7fb24e0452
Tiny Go service that returns ShellConfig JSON for any registered app.
Backs the runtime-loaded <AppShell> component being added to
@limitless/ui (next).
Endpoints:
GET /api/v1/shell/{appKey} → app + branding + user + menus, ETag-cached
GET /api/v1/apps → registered app inventory
GET /healthz, /readyz → ops probes
Auth:
Keycloak Bearer JWT validated against the gosecCloud realm.
Discovery URL is overridable so pods can hit Keycloak via the
in-cluster service (https://keycloak.keycloak.svc.cluster.local:8443)
while still validating the canonical issuer (auth.gosec.cloud).
Lazy JWKS init — pod stays up if Keycloak is briefly unreachable.
Data model (gsc_core.shell):
apps · menu_items (zone enum: topbar/sidebar/footer/user-menu) ·
menu_role_grants (Keycloak realm roles, OR semantics, empty=all) ·
branding
Seed includes the 8 gsc-crm sidebar items + topbar search +
user-menu (settings/support/logout) + footer (docs).
K8s:
Namespace gsc-shell (ambient mesh).
Deployment 2 replicas, internal-only ingress shell-api.gosec.internal,
EJBCA SERVER cert.
ServiceEntry for auth.gosec.cloud (vestigial — discovery now uses
in-cluster path; keeping for ad-hoc curl from inside pods).
Added to keycloak/allow-keycloak-clients AuthorizationPolicy out of band.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
50 lines
1.3 KiB
Go
50 lines
1.3 KiB
Go
package config
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
"strconv"
|
|
)
|
|
|
|
// Config holds runtime configuration. All values come from env.
|
|
type Config struct {
|
|
Port int
|
|
DatabaseURL string
|
|
KeycloakIssuer string // e.g. https://auth.gosec.cloud/realms/gosecCloud
|
|
KeycloakDiscovery string // optional in-cluster discovery URL override
|
|
KeycloakAudCSV string // comma-separated allowed audiences (client_id values)
|
|
CacheTTLSeconds int // for client-side Cache-Control hint
|
|
}
|
|
|
|
func Load() (*Config, error) {
|
|
c := &Config{
|
|
Port: 8080,
|
|
KeycloakIssuer: os.Getenv("KEYCLOAK_ISSUER"),
|
|
KeycloakDiscovery: os.Getenv("KEYCLOAK_DISCOVERY_URL"),
|
|
KeycloakAudCSV: os.Getenv("KEYCLOAK_AUDIENCES"),
|
|
DatabaseURL: os.Getenv("DATABASE_URL"),
|
|
CacheTTLSeconds: 60,
|
|
}
|
|
if p := os.Getenv("PORT"); p != "" {
|
|
v, err := strconv.Atoi(p)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("PORT: %w", err)
|
|
}
|
|
c.Port = v
|
|
}
|
|
if t := os.Getenv("CACHE_TTL_SECONDS"); t != "" {
|
|
v, err := strconv.Atoi(t)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("CACHE_TTL_SECONDS: %w", err)
|
|
}
|
|
c.CacheTTLSeconds = v
|
|
}
|
|
if c.DatabaseURL == "" {
|
|
return nil, fmt.Errorf("DATABASE_URL is required")
|
|
}
|
|
if c.KeycloakIssuer == "" {
|
|
return nil, fmt.Errorf("KEYCLOAK_ISSUER is required")
|
|
}
|
|
return c, nil
|
|
}
|