
Security Updates #863

Open
chadmf wants to merge 2 commits into ambient-code:main from chadmf:secupdates

Conversation


@chadmf chadmf commented Mar 9, 2026

Security overlay for OpenShift

Details

Updates to run securely on OpenShift
Ensure you have lvmoperator properly configured
Ensure that init containers wait for the database to come online and retry up to 5 times

feat(manifests): production overlay for OpenShift (LVM, SCC, credentials, DB init)

Add and wire production overlay resources and patches for deploying the
Ambient Code Platform on OpenShift with LVM Storage,
restricted SCC, and shared PostgreSQL.

Storage (LVM)

  • Add PVC patches for backend, postgresql, minio, and ambient-api-server-db
    to use storageClassName: lvms-vg1 (LVM Storage) instead of default.
  • See README-storage.md for LVMCluster and volume setup.

Credentials

  • postgresql-credentials: db.host=postgresql, postgres/postgres123, db.name=postgres.
  • minio-credentials: MinIO credentials for state sync.
  • unleash-credentials: DATABASE_URL to shared postgresql/unleash, API tokens,
    default admin password, database-ssl.

ServiceAccounts and SCC (nonroot)

  • postgresql-sa, minio-sa, ambient-api-server-db-sa: dedicated SAs for stateful
    workloads so they can use nonroot SCC (no seccomp in patch; nonroot forbids it).
  • postgresql-fsgroup-patch, minio-fsgroup-patch: fsGroup and runAsUser for RHEL
    compatibility and volume permissions.
  • ambient-api-server-db-scc-patch: runAsUser and securityContext for
    ambient-api-server-db to run under nonroot.
  • README-SCC.md: oc adm policy add-scc-to-user nonroot and rollout restart steps.

ambient-api-server

  • ambient-api-server-wait-db-patch: add wait-for-db init container (pg_isready
    loop) and keep migration init so API server starts only after DB is ready.

Unleash

  • unleash-init-db-patch: init container (RHEL postgresql-16 image) that waits
    for shared PostgreSQL, creates database "unleash" if missing, then verifies
    connectivity to the unleash database (retries) before main container starts.
  • kustomization: register credentials resources and all patches (PVC, SA, SCC,
    wait-db, fsgroup, unleash-init-db); postgresql-json-patch removed (use
    postgres:16 with fsGroup/runAsUser instead of RHEL image for shared Postgres).

Docs

  • README-vertex.md: Vertex/Google Cloud notes (unchanged from existing content).

Files changed (18)

README-SCC.md, README-vertex.md, *-sa, *-scc-patch, *-wait-db-patch,
kustomization.yaml, *-credentials, *-fsgroup-patch, pvc-patch-*,
unleash-init-db-patch.yaml.

ASSISTED BY CURSOR/CLAUDE AI

chadmf added 2 commits March 9, 2026 18:09
…als, DB init)

Add and wire production overlay resources and patches for deploying the
Ambient Code Platform on OpenShift (e.g. chadsno2026) with LVM Storage,
restricted SCC, and shared PostgreSQL.

Storage (LVM)
- Add PVC patches for backend, postgresql, minio, and ambient-api-server-db
  to use storageClassName: lvms-vg1 (LVM Storage) instead of default.
- See README-storage.md for LVMCluster and volume setup.

Credentials
- postgresql-credentials: db.host=postgresql, postgres/postgres123, db.name=postgres.
- minio-credentials: MinIO credentials for state sync.
- unleash-credentials: DATABASE_URL to shared postgresql/unleash, API tokens,
  default admin password, database-ssl.

ServiceAccounts and SCC (nonroot)
- postgresql-sa, minio-sa, ambient-api-server-db-sa: dedicated SAs for stateful
  workloads so they can use nonroot SCC (no seccomp in patch; nonroot forbids it).
- postgresql-fsgroup-patch, minio-fsgroup-patch: fsGroup and runAsUser for RHEL
  compatibility and volume permissions.
- ambient-api-server-db-scc-patch: runAsUser and securityContext for
  ambient-api-server-db to run under nonroot.
- README-SCC.md: oc adm policy add-scc-to-user nonroot and rollout restart steps.

ambient-api-server
- ambient-api-server-wait-db-patch: add wait-for-db init container (pg_isready
  loop) and keep migration init so API server starts only after DB is ready.

Unleash
- unleash-init-db-patch: init container (RHEL postgresql-16 image) that waits
  for shared PostgreSQL, creates database "unleash" if missing, then verifies
  connectivity to the unleash database (retries) before main container starts.
- kustomization: register credentials resources and all patches (PVC, SA, SCC,
  wait-db, fsgroup, unleash-init-db); postgresql-json-patch removed (use
  postgres:16 with fsGroup/runAsUser instead of RHEL image for shared Postgres).

Docs
- README-vertex.md: Vertex/Google Cloud notes (unchanged from existing content).

Files changed (18)
README-SCC.md, README-vertex.md, *-sa, *-scc-patch, *-wait-db-patch,
kustomization.yaml, *-credentials, *-fsgroup-patch, pvc-patch-*,
unleash-init-db-patch.yaml.

Made-with: Cursor
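The wait-for-db init container described in both the PR description and the commit message, as an added example patch (not the PR's own manifest). It assumes a Deployment named ambient-api-server, that the postgresql-credentials Secret carries db.host and db.name keys, and a placeholder image that provides pg_isready; the loop gives up after the 5 retries the description mentions and fails closed, so the API server is never started against an absent database, and the securityContext stays within what the nonroot SCC allows.

```yaml
# Added example (not the PR's own manifest): a Kustomize strategic-merge patch
# that adds the wait-for-db init container the PR describes. Assumptions:
# the Deployment is named ambient-api-server, the Secret postgresql-credentials
# exposes keys db.host and db.name, and the image reference is a placeholder.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ambient-api-server
spec:
  template:
    spec:
      initContainers:
        - name: wait-for-db
          image: registry.example.com/postgresql-16:placeholder  # any image that ships pg_isready
          env:
            - name: PGHOST
              valueFrom:
                secretKeyRef:
                  name: postgresql-credentials
                  key: db.host
            - name: PGDATABASE
              valueFrom:
                secretKeyRef:
                  name: postgresql-credentials
                  key: db.name
          command: ["/bin/sh", "-c"]
          args:
            - |
              # pg_isready only checks that the server accepts connections, so no
              # password is needed here. Retry up to 5 times, then exit non-zero:
              # the kubelet re-runs a failed init container with backoff, and the
              # main container never starts without a reachable database.
              for i in 1 2 3 4 5; do
                if pg_isready -h "$PGHOST" -d "$PGDATABASE" -t 5; then
                  echo "database ready"; exit 0
                fi
                echo "attempt $i/5: database not ready, sleeping"; sleep 5
              done
              echo "database never came up after 5 attempts"; exit 1
          securityContext:
            # Stays within the nonroot SCC: no fixed UID, no seccompProfile
            # (the PR notes nonroot forbids it), no privilege escalation.
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
```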
@chadmf chadmf changed the title Secupdates Security Updates Mar 10, 2026

ambient-code bot commented Mar 11, 2026

Review Queue — Blockers Found

Check            Status  Detail
CI               pass
Merge conflicts  FAIL    Has merge conflicts
Review comments  pass
Jira hygiene     warn    No Jira reference found
Fork PR          warn    Fork (chadmf) — no automated agent review
Staleness        pass

This comment is auto-generated by the Review Queue workflow and will be updated when the PR changes.

@ambient-code ambient-code bot modified the milestones: Merge Queue, Review Queue Mar 12, 2026