From 4c17d22de6454443a7e9c007834c75404a240374 Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Sun, 5 Apr 2026 20:54:56 -0300
Subject: [PATCH] startup: stop blocking on broken sso probe in post-start
 checks

---
 configs/hecate.example.yaml  | 1 -
 configs/hecate.tethys.yaml   | 1 -
 configs/hecate.titan-db.yaml | 1 -
 scripts/install.sh           | 7 ++++++-
 4 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/configs/hecate.example.yaml b/configs/hecate.example.yaml
index fd7b5ee..54920d0 100644
--- a/configs/hecate.example.yaml
+++ b/configs/hecate.example.yaml
@@ -67,7 +67,6 @@ startup:
   post_start_probe_wait_seconds: 240
   post_start_probe_poll_seconds: 5
   post_start_probes:
-    - https://sso.bstein.dev/realms/atlas/.well-known/openid-configuration
     - https://scm.bstein.dev/user/login
     - https://metrics.bstein.dev/login
   vault_unseal_key_file: /var/lib/hecate/vault-unseal.key
diff --git a/configs/hecate.tethys.yaml b/configs/hecate.tethys.yaml
index 4573676..0ee8952 100644
--- a/configs/hecate.tethys.yaml
+++ b/configs/hecate.tethys.yaml
@@ -133,7 +133,6 @@ startup:
   post_start_probe_wait_seconds: 240
   post_start_probe_poll_seconds: 5
   post_start_probes:
-    - https://sso.bstein.dev/realms/atlas/.well-known/openid-configuration
     - https://scm.bstein.dev/user/login
     - https://metrics.bstein.dev/login
   vault_unseal_key_file: /var/lib/hecate/vault-unseal.key
diff --git a/configs/hecate.titan-db.yaml b/configs/hecate.titan-db.yaml
index 61277ab..2124347 100644
--- a/configs/hecate.titan-db.yaml
+++ b/configs/hecate.titan-db.yaml
@@ -133,7 +133,6 @@ startup:
   post_start_probe_wait_seconds: 240
   post_start_probe_poll_seconds: 5
   post_start_probes:
-    - https://sso.bstein.dev/realms/atlas/.well-known/openid-configuration
     - https://scm.bstein.dev/user/login
     - https://metrics.bstein.dev/login
   vault_unseal_key_file: /var/lib/hecate/vault-unseal.key
diff --git a/scripts/install.sh b/scripts/install.sh
index 4903860..1cde139 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -278,10 +278,15 @@ migrate_hecate_config() {
   fi
   if grep -Eq '^  storage_critical_pvcs:[[:space:]]*$' "${CONF_DIR}/hecate.yaml" \
     && ! grep -Eq '^  require_post_start_probes:[[:space:]]*(true|false)' "${CONF_DIR}/hecate.yaml"; then
-    sed -Ei '/^    - sso\/keycloak-data$/a\  require_post_start_probes: true\n  post_start_probe_wait_seconds: 240\n  post_start_probe_poll_seconds: 5\n  post_start_probes:\n    - https://sso.bstein.dev/realms/atlas/.well-known/openid-configuration\n    - https://scm.bstein.dev/user/login\n    - https://metrics.bstein.dev/login\n  vault_unseal_key_file: /var/lib/hecate/vault-unseal.key' "${CONF_DIR}/hecate.yaml"
+    sed -Ei '/^    - sso\/keycloak-data$/a\  require_post_start_probes: true\n  post_start_probe_wait_seconds: 240\n  post_start_probe_poll_seconds: 5\n  post_start_probes:\n    - https://scm.bstein.dev/user/login\n    - https://metrics.bstein.dev/login\n  vault_unseal_key_file: /var/lib/hecate/vault-unseal.key' "${CONF_DIR}/hecate.yaml"
     echo "[install] added startup post-start probe + vault key fallback defaults"
     changed=1
   fi
+  if grep -Eq '^    - https://sso.bstein.dev/realms/atlas/.well-known/openid-configuration$' "${CONF_DIR}/hecate.yaml"; then
+    sed -Ei '/^    - https:\/\/sso\.bstein\.dev\/realms\/atlas\/\.well-known\/openid-configuration$/d' "${CONF_DIR}/hecate.yaml"
+    echo "[install] removed sso OIDC probe from startup.post_start_probes (returns 404 in current deployment)"
+    changed=1
+  fi
   if ! grep -Eq '^  vault_unseal_key_file:[[:space:]]*/var/lib/hecate/vault-unseal.key' "${CONF_DIR}/hecate.yaml"; then
     if grep -Eq '^startup:[[:space:]]*$' "${CONF_DIR}/hecate.yaml" && grep -Eq '^  post_start_probes:[[:space:]]*$' "${CONF_DIR}/hecate.yaml"; then
       sed -Ei '/^    - https:\/\/metrics\.bstein\.dev\/login$/a\  vault_unseal_key_file: /var/lib/hecate/vault-unseal.key' "${CONF_DIR}/hecate.yaml"