From 76dea43be13bbdee9d7bfcdf5ff0b9be2b205f1c Mon Sep 17 00:00:00 2001
From: Rafael Poyiadzi
Date: Wed, 25 Feb 2026 15:18:57 +0000
Subject: [PATCH 1/2] Add startup probe and increase health check timeouts

Redis Sentinel discovery can take >5s on cold start, causing the liveness probe (5s timeout) to kill the pod before it establishes a connection. Add a startup probe (60s budget) to protect the boot phase, and increase liveness timeout to 10s with higher failure threshold.

Co-Authored-By: Claude Opus 4.6
---
 .../deploy/chart/templates/deployment.yaml | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/everyrow-mcp/deploy/chart/templates/deployment.yaml b/everyrow-mcp/deploy/chart/templates/deployment.yaml
index 295abb84..caf0fc60 100644
--- a/everyrow-mcp/deploy/chart/templates/deployment.yaml
+++ b/everyrow-mcp/deploy/chart/templates/deployment.yaml
@@ -42,22 +42,29 @@ spec:
 type: RuntimeDefault
 ports:
 - containerPort: 8000
+ startupProbe:
+ httpGet:
+ path: /health
+ port: 8000
+ periodSeconds: 5
+ timeoutSeconds: 10
+ failureThreshold: 12
 readinessProbe:
 httpGet:
 path: /health
 port: 8000
 initialDelaySeconds: 5
 periodSeconds: 10
- timeoutSeconds: 5
+ timeoutSeconds: 10
 failureThreshold: 3
 livenessProbe:
 httpGet:
 path: /health
 port: 8000
- initialDelaySeconds: 10
+ initialDelaySeconds: 30
 periodSeconds: 30
- timeoutSeconds: 5
- failureThreshold: 3
+ timeoutSeconds: 10
+ failureThreshold: 5
 env:
 {{- range $key, $value := .Values.env }}
 - name: {{ $key }}
From 7dc8c044cdbc2b07f8909210d31cbd2b15290d80 Mon Sep 17 00:00:00 2001
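Review bot: The liveness probe still points at the same `path: /health` as readiness, and the commit message implies that endpoint waits on Redis Sentinel discovery; if `/health` reports Redis/Sentinel state, a Redis outage will fail liveness on every replica at once and turn a dependency incident into a cluster-wide restart loop that the longer `timeoutSeconds: 10` / `failureThreshold: 5` only delay. Liveness should hit a shallow, process-only path (for example `path: /livez`, if the app exposes one) and leave the dependency check to readiness, which removes the pod from rotation without killing it. Separately, on the new `startupProbe` the `timeoutSeconds: 10` exceeds `periodSeconds: 5`, so a hanging `/health` makes each attempt take up to 10s and the real startup budget is closer to 120s than the 60s the message states; either lower the timeout or document the actual budget. The `spec:` block this hunk sits in starts above the hunk and the container's `env` list continues below it.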
From: Rafael Poyiadzi
Date: Wed, 25 Feb 2026 15:27:42 +0000
Subject: =?UTF-8?q?Disable=20network=20policy=20=E2=80=94=20GK?= =?UTF-8?q?E=20service=20CIDR=20breaks=20DNS?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GKE assigns ClusterIPs from a non-RFC1918 range (34.118.x.x). The network policy's DNS egress rule uses podSelector for kube-dns pods, but GKE evaluates egress against the ClusterIP (34.118.224.10), not the pod IP. This blocks all DNS resolution from the MCP pods. Disable until we can properly handle GKE's service CIDR in egress rules (may require CIDR-based DNS rules instead of podSelector).

Co-Authored-By: Claude Opus 4.6
---
 everyrow-mcp/deploy/chart/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/everyrow-mcp/deploy/chart/values.yaml b/everyrow-mcp/deploy/chart/values.yaml
index d84ef0cb..ef492734 100644
--- a/everyrow-mcp/deploy/chart/values.yaml
+++ b/everyrow-mcp/deploy/chart/values.yaml
@@ -49,7 +49,7 @@ secrets:
 # List every Sentinel + master IP here. Use "kubectl get endpoints" or
 # check REDIS_SENTINEL_ENDPOINTS to find the IPs, then narrow the CIDRs.
 networkPolicy:
- enabled: true
+ enabled: false
 gatewayNamespace: gke-managed-system
 redisPort: 6379
 redisSentinelPort: 26379
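Review bot: Setting `enabled: false` removes the whole NetworkPolicy, not just the broken DNS egress rule, so until the follow-up lands the MCP pods get unrestricted egress and, judging by the `gatewayNamespace: gke-managed-system` setting, presumably lose their ingress restriction to the gateway namespace as well — a far wider opening than the DNS breakage it works around. The fix the commit message itself sketches is small enough to ship now: keep `enabled: true` and add a value such as `dnsClusterIP: 34.118.224.10/32` (the kube-dns ClusterIP the message cites) that the template's DNS egress rule uses as an `ipBlock` on port 53 UDP and TCP alongside the existing kube-dns `podSelector`, so both the pod-IP and ClusterIP evaluation paths are allowed. If the policy really must stay off for a while, the flag should carry a comment saying why and until when, e.g. `# TEMPORARY: DNS egress rule does not allow the GKE service CIDR; re-enable once it uses an ipBlock (tracking: <issue>)`, so every environment installing this chart does not silently inherit a policy-free default. The `networkPolicy` mapping and the Redis CIDR comments above it may continue outside the hunk.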