From c0547a9964fe0c9453d8f5e54a624b7e8070bd5f Mon Sep 17 00:00:00 2001
From: Andrew Stoltz <andrew@flowercore.io>
Date: Wed, 22 Apr 2026 15:21:04 -0500
Subject: [PATCH] =?UTF-8?q?fc-signalcontrol:=20switch=20probes=20to=20tcpS?=
 =?UTF-8?q?ocket=20=E2=80=94=20middleware=20blocks=20/health?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The app's ApiKeyAuthenticationMiddleware runs BEFORE /health is mapped, so
unauthenticated probe requests get 404. tcpSocket probes verify the listener
is up without auth, which is correct for an internal K8s probe (kubelet
talks pod IP directly, not externally).

Real fix is in the app: move /health before the middleware or mark it
[AllowAnonymous]. Tracked separately.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/fc-signalcontrol/fc-signalcontrol.yaml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/apps/fc-signalcontrol/fc-signalcontrol.yaml b/apps/fc-signalcontrol/fc-signalcontrol.yaml
index 7e5a6de..7f8a97f 100644
--- a/apps/fc-signalcontrol/fc-signalcontrol.yaml
+++ b/apps/fc-signalcontrol/fc-signalcontrol.yaml
@@ -63,17 +63,18 @@ spec:
             limits:
               memory: "512Mi"
               cpu: "500m"
+          # Note: app's ApiKeyAuthenticationMiddleware blocks /health → 404. Until
+          # /health is moved before that middleware (or marked anonymous), use
+          # tcpSocket probes that just check the listener is accepting.
           livenessProbe:
-            httpGet:
-              path: /health
+            tcpSocket:
               port: 8080
-            initialDelaySeconds: 10
+            initialDelaySeconds: 30
             periodSeconds: 30
           readinessProbe:
-            httpGet:
-              path: /health
+            tcpSocket:
               port: 8080
-            initialDelaySeconds: 5
+            initialDelaySeconds: 10
             periodSeconds: 10
       volumes:
         - name: data