feat(manifests): enable RBAC authorization in SaaS template (#1667)

## Summary
- Flip `--enable-authz` from `false` to `true` in the SaaS template now
that RBAC enforcement middleware has landed (#1660)
- Already live-patched and running on hcmais cluster

## Test plan
- [x] Live-patched on hcmais — api-server running with
`--enable-authz=true`
- [ ] Verify RBAC-protected endpoints return 403 for unauthorized users
- [ ] Verify role-bound users can access their scoped resources

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* API server authorization is now enabled and the control plane uses
OIDC-based credentials instead of the legacy API token.

* **Security**
* Credential handling now relies on the identity provider's JWKS/token
endpoints; plaintext credential option removed.

* **Hardening**
  * Key runtime containers now run with read-only root filesystems.

* **Documentation**
* Added deployment prerequisites: create OIDC client credentials and an
API-server auth config before deploying.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: jsell-rh

components/ambient-api-server/plugins/sessions/message_model.go

@@ -5,7 +5,7 @@ import "time"
 type SessionMessage struct {
 	ID        string    `gorm:"column:id;primaryKey;type:varchar(36)" json:"id"`
 	SessionID string    `gorm:"column:session_id;type:varchar(36)" json:"session_id"`
-	Seq       int64     `gorm:"column:seq" json:"seq"`
+	Seq       int64     `gorm:"column:seq;->" json:"seq"`
 	EventType string    `gorm:"column:event_type;type:varchar(255)" json:"event_type"`
 	Payload   string    `gorm:"column:payload;type:text" json:"payload"`
 	CreatedAt time.Time `gorm:"column:created_at;type:timestamptz" json:"created_at"`

components/manifests/README.md

@@ -124,6 +124,32 @@ Components are opt-in kustomize modules included via the `components:` block in
 | `ambient-api-server-db` | Same RHEL patch for the ambient-api-server's dedicated DB | `production`, `local-dev` |
 | `postgresql-init-scripts` | ConfigMap + volume for DB init SQL (vanilla postgres only) | `kind`, `e2e` |
 
+## Prerequisites for New Deployments
+
+Before deploying, create these secrets in the target namespace:
+
+### Control-plane OIDC credentials
+
+The control-plane authenticates to the api-server using Keycloak client credentials (OAuth2 `client_credentials` grant). Create a **confidential** Keycloak client with only the **Service accounts roles** flow enabled, then:
+
+```bash
+oc create secret generic ambient-control-plane-oidc \
+  -n <namespace> \
+  --from-literal=client-id=<keycloak-client-id> \
+  --from-literal=client-secret=<keycloak-client-secret>
+```
+
+### API server auth ConfigMap
+
+The api-server validates JWTs using keys from the Keycloak JWKS endpoint (configured via `--jwk-cert-url`). A local fallback is also loaded from a ConfigMap:
+
+```bash
+oc create configmap ambient-api-server-auth \
+  -n <namespace> \
+  --from-file=jwks.json=<(curl -s <KEYCLOAK_REALM_URL>/protocol/openid-connect/certs) \
+  --from-file=acl.yml=<(echo '- claim: email\n  pattern: ^.*$')
+```
+
 ## Building and Validating
 
 ```bash

components/manifests/overlays/hcmais/control-plane-env-patch.yaml

@@ -16,8 +16,15 @@ spec:
               value: "false"
             - name: CP_TOKEN_URL
               value: "http://ambient-control-plane.ambient-api.svc:8080/token"
-            - name: AMBIENT_API_TOKEN
+            - name: OIDC_TOKEN_URL
+              value: "https://keycloak-ambient-keycloak.apps.rosa.hcmais01ue1.s9m2.p3.openshiftapps.com/realms/ambient-code/protocol/openid-connect/token"
+            - name: OIDC_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: ambient-control-plane-token
-                  key: token
+                  name: ambient-control-plane-oidc
+                  key: client-id
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: ambient-control-plane-oidc
+                  key: client-secret

components/manifests/templates/template-services.yaml

@@ -105,6 +105,7 @@ objects:
               initialDelaySeconds: 30
               periodSeconds: 30
             securityContext:
+              readOnlyRootFilesystem: true
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
@@ -189,6 +190,7 @@ objects:
                 cpu: 500m
                 memory: 512Mi
             securityContext:
+              readOnlyRootFilesystem: true
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
@@ -200,13 +202,11 @@ objects:
             env:
               - name: AMBIENT_ENV
                 value: production
-              - name: AMBIENT_API_TOKEN
+              - name: GRPC_SERVICE_ACCOUNT
                 valueFrom:
                   secretKeyRef:
-                    name: ambient-control-plane-token
-                    key: token
-              - name: JWK_CERT_URL
-                value: "${KEYCLOAK_REALM_URL}/protocol/openid-connect/certs"
+                    name: ambient-control-plane-oidc
+                    key: client-id
               - name: CREDENTIAL_ENCRYPTION_KEYRING
                 valueFrom:
                   secretKeyRef:
@@ -219,8 +219,6 @@ objects:
                     name: credential-encryption-key
                     key: version
                     optional: true
-              - name: CREDENTIAL_ENCRYPTION_ALLOW_PLAINTEXT
-                value: "true"
             command:
               - /usr/local/bin/ambient-api-server
               - serve
@@ -230,8 +228,9 @@ objects:
               - --db-password-file=/secrets/db/db.password
               - --db-name-file=/secrets/db/db.name
               - --enable-jwt=true
-              - --enable-authz=false
+              - --enable-authz=true
               - --jwk-cert-file=/configs/authentication/jwks.json
+              - --jwk-cert-url=${KEYCLOAK_REALM_URL}/protocol/openid-connect/certs
               - --enable-https=false
               - --enable-grpc=true
               - --grpc-enable-tls=false
@@ -295,6 +294,7 @@ objects:
               initialDelaySeconds: 20
               periodSeconds: 10
             securityContext:
+              readOnlyRootFilesystem: true
               allowPrivilegeEscalation: false
               capabilities:
                 drop:
@@ -375,11 +375,18 @@ objects:
                 value: standard
               - name: LOG_LEVEL
                 value: info
-              - name: AMBIENT_API_TOKEN
+              - name: OIDC_TOKEN_URL
+                value: "${KEYCLOAK_REALM_URL}/protocol/openid-connect/token"
+              - name: OIDC_CLIENT_ID
+                valueFrom:
+                  secretKeyRef:
+                    name: ambient-control-plane-oidc
+                    key: client-id
+              - name: OIDC_CLIENT_SECRET
                 valueFrom:
                   secretKeyRef:
-                    name: ambient-control-plane-token
-                    key: token
+                    name: ambient-control-plane-oidc
+                    key: client-secret
               - name: AMBIENT_API_SERVER_URL
                 value: "http://ambient-api-server.${NAMESPACE}.svc:8000"
               - name: AMBIENT_GRPC_SERVER_ADDR