From 81a3ddac4c40657985ac7ed559f096e40d0f276d Mon Sep 17 00:00:00 2001
From: Andrew Stoltz
Date: Thu, 4 Jun 2026 11:03:20 -0500
Subject: [PATCH] fix(auth): mark OIDC healthz probes anonymous
---
 apps/fc-distribution/fc-distribution.yaml | 1 +
 apps/fc-dns/fc-dns.yaml | 1 +
 apps/fc-media/fc-media.yaml | 1 +
 tests/bluejay-infra-lint/FleetManifestLintTests.cs | 6 +++---
 4 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/apps/fc-distribution/fc-distribution.yaml b/apps/fc-distribution/fc-distribution.yaml
index e01ef64..1217236 100644
--- a/apps/fc-distribution/fc-distribution.yaml
+++ b/apps/fc-distribution/fc-distribution.yaml
@@ -109,6 +109,7 @@ spec:
 prometheus.io/scrape: "true"
 prometheus.io/port: "8080"
 prometheus.io/path: "/metrics"
+ flowercore.io/healthz-auth-policy: "allow-anonymous"
 spec:
 # Synology NFS export `/volume1/kubernetes` ACL only allows rke2-server
 # (10.0.56.11) right now. Until the ACL is widened in DSM (admin only),
diff --git a/apps/fc-dns/fc-dns.yaml b/apps/fc-dns/fc-dns.yaml
index 22c5192..1d46ed7 100644
--- a/apps/fc-dns/fc-dns.yaml
+++ b/apps/fc-dns/fc-dns.yaml
@@ -101,6 +101,7 @@ spec:
 prometheus.io/scrape: "true"
 prometheus.io/port: "5320"
 prometheus.io/path: "/metrics/prometheus"
+ flowercore.io/healthz-auth-policy: "allow-anonymous"
 spec:
 serviceAccountName: dns-web
 securityContext:
diff --git a/apps/fc-media/fc-media.yaml b/apps/fc-media/fc-media.yaml
index 0ad043e..2f19f42 100644
--- a/apps/fc-media/fc-media.yaml
+++ b/apps/fc-media/fc-media.yaml
@@ -131,6 +131,7 @@ spec:
 prometheus.io/scrape: "true"
 prometheus.io/port: "5200"
 prometheus.io/path: "/metrics"
+ flowercore.io/healthz-auth-policy: "allow-anonymous"
 spec:
 nodeSelector:
 kubernetes.io/hostname: rke2-server
diff --git a/tests/bluejay-infra-lint/FleetManifestLintTests.cs b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
index 3e21938..9c04772 100644
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
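Review bot: The `flowercore.io/healthz-auth-policy: "allow-anonymous"` annotation lands in the pod-template annotations of fc-dns and fc-media as well as fc-distribution, but the lint change in this patch pins the annotation only for the fc-distribution Deployment, so the other two can drift (or be widened to another value) without a test failing. The annotation sits next to the prometheus scrape annotations, i.e. it is pod-wide, while the only thing the lint ties it to is the readiness probe path `/healthz`; if the intended contract is "only the probe endpoint is reachable without a token", say so on the annotation line in each manifest, e.g. `# exempts only the /healthz probe path from OIDC enforcement; see FleetManifestLintTests`, so a future reader does not take it as a blanket anonymous policy. Which component reads this annotation and enforces it is not visible in this patch, so the manifest comment should name it if it is known.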
@@ -487,16 +487,16 @@ public sealed class FleetManifestLintTests
 }
 [Fact]
- public void Distribution_OidcEnforcement_MustStayOffUntilHealthzAllowAnonymousProofLands()
+ public void Distribution_OidcEnforcement_MustKeepHealthzAnonymousContractVisibleInManifest()
 {
 var distribution = Inventory.Documents
 .Single(document => document.Kind == "Deployment" && document.Namespace == "fc-distribution" && document.Name == "fc-distribution");
 var container = distribution.MainContainerMappings().Should().ContainSingle().Subject;
 EnvValue(container, "FlowerCore__Auth__Oidc__Enabled").Should().Be("true");
- EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be("false");
+ EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be("true");
 ProbeHttpGetPath(container, "readinessProbe").Should().Be("/healthz");
- PodAnnotation(distribution, "flowercore.io/healthz-auth-policy").Should().NotBe("allow-anonymous");
+ PodAnnotation(distribution, "flowercore.io/healthz-auth-policy").Should().Be("allow-anonymous");
 }
 [Fact]
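Review bot: The new assertion `EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be("true");` has no corresponding manifest change in this patch — the fc-distribution hunk only inserts the annotation and the diffstat shows a single insertion per YAML file — so either that env var was already "true" (in which case the removed `.Be("false")` assertion was already red) or this test goes red after the commit; the commit should carry the env change it asserts, or the message should say which earlier commit did. Only the fc-distribution Deployment is pinned, yet the same annotation is added to fc-dns and fc-media in this patch; turning this into a `[Theory]` over the three deployments keeps the anonymous-healthz contract from silently diverging on the other two. The test also pins only the `readinessProbe` path; if the liveness probe hits `/healthz` as well it should be asserted alongside, so a later change cannot route a probe to a path the anonymous policy does not cover. The test method is complete within the hunk.
```csharp
[Theory]
[InlineData("fc-distribution", "fc-distribution")]
[InlineData("fc-dns", "<fc-dns Deployment name — placeholder, not visible in this patch>")]
[InlineData("fc-media", "<fc-media Deployment name — placeholder, not visible in this patch>")]
public void OidcEnforcement_MustKeepHealthzAnonymousContractVisibleInManifest(string ns, string name)
{
    var deployment = Inventory.Documents
        .Single(document => document.Kind == "Deployment" && document.Namespace == ns && document.Name == name);
    // … unchanged: container lookup, EnvValue and ProbeHttpGetPath assertions, now against `deployment` …
    ProbeHttpGetPath(container, "livenessProbe").Should().Be("/healthz");
    PodAnnotation(deployment, "flowercore.io/healthz-auth-policy").Should().Be("allow-anonymous");
}
```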