From bb110e26afe2b3f67c17a3dd1b892b46ed94d24f Mon Sep 17 00:00:00 2001
From: Claude
Date: Mon, 11 May 2026 12:41:17 +0200
Subject: [PATCH] fix(k8s): drop KEYCLOAK_DISCOVERY_URL so HTTPS_PROXY applies to JWKS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When KEYCLOAK_DISCOVERY_URL is set, internal/auth/keycloak.go builds a custom http.Client whose Transport has no Proxy field. The fresh provider then uses that client for both discovery (internal URL, fine) AND the subsequent JWKS fetch from jwks_uri — which the discovery doc still emits as https://auth.gosec.cloud/... (the canonical issuer URL). With no Proxy on the custom transport, JWKS hit default-deny-external and the verifier never gets a key, so every signed token returned 401 with the empty fallback ShellConfig propagating to consumer apps (empty sidebar/footer/user-menu in gscCRM).

Fall through to go-oidc's default client. http.DefaultTransport.Proxy is http.ProxyFromEnvironment so HTTP_PROXY/HTTPS_PROXY are honored for both discovery (auth.gosec.cloud via Squid) and JWKS.

Trade-off: discovery now goes out and back through web-proxy instead of hitting the in-cluster Keycloak service directly. Adds a few ms once; result is cached for CACHE_TTL_SECONDS=60. Worth it to actually validate tokens.

A code-side fix would set Proxy: http.ProxyFromEnvironment on the custom transport, but that requires a shell-api rebuild + push.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 k8s/deployment.yaml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml
index e14c556..18d9233 100644
--- a/k8s/deployment.yaml
+++ b/k8s/deployment.yaml
@@ -42,11 +42,13 @@ spec:
             value: "localhost,127.0.0.1,.cluster.local,.svc,.gosec.internal"
           - name: KEYCLOAK_ISSUER
             value: "https://auth.gosec.cloud/realms/gosecCloud"
-          # Discovery hits Keycloak via in-cluster service (pods can't reach
-          # public auth.gosec.cloud over TLS); the issuer claim still has
-          # to match the canonical hostname above.
-          - name: KEYCLOAK_DISCOVERY_URL
-            value: "https://keycloak.keycloak.svc.cluster.local:8443/realms/gosecCloud"
+          # KEYCLOAK_DISCOVERY_URL intentionally NOT set. When set,
+          # keycloak.go builds a custom http.Client with no Proxy field —
+          # which then defeats HTTPS_PROXY for the JWKS fetch (jwks_uri
+          # is the public hostname even when discovery hits an internal
+          # URL). Falling through to go-oidc's default client uses
+          # http.DefaultTransport.Proxy = http.ProxyFromEnvironment, so
+          # both discovery and JWKS go through web-proxy correctly.
           - name: CACHE_TTL_SECONDS
             value: "60"
           - name: DATABASE_URL
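Review bot: The new comment block explains why KEYCLOAK_DISCOVERY_URL is gone but not what token validation now silently depends on — an HTTPS_PROXY entry on this container (above the hunk, not visible here) and a web-proxy allow rule for auth.gosec.cloud — and the commit message describes the failure mode as every token getting 401 while consumers render the empty fallback ShellConfig, i.e. an auth outage that does not make the pod unready. I would add one line to the comment, `# Requires HTTPS_PROXY above and a web-proxy allow for auth.gosec.cloud; if either is missing the JWKS fetch fails and ALL tokens are rejected with 401.`, and consider a startup or readiness probe that fails until at least one JWKS key has loaded so a proxy regression is caught at rollout rather than reported by users. Since the JWKS that anchors every token check now travels through the egress proxy, it is also worth confirming that web-proxy only tunnels CONNECT and that the image trusts no interception CA; nothing in this manifest shows either. Finally, seven lines narrating keycloak.go internals in a Deployment will rot once the code-side fix (Proxy: http.ProxyFromEnvironment) lands — a two-line note plus a tracking-issue reference would age better.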