fix: move OpenShift Route out of kustomize base

[jeremyeder]

Summary

• Remove ambient-api-server-route.yml (OpenShift Route) from the base kustomization
• Add it as a local resource in the production and local-dev overlays where OpenShift CRDs are available
• Kind and e2e overlays no longer inherit the Route, so kubectl apply completes without error

Root cause

The base kustomization included an route.openshift.io/v1 Route resource. On kind/e2e clusters (no OpenShift CRDs), kubectl apply fails with:

error: resource mapping not found for name: "ambient-api-server"
  no matches for kind "Route" in version "route.openshift.io/v1"

This aborted make kind-up at the kubectl apply step, preventing all subsequent steps from running:

• wait-for-ready.sh (pod readiness checks)
• init-minio.sh (bucket creation)
• extract-token.sh (test user token)

Sessions then failed because the MinIO bucket was never created.

Verification

All four overlays build cleanly with kubectl kustomize:

Overlay	Routes	Status
kind	0	OK
e2e	0	OK
production	5	OK
local-dev	4	OK

Test plan

• make kind-up completes without errors (full pipeline including MinIO init)
• make kind-down && make kind-up from scratch
• Verify production overlay still renders all Routes

🤖 Generated with Claude Code

[github-actions]

Claude Code Review

Summary

This PR correctly fixes a real blocker: the base kustomization included a route.openshift.io/v1 Route, which is an OpenShift-specific CRD unavailable on kind/e2e clusters. Removing it from base and placing it in only the OpenShift-aware overlays (production, local-dev) is the right architectural fix. The change is minimal, well-scoped, and the PR description is clear. No security, backend, or frontend concerns — this is a pure manifest organization fix.

Issues by Severity

🚫 Blocker Issues

None.

🔴 Critical Issues

None.

🟡 Major Issues

Orphaned file: components/manifests/base/ambient-api-server-route.yml is not deleted

The PR removes the route from base/kustomization.yaml but leaves the original .yml file on disk. Kustomize only processes files explicitly listed in kustomization.yaml, so this causes no functional breakage — but the file becomes dead code that can mislead developers:

• A future contributor may see the file, assume it is active, and be confused why changes to it have no effect.
• It creates a discrepancy: the source-of-truth route is now in the overlays, but an unmanaged copy remains in base.

Recommendation: Delete components/manifests/base/ambient-api-server-route.yml in this PR.

🔵 Minor Issues

1. Duplicated identical content between overlays

overlays/production/ambient-api-server-route.yaml and overlays/local-dev/ambient-api-server-route.yaml are byte-for-byte identical. This is an acceptable Kustomize pattern, but worth a comment in each file noting that they are intentionally in sync and should be updated together if the Route spec changes.

2. File extension inconsistency

The original base file used .yml; both new overlay files use .yaml. This matches the majority of the overlay directory convention (route.yaml, backend-route.yaml, etc.), so the new .yaml extension is actually the better choice — but the old base file should be deleted (see Major issue above) rather than left alongside the new files.

3. Missing wildcardPolicy: None

Other routes in the production overlay (e.g. route.yaml for frontend-route) explicitly declare wildcardPolicy: None. The new ambient-api-server-route.yaml omits it. The default is None so this is not a functional gap, but consistency with the other route files in the overlay would be cleaner.

Positive Highlights

• Architecturally correct fix: Platform-specific CRDs belong in environment-specific overlays, not the shared base. This is exactly how Kustomize layering is intended to work.
• Zero regression risk: The Route spec is preserved verbatim from the original; only its location changes.
• Kind and e2e correctly unaffected: Neither overlay references the Route, confirmed in the diff and the PR's kustomize build verification table.
• namePrefix handled correctly: The local-dev overlay applies namePrefix: vteam- to all resources. Moving the Route from base (where it was already subject to this prefix) to an explicit overlay resource entry produces identical behavior.
• without-rbac-kustomization.yaml unaffected: That alternate base file never included the Route; no change needed there.
• Well-written PR description with root-cause analysis and a clear verification matrix.

Recommendations

1. Delete components/manifests/base/ambient-api-server-route.yml — the most important follow-up to prevent confusion.
2. (Optional) Add a sync comment to both overlay route files, e.g. # NOTE: Keep in sync with overlays/production/ambient-api-server-route.yaml.
3. (Optional) Add wildcardPolicy: None to both overlay route files for parity with other production routes.

The PR is good to merge once the orphaned base file is removed.

🤖 Reviewed by Claude Code

---

🔍 View AI decision process (logs available for 90 days)

📋 View memory system files loaded (click to expand)

What Amber Loaded for Code Review

Amber automatically loaded these repository standards from the memory system:

1. CLAUDE.md - Master project instructions, development standards
2. backend-development.md - Go backend, K8s integration patterns
3. frontend-development.md - NextJS, Shadcn UI, React Query patterns
4. security-standards.md - Auth, RBAC, token handling
5. k8s-client-usage.md - User token vs service account patterns
6. error-handling.md - Consistent error patterns
7. react-query-usage.md - Data fetching patterns

Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs #359, #360) - not just generic code review guidelines.