KEYCLOAK_DISCOVERY_URL targets the in-cluster Keycloak service, but
the discovery doc returns jwks_uri pointing at auth.gosec.cloud (the
canonical issuer claim). JWKS lookup hung 10s and every bearer-token
validation returned 401, so consumer apps got the empty fallback
ShellConfig — empty sidebar/footer/user-menu.
Cluster convention:
- Label pod template egress-internet=true (allow-web-proxy
GlobalNetworkPolicy already opens TCP/3128 to the Squid proxy).
- HTTP_PROXY / HTTPS_PROXY / NO_PROXY env. Go's
http.ProxyFromEnvironment honors these natively — no code change.
Repro: gscCRM /en/dashboard renders with chrome but empty menus
because fetchShellConfig falls back when shell-api 401s.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1c7a05318e