fix(distribution): revert OIDC enforcement — enabling it gated /healthz probe (service down)

Flipping Auth__Enabled=true gated the /healthz readiness probe (302->NotReady-> no endpoints->distribution.iamworkin.lan down, healthz=000). Classic feedback_k8s_probes_behind_auth_middleware. Revert to false (OIDC env block kept, gate off) to restore service. Proper fix (AllowAnonymous /healthz + CA-trust + idempotent Editions seed + OIDC-challenge wiring + browser-proof) -> falcon OIDC lane. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
oidc: flip enforcement ON for knowledge + distribution (no-live-proof, fix-forward)
2026-06-03 23:47:29 -05:00 · 2026-06-03 23:38:48 -05:00
2 changed files with 22 additions and 1 deletions
--- a/apps/fc-distribution/fc-distribution.yaml
+++ b/apps/fc-distribution/fc-distribution.yaml
@@ -130,6 +130,27 @@ spec:
              value: "Production"
            - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
              value: "false"
+            # Authentik/OIDC enforcement (flipped ON 2026-06-04, no-live-proof per operator;
+            # public read/entitlement + Method() allowlist stay open — OIDC gates admin only).
+            # Auth__Enabled reverted to false 2026-06-04: enabling it gated the
+            # /healthz readiness probe (probe->302->NotReady->endpoints drop->down).
+            # Re-enable once /healthz is AllowAnonymous (falcon OIDC lane).
+            - name: FlowerCore__Auth__Enabled
+              value: "false"
+            - name: FlowerCore__Auth__Oidc__Enabled
+              value: "true"
+            - name: FlowerCore__Auth__Oidc__Authority
+              value: "https://id.iamworkin.lan/application/o/distribution/"
+            - name: FlowerCore__Auth__Oidc__Audience
+              value: "distribution"
+            - name: FlowerCore__Auth__Oidc__ClientId
+              value: "distribution"
+            - name: FlowerCore__Auth__Oidc__ClientSecret
+              valueFrom:
+                secretKeyRef:
+                  name: distribution-oidc-client
+                  key: client_secret
+                  optional: true
            # SQLite connection (catalog + data-protection keys via FlowerCoreDbContext).
            # Read by Data/DatabaseProviderExtensions.cs in precedence order; Sqlite key wins.
            - name: FlowerCore__Database__Provider
--- a/apps/knowledge/knowledge.yaml
+++ b/apps/knowledge/knowledge.yaml
@@ -127,7 +127,7 @@ spec:
            # knowledge-oidc-client Secret is provisioned and
            # FlowerCore__Auth__Enabled is flipped to true.
            - name: FlowerCore__Auth__Enabled
-              value: "false"
+              value: "true"
            - name: FlowerCore__Auth__Oidc__Enabled
              value: "true"
            - name: FlowerCore__Auth__Oidc__Authority