From af8c4fd0daef5153c85f264b53a033a4f477c1a4 Mon Sep 17 00:00:00 2001
From: Super User
Date: Mon, 18 May 2026 13:47:59 +0200
Subject: [PATCH] fix(auth): add undici instrumentation for Squid proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Without it, NextAuth's Keycloak issuer-discovery fetch goes direct and Calico default-deny drops it → /access-denied?error=Configuration. EnvHttpProxyAgent reads HTTP(S)_PROXY at startup. Mirrors gscAdmin/src/instrumentation.ts. + undici ^6.25.0.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 k8s/deployment.yaml | 2 +-
 package.json | 1 +
 src/instrumentation.ts | 24 ++++++++++++++++++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 src/instrumentation.ts

diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml
index 811857b..bfd53b5 100644
--- a/k8s/deployment.yaml
+++ b/k8s/deployment.yaml
@@ -31,7 +31,7 @@ spec:
 spec:
 containers:
 - name: my-ui
- image: registry.gosec.internal/gsc-my/ui:v0.1.0
+ image: registry.gosec.internal/gsc-my/ui:v0.1.1
 imagePullPolicy: Always
 ports:
 - containerPort: 3000
diff --git a/package.json b/package.json
index 6484330..cdc36d4 100644
--- a/package.json
+++ b/package.json
@@ -25,6 +25,7 @@
 "pg": "^8.20.0",
 "react": "^19.2.3",
 "react-dom": "^19.2.3",
+ "undici": "^6.25.0",
 "zod": "^3.23.0"
 },
 "devDependencies": {
diff --git a/src/instrumentation.ts b/src/instrumentation.ts
new file mode 100644
index 0000000..cfeae3d
--- /dev/null
+++ b/src/instrumentation.ts
@@ -0,0 +1,24 @@
+/**
+ * Server startup hook. Next.js calls register() once per Node process
+ * when the server boots (App Router convention).
+ *
+ * We use this to install undici's ProxyAgent as the global dispatcher
+ * so the in-cluster web-proxy (Squid at web-proxy.web-proxy.svc:3128)
+ * is honored by Node's built-in `fetch()`. Without this, fetch() goes
+ * direct → Calico default-deny-external drops outbound TCP → NextAuth
+ * issuer discovery times out → /api/auth/error?error=Configuration.
+ *
+ * HTTP_PROXY / HTTPS_PROXY / NO_PROXY env vars are read by EnvHttpProxyAgent.
+ * If neither is set (e.g., local `next dev`), no proxy is configured.
+ */
+export async function register() {
+ if (process.env.NEXT_RUNTIME !== "nodejs") return;
+ if (!process.env.HTTPS_PROXY && !process.env.HTTP_PROXY) return;
+
+ const { setGlobalDispatcher, EnvHttpProxyAgent } = await import("undici");
+ setGlobalDispatcher(new EnvHttpProxyAgent());
+ // eslint-disable-next-line no-console
+ console.log(
+ `[instrumentation] undici proxy via ${process.env.HTTPS_PROXY ?? process.env.HTTP_PROXY}`,
+ );
+}
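Review bot: The `console.log` at the end of `register()` prints the raw `HTTPS_PROXY`/`HTTP_PROXY` value, and a proxy URL of the form `scheme://user:pass@host:port` would put the proxy credential into pod logs; log only the origin, e.g. `const { origin } = new URL(process.env.HTTPS_PROXY ?? process.env.HTTP_PROXY ?? "");` and print `${origin}` in the template literal instead of the env value. The header comment says "install undici's ProxyAgent" while the code installs `EnvHttpProxyAgent`; aligning the wording keeps the next reader from looking up the wrong class. Since `setGlobalDispatcher` routes every Node `fetch()` in the process through Squid, any in-cluster targets that should stay direct have to appear in `NO_PROXY`, which the comment mentions but the deployment hunk in this patch does not show being set, so it is worth confirming in the manifest. Whether Next.js actually invokes `register()` may also depend on the framework version's instrumentation-hook setting, which is not visible here.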