feat: gsc-shell-api v0.1 — central chrome data API
Tiny Go service that returns ShellConfig JSON for any registered app.
Backs the runtime-loaded <AppShell> component being added to
@limitless/ui (next).
Endpoints:
GET /api/v1/shell/{appKey} → app + branding + user + menus, ETag-cached
GET /api/v1/apps → registered app inventory
GET /healthz, /readyz → ops probes
Auth:
Keycloak Bearer JWT validated against the gosecCloud realm.
Discovery URL is overridable so pods can hit Keycloak via the
in-cluster service (https://keycloak.keycloak.svc.cluster.local:8443)
while still validating the canonical issuer (auth.gosec.cloud).
Lazy JWKS init — pod stays up if Keycloak is briefly unreachable.
Data model (gsc_core.shell):
apps · menu_items (zone enum: topbar/sidebar/footer/user-menu) ·
menu_role_grants (Keycloak realm roles, OR semantics, empty=all) ·
branding
Seed includes the 8 gsc-crm sidebar items + topbar search +
user-menu (settings/support/logout) + footer (docs).
K8s:
Namespace gsc-shell (ambient mesh).
Deployment 2 replicas, internal-only ingress shell-api.gosec.internal,
EJBCA SERVER cert.
ServiceEntry for auth.gosec.cloud (vestigial — discovery now uses
in-cluster path; keeping for ad-hoc curl from inside pods).
Added to keycloak/allow-keycloak-clients AuthorizationPolicy out of band.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Claude
49
internal/config/config.go
Normal file
49
internal/config/config.go
Normal file
@@ -0,0 +1,49 @@
|
||||
package config
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"strconv"
|
||||
)
|
||||
|
||||
// Config holds runtime configuration. All values come from env.
|
||||
type Config struct {
|
||||
Port int
|
||||
DatabaseURL string
|
||||
KeycloakIssuer string // e.g. https://auth.gosec.cloud/realms/gosecCloud
|
||||
KeycloakDiscovery string // optional in-cluster discovery URL override
|
||||
KeycloakAudCSV string // comma-separated allowed audiences (client_id values)
|
||||
CacheTTLSeconds int // for client-side Cache-Control hint
|
||||
}
|
||||
|
||||
func Load() (*Config, error) {
|
||||
c := &Config{
|
||||
Port: 8080,
|
||||
KeycloakIssuer: os.Getenv("KEYCLOAK_ISSUER"),
|
||||
KeycloakDiscovery: os.Getenv("KEYCLOAK_DISCOVERY_URL"),
|
||||
KeycloakAudCSV: os.Getenv("KEYCLOAK_AUDIENCES"),
|
||||
DatabaseURL: os.Getenv("DATABASE_URL"),
|
||||
CacheTTLSeconds: 60,
|
||||
}
|
||||
if p := os.Getenv("PORT"); p != "" {
|
||||
v, err := strconv.Atoi(p)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("PORT: %w", err)
|
||||
}
|
||||
c.Port = v
|
||||
}
|
||||
if t := os.Getenv("CACHE_TTL_SECONDS"); t != "" {
|
||||
v, err := strconv.Atoi(t)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("CACHE_TTL_SECONDS: %w", err)
|
||||
}
|
||||
c.CacheTTLSeconds = v
|
||||
}
|
||||
if c.DatabaseURL == "" {
|
||||
return nil, fmt.Errorf("DATABASE_URL is required")
|
||||
}
|
||||
if c.KeycloakIssuer == "" {
|
||||
return nil, fmt.Errorf("KEYCLOAK_ISSUER is required")
|
||||
}
|
||||
return c, nil
|
||||
}
|
||||
Reference in New Issue
Block a user