From 926f3b34ba64983a4bb6b638168af536569cbd5b Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 2 May 2026 22:53:02 +1000
Subject: [PATCH] fix: set Host header on paperclip health probes to bypass hostname guard

The privateHostnameGuard middleware blocks requests where the Host header is not in the allowlist. Kubelet httpGet probes use the pod IP as the Host header, which is never in the allowlist. Setting Host: localhost ensures probes are always permitted.
---
 apps/base/paperclip/deployment.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/apps/base/paperclip/deployment.yaml b/apps/base/paperclip/deployment.yaml
index 21a6222..39d0616 100644
--- a/apps/base/paperclip/deployment.yaml
+++ b/apps/base/paperclip/deployment.yaml
@@ -65,6 +65,9 @@ spec:
 httpGet:
 path: /api/health
 port: 3100
+ httpHeaders:
+ - name: Host
+ value: localhost
 failureThreshold: 3
 initialDelaySeconds: 30
 periodSeconds: 30
@@ -74,6 +77,9 @@ spec:
 httpGet:
 path: /api/health
 port: 3100
+ httpHeaders:
+ - name: Host
+ value: localhost
 failureThreshold: 3
 initialDelaySeconds: 10
 periodSeconds: 10
--
2.47.3
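Review bot: The added `httpHeaders` entries carry no comment saying why a probe overrides `Host`, so a later cleanup could drop them and the probes would fail against the hostname guard again; this applies to both hunks. I would put `# kubelet sends the pod IP as Host; privateHostnameGuard only admits allowlisted names` above each `httpHeaders:` key. The fix depends on `localhost` being in the guard's allowlist in exactly the form the kubelet sends it (presumably without a port), which is not visible here and is worth confirming against the application's configuration. Because the header is supplied by the client, the guard is best treated as protection against DNS rebinding rather than as access control, so reachability of port 3100 should still be restricted by a NetworkPolicy or equivalent. Both probe blocks begin outside the hunks, so which probes these are cannot be confirmed from the diff.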