diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml
index e14c556..18d9233 100644
--- a/k8s/deployment.yaml
+++ b/k8s/deployment.yaml
@@ -42,11 +42,13 @@ spec:
 value: "localhost,127.0.0.1,.cluster.local,.svc,.gosec.internal"
 - name: KEYCLOAK_ISSUER
 value: "https://auth.gosec.cloud/realms/gosecCloud"
- # Discovery hits Keycloak via in-cluster service (pods can't reach
- # public auth.gosec.cloud over TLS); the issuer claim still has
- # to match the canonical hostname above.
- - name: KEYCLOAK_DISCOVERY_URL
- value: "https://keycloak.keycloak.svc.cluster.local:8443/realms/gosecCloud"
+ # KEYCLOAK_DISCOVERY_URL intentionally NOT set. When set,
+ # keycloak.go builds a custom http.Client with no Proxy field —
+ # which then defeats HTTPS_PROXY for the JWKS fetch (jwks_uri
+ # is the public hostname even when discovery hits an internal
+ # URL). Falling through to go-oidc's default client uses
+ # http.DefaultTransport.Proxy = http.ProxyFromEnvironment, so
+ # both discovery and JWKS go through web-proxy correctly.
 - name: CACHE_TTL_SECONDS
 value: "60"
 - name: DATABASE_URL
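Review bot: Dropping KEYCLOAK_DISCOVERY_URL makes both OIDC discovery and the JWKS fetch depend on HTTPS_PROXY being present in this container's environment, and nothing in the hunk shows that variable being set (the env list continues outside the hunk, so it may be defined there). The new comment records a workaround for a defect in keycloak.go rather than a fix, and a reader of the manifest cannot tell that it is a standing TODO that should eventually let the in-cluster discovery URL return. I would append a line such as `# TODO: set Transport.Proxy = http.ProxyFromEnvironment in keycloak.go, then restore the in-cluster discovery URL.` and, if HTTPS_PROXY is set elsewhere, name that location so the dependency is visible next to this comment. The first context line looks like a NO_PROXY value and does not list auth.gosec.cloud, which is consistent with the proxied path; if that list ever gains .gosec.cloud, the JWKS fetch would presumably bypass the proxy and fail again without any hint here.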