GoSec_Cloud/gsc-shell-api
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(k8s): drop KEYCLOAK_DISCOVERY_URL so HTTPS_PROXY applies to JWKS

Browse Source 
When KEYCLOAK_DISCOVERY_URL is set, internal/auth/keycloak.go builds
a custom http.Client whose Transport has no Proxy field. The fresh
provider then uses that client for both discovery (internal URL,
fine) AND the subsequent JWKS fetch from jwks_uri — which the
discovery doc still emits as https://auth.gosec.cloud/... (the
canonical issuer URL). With no Proxy on the custom transport, JWKS
hit default-deny-external and the verifier never gets a key, so
every signed token returned 401 with the empty fallback ShellConfig
propagating to consumer apps (empty sidebar/footer/user-menu in
gscCRM).

Fall through to go-oidc's default client. http.DefaultTransport.Proxy
is http.ProxyFromEnvironment so HTTP_PROXY/HTTPS_PROXY are honored
for both discovery (auth.gosec.cloud via Squid) and JWKS.

Trade-off: discovery now goes out and back through web-proxy instead
of hitting the in-cluster Keycloak service directly. Adds a few ms
once; result is cached for CACHE_TTL_SECONDS=60. Worth it to actually
validate tokens.

A code-side fix would set Proxy: http.ProxyFromEnvironment on the
custom transport, but that requires a shell-api rebuild + push.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Claude
2026-05-11 12:41:17 +02:00
parent 1c7a05318e
commit bb110e26af
1 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
k8s/deployment.yaml
View File

@@ -42,11 +42,13 @@ spec:
value: "localhost,127.0.0.1,.cluster.local,.svc,.gosec.internal" value: "localhost,127.0.0.1,.cluster.local,.svc,.gosec.internal"
- name: KEYCLOAK_ISSUER - name: KEYCLOAK_ISSUER
value: "https://auth.gosec.cloud/realms/gosecCloud" value: "https://auth.gosec.cloud/realms/gosecCloud"
# Discovery hits Keycloak via in-cluster service (pods can't reach # KEYCLOAK_DISCOVERY_URL intentionally NOT set. When set,
# public auth.gosec.cloud over TLS); the issuer claim still has # keycloak.go builds a custom http.Client with no Proxy field —
# to match the canonical hostname above. # which then defeats HTTPS_PROXY for the JWKS fetch (jwks_uri
- name: KEYCLOAK_DISCOVERY_URL # is the public hostname even when discovery hits an internal
value: "https://keycloak.keycloak.svc.cluster.local:8443/realms/gosecCloud" # URL). Falling through to go-oidc's default client uses
# http.DefaultTransport.Proxy = http.ProxyFromEnvironment, so
# both discovery and JWKS go through web-proxy correctly.
- name: CACHE_TTL_SECONDS - name: CACHE_TTL_SECONDS
value: "60" value: "60"
- name: DATABASE_URL - name: DATABASE_URL