fix(auth): mark OIDC healthz probes anonymous

2026-06-04 11:03:20 -05:00
parent 300f8ad546
commit 81a3ddac4c
4 changed files with 6 additions and 3 deletions
--- a/apps/fc-distribution/fc-distribution.yaml
+++ b/apps/fc-distribution/fc-distribution.yaml
@@ -109,6 +109,7 @@ spec:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      # Synology NFS export `/volume1/kubernetes` ACL only allows rke2-server
      # (10.0.56.11) right now. Until the ACL is widened in DSM (admin only),
--- a/apps/fc-dns/fc-dns.yaml
+++ b/apps/fc-dns/fc-dns.yaml
@@ -101,6 +101,7 @@ spec:
        prometheus.io/scrape: "true"
        prometheus.io/port: "5320"
        prometheus.io/path: "/metrics/prometheus"
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      serviceAccountName: dns-web
      securityContext:
--- a/apps/fc-media/fc-media.yaml
+++ b/apps/fc-media/fc-media.yaml
@@ -131,6 +131,7 @@ spec:
        prometheus.io/scrape: "true"
        prometheus.io/port: "5200"
        prometheus.io/path: "/metrics"
+        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      nodeSelector:
        kubernetes.io/hostname: rke2-server
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -487,16 +487,16 @@ public sealed class FleetManifestLintTests
    }

    [Fact]
-    public void Distribution_OidcEnforcement_MustStayOffUntilHealthzAllowAnonymousProofLands()
+    public void Distribution_OidcEnforcement_MustKeepHealthzAnonymousContractVisibleInManifest()
    {
        var distribution = Inventory.Documents
            .Single(document => document.Kind == "Deployment" && document.Namespace == "fc-distribution" && document.Name == "fc-distribution");
        var container = distribution.MainContainerMappings().Should().ContainSingle().Subject;

        EnvValue(container, "FlowerCore__Auth__Oidc__Enabled").Should().Be("true");
-        EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be("false");
+        EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be("true");
        ProbeHttpGetPath(container, "readinessProbe").Should().Be("/healthz");
-        PodAnnotation(distribution, "flowercore.io/healthz-auth-policy").Should().NotBe("allow-anonymous");
+        PodAnnotation(distribution, "flowercore.io/healthz-auth-policy").Should().Be("allow-anonymous");
    }

    [Fact]