Fix: Remove port 8081 hardcoding in OIDC internal URLs

The auth.ts was hardcoding port 8081 for internal Keycloak communication but the Kubernetes Keycloak service uses port 8080, causing auth failures Changed: oidcInternal no longer replaces 8080 with 8081
Fix: Admin club management 500 error - JWT clubs claim format
2026-03-21 21:52:03 +01:00 · 2026-03-21 20:27:38 +01:00 · 2026-03-21 14:13:37 +01:00 · 2026-03-21 13:57:27 +01:00 · 2026-03-21 13:46:35 +01:00 · 2026-03-21 13:32:53 +01:00
16 changed files with 324 additions and 170 deletions
@@ -12,32 +12,44 @@ public class ClubService
    private readonly AppDbContext _context;
    private readonly ITenantProvider _tenantProvider;
    private readonly IHttpContextAccessor _httpContextAccessor;
    private readonly ILogger<ClubService> _logger;
    public ClubService(
        AppDbContext context,
        ITenantProvider tenantProvider,
-        IHttpContextAccessor httpContextAccessor)
+        IHttpContextAccessor httpContextAccessor,
        ILogger<ClubService> logger)
    {
        _context = context;
        _tenantProvider = tenantProvider;
        _httpContextAccessor = httpContextAccessor;
        _logger = logger;
    }
    public async Task<List<ClubListDto>> GetMyClubsAsync()
    {
        try
        {
            var clubsClaim = _httpContextAccessor.HttpContext?.User.FindFirst("clubs")?.Value;
            _logger.LogInformation("GetMyClubsAsync: Clubs claim value: {ClubsClaim}", clubsClaim);
            if (string.IsNullOrEmpty(clubsClaim))
            {
                _logger.LogWarning("GetMyClubsAsync: No clubs claim found for user");
                return new List<ClubListDto>();
            }
            // Parse UUIDs from comma-separated claim, filtering out non-UUID values (like role names)
            var tenantIds = clubsClaim.Split(',', StringSplitOptions.RemoveEmptyEntries)
                .Select(t => t.Trim())
                .Where(t => !string.IsNullOrEmpty(t) && Guid.TryParse(t, out _))
                .ToList();
            _logger.LogInformation("GetMyClubsAsync: Parsed {Count} valid tenant IDs from claim", tenantIds.Count);
            if (tenantIds.Count == 0)
            {
                _logger.LogWarning("GetMyClubsAsync: No valid tenant IDs found in clubs claim: {ClubsClaim}", clubsClaim);
                return new List<ClubListDto>();
            }
@@ -45,13 +57,16 @@ public class ClubService
            var connectionString = _context.Database.GetConnectionString();
            foreach (var tenantId in tenantIds)
            {
                try
                {
                    await using var connection = new NpgsqlConnection(connectionString);
                    await connection.OpenAsync();
                    await using var transaction = await connection.BeginTransactionAsync();
-            // Set RLS context
+                    // Set RLS context - tenantId is already validated as a valid GUID
                    // Use direct string since SET LOCAL doesn't support parameters
                    using (var command = connection.CreateCommand())
                    {
                        command.Transaction = transaction;
@@ -120,11 +135,27 @@ public class ClubService
                    await transaction.CommitAsync();
                }
                catch (Exception ex)
                {
                    _logger.LogError(ex, "GetMyClubsAsync: Error processing tenant {TenantId}", tenantId);
                    // Continue with next tenant instead of failing entirely
                }
            }
            _logger.LogInformation("GetMyClubsAsync: Returning {Count} clubs", clubDtos.Count);
            return clubDtos;
        }
        catch (Exception ex)
        {
            _logger.LogError(ex, "GetMyClubsAsync: Unexpected error getting user clubs");
            // Return empty list instead of throwing to prevent 500 error
            return new List<ClubListDto>();
        }
    }
    public async Task<ClubDetailDto?> GetCurrentClubAsync()
    {
        try
        {
            var tenantId = _tenantProvider.GetTenantId();
@@ -143,4 +174,10 @@ public class ClubService
                club.UpdatedAt
            );
        }
        catch (Exception ex)
        {
            _logger.LogError(ex, "GetCurrentClubAsync: Error getting current club");
            return null;
        }
    }
 }
@@ -9,7 +9,7 @@
    "DefaultConnection": "Host=localhost;Port=5432;Database=workclub;Username=app;Password=apppass"
  },
  "Keycloak": {
-    "Authority": "http://localhost:8080/realms/workclub",
+    "Authority": "http://localhost:30808/realms/workclub",
    "Audience": "workclub-api"
  }
 }
@@ -39,7 +39,7 @@ services:
      KC_DB_PASSWORD: keycloakpass
      KC_HEALTH_ENABLED: "true"
      KC_LOG_LEVEL: INFO
-      KC_HOSTNAME: "http://localhost:8080"
+      KC_HOSTNAME: "http://localhost:30808"
      KC_HOSTNAME_STRICT: "false"
      KC_PROXY: "edge"
      KC_HTTP_PORT: "8081"
@@ -47,7 +47,7 @@ services:
      KC_HOSTNAME_ADMIN: "http://keycloak:8081"
      KC_SPI_HOSTNAME_DEFAULT_ADMIN: "keycloak:8081"
    ports:
-      - "8080:8081"
+      - "30808:8081"
    volumes:
      - ./infra/keycloak:/opt/keycloak/data/import
    depends_on:
@@ -71,7 +71,7 @@ services:
      Keycloak__Audience: "workclub-api"
      Keycloak__TokenValidationParameters__ValidateIssuer: "false"
    ports:
-      - "5001:8080"
+      - "30501:8080"
    extra_hosts:
      - "localhost:172.18.0.1"
      - "127.0.0.1:172.18.0.1"
@@ -93,18 +93,18 @@ services:
    extra_hosts:
      - "localhost:host-gateway"
    environment:
-      NEXT_PUBLIC_API_URL: "http://localhost:5001"
+      NEXT_PUBLIC_API_URL: "http://localhost:30501"
      API_INTERNAL_URL: "http://dotnet-api:8080"
      NEXTAUTH_SECRET: "dev-secret-change-in-production-use-openssl-rand-base64-32"
      AUTH_SECRET: "dev-secret-change-in-production-use-openssl-rand-base64-32"
      AUTH_TRUST_HOST: "true"
      KEYCLOAK_CLIENT_ID: "workclub-app"
      KEYCLOAK_CLIENT_SECRET: "dev-secret-workclub-api-change-in-production"
-      KEYCLOAK_ISSUER: "http://localhost:8080/realms/workclub"
+      KEYCLOAK_ISSUER: "http://localhost:30808/realms/workclub"
      KEYCLOAK_ISSUER_INTERNAL: "http://keycloak:8081/realms/workclub"
-      NEXT_PUBLIC_KEYCLOAK_ISSUER: "http://localhost:8080/realms/workclub"
+      NEXT_PUBLIC_KEYCLOAK_ISSUER: "http://localhost:30808/realms/workclub"
    ports:
-      - "3000:3000"
+      - "30080:3000"
    volumes:
      - ./frontend:/app:cached
      - /app/node_modules
@@ -16,6 +16,8 @@ COPY . .
 # Set environment for build to ensure server binds to all interfaces
 ENV HOSTNAME="0.0.0.0"
 ENV PORT="3000"
 # Set API_INTERNAL_URL for build-time Next.js rewrites evaluation
 ENV API_INTERNAL_URL="http://workclub-api:8080"
 RUN bun run build
 # Stage 3: Runtime
@@ -48,7 +48,7 @@ function LoginContent() {
  };
  const handleSwitchAccount = () => {
-    const keycloakLogoutUrl = `${process.env.NEXT_PUBLIC_KEYCLOAK_ISSUER || 'http://localhost:8080/realms/workclub'}/protocol/openid-connect/logout?redirect_uri=${encodeURIComponent(window.location.origin + '/login')}`;
+    const keycloakLogoutUrl = `${process.env.NEXT_PUBLIC_KEYCLOAK_ISSUER || 'http://localhost:30808/realms/workclub'}/protocol/openid-connect/logout?redirect_uri=${encodeURIComponent(window.location.origin + '/login')}`;
    signOut({ redirect: false }).then(() => {
      window.location.href = keycloakLogoutUrl;
    });
@@ -24,10 +24,10 @@ declare module "next-auth" {
 // In Docker, the Next.js server reaches Keycloak via internal hostname
 // (keycloak:8080) but the browser uses localhost:8080. Explicit endpoint
 // URLs bypass OIDC discovery, avoiding issuer mismatch validation errors.
-const issuerPublic = process.env.KEYCLOAK_ISSUER || 'http://localhost:8080/realms/workclub'
+const issuerPublic = process.env.KEYCLOAK_ISSUER || 'http://localhost:30808/realms/workclub'
 const issuerInternal = process.env.KEYCLOAK_ISSUER_INTERNAL || issuerPublic
 const oidcPublic = `${issuerPublic}/protocol/openid-connect`
-const oidcInternal = `${issuerInternal.replace(':8080', ':8081')}/protocol/openid-connect`
+const oidcInternal = `${issuerInternal}/protocol/openid-connect`
 export const { handlers, signIn, signOut, auth } = NextAuth({
  providers: [
@@ -71,14 +71,21 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
        // Add clubs claim from Keycloak access token
        token.clubs = (account as { clubs?: Record<string, string> }).clubs || {}
        token.accessToken = account.access_token
      }
      // Always check admin status from the access token if available
      if (token.accessToken) {
        try {
          const payload = JSON.parse(Buffer.from((token.accessToken as string).split('.')[1], 'base64').toString());
          const roles = (payload.realm_access?.roles as string[]) || [];
          token.isAdmin = roles.includes('admin');
-        } catch {
+          console.log('[Auth Debug] Checking admin status:', { roles, isAdmin: token.isAdmin });
        } catch (e) {
          console.error('[Auth Debug] Failed to check admin status:', e);
          token.isAdmin = false;
        }
      } else {
        console.log('[Auth Debug] No access token available');
      }
      return token
    },
@@ -89,6 +96,12 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
        session.user.isAdmin = token.isAdmin as boolean | undefined
      }
      session.accessToken = token.accessToken as string | undefined
      // Log session data for debugging
      console.log('[Session Debug] Session user:', session.user);
      console.log('[Session Debug] Token isAdmin:', token.isAdmin);
      console.log('[Session Debug] Session isAdmin:', session.user?.isAdmin);
      return session
    }
  }
@@ -60,6 +60,13 @@ export function AuthGuard({ children }: { children: ReactNode }) {
  }
  const isAdmin = data?.user?.isAdmin;
  // Debug: Log auth state
  console.log('[AuthGuard Debug] status:', status);
  console.log('[AuthGuard Debug] isAdmin:', isAdmin);
  console.log('[AuthGuard Debug] data?.user:', data?.user);
  console.log('[AuthGuard Debug] clubs.length:', clubs.length);
  if (clubs.length === 0 && status === 'authenticated' && !isAdmin) {
    const handleSwitchAccount = () => {
      const keycloakLogoutUrl = `${process.env.NEXT_PUBLIC_KEYCLOAK_ISSUER || 'http://localhost:8080/realms/workclub'}/protocol/openid-connect/logout?redirect_uri=${encodeURIComponent(window.location.origin + '/login')}`;
@@ -11,7 +11,7 @@ spec:
    app: workclub-api
  ports:
    - name: http
-    port: 80
+      port: 8080
      targetPort: 8080
-    nodePort: 30081
+      nodePort: 30501
      protocol: TCP
@@ -6,10 +6,10 @@ metadata:
    app: workclub
 data:
  log-level: "Information"
-  cors-origins: "http://localhost:3000,http://192.168.240.200:30080"
+  cors-origins: "http://localhost:30080,http://192.168.240.200:30080,http://192.168.240.200:30808"
-  api-base-url: "http://192.168.240.200:30081"
+  api-base-url: "http://192.168.240.200:30501"
-  keycloak-url: "http://192.168.240.200:30082"
+  keycloak-url: "http://192.168.240.200:30808"
-  keycloak-authority: "http://192.168.240.200:30082/realms/workclub"
+  keycloak-authority: "http://192.168.240.200:30808/realms/workclub"
  keycloak-audience: "workclub-api"
  keycloak-realm: "workclub"
@@ -40,7 +40,6 @@ spec:
          periodSeconds: 15
          timeoutSeconds: 5
          failureThreshold: 3
        resources:
          requests:
            cpu: 100m
@@ -48,10 +47,11 @@ spec:
          limits:
            cpu: 500m
            memory: 512Mi
        env:
        - name: NODE_ENV
          value: "production"
        - name: API_INTERNAL_URL
          value: "http://workclub-api:8080"
        - name: NEXT_PUBLIC_API_URL
          valueFrom:
            configMapKeyRef:
@@ -89,4 +89,4 @@ spec:
              name: workclub-config
              key: keycloak-authority
        - name: KEYCLOAK_ISSUER_INTERNAL
-          value: "http://workclub-keycloak/realms/workclub"
+          value: "http://workclub-keycloak:8080/realms/workclub"
@@ -0,0 +1,92 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: workclub-frontend
  labels:
    app: workclub-frontend
    component: frontend
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: workclub-frontend
  template:
    metadata:
      labels:
        app: workclub-frontend
        component: frontend
    spec:
      containers:
      - name: frontend
        image: 192.168.241.13:8080/workclub-frontend:latest
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 3000
          protocol: TCP
        readinessProbe:
          httpGet:
            path: /api/health
            port: http
          initialDelaySeconds: 5
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 2
        livenessProbe:
          httpGet:
            path: /api/health
            port: http
          initialDelaySeconds: 10
          periodSeconds: 15
          timeoutSeconds: 5
          failureThreshold: 3
        resources:
          requests:
            cpu: 100m
            memory: 256Mi
          limits:
            cpu: 500m
            memory: 512Mi
        env:
        - name: NODE_ENV
          value: "production"
        - name: NEXT_PUBLIC_API_URL
          valueFrom:
            configMapKeyRef:
              name: workclub-config
              key: api-base-url
        - name: NEXT_PUBLIC_KEYCLOAK_URL
          valueFrom:
            configMapKeyRef:
              name: workclub-config
              key: keycloak-url
        - name: NEXT_PUBLIC_KEYCLOAK_ISSUER
          valueFrom:
            configMapKeyRef:
              name: workclub-config
              key: keycloak-authority
  - name: NEXTAUTH_URL
    value: "http://192.168.240.200:3000"
        - name: AUTH_TRUST_HOST
          value: "true"
        - name: NEXTAUTH_SECRET
          valueFrom:
            secretKeyRef:
              name: workclub-secrets
              key: nextauth-secret
        - name: KEYCLOAK_CLIENT_ID
          value: "workclub-app"
        - name: KEYCLOAK_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: workclub-secrets
              key: keycloak-client-secret
        - name: KEYCLOAK_ISSUER
          valueFrom:
            configMapKeyRef:
              name: workclub-config
              key: keycloak-authority
        - name: KEYCLOAK_ISSUER_INTERNAL
          value: "http://workclub-keycloak/realms/workclub"
@@ -11,7 +11,7 @@ spec:
    app: workclub-frontend
  ports:
    - name: http
-    port: 80
+      port: 3000
      targetPort: 3000
      nodePort: 30080
      protocol: TCP
@@ -26,6 +26,7 @@ spec:
        args:
        - start-dev
        - --import-realm
        - --import-realm-overwrite
        ports:
        - name: http
          containerPort: 8080
@@ -69,14 +69,14 @@ data:
          "protocol": "openid-connect",
          "publicClient": true,
    "redirectUris": [
-            "http://localhost:3000/*",
+      "http://localhost:30080/*",
-            "http://localhost:3001/*",
+      "http://localhost:30081/*",
      "http://workclub-frontend/*",
      "http://192.168.240.200:30080/*"
    ],
    "webOrigins": [
-            "http://localhost:3000",
+      "http://localhost:30080",
-            "http://localhost:3001",
+      "http://localhost:30081",
      "http://workclub-frontend",
      "http://192.168.240.200:30080"
    ],
@@ -152,7 +152,7 @@ data:
          ],
      "attributes": {
        "clubs": [
-              "64e05b5e-ef45-81d7-f2e8-3d14bd197383,Admin,3b4afcfa-1352-8fc7-b497-8ab52a0d5fda,Member"
+          "64e05b5e-ef45-81d7-f2e8-3d14bd197383,3b4afcfa-1352-8fc7-b497-8ab52a0d5fda"
        ]
      }
        },
@@ -174,7 +174,7 @@ data:
          ],
      "attributes": {
        "clubs": [
-              "64e05b5e-ef45-81d7-f2e8-3d14bd197383,Manager"
+          "64e05b5e-ef45-81d7-f2e8-3d14bd197383"
        ]
      }
        },
@@ -196,7 +196,7 @@ data:
          ],
      "attributes": {
        "clubs": [
-              "64e05b5e-ef45-81d7-f2e8-3d14bd197383,Member,3b4afcfa-1352-8fc7-b497-8ab52a0d5fda,Member"
+          "64e05b5e-ef45-81d7-f2e8-3d14bd197383,3b4afcfa-1352-8fc7-b497-8ab52a0d5fda"
        ]
      }
        },
@@ -218,7 +218,7 @@ data:
          ],
      "attributes": {
        "clubs": [
-              "64e05b5e-ef45-81d7-f2e8-3d14bd197383,Member"
+          "64e05b5e-ef45-81d7-f2e8-3d14bd197383"
        ]
      }
        },
@@ -240,7 +240,7 @@ data:
          ],
      "attributes": {
        "clubs": [
-              "64e05b5e-ef45-81d7-f2e8-3d14bd197383,Viewer"
+          "64e05b5e-ef45-81d7-f2e8-3d14bd197383"
        ]
      }
        }
@@ -11,7 +11,7 @@ spec:
    app: workclub-keycloak
  ports:
    - name: http
-    port: 80
+      port: 8080
      targetPort: 8080
-    nodePort: 30082
+      nodePort: 30808
      protocol: TCP
@@ -86,14 +86,14 @@
      "authorizationServicesEnabled": false,
      "protocol": "openid-connect",
      "redirectUris": [
-        "http://localhost:3000/*"
+        "http://localhost:30080/*"
      ],
      "webOrigins": [
-        "http://localhost:3000"
+        "http://localhost:30080"
      ],
      "attributes": {
        "pkce.code.challenge.method": "S256",
-        "post.logout.redirect.uris": "http://localhost:3000/*",
+        "post.logout.redirect.uris": "http://localhost:30080/*",
        "access.token.lifespan": "3600"
      },
      "protocolMappers": [
@@ -162,7 +162,9 @@
      "firstName": "Admin",
      "lastName": "User",
      "attributes": {
-        "clubs": []
+        "clubs": [
          "64e05b5e-ef45-81d7-f2e8-3d14bd197383,3b4afcfa-1352-8fc7-b497-8ab52a0d5fda"
        ]
      },
      "credentials": [
        {
Author	SHA1	Message	Date
WorkClub Automation	ad8bb2d320	Fix: Remove port 8081 hardcoding in OIDC internal URLs CI Pipeline / Backend Build & Test (push) Successful in 53s Details CI Pipeline / Frontend Lint, Test & Build (push) Successful in 36s Details CI Pipeline / Infrastructure Validation (push) Successful in 3s Details The auth.ts was hardcoding port 8081 for internal Keycloak communication but the Kubernetes Keycloak service uses port 8080, causing auth failures Changed: oidcInternal no longer replaces 8080 with 8081	2026-03-21 21:52:03 +01:00
WorkClub Automation	b10c57bdb8	Fix: Admin club management 500 error - JWT clubs claim format CI Pipeline / Backend Build & Test (push) Successful in 53s Details CI Pipeline / Frontend Lint, Test & Build (push) Successful in 33s Details CI Pipeline / Infrastructure Validation (push) Successful in 4s Details - Fix clubs attribute in Keycloak to contain only UUIDs (removed role names) - Add defensive error handling in ClubService.GetMyClubsAsync() - Add logging for debugging club retrieval issues - Return empty list instead of 500 error on failures Fixes: Admin users can now manage clubs without contact admin error	2026-03-21 20:27:38 +01:00
WorkClub Automation	9304db2391	Fix: Add API_INTERNAL_URL to Dockerfile build stage CI Pipeline / Backend Build & Test (push) Successful in 59s Details CI Pipeline / Frontend Lint, Test & Build (push) Successful in 30s Details CI Pipeline / Infrastructure Validation (push) Successful in 3s Details Next.js rewrites are evaluated at build time, not runtime. The API_INTERNAL_URL was set in K8s deployment but not during the Docker build, causing fallback to localhost:5001. - Added ENV API_INTERNAL_URL=http://workclub-api:8080 - This ensures Next.js rewrites point to internal K8s service	2026-03-21 14:13:37 +01:00
WorkClub Automation	27f1ad5780	Add debug logging to auth-guard to trace isAdmin issue CI Pipeline / Backend Build & Test (push) Successful in 1m5s Details CI Pipeline / Frontend Lint, Test & Build (push) Successful in 36s Details CI Pipeline / Infrastructure Validation (push) Successful in 3s Details	2026-03-21 13:57:27 +01:00
WorkClub Automation	4e52544c79	Add API_INTERNAL_URL to frontend deployment for K8s CI Pipeline / Backend Build & Test (push) Successful in 1m3s Details CI Pipeline / Frontend Lint, Test & Build (push) Successful in 34s Details CI Pipeline / Infrastructure Validation (push) Successful in 3s Details The Next.js rewrites were falling back to localhost:5001 because API_INTERNAL_URL was not set. This caused API proxy errors. - Added API_INTERNAL_URL=http://workclub-api:8080 - This allows Next.js to proxy /api/* calls to the internal backend service	2026-03-21 13:46:35 +01:00
WorkClub Automation	e6e1112060	Add debug logging for admin status detection CI Pipeline / Backend Build & Test (push) Successful in 1m1s Details CI Pipeline / Frontend Lint, Test & Build (push) Successful in 37s Details CI Pipeline / Infrastructure Validation (push) Successful in 3s Details	2026-03-21 13:32:53 +01:00
WorkClub Automation	b5dd24b4c9	Fix: Always check admin status from access token in JWT callback CI Pipeline / Backend Build & Test (push) Successful in 1m3s Details CI Pipeline / Frontend Lint, Test & Build (push) Successful in 29s Details CI Pipeline / Infrastructure Validation (push) Successful in 3s Details The jwt callback was only checking isAdmin during initial login when account was present, but not on subsequent session refreshes. This caused the admin status to be lost after the initial login. - Moved admin status check outside of the 'if (account)' block - Now checks isAdmin on every JWT callback when accessToken is available	2026-03-21 13:11:01 +01:00
WorkClub Automation	f8d698ba42	Fix KEYCLOAK_ISSUER_INTERNAL to include port 8080 CI Pipeline / Backend Build & Test (push) Successful in 50s Details CI Pipeline / Frontend Lint, Test & Build (push) Successful in 34s Details CI Pipeline / Infrastructure Validation (push) Successful in 4s Details The internal Keycloak URL was missing the port number, causing the OIDC token exchange to fail. The code tries to replace :8080 with :8081 but the port was missing entirely. - Changed from: http://workclub-keycloak/realms/workclub - Changed to: http://workclub-keycloak:8080/realms/workclub	2026-03-21 09:30:13 +01:00
WorkClub Automation	86c7b0d46d	Fix Keycloak URL in K8s ConfigMap to use correct NodePort 30808 CI Pipeline / Backend Build & Test (push) Successful in 57s Details CI Pipeline / Frontend Lint, Test & Build (push) Successful in 34s Details CI Pipeline / Infrastructure Validation (push) Successful in 4s Details - Changed api-base-url from :5001 to :30501 - Changed keycloak-url from :8080 to :30808 - Changed keycloak-authority from :8080 to :30808 The frontend was trying to connect to port 8080 which is not exposed externally. Keycloak is accessible via NodePort 30808.	2026-03-21 08:27:05 +01:00
WorkClub Automation	fd2931e59c	Fix Kubernetes NodePort range (30000-32767) CI Pipeline / Backend Build & Test (push) Successful in 1m6s Details CI Pipeline / Frontend Lint, Test & Build (push) Successful in 32s Details CI Pipeline / Infrastructure Validation (push) Successful in 4s Details - Frontend: nodePort 3000 → 30080 - Backend: nodePort 5001 → 30501, service port 5001 → 8080 - Keycloak: nodePort 8080 → 30808 Kubernetes requires NodePort to be in range 30000-32767. The service port (internal) and targetPort (container) remain unchanged for compatibility with existing configurations.	2026-03-20 22:50:51 +01:00
WorkClub Automation	a5ebecc8b5	Remove localhost:3000 from Keycloak redirect URIs and web origins CI Pipeline / Backend Build & Test (push) Successful in 50s Details CI Pipeline / Frontend Lint, Test & Build (push) Successful in 32s Details CI Pipeline / Infrastructure Validation (push) Successful in 4s Details - Removed localhost:3000/* from redirectUris in realm-export.json - Removed localhost:3000 from webOrigins in realm-export.json - Removed localhost:3000/* from post.logout.redirect.uris - Removed localhost:3000 from keycloak-realm-import-configmap.yaml - Updated running Keycloak instance via kcadm.sh Only port 30080 is now configured for OAuth redirects.	2026-03-20 22:39:15 +01:00
WorkClub Automation	956c3ead0c	Fix YAML syntax error in frontend-deployment.yaml CI Pipeline / Backend Build & Test (push) Successful in 52s Details CI Pipeline / Frontend Lint, Test & Build (push) Successful in 34s Details CI Pipeline / Infrastructure Validation (push) Successful in 3s Details The file had malformed YAML with incorrect indentation on line 70, causing validation to fail. Rewrote the file with correct indentation.	2026-03-20 20:50:14 +01:00
WorkClub Automation	0100def25a	Align Kubernetes ports with Docker Compose configuration CI Pipeline / Backend Build & Test (push) Successful in 58s Details CI Pipeline / Frontend Lint, Test & Build (push) Successful in 43s Details CI Pipeline / Infrastructure Validation (push) Failing after 4s Details - Frontend: Changed NodePort from 30080 to 3000 (matches Docker port) - Backend: Changed NodePort from 30081 to 5001 (matches Docker port) - Keycloak: Changed NodePort from 30082 to 8080 (matches Docker port) - Updated ConfigMap URLs to use new ports - Updated NEXTAUTH_URL to use port 3000 This ensures Kubernetes deployment uses the same ports as Docker Compose for consistency across environments.	2026-03-20 20:40:22 +01:00