From 551ea5e253564799eb6f9d7ad51c468176fd0afe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Capucho?=
Date: Mon, 4 Aug 2025 16:21:57 +0100
Subject: [PATCH 1/2] fix: Remove oauth client secret values

These values despite the name don't actually configure client secrets for use in openslice but instead the client secret displayed in the API documentation. So at best they are not useful and at worst a terrible footgun to leak client secrets.
---
 kubernetes/helm/openslice/templates/mcp-server.yaml | 2 --
 kubernetes/helm/openslice/templates/oasapi.yaml | 2 --
 kubernetes/helm/openslice/templates/osportalapi.yaml | 2 --
 kubernetes/helm/openslice/templates/osscapi.yaml | 2 --
 kubernetes/helm/openslice/values.yaml | 5 -----
 5 files changed, 13 deletions(-)

diff --git a/kubernetes/helm/openslice/templates/mcp-server.yaml b/kubernetes/helm/openslice/templates/mcp-server.yaml
index b5bb331..d834a8d 100644
--- a/kubernetes/helm/openslice/templates/mcp-server.yaml
+++ b/kubernetes/helm/openslice/templates/mcp-server.yaml
@@ -40,8 +40,6 @@ spec:
 "spring.security.oauth2.resourceserver.jwt.issuer-uri": "{{ .Values.rooturl }}/auth/realms/openslice",
 "springdoc.oAuthFlow.authorizationUrl": "{{ .Values.rooturl }}/auth/realms/openslice/protocol/openid-connect/auth",
 "springdoc.oAuthFlow.tokenUrl": "{{ .Values.rooturl }}/auth/realms/openslice/protocol/openid-connect/token",
- "springdoc.oauth.client-id": "osapiWebClientId",
- "springdoc.oauth.clientsecret": "{{ .Values.mcpserver.springdoc.clientSecret }}",
 "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false",
 "logging.level.org.springframework": "{{ .Values.mcpserver.spring.logLevel | default "INFO" }}"
 }
diff --git a/kubernetes/helm/openslice/templates/oasapi.yaml b/kubernetes/helm/openslice/templates/oasapi.yaml
index 3cb458c..871bf76 100644
--- a/kubernetes/helm/openslice/templates/oasapi.yaml
+++ b/kubernetes/helm/openslice/templates/oasapi.yaml
@@ -50,8 +50,6 @@ spec:
 "spring.security.oauth2.resourceserver.jwt.issuer-uri": "{{ .Values.rooturl }}/auth/realms/openslice",
 "springdoc.oAuthFlow.authorizationUrl": "{{ .Values.rooturl }}/auth/realms/openslice/protocol/openid-connect/auth",
 "springdoc.oAuthFlow.tokenUrl": "{{ .Values.rooturl }}/auth/realms/openslice/protocol/openid-connect/token",
- "springdoc.oauth.client-id" : "osapiWebClientId",
- "springdoc.oauth.clientsecret" : "{{ .Values.spring.oauthClientSecret }}",
 "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false",
 "logging.level.org.springframework" : "{{ .Values.oasapi.spring.logLevel | default "INFO" }}",
 "server.forward-headers-strategy":"FRAMEWORK"
diff --git a/kubernetes/helm/openslice/templates/osportalapi.yaml b/kubernetes/helm/openslice/templates/osportalapi.yaml
index afe161a..4a68160 100644
--- a/kubernetes/helm/openslice/templates/osportalapi.yaml
+++ b/kubernetes/helm/openslice/templates/osportalapi.yaml
@@ -51,8 +51,6 @@ spec:
 "spring.security.oauth2.resourceserver.jwt.issuer-uri": "{{ .Values.rooturl }}/auth/realms/openslice",
 "springdoc.oAuthFlow.authorizationUrl": "{{ .Values.rooturl }}/auth/realms/openslice/protocol/openid-connect/auth",
 "springdoc.oAuthFlow.tokenUrl": "{{ .Values.rooturl }}/auth/realms/openslice/protocol/openid-connect/token",
- "springdoc.oauth.client-id" : "osapiWebClientId",
- "springdoc.oauth.clientsecret" : "{{ .Values.spring.oauthClientSecret }}",
 "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false",
 "logging.level.org.springframework" : "{{ .Values.portalapi.spring.logLevel | default "INFO" }}",
 "logging.level.org.etsi.osl.portal.api": "{{ .Values.portalapi.logLevel | default "INFO" }}",
diff --git a/kubernetes/helm/openslice/templates/osscapi.yaml b/kubernetes/helm/openslice/templates/osscapi.yaml
index 2b3be8e..2a0b703 100644
--- a/kubernetes/helm/openslice/templates/osscapi.yaml +++ b/kubernetes/helm/openslice/templates/osscapi.yaml @@ -51,8 +51,6 @@ spec: "spring.security.oauth2.resourceserver.jwt.jwk-set-uri":"{{ .Values.rooturl }}/auth/realms/openslice/.well-known/openid-configuration", "springdoc.oAuthFlow.authorizationUrl":"{{ .Values.rooturl }}/auth/realms/openslice/protocol/openid-connect/auth", "springdoc.oAuthFlow.tokenUrl":"{{ .Values.rooturl }}/auth/realms/openslice/protocol/openid-connect/token", - "springdoc.oauth.client-id":"osapiWebClientId", - "springdoc.oauth.clientsecret" : "{{ .Values.spring.oauthClientSecret }}", "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false", "logging.level.org.springframework": "{{ .Values.osscapi.spring.logLevel | default "INFO" }}", "kroki.serverurl":"{{ .Values.rooturl }}/kroki", diff --git a/kubernetes/helm/openslice/values.yaml b/kubernetes/helm/openslice/values.yaml index 405de62..2155e86 100644 --- a/kubernetes/helm/openslice/values.yaml +++ b/kubernetes/helm/openslice/values.yaml @@ -119,9 +119,6 @@ oscreds: username: metricouser password: "12345" -spring: - oauthClientSecret: secret - mysql: storage: 10Gi @@ -165,8 +162,6 @@ osscapi: mcpserver: enabled: true - springdoc: - clientSecret: secret spring: logLevel: INFO -- GitLab From e62987433cdb5ba05bd5a6dd1992ea90d940ef65 Mon Sep 17 00:00:00 2001 From: Kostis Trantzas Date: Fri, 21 Nov 2025 15:20:04 +0000 Subject: [PATCH 2/2] Reverting the prepopulation of the oauth client id --- kubernetes/helm/openslice/templates/mcp-server.yaml | 3 ++- kubernetes/helm/openslice/templates/oasapi.yaml | 3 ++- kubernetes/helm/openslice/templates/osportalapi.yaml | 1 + kubernetes/helm/openslice/templates/osscapi.yaml | 1 + 4 files changed, 6 insertions(+), 2 deletions(-) diff --git a/kubernetes/helm/openslice/templates/mcp-server.yaml b/kubernetes/helm/openslice/templates/mcp-server.yaml index d834a8d..4b2e44a 100644 
--- a/kubernetes/helm/openslice/templates/mcp-server.yaml
+++ b/kubernetes/helm/openslice/templates/mcp-server.yaml
@@ -39,7 +39,8 @@ spec:
 "spring-addons.issuers[0].claims[1].jsonPath":"$.resource_access.*.roles",
 "spring.security.oauth2.resourceserver.jwt.issuer-uri": "{{ .Values.rooturl }}/auth/realms/openslice",
 "springdoc.oAuthFlow.authorizationUrl": "{{ .Values.rooturl }}/auth/realms/openslice/protocol/openid-connect/auth",
- "springdoc.oAuthFlow.tokenUrl": "{{ .Values.rooturl }}/auth/realms/openslice/protocol/openid-connect/token",
+ "springdoc.oAuthFlow.tokenUrl": "{{ .Values.rooturl }}/auth/realms/openslice/protocol/openid-connect/token",
+ "springdoc.oauth.client-id": "osapiWebClientId",
 "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false",
 "logging.level.org.springframework": "{{ .Values.mcpserver.spring.logLevel | default "INFO" }}"
 }
diff --git a/kubernetes/helm/openslice/templates/oasapi.yaml b/kubernetes/helm/openslice/templates/oasapi.yaml
index 871bf76..11d547c 100644
--- a/kubernetes/helm/openslice/templates/oasapi.yaml
+++ b/kubernetes/helm/openslice/templates/oasapi.yaml
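Review bot: The re-added `"springdoc.oauth.client-id": "osapiWebClientId",` is a hard-coded literal while every neighbouring setting in this block is templated from `.Values`, so a deployment whose Keycloak client is named differently has to patch the chart instead of overriding a value; the same applies to the oasapi, osportalapi and osscapi hunks of this patch. A templated form with the current literal as fallback keeps the default unchanged, e.g. `"springdoc.oauth.client-id": "{{ .Values.mcpserver.springdoc.clientId | default "osapiWebClientId" }}",` (with `clientId` as a new, optional key under `mcpserver.springdoc` in values.yaml, and a per-component equivalent for the other three). Separately, the `springdoc.oAuthFlow.tokenUrl` line here and in the oasapi hunk is removed and re-added with no visible textual difference, which looks like a whitespace-only edit; dropping that churn leaves a single-line insertion as in the osportalapi and osscapi hunks. The JSON-style configuration block this hunk edits begins before the hunk.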
@@ -49,7 +49,8 @@ spec:
 "spring-addons.issuers[0].claims[1].jsonPath":"$.resource_access.*.roles",
 "spring.security.oauth2.resourceserver.jwt.issuer-uri": "{{ .Values.rooturl }}/auth/realms/openslice",
 "springdoc.oAuthFlow.authorizationUrl": "{{ .Values.rooturl }}/auth/realms/openslice/protocol/openid-connect/auth",
- "springdoc.oAuthFlow.tokenUrl": "{{ .Values.rooturl }}/auth/realms/openslice/protocol/openid-connect/token",
+ "springdoc.oAuthFlow.tokenUrl": "{{ .Values.rooturl }}/auth/realms/openslice/protocol/openid-connect/token",
+ "springdoc.oauth.client-id": "osapiWebClientId",
 "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false",
 "logging.level.org.springframework" : "{{ .Values.oasapi.spring.logLevel | default "INFO" }}",
 "server.forward-headers-strategy":"FRAMEWORK"
diff --git a/kubernetes/helm/openslice/templates/osportalapi.yaml b/kubernetes/helm/openslice/templates/osportalapi.yaml
index 4a68160..7cae88e 100644
--- a/kubernetes/helm/openslice/templates/osportalapi.yaml
+++ b/kubernetes/helm/openslice/templates/osportalapi.yaml
@@ -51,6 +51,7 @@ spec:
 "spring.security.oauth2.resourceserver.jwt.issuer-uri": "{{ .Values.rooturl }}/auth/realms/openslice",
 "springdoc.oAuthFlow.authorizationUrl": "{{ .Values.rooturl }}/auth/realms/openslice/protocol/openid-connect/auth",
 "springdoc.oAuthFlow.tokenUrl": "{{ .Values.rooturl }}/auth/realms/openslice/protocol/openid-connect/token",
+ "springdoc.oauth.client-id": "osapiWebClientId",
 "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false",
 "logging.level.org.springframework" : "{{ .Values.portalapi.spring.logLevel | default "INFO" }}",
 "logging.level.org.etsi.osl.portal.api": "{{ .Values.portalapi.logLevel | default "INFO" }}",
diff --git a/kubernetes/helm/openslice/templates/osscapi.yaml b/kubernetes/helm/openslice/templates/osscapi.yaml
index 2a0b703..abfcbba 100644
--- a/kubernetes/helm/openslice/templates/osscapi.yaml
+++ b/kubernetes/helm/openslice/templates/osscapi.yaml
@@ -51,6 +51,7 @@ spec:
 "spring.security.oauth2.resourceserver.jwt.jwk-set-uri":"{{ .Values.rooturl }}/auth/realms/openslice/.well-known/openid-configuration",
 "springdoc.oAuthFlow.authorizationUrl":"{{ .Values.rooturl }}/auth/realms/openslice/protocol/openid-connect/auth",
 "springdoc.oAuthFlow.tokenUrl":"{{ .Values.rooturl }}/auth/realms/openslice/protocol/openid-connect/token",
+ "springdoc.oauth.client-id": "osapiWebClientId",
 "spring.activemq.brokerUrl": "tcp://{{ include "openslice.fullname" . }}-artemis:61616?jms.watchTopicAdvisories=false",
 "logging.level.org.springframework": "{{ .Values.osscapi.spring.logLevel | default "INFO" }}",
 "kroki.serverurl":"{{ .Values.rooturl }}/kroki",
-- 
GitLab
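Review bot: The first context line of this hunk sets `spring.security.oauth2.resourceserver.jwt.jwk-set-uri` to `/.well-known/openid-configuration`, which is the OpenID discovery document rather than a JWK Set, whereas the mcp-server, oasapi and osportalapi templates in this series use `issuer-uri` for the same setting; if that Spring property is what actually validates bearer tokens in osscapi, the decoder would fetch a document with no `keys` member. This is pre-existing and may be masked by a spring-addons issuer configuration like the one visible in the other templates, so it is a point to confirm rather than a blocker for this commit. Aligning with the other services would be `"spring.security.oauth2.resourceserver.jwt.issuer-uri": "{{ .Values.rooturl }}/auth/realms/openslice",`; alternatively keep `jwk-set-uri` but point it at the realm's JWKS endpoint. The configuration block this hunk edits begins before the hunk.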