From f227dfbd3dc1855e74caeeec0a46a7b485e86bb9 Mon Sep 17 00:00:00 2001
From: Bernd Worsch
Date: Sat, 21 Mar 2026 10:41:13 +0000
Subject: [PATCH] fix(privacyidea): add PI_ADDRESS/PI_PORT; switch readiness probe to tcpSocket

gpappsoft entrypoint requires PI_ADDRESS and PI_PORT env vars to build the gunicorn bind argument. Without them the container crashes immediately.

/token/ returns 401 for unauthenticated GET requests so the httpGet readiness probe was permanently failing. Switch to tcpSocket to match the startup and liveness probes.

Co-Authored-By: Claude Sonnet 4.6
---
 sso-mfa/k8s/privacyidea/deployment.yaml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/sso-mfa/k8s/privacyidea/deployment.yaml b/sso-mfa/k8s/privacyidea/deployment.yaml
index a1505d4..7c110fd 100644
--- a/sso-mfa/k8s/privacyidea/deployment.yaml
+++ b/sso-mfa/k8s/privacyidea/deployment.yaml
@@ -70,6 +70,11 @@ spec:
 env:
 - name: PRIVACYIDEA_CONFIGFILE
 value: /etc/privacyidea/pi.cfg
+ # gpappsoft entrypoint passes these to gunicorn as the bind address/port.
+ - name: PI_ADDRESS
+ value: "0.0.0.0"
+ - name: PI_PORT
+ value: "8080"
 # Sensitive values from Secret (PI_SECRET_KEY, PI_PEPPER, PI_SQLALCHEMY_DATABASE_URI)
 envFrom:
 - secretRef:
@@ -104,8 +109,9 @@ spec:
 periodSeconds: 15
 failureThreshold: 3
 readinessProbe:
- httpGet:
- path: /token/
+ # /token/ returns 401 for unauthenticated GET; use tcpSocket instead.
+ # Switch to httpGet /healthz or similar once confirmed in the image.
+ tcpSocket:
 port: 8080
 initialDelaySeconds: 0
 periodSeconds: 10
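Review bot: `PI_ADDRESS` set to `0.0.0.0` makes the gunicorn listener on 8080 reachable from every pod that can route to this pod's IP, and nothing in the patch shows what limits that. Binding to all interfaces is needed for the Service and the kubelet probes, so the value itself is fine; the restriction has to come from a NetworkPolicy, which is not visible here and should be confirmed. The removed readiness probe in the second hunk set no `scheme`, so the listener is presumably plain HTTP, which makes that restriction matter more for an MFA backend. I would extend the comment to say so, e.g. `# Binds all pod interfaces; ingress must be limited by NetworkPolicy (listener is plain HTTP).` The container spec starts and ends outside the hunk.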
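Review bot: With `tcpSocket` the readiness probe in the second hunk passes as soon as gunicorn accepts a connection, so a pod whose application cannot reach its database or load its config still receives authentication traffic. The commit message says startup and liveness are tcpSocket too, which leaves no probe that exercises the application; for an MFA service that turns a backend fault into failed logins rather than a pod taken out of rotation. Kubernetes `httpGet` accepts any status from 200 to 399, so any unauthenticated path that answers 2xx/3xx would do; whether the image serves one (the WebUI root `/` is a candidate) needs confirming. Until then I would make the comment state the limitation, e.g. `# tcpSocket only proves the port is open; it does not detect DB or config failures.` The readinessProbe block may continue past the last line of the hunk.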