Commit a7255d7
🐛 Fix llm-proxy JWT issuer mismatch on MTA profile (#552)
The llm-proxy configmap template always used keycloak_sso_url for the
JWKS URI and issuer, which resolves to mta-keycloak-rhbk on the MTA
profile. However, the actual RHBK service is mta-rhbk-service, and the
hub already correctly uses rhbk_url for MTA. This caused the llm-proxy
to reject all JWT tokens with "Invalid JWT token" because the issuer in
the token didn't match what the proxy expected.
Add the same app_profile == 'mta' conditional used by the hub and UI
templates so the llm-proxy uses rhbk_url on MTA and keycloak_sso_url on
konveyor.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Improved OAuth2/OpenID Connect configuration: the system now correctly
interprets the authentication-required flag and selects the appropriate
JWKS URI and issuer depending on the deployment profile (including a new
branch for the "mta" profile). This improves authentication behavior
across different environments.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Signed-off-by: Fabian von Feilitzsch <fabian@fabianism.us>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: David Zager <dzager@redhat.com>
Signed-off-by: Cherry Picker <noreply@github.com>1 parent 66fd0be commit a7255d7
1 file changed
Lines changed: 7 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
104 | 104 | | |
105 | 105 | | |
106 | 106 | | |
107 | | - | |
| 107 | + | |
108 | 108 | | |
109 | 109 | | |
110 | 110 | | |
111 | 111 | | |
112 | 112 | | |
113 | 113 | | |
114 | 114 | | |
| 115 | + | |
| 116 | + | |
| 117 | + | |
| 118 | + | |
| 119 | + | |
115 | 120 | | |
116 | 121 | | |
117 | 122 | | |
| 123 | + | |
118 | 124 | | |
119 | 125 | | |
120 | 126 | | |
| |||
0 commit comments