fix(mcp): preserve JWT issuer URL for token validation

Do not transform server.Issuer to internal FQDN. The issuer must match
the JWT iss claim, which uses the external hostname (OBOT_SERVER_HOSTNAME).
The issuer URL is only used for string comparison during JWT validation,
not for network communication.

Without this fix, MCP server pods reject valid JWT tokens with error:
'token has invalid claims: token has invalid issuer'

Author: johannhartmann

pkg/mcp/kubernetes.go

@@ -98,7 +98,9 @@ func (k *kubernetesBackend) ensureServerDeployment(ctx context.Context, server S
 	// Transform URLs to use internal service FQDN (for cluster-internal communication)
 	server.TokenExchangeEndpoint = k.replaceHostWithServiceFQDN(server.TokenExchangeEndpoint)
 	server.AuditLogEndpoint = k.replaceHostWithServiceFQDN(server.AuditLogEndpoint)
-	server.Issuer = k.replaceHostWithServiceFQDN(server.Issuer)
+	// NOTE: Do NOT transform server.Issuer - it must match the JWT issuer claim,
+	// which uses the external hostname (OBOT_SERVER_HOSTNAME). The issuer is only
+	// used for string comparison during JWT validation, not for network calls.
 
 	// Transform audiences to use internal service FQDN
 	for i, audience := range server.Audiences {