KEYCLOAK_DISCOVERY_URL targets the in-cluster Keycloak service, but
the discovery doc returns jwks_uri pointing at auth.gosec.cloud (the
canonical issuer claim). JWKS lookup hung 10s and every bearer-token
validation returned 401, so consumer apps got the empty fallback
ShellConfig — empty sidebar/footer/user-menu.
Cluster convention:
- Label pod template egress-internet=true (allow-web-proxy
GlobalNetworkPolicy already opens TCP/3128 to the Squid proxy).
- HTTP_PROXY / HTTPS_PROXY / NO_PROXY env. Go's
http.ProxyFromEnvironment honors these natively — no code change.
Repro: gscCRM /en/dashboard renders with chrome but empty menus
because fetchShellConfig falls back when shell-api 401s.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Apps run on different hostnames (crm.gosec.internal,
chronos.gosec.internal, …) so the browser fetch from <AppShell> to
shell-api.gosec.internal is cross-origin and was being blocked.
Add Fiber's cors middleware. Allowlist: any *.gosec.internal or
*.gosec.cloud origin (override via CORS_ORIGINS env if a tighter
list is needed). Allow Authorization + Content-Type + If-None-Match
on the request side; expose ETag on the response side. Methods
limited to GET + OPTIONS.
Image: v0.1.4
Verified:
curl -X OPTIONS https://shell-api.gosec.internal/api/v1/shell/gsc-crm
-H "Origin: https://crm.gosec.internal" → 204 with
access-control-allow-origin: https://crm.gosec.internal
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tiny Go service that returns ShellConfig JSON for any registered app.
Backs the runtime-loaded <AppShell> component being added to
@limitless/ui (next).
Endpoints:
GET /api/v1/shell/{appKey} → app + branding + user + menus, ETag-cached
GET /api/v1/apps → registered app inventory
GET /healthz, /readyz → ops probes
Auth:
Keycloak Bearer JWT validated against the gosecCloud realm.
Discovery URL is overridable so pods can hit Keycloak via the
in-cluster service (https://keycloak.keycloak.svc.cluster.local:8443)
while still validating the canonical issuer (auth.gosec.cloud).
Lazy JWKS init — pod stays up if Keycloak is briefly unreachable.
Data model (gsc_core.shell):
apps · menu_items (zone enum: topbar/sidebar/footer/user-menu) ·
menu_role_grants (Keycloak realm roles, OR semantics, empty=all) ·
branding
Seed includes the 8 gsc-crm sidebar items + topbar search +
user-menu (settings/support/logout) + footer (docs).
K8s:
Namespace gsc-shell (ambient mesh).
Deployment 2 replicas, internal-only ingress shell-api.gosec.internal,
EJBCA SERVER cert.
ServiceEntry for auth.gosec.cloud (vestigial — discovery now uses
in-cluster path; keeping for ad-hoc curl from inside pods).
Added to keycloak/allow-keycloak-clients AuthorizationPolicy out of band.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
