fix(k8s): drop KEYCLOAK_DISCOVERY_URL so HTTPS_PROXY applies to JWKS
When KEYCLOAK_DISCOVERY_URL is set, internal/auth/keycloak.go builds a custom http.Client whose Transport has no Proxy field. The fresh provider then uses that client for both discovery (internal URL, fine) AND the subsequent JWKS fetch from jwks_uri — which the discovery doc still emits as https://auth.gosec.cloud/... (the canonical issuer URL). With no Proxy on the custom transport, JWKS hit default-deny-external and the verifier never gets a key, so every signed token returned 401 with the empty fallback ShellConfig propagating to consumer apps (empty sidebar/footer/user-menu in gscCRM).

Fall through to go-oidc's default client. http.DefaultTransport.Proxy is http.ProxyFromEnvironment so HTTP_PROXY/HTTPS_PROXY are honored for both discovery (auth.gosec.cloud via Squid) and JWKS.

Trade-off: discovery now goes out and back through web-proxy instead of hitting the in-cluster Keycloak service directly. Adds a few ms once; result is cached for CACHE_TTL_SECONDS=60. Worth it to actually validate tokens.

A code-side fix would set Proxy: http.ProxyFromEnvironment on the custom transport, but that requires a shell-api rebuild + push.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -42,11 +42,13 @@ spec:
value: "localhost,127.0.0.1,.cluster.local,.svc,.gosec.internal"
- name: KEYCLOAK_ISSUER
value: "https://auth.gosec.cloud/realms/gosecCloud"
# Discovery hits Keycloak via in-cluster service (pods can't reach
# public auth.gosec.cloud over TLS); the issuer claim still has
# to match the canonical hostname above.
- name: KEYCLOAK_DISCOVERY_URL
value: "https://keycloak.keycloak.svc.cluster.local:8443/realms/gosecCloud"
# KEYCLOAK_DISCOVERY_URL intentionally NOT set. When set,
# keycloak.go builds a custom http.Client with no Proxy field —
# which then defeats HTTPS_PROXY for the JWKS fetch (jwks_uri
# is the public hostname even when discovery hits an internal
# URL). Falling through to go-oidc's default client uses
# http.DefaultTransport.Proxy = http.ProxyFromEnvironment, so
# both discovery and JWKS go through web-proxy correctly.
- name: CACHE_TTL_SECONDS
value: "60"
- name: DATABASE_URL
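Review bot: the new comment block (the lines replacing the KEYCLOAK_DISCOVERY_URL entry) documents a workaround, not the fix, and gives a future reader no pointer to the real change; suggest ending it with an explicit TODO such as `# TODO: restore KEYCLOAK_DISCOVERY_URL once keycloak.go sets Proxy: http.ProxyFromEnvironment on its custom transport` so the in-cluster discovery path can be brought back after the shell-api rebuild the commit message mentions. Also worth one line in the same comment: with discovery now routed via web-proxy, token validation depends on that proxy being reachable for the initial fetch and every refresh after CACHE_TTL_SECONDS; the failure is closed (the same all-tokens-401 behaviour the commit message describes), which is the right default but should be visible to whoever operates the proxy. The NO_PROXY value in the first context line still lists .cluster.local and .svc, so if the variable is ever re-added without the code fix, discovery would silently bypass the proxy while JWKS breaks again, which is exactly the trap this comment should warn about.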