fix(privacyidea): add PI_ADDRESS/PI_PORT; switch readiness probe to tcpSocket

gpappsoft entrypoint requires PI_ADDRESS and PI_PORT env vars to build the gunicorn bind argument. Without them the container crashes immediately. /token/ returns 401 for unauthenticated GET requests so the httpGet readiness probe was permanently failing. Switch to tcpSocket to match the startup and liveness probes. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 10:41:13 +00:00
parent 9587d14803
commit f227dfbd3d
1 changed files with 8 additions and 2 deletions
--- a/sso-mfa/k8s/privacyidea/deployment.yaml
+++ b/sso-mfa/k8s/privacyidea/deployment.yaml
@@ -70,6 +70,11 @@ spec:
          env:
            - name: PRIVACYIDEA_CONFIGFILE
              value: /etc/privacyidea/pi.cfg
+            # gpappsoft entrypoint passes these to gunicorn as the bind address/port.
+            - name: PI_ADDRESS
+              value: "0.0.0.0"
+            - name: PI_PORT
+              value: "8080"
          # Sensitive values from Secret (PI_SECRET_KEY, PI_PEPPER, PI_SQLALCHEMY_DATABASE_URI)
          envFrom:
            - secretRef:
@@ -104,8 +109,9 @@ spec:
            periodSeconds: 15
            failureThreshold: 3
          readinessProbe:
-            httpGet:
-              path: /token/
+            # /token/ returns 401 for unauthenticated GET; use tcpSocket instead.
+            # Switch to httpGet /healthz or similar once confirmed in the image.
+            tcpSocket:
              port: 8080
            initialDelaySeconds: 0
            periodSeconds: 10