1c7a05318e
KEYCLOAK_DISCOVERY_URL targets the in-cluster Keycloak service, but the discovery doc returns jwks_uri pointing at auth.gosec.cloud (the canonical issuer claim). JWKS lookup hung 10s and every bearer-token validation returned 401, so consumer apps got the empty fallback ShellConfig — empty sidebar/footer/user-menu. Cluster convention: - Label pod template egress-internet=true (allow-web-proxy GlobalNetworkPolicy already opens TCP/3128 to the Squid proxy). - HTTP_PROXY / HTTPS_PROXY / NO_PROXY env. Go's http.ProxyFromEnvironment honors these natively — no code change. Repro: gscCRM /en/dashboard renders with chrome but empty menus because fetchShellConfig falls back when shell-api 401s. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>