Helm chart `spring.oauthClientSecret` value can be misleading and dangerous
Currently the Openslice chart in kubernetes/helm/openslice defines a value `spring.oauthClientSecret` (the definition is shown below; link to the referenced code):

```yaml
spring:
  oauthClientSecret: secret
```
A regular user who does not check the chart internals probably assumes that this value is required when using a confidential OAuth client, and sets it. However, the value is only used in the `springdoc.oauth.clientsecret` property (example below taken from the osscapi template; link to the referenced code):

```json
"springdoc.oauth.clientsecret" : "{{ .Values.spring.oauthClientSecret }}",
```
This property is supposed to set the OAuth credentials shown in the Swagger UI of the API. This means that setting the value would not make confidential OAuth clients work, and it would also leak the client secret through the API documentation.
However, the property name is wrong and should instead be `springdoc.swagger-ui.oauth.clientSecret` (ref). As it is now, the property does nothing, so the secret does not leak.
I think the value should be removed, as currently it does nothing, and if it did what it was supposed to, it would be a footgun for users of the Helm chart.
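As an added illustration (not part of the issue or the Openslice project), the following check runs over rendered Spring properties and separates the two situations described above: a misspelled `springdoc.oauth.*` key that springdoc never reads (dead config, no leak) versus a secret placed under the real `springdoc.swagger-ui.oauth.` prefix, which Swagger UI serves to the browser. The sample property maps and the secret value are constructed for the example.

```python
"""Audit rendered Spring/springdoc properties for a client secret that would
be served to browsers via Swagger UI, or that sits under a key springdoc ignores."""
import re

# springdoc reads Swagger UI OAuth settings from this prefix; anything secret
# placed here ends up in the browser-visible API documentation.
SWAGGER_OAUTH_PREFIX = "springdoc.swagger-ui.oauth."
# "springdoc.oauth.*" is not a namespace springdoc reads (assumption for this
# check, matching the issue); such keys are dead configuration.
DEAD_SPRINGDOC_KEY = re.compile(r"^springdoc\.oauth\.", re.IGNORECASE)
SECRET_KEY = re.compile(r"client[-_.]?secret$", re.IGNORECASE)


def audit_springdoc_config(props):
    """Return {'exposed': [...], 'dead': [...]} for a flat dict of properties."""
    findings = {"exposed": [], "dead": []}
    for key, value in props.items():
        if DEAD_SPRINGDOC_KEY.match(key):
            findings["dead"].append(key)
        elif key.startswith(SWAGGER_OAUTH_PREFIX) and SECRET_KEY.search(key) and value:
            # Only a non-empty secret under the real prefix is a leak.
            findings["exposed"].append(key)
    return findings


# Constructed sample: what the chart renders today (misspelled key).
CHART_AS_REPORTED = {
    "springdoc.oauth.clientsecret": "CONSTRUCTED_SECRET",
    "springdoc.swagger-ui.oauth.clientId": "osapiWebClientId",
}

# Constructed sample: what would render if only the key name were corrected
# but the value were still fed from the Helm chart.
CHART_IF_KEY_FIXED = {
    "springdoc.swagger-ui.oauth.clientId": "osapiWebClientId",
    "springdoc.swagger-ui.oauth.clientSecret": "CONSTRUCTED_SECRET",
}

if __name__ == "__main__":
    print("as reported:", audit_springdoc_config(CHART_AS_REPORTED))
    print("key fixed:  ", audit_springdoc_config(CHART_IF_KEY_FIXED))
```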