fix(auth): mark OIDC healthz probes anonymous

fix(monitoring): probe OIDC-safe health routes
Sprint 58 Cx-12. Rebased over OIDC GitOps main; YAML parse and focused bluejay-infra lint tests passed.
2026-06-04 11:03:20 -05:00 · 2026-06-04 06:45:34 +00:00
4 changed files with 6 additions and 3 deletions
--- a/apps/fc-distribution/fc-distribution.yaml
+++ b/apps/fc-distribution/fc-distribution.yaml
@@ -109,6 +109,7 @@ spec:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics"
        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      # Synology NFS export `/volume1/kubernetes` ACL only allows rke2-server
      # (10.0.56.11) right now. Until the ACL is widened in DSM (admin only),
--- a/apps/fc-dns/fc-dns.yaml
+++ b/apps/fc-dns/fc-dns.yaml
@@ -101,6 +101,7 @@ spec:
        prometheus.io/scrape: "true"
        prometheus.io/port: "5320"
        prometheus.io/path: "/metrics/prometheus"
        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      serviceAccountName: dns-web
      securityContext:
--- a/apps/fc-media/fc-media.yaml
+++ b/apps/fc-media/fc-media.yaml
@@ -131,6 +131,7 @@ spec:
        prometheus.io/scrape: "true"
        prometheus.io/port: "5200"
        prometheus.io/path: "/metrics"
        flowercore.io/healthz-auth-policy: "allow-anonymous"
    spec:
      nodeSelector:
        kubernetes.io/hostname: rke2-server
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -487,16 +487,16 @@ public sealed class FleetManifestLintTests
    }
    [Fact]
-    public void Distribution_OidcEnforcement_MustStayOffUntilHealthzAllowAnonymousProofLands()
+    public void Distribution_OidcEnforcement_MustKeepHealthzAnonymousContractVisibleInManifest()
    {
        var distribution = Inventory.Documents
            .Single(document => document.Kind == "Deployment" && document.Namespace == "fc-distribution" && document.Name == "fc-distribution");
        var container = distribution.MainContainerMappings().Should().ContainSingle().Subject;
        EnvValue(container, "FlowerCore__Auth__Oidc__Enabled").Should().Be("true");
-        EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be("false");
+        EnvValue(container, "FlowerCore__Auth__Enabled").Should().Be("true");
        ProbeHttpGetPath(container, "readinessProbe").Should().Be("/healthz");
-        PodAnnotation(distribution, "flowercore.io/healthz-auth-policy").Should().NotBe("allow-anonymous");
+        PodAnnotation(distribution, "flowercore.io/healthz-auth-policy").Should().Be("allow-anonymous");
    }
    [Fact]
Author	SHA1	Message	Date
Andrew Stoltz	81a3ddac4c	fix(auth): mark OIDC healthz probes anonymous	2026-06-04 11:03:20 -05:00
bluejay	300f8ad546	fix(monitoring): probe OIDC-safe health routes Sprint 58 Cx-12. Rebased over OIDC GitOps main; YAML parse and focused bluejay-infra lint tests passed.	2026-06-04 06:45:34 +00:00