-server env (no longer needed)
- Update hcmais overlay with concrete Keycloak token URL
- Add deployment prerequisites section to manifests README

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/components/manifests/README.md b/components/manifests/README.md
@@ -124,6 +124,32 @@ Components are opt-in kustomize modules included via the `components:` block in
 | `ambient-api-server-db` | Same RHEL patch for the ambient-api-server's dedicated DB | `production`, `local-dev` |
 | `postgresql-init-scripts` | ConfigMap + volume for DB init SQL (vanilla postgres only) | `kind`, `e2e` |
 
+## Prerequisites for New Deployments
+
+Before deploying, create these secrets in the target namespace:
+
+### Control-plane OIDC credentials
+
+The control-plane authenticates to the api-server using Keycloak client credentials (OAuth2 `client_credentials` grant). Create a **confidential** Keycloak client with only the **Service accounts roles** flow enabled, then:
+
+```bash
+oc create secret generic ambient-control-plane-oidc \
+  -n <namespace> \
+  --from-literal=client-id=<keycloak-client-id> \
+  --from-literal=client-secret=<keycloak-client-secret>
+```
+
+### API server auth ConfigMap
+
+The api-server validates JWTs using keys from the Keycloak JWKS endpoint (configured via `--jwk-cert-url`). A local fallback is also loaded from a ConfigMap:
+
+```bash
+oc create configmap ambient-api-server-auth \
+  -n <namespace> \
+  --from-file=jwks.json=<(curl -s <KEYCLOAK_REALM_URL>/protocol/openid-connect/certs) \
+  --from-file=acl.yml=<(echo '- claim: email\n  pattern: ^.*$')
+```
+
 ## Building and Validating
 
 ```bash
diff --git a/components/manifests/overlays/hcmais/control-plane-env-patch.yaml b/components/manifests/overlays/hcmais/control-plane-env-patch.yaml
@@ -16,8 +16,15 @@ spec:
               value: "false"
             - name: CP_TOKEN_URL
               value: "http://ambient-control-plane.ambient-api.svc:8080/token"
-            - name: AMBIENT_API_TOKEN
+            - name: OIDC_TOKEN_URL
+              value: "https://keycloak-ambient-keycloak.apps.rosa.hcmais01ue1.s9m2.p3.openshiftapps.com/realms/ambient-code/protocol/openid-connect/token"
+            - name: OIDC_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: ambient-control-plane-token
-                  key: token
+                  name: ambient-control-plane-oidc
+                  key: client-id
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: ambient-control-plane-oidc
+                  key: client-secret
diff --git a/components/manifests/templates/template-services.yaml b/components/manifests/templates/template-services.yaml
@@ -202,11 +202,6 @@ objects:
             env:
               - name: AMBIENT_ENV
                 value: production
-              - name: AMBIENT_API_TOKEN
-                valueFrom:
-                  secretKeyRef:
-                    name: ambient-control-plane-token
-                    key: token
               - name: CREDENTIAL_ENCRYPTION_KEYRING
                 valueFrom:
                   secretKeyRef:
@@ -375,11 +370,18 @@ objects:
                 value: standard
               - name: LOG_LEVEL
                 value: info
-              - name: AMBIENT_API_TOKEN
+              - name: OIDC_TOKEN_URL
+                value: "${KEYCLOAK_REALM_URL}/protocol/openid-connect/token"
+              - name: OIDC_CLIENT_ID
+                valueFrom:
+                  secretKeyRef:
+                    name: ambient-control-plane-oidc
+                    key: client-id
+              - name: OIDC_CLIENT_SECRET
                 valueFrom:
                   secretKeyRef:
-                    name: ambient-control-plane-token
-                    key: token
+                    name: ambient-control-plane-oidc
+                    key: client-secret
               - name: AMBIENT_API_SERVER_URL
                 value: "http://ambient-api-server.${NAMESPACE}.svc:8000"
               - name: AMBIENT_GRPC_SERVER_ADDR
