fix(monitoring): probe OIDC-safe health routes #35

Merged
bluejay merged 1 commit from codex/s58-monitoring-oidc-probes into main 2026-06-04 06:45:34 +00:00
Summary

  • Repoints OIDC-sensitive blackbox probes to anonymous health routes where the route already exists.
  • Adds Knowledge's explicit `flowercore.io/healthz-auth-policy: allow-anonymous` manifest contract for enforced OIDC plus `/healthz` probes.
  • Adds lint coverage so future OIDC-enforced /healthz probes must declare the anonymous health contract, and Distribution stays auth-disabled until that proof lands.

Validation

  • `dotnet.exe test tests\bluejay-infra-lint\BluejayInfraLint.Tests.csproj -c Release --no-restore --filter "FullyQualifiedName~Monitoring_GenericKubernetesAlerts_MustExcludeEphemeralGithubRunnerNamespace|FullyQualifiedName~Monitoring_BlackboxTargetsForOidcSensitiveServices_MustUseAnonymousHealthRoutesWhenAvailable|FullyQualifiedName~OidcEnforcedDeployments_WithHttpHealthzProbes_MustDeclareAnonymousHealthzContract|FullyQualifiedName~Knowledge_OidcEnforcement_MustKeepHealthzAnonymousContractVisibleInManifest|FullyQualifiedName~Distribution_OidcEnforcement_MustStayOffUntilHealthzAllowAnonymousProofLands" -v minimal` => 5 passed.
  • Full `FleetManifestLintTests` run remains 21/25 because of four pre-existing baseline failures: public read/write ingress method allowlist, fc-devicemgmt app discovery/manifest set, and github-runner-sharedpos replica count.
  • Parsed `apps/monitoring/noc-monitoring.yaml` and `apps/knowledge/knowledge.yaml` with PyYAML.

Proof Notes

  • Live probe snapshot on 2026-06-04: print `/healthz` 200, chat `/healthz` 200, dist `/healthz` 200, dms `/healthz` 200, knowledge `/healthz` 200, dns `/healthz` 404, media `/healthz` 404.
  • This branch does not flip OIDC enforcement for DNS, Media, or Distribution.
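An added illustration of the two lint contracts this PR describes, written for this page and not taken from bluejay-infra-lint (whose rules live in the C# test project above): a Python check that (a) fails any OIDC-enforced Deployment with an HTTP `/healthz` probe that does not carry `flowercore.io/healthz-auth-policy: allow-anonymous`, and (b) fails a blackbox target for an OIDC-sensitive service that points anywhere other than `/healthz` once the service already serves that route anonymously. The `flowercore.io/oidc-enforced` annotation, the hostnames and the inline manifests are constructed assumptions, not values from this repository; the set of services with a working anonymous `/healthz` mirrors the 200 responses in the proof snapshot above. Real manifests would come from `yaml.safe_load`, which is what the PyYAML parse in the validation notes does.

```python
"""Added example: lint checks for the two monitoring/OIDC contracts the PR
describes. Illustrative Python written for this page, not the
bluejay-infra-lint project's own C# rules.

Assumptions (not from the PR): the 'flowercore.io/oidc-enforced' annotation
marks a Deployment as sitting behind OIDC, the hostnames are placeholders,
and the manifests are inline dicts standing in for yaml.safe_load output.
Only 'flowercore.io/healthz-auth-policy: allow-anonymous' comes from the PR.
"""
from urllib.parse import urlparse

HEALTHZ_POLICY_KEY = "flowercore.io/healthz-auth-policy"  # from the PR
ANON_POLICY = "allow-anonymous"                           # from the PR
OIDC_MARKER_KEY = "flowercore.io/oidc-enforced"           # hypothetical marker


def _http_probe_paths(deployment):
    """Yield the HTTP path of every liveness/readiness/startup probe."""
    pod = deployment.get("spec", {}).get("template", {}).get("spec", {})
    for container in pod.get("containers", []):
        for kind in ("livenessProbe", "readinessProbe", "startupProbe"):
            http_get = (container.get(kind) or {}).get("httpGet")
            if http_get and "path" in http_get:
                yield http_get["path"]


def lint_healthz_contract(deployment):
    """Return violations for one Deployment.

    Rule: an OIDC-enforced Deployment whose HTTP probe targets /healthz must
    declare in its annotations that /healthz is served anonymously. The
    annotation is the reviewable proof that the unauthenticated route is a
    deliberate decision rather than a side effect of the auth middleware.
    """
    meta = deployment.get("metadata", {})
    annotations = meta.get("annotations") or {}
    name = meta.get("name", "<unnamed>")
    oidc_on = str(annotations.get(OIDC_MARKER_KEY, "false")).lower() == "true"
    if not oidc_on or "/healthz" not in set(_http_probe_paths(deployment)):
        return []
    if annotations.get(HEALTHZ_POLICY_KEY) != ANON_POLICY:
        return [f"{name}: OIDC-enforced deployment probes /healthz but lacks "
                f"{HEALTHZ_POLICY_KEY}: {ANON_POLICY}"]
    return []


def lint_blackbox_targets(targets, oidc_sensitive, anon_health_routes):
    """Return violations for a {service: url} map of blackbox probe targets.

    Rule: when an OIDC-sensitive service already serves /healthz anonymously,
    its blackbox probe must hit that route; probing an authenticated path
    measures the IdP redirect, not the service.
    """
    violations = []
    for service, url in targets.items():
        if service not in oidc_sensitive or service not in anon_health_routes:
            continue  # no anonymous route yet: nothing to repoint to
        if urlparse(url).path != "/healthz":
            violations.append(f"{service}: probe {url} should target /healthz")
    return violations


def _deployment(name, annotations, probe_path):
    """Build a minimal constructed Deployment with one liveness probe."""
    return {
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": name, "annotations": annotations},
        "spec": {"template": {"spec": {"containers": [{
            "name": name,
            "livenessProbe": {"httpGet": {"path": probe_path, "port": 8080}},
        }]}}},
    }


# Constructed sample manifests covering the cases the lint must distinguish.
SAMPLE_DEPLOYMENTS = [
    _deployment("knowledge", {OIDC_MARKER_KEY: "true", HEALTHZ_POLICY_KEY: ANON_POLICY}, "/healthz"),
    _deployment("distribution", {OIDC_MARKER_KEY: "true"}, "/healthz"),   # OIDC on, contract missing
    _deployment("media", {OIDC_MARKER_KEY: "false"}, "/healthz"),         # OIDC off: no contract needed
    _deployment("print", {OIDC_MARKER_KEY: "true"}, "/ready"),            # OIDC on, probe is not /healthz
]

# Constructed blackbox targets; hostnames are placeholders.
SAMPLE_TARGETS = {
    "knowledge": "https://knowledge.example.com/healthz",  # already repointed
    "chat": "https://chat.example.com/",                    # root sits behind OIDC: violation
    "dns": "https://dns.example.com/",                      # no anonymous /healthz yet: left alone
}
OIDC_SENSITIVE = {"knowledge", "chat", "dns", "media", "distribution"}
# Services whose /healthz answered 200 in the PR's probe snapshot.
ANON_HEALTH_ROUTES = {"print", "chat", "dist", "dms", "knowledge"}


def run_all(deployments=SAMPLE_DEPLOYMENTS, targets=SAMPLE_TARGETS):
    """Run both lints and return every violation as a list of strings."""
    findings = []
    for deployment in deployments:
        findings.extend(lint_healthz_contract(deployment))
    findings.extend(lint_blackbox_targets(targets, OIDC_SENSITIVE, ANON_HEALTH_ROUTES))
    return findings


if __name__ == "__main__":
    for finding in run_all():
        print("FAIL", finding)
```

Run as a script it reports two findings: the `distribution` Deployment (OIDC on, `/healthz` probed, no contract annotation, which is the situation the PR keeps Distribution out of until the proof lands) and the `chat` blackbox target that still probes `/` instead of the anonymous `/healthz`. The `dns` target is left alone because no anonymous route exists yet, matching the 404 in the snapshot.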
bluejay added 1 commit 2026-06-04 05:25:16 +00:00
bluejay force-pushed codex/s58-monitoring-oidc-probes from 735f998197 to b87df27844 2026-06-04 06:45:17 +00:00 Compare
bluejay merged commit 300f8ad546 into main 2026-06-04 06:45:34 +00:00
bluejay deleted branch codex/s58-monitoring-oidc-probes 2026-06-04 06:45:34 +00:00

Reference: bluejay/bluejay-infra#35