fc-signalcontrol: switch probes to tcpSocket — middleware blocks /health

The app's ApiKeyAuthenticationMiddleware runs BEFORE /health is mapped, so unauthenticated probe requests get 404. tcpSocket probes verify the listener is up without auth, which is correct for an internal K8s probe (kubelet talks pod IP directly, not externally). Real fix is in the app: move /health before the middleware or mark it [AllowAnonymous]. Tracked separately. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 15:21:04 -05:00
parent 973c1dae72
commit c0547a9964
1 changed files with 7 additions and 6 deletions
--- a/apps/fc-signalcontrol/fc-signalcontrol.yaml
+++ b/apps/fc-signalcontrol/fc-signalcontrol.yaml
@@ -63,17 +63,18 @@ spec:
            limits:
              memory: "512Mi"
              cpu: "500m"
+          # Note: app's ApiKeyAuthenticationMiddleware blocks /health → 404. Until
+          # /health is moved before that middleware (or marked anonymous), use
+          # tcpSocket probes that just check the listener is accepting.
          livenessProbe:
-            httpGet:
-              path: /health
+            tcpSocket:
              port: 8080
-            initialDelaySeconds: 10
+            initialDelaySeconds: 30
            periodSeconds: 30
          readinessProbe:
-            httpGet:
-              path: /health
+            tcpSocket:
              port: 8080
-            initialDelaySeconds: 5
+            initialDelaySeconds: 10
            periodSeconds: 10
      volumes:
        - name: data