💡 Codex Review
Here are some automated review suggestions for this pull request.
| oidcParameters := map[string]interface{}{} | ||
| for _, oidcProperty := range OidcProperties { | ||
| if val, exists := propertiesMap[string(oidcProperty)]; exists { | ||
| oidcParameters[string(oidcProperty)] = val | ||
| } else { |
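Review bot: the `if val, exists := propertiesMap[string(oidcProperty)]; exists` branch only tests that the key is present, so an empty or wrong-typed value is copied into `oidcParameters` as if it were valid. Suggest checking the value itself (non-empty, expected type) before the assignment, or adding a comment that says where that validation happens. Minor style point: `string(oidcProperty)` is converted twice per iteration; a local variable would read more clearly.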
Avoid copying client OIDC creds into service config
The service repo config now iterates over OidcProperties (which includes client_secret, username, password), so those client-only credentials are embedded into the service feature_store.yaml that gets injected into server pods (via TMP_FEATURE_STORE_YAML in the operator). This unnecessarily broadens exposure of end-user credentials and allows any server container/process to read them, even though the server side only needs client_id and auth_discovery_url (per the OIDC server config). Consider keeping the service config limited to OidcServerProperties so client credentials stay out of server pod env/config.
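A sketch of the split the review comment above asks for, added here as an illustration and not taken from the pull request or the project: the service config is built from a server-only allowlist, and a second function flags client-only credentials in a rendered config. The names `serverOidcKeys`, `clientOnlyOidcKeys`, `ServiceOidcParams` and `LeakedClientKeys` are hypothetical, and the `map[string]string` input type is an assumption.

```go
package main

import "fmt"

// Hypothetical key sets, following the split the review comment describes:
// the server needs client_id and auth_discovery_url; client_secret, username
// and password are client-only credentials.
var serverOidcKeys = []string{"client_id", "auth_discovery_url"}
var clientOnlyOidcKeys = []string{"client_secret", "username", "password"}

// ServiceOidcParams copies only the server-side keys into the map destined
// for the service config, and reports every server key missing or empty.
func ServiceOidcParams(props map[string]string) (map[string]interface{}, error) {
	out := map[string]interface{}{}
	var missing []string
	for _, k := range serverOidcKeys {
		if v, ok := props[k]; ok && v != "" {
			out[k] = v
		} else {
			missing = append(missing, k)
		}
	}
	if len(missing) > 0 {
		return nil, fmt.Errorf("missing OIDC server properties: %v", missing)
	}
	return out, nil
}

// LeakedClientKeys reports client-only credential keys present in a
// rendered service config; usable as a regression check in unit tests.
func LeakedClientKeys(cfg map[string]interface{}) []string {
	var leaked []string
	for _, k := range clientOnlyOidcKeys {
		if _, ok := cfg[k]; ok {
			leaked = append(leaked, k)
		}
	}
	return leaked
}

func main() {
	// Constructed sample values, not taken from the pull request.
	props := map[string]string{
		"client_id": "example-client", "auth_discovery_url": "https://idp.example/.well-known/openid-configuration",
		"client_secret": "s3cr3t", "username": "alice", "password": "hunter2",
	}
	cfg, err := ServiceOidcParams(props)
	fmt.Println(cfg, err, LeakedClientKeys(cfg))
}
```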