From 1c7a05318e60dc541e219403473715cb65778b11 Mon Sep 17 00:00:00 2001
From: Claude
Date: Mon, 11 May 2026 12:35:17 +0200
Subject: [PATCH] fix(k8s): route gsc-shell-api through web-proxy for JWKS fetch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

KEYCLOAK_DISCOVERY_URL targets the in-cluster Keycloak service, but the discovery doc returns jwks_uri pointing at auth.gosec.cloud (the canonical issuer claim). JWKS lookup hung 10s and every bearer-token validation returned 401, so consumer apps got the empty fallback ShellConfig — empty sidebar/footer/user-menu.

Cluster convention:
- Label pod template egress-internet=true (allow-web-proxy GlobalNetworkPolicy already opens TCP/3128 to the Squid proxy).
- HTTP_PROXY / HTTPS_PROXY / NO_PROXY env. Go's http.ProxyFromEnvironment honors these natively — no code change.

Repro: gscCRM /en/dashboard renders with chrome but empty menus because fetchShellConfig falls back when shell-api 401s.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 k8s/deployment.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml
index 6f51790..e14c556 100644
--- a/k8s/deployment.yaml
+++ b/k8s/deployment.yaml
@@ -15,6 +15,11 @@ spec:
 metadata:
 labels:
 app.kubernetes.io/name: gsc-shell-api
+ # KEYCLOAK_DISCOVERY_URL points at the in-cluster service, but the
+ # discovery doc returns jwks_uri = https://auth.gosec.cloud/...
+ # (the canonical issuer claim). JWKS fetch needs public egress.
+ # allow-web-proxy GlobalNetworkPolicy gates on this label.
+ egress-internet: "true"
 spec:
 containers:
 - name: api
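Review bot: The `egress-internet: "true"` label admits this pod to the whole egress path that allow-web-proxy opens, while the stated need is one host, auth.gosec.cloud; the Squid-side destination ACLs are not visible here, so least-privilege scope now depends entirely on them. The comment should say so, e.g. `# Destination scope is enforced by the web-proxy ACLs, not by this label.`, so the next reader does not assume the label is JWKS-specific. If the cluster's own ingress serves auth.gosec.cloud, resolving that name in-cluster (hostAliases or a CoreDNS rewrite) would remove the need for internet egress altogether, though that is a design choice outside this hunk. The pod template continues outside the hunk.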
@@ -26,6 +31,15 @@ spec:
 env:
 - name: PORT
 value: "8080"
+ # Route public-internet calls (notably JWKS at auth.gosec.cloud)
+ # through the in-cluster Squid proxy. Go's http.ProxyFromEnvironment
+ # picks these up automatically — no code change needed.
+ - name: HTTP_PROXY
+ value: "http://web-proxy.web-proxy.svc.cluster.local:3128"
+ - name: HTTPS_PROXY
+ value: "http://web-proxy.web-proxy.svc.cluster.local:3128"
+ - name: NO_PROXY
+ value: "localhost,127.0.0.1,.cluster.local,.svc,.gosec.internal"
 - name: KEYCLOAK_ISSUER
 value: "https://auth.gosec.cloud/realms/gosecCloud"
 # Discovery hits Keycloak via in-cluster service (pods can't reach
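Review bot: NO_PROXY only bypasses the proxy for names ending in `.cluster.local`, `.svc` or `.gosec.internal`, and the KEYCLOAK_DISCOVERY_URL that the commit message says targets the in-cluster service is not visible in this hunk (the env list continues past the last context line). If that URL uses a short service name such as `http://keycloak.<namespace>:8080` (constructed example) or a cluster IP, Go's ProxyFromEnvironment will send the discovery request to Squid as well, turning the current JWKS failure into a discovery failure; confirm the discovery host carries a matched suffix or add it explicitly, e.g. `value: "localhost,127.0.0.1,.cluster.local,.svc,.gosec.internal,<discovery-host>"` with the placeholder filled from the actual URL. The same gap applies if the process reaches the API server through `KUBERNETES_SERVICE_HOST`, which is an IP literal and matches none of the listed suffixes. As a style point, `HTTPS_PROXY` could be `value: "$(HTTP_PROXY)"` (Kubernetes dependent-env expansion) so the proxy address is declared once.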