fix(k8s): route gsc-shell-api through web-proxy for JWKS fetch

KEYCLOAK_DISCOVERY_URL targets the in-cluster Keycloak service, but the discovery doc returns jwks_uri pointing at auth.gosec.cloud (the canonical issuer claim). JWKS lookup hung 10s and every bearer-token validation returned 401, so consumer apps got the empty fallback ShellConfig — empty sidebar/footer/user-menu. Cluster convention: - Label pod template egress-internet=true (allow-web-proxy GlobalNetworkPolicy already opens TCP/3128 to the Squid proxy). - HTTP_PROXY / HTTPS_PROXY / NO_PROXY env. Go's http.ProxyFromEnvironment honors these natively — no code change. Repro: gscCRM /en/dashboard renders with chrome but empty menus because fetchShellConfig falls back when shell-api 401s. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-11 12:35:17 +02:00
parent bd62fcb599
commit 1c7a05318e
1 changed files with 14 additions and 0 deletions
--- a/k8s/deployment.yaml
+++ b/k8s/deployment.yaml
@@ -15,6 +15,11 @@ spec:
    metadata:
      labels:
        app.kubernetes.io/name: gsc-shell-api
+        # KEYCLOAK_DISCOVERY_URL points at the in-cluster service, but the
+        # discovery doc returns jwks_uri = https://auth.gosec.cloud/...
+        # (the canonical issuer claim). JWKS fetch needs public egress.
+        # allow-web-proxy GlobalNetworkPolicy gates on this label.
+        egress-internet: "true"
    spec:
      containers:
        - name: api
@@ -26,6 +31,15 @@ spec:
          env:
            - name: PORT
              value: "8080"
+            # Route public-internet calls (notably JWKS at auth.gosec.cloud)
+            # through the in-cluster Squid proxy. Go's http.ProxyFromEnvironment
+            # picks these up automatically — no code change needed.
+            - name: HTTP_PROXY
+              value: "http://web-proxy.web-proxy.svc.cluster.local:3128"
+            - name: HTTPS_PROXY
+              value: "http://web-proxy.web-proxy.svc.cluster.local:3128"
+            - name: NO_PROXY
+              value: "localhost,127.0.0.1,.cluster.local,.svc,.gosec.internal"
            - name: KEYCLOAK_ISSUER
              value: "https://auth.gosec.cloud/realms/gosecCloud"
            # Discovery hits Keycloak via in-cluster service (pods can't reach