docs(auth): SecurityPolicy issuer stays in-cluster — investigation result for #112, with tests

[tylerpotts]

Summary

Answers the investigation in #112: SecurityPolicy.spec.oidc.provider.issuer should NOT track KEYCLOAK_EXTERNAL_URL. The in-cluster issuer is correct and the iss-claim mismatch with Keycloak frontendUrl deployments is harmless by construction. This PR records that decision in code comments and docs, and adds tests locking in the invariant that makes it safe.

Investigation findings (verified against Envoy Gateway v1.6.3 and Envoy source)

1. Envoy Gateway uses the issuer only at control-plane time, to fetch /.well-known/openid-configuration — and only when authorizationEndpoint or tokenEndpoint is not explicitly set (internal/gatewayapi/securitypolicy.go, buildOIDCProvider). When KEYCLOAK_EXTERNAL_URL is configured the operator sets both, so EG never contacts the issuer and the IR passed to the data plane does not carry it.
2. The Envoy oauth2 filter never validates iss. Its config proto (api/envoy/extensions/filters/http/oauth2/v3/oauth.proto) has no issuer field at all; the filter's only JWT decode is an unverified exp read for cookie lifetimes (source/extensions/filters/http/oauth2/filter.cc). This holds through Envoy 1.39-dev.
3. EG does not enforce the OIDC Discovery issuer-match rule (OpenID Connect Discovery 1.0 §4.3): it unmarshals only the endpoint fields from the discovery document and ignores issuer. So even the discovery fallback path works when Keycloak returns a public issuer on the internal endpoint.
4. Consumers that DO strictly enforce iss — spec.jwt providers (Envoy jwt_authn), e.g. the one the LLM serving pack's operator generates — already receive the public issuer via the client Secret's issuer-url key, populated from GetExternalIssuerURL(). That key is empty when KEYCLOAK_EXTERNAL_URL is unset, so strict-iss consumers require it to be set.
5. Flipping the issuer to the external URL would be a pure regression: no data-plane effect, but the discovery fallback would then be fetched from the envoy-gateway controller pod against the public URL — reintroducing the public TLS-chain trust and hairpin-routing problems that fix(auth/keycloak): use external Keycloak URL for browser-facing OIDC endpoints #111 deliberately avoided for the token endpoint.

Changes

• GetIssuerURL / GetEndpointOverrides doc comments record the verified semantics and the both-endpoints-set invariant.
• TestKeycloakProvider_GetIssuerURL: new case asserting the issuer stays in-cluster when ExternalURL is set.
• TestBuildSecurityPolicySpec_KeycloakIssuerAndEndpointSplit: reconciler-level test through buildSecurityPolicySpec with the real KeycloakProvider — issuer and token endpoint on the in-cluster host, authorization/end-session on the external URL, plus the no-ExternalURL fallback. This is the reconciler-level endpoint-split test requested in Add reconciler test asserting SecurityPolicy.spec.oidc.provider has Token on in-cluster URL and Authorization on public URL #113.
• docs/reconcilers/authentication.md: new Issuer Semantics (Keycloak) section.

Closes #112
Closes #113

Test plan

• go test ./internal/controller/reconcilers/auth/... passes; new tests verified to execute (-v -run)
• golangci-lint run — 0 issues
• go test ./... — no regressions vs main (pre-existing TestControllers HTTPRoute scheme failure reproduced on main, unrelated)

[github-actions]

Docker Images Built

Images pushed to Quay.io for branch issue-112-issuer-semantics:

Image	Tag	Platforms
Operator	quay.io/nebari/nebari-operator:issue-112-issuer-semantics	linux/amd64 + linux/arm64

Test the operator:

kubectl apply -k https://github.com/nebari-dev/nebari-operator.git/config/default?ref=issue-112-issuer-semantics
kubectl set image deployment/nebari-operator-controller-manager manager=quay.io/nebari/nebari-operator:issue-112-issuer-semantics -n nebari-operator-system