From 13f9bb7710741174ff84fb28c20f94f5d557686c Mon Sep 17 00:00:00 2001
From: Andrew Stoltz <astoltz@iamwork.in>
Date: Wed, 3 Jun 2026 23:47:29 -0500
Subject: [PATCH] =?UTF-8?q?fix(distribution):=20revert=20OIDC=20enforcemen?=
 =?UTF-8?q?t=20=E2=80=94=20enabling=20it=20gated=20/healthz=20probe=20(ser?=
 =?UTF-8?q?vice=20down)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flipping Auth__Enabled=true gated the /healthz readiness probe (302->NotReady->
no endpoints->distribution.iamworkin.lan down, healthz=000). Classic
feedback_k8s_probes_behind_auth_middleware. Revert to false (OIDC env block kept,
gate off) to restore service. Proper fix (AllowAnonymous /healthz + CA-trust +
idempotent Editions seed + OIDC-challenge wiring + browser-proof) -> falcon OIDC lane.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 apps/fc-distribution/fc-distribution.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/apps/fc-distribution/fc-distribution.yaml b/apps/fc-distribution/fc-distribution.yaml
index 88e0618..29b75af 100644
--- a/apps/fc-distribution/fc-distribution.yaml
+++ b/apps/fc-distribution/fc-distribution.yaml
@@ -132,8 +132,11 @@ spec:
               value: "false"
             # Authentik/OIDC enforcement (flipped ON 2026-06-04, no-live-proof per operator;
             # public read/entitlement + Method() allowlist stay open — OIDC gates admin only).
+            # Auth__Enabled reverted to false 2026-06-04: enabling it gated the
+            # /healthz readiness probe (probe->302->NotReady->endpoints drop->down).
+            # Re-enable once /healthz is AllowAnonymous (falcon OIDC lane).
             - name: FlowerCore__Auth__Enabled
-              value: "true"
+              value: "false"
             - name: FlowerCore__Auth__Oidc__Enabled
               value: "true"
             - name: FlowerCore__Auth__Oidc__Authority