fc-signalcontrol: switch probes to tcpSocket — middleware blocks /health

The app's ApiKeyAuthenticationMiddleware runs BEFORE /health is mapped, so
unauthenticated probe requests get 404. tcpSocket probes verify the listener
is up without auth, which is correct for an internal K8s probe (kubelet
talks pod IP directly, not externally).

Real fix is in the app: move /health before the middleware or mark it
[AllowAnonymous]. Tracked separately.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/fc-signalcontrol/fc-signalcontrol.yaml

@@ -63,17 +63,18 @@ spec:
             limits:
               memory: "512Mi"
               cpu: "500m"
+          # Note: app's ApiKeyAuthenticationMiddleware blocks /health → 404. Until
+          # /health is moved before that middleware (or marked anonymous), use
+          # tcpSocket probes that just check the listener is accepting.
           livenessProbe:
-            httpGet:
+            tcpSocket:
-              path: /health
               port: 8080
-            initialDelaySeconds: 10
+            initialDelaySeconds: 30
             periodSeconds: 30
           readinessProbe:
-            httpGet:
+            tcpSocket:
-              path: /health
               port: 8080
-            initialDelaySeconds: 5
+            initialDelaySeconds: 10
             periodSeconds: 10
       volumes:
         - name: data