From ffee18607dba86244f07169187eb247ddcfebd2d Mon Sep 17 00:00:00 2001 From: Jeferson Catarina Date: Thu, 2 Oct 2025 15:10:54 -0300 Subject: [PATCH] feat: let devs specify an existing secret --- .../jit-k8s-agent/templates/_job_helper.tpl | 5 ++- .../jit-k8s-agent/templates/_validation.tpl | 40 +++++++++++++++++++ charts/jit-k8s-agent/templates/secret.yaml | 5 ++- charts/jit-k8s-agent/values.schema.json | 16 +++++--- charts/jit-k8s-agent/values.yaml | 7 +++- 5 files changed, 63 insertions(+), 10 deletions(-) create mode 100644 charts/jit-k8s-agent/templates/_validation.tpl diff --git a/charts/jit-k8s-agent/templates/_job_helper.tpl b/charts/jit-k8s-agent/templates/_job_helper.tpl index 9ec1554..2cbc40f 100644 --- a/charts/jit-k8s-agent/templates/_job_helper.tpl +++ b/charts/jit-k8s-agent/templates/_job_helper.tpl @@ -1,4 +1,5 @@ {{- define "jit-job-spec" -}} +{{- $jitCredentialsSecret := .Values.jit.existingSecret | default (printf "%s-jit-credentials" .Chart.Name) -}} spec: serviceAccountName: {{ .Values.serviceAccount.name }} restartPolicy: OnFailure @@ -19,12 +20,12 @@ spec: - name: JIT_CLIENT_ID valueFrom: secretKeyRef: - name: {{ .Chart.Name }}-jit-credentials + name: {{ $jitCredentialsSecret }} key: JIT_CLIENT_ID - name: JIT_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ .Chart.Name }}-jit-credentials + name: {{ $jitCredentialsSecret }} key: JIT_CLIENT_SECRET - name: JIT_API_URL value: {{ .Values.jit.apiUrl }} diff --git a/charts/jit-k8s-agent/templates/_validation.tpl b/charts/jit-k8s-agent/templates/_validation.tpl new file mode 100644 index 0000000..cf2f488 --- /dev/null +++ b/charts/jit-k8s-agent/templates/_validation.tpl 
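Review bot: The key names the Job reads stay hard-coded as `JIT_CLIENT_ID` and `JIT_CLIENT_SECRET` in the two `secretKeyRef` entries of the second hunk, so an `existingSecret` that does not carry exactly those keys renders cleanly and only fails when the pod starts; nothing in the chart states that contract. Add a comment on the new assignment in the first hunk, e.g. `{{- /* existingSecret must contain the keys JIT_CLIENT_ID and JIT_CLIENT_SECRET; defaults to the chart-managed Secret */ -}}`, and consider `name: {{ $jitCredentialsSecret | quote }}` on both references so the rendered name is always emitted as a YAML string. The `jit-job-spec` define continues outside these hunks.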
@@ -0,0 +1,40 @@
+{{/*
+Validate required values and provide clear error messages
+*/}}
+{{- define "jit-k8s-agent.validateValues" -}}
+{{- $errors := list -}}
+
+{{- if not .Values.cluster.name -}}
+{{- $errors = append $errors "cluster.name is required and cannot be empty" -}}
+{{- end -}}
+
+{{- if .Values.jit -}}
+ {{- if and .Values.jit.clientId .Values.jit.clientSecret -}}
+ {{- if .Values.jit.existingSecret -}}
+{{- $errors = append $errors "Cannot specify both direct credentials (clientId/clientSecret) and existingSecret. Choose one authentication method." -}}
+ {{- end -}}
+ {{- else if .Values.jit.existingSecret -}}
+ {{- /* Valid: using existingSecret */ -}}
+ {{- else -}}
+{{- $errors = append $errors "Jit authentication requires either: 1) Both 'clientId' and 'clientSecret' for direct authentication, or 2) 'existingSecret' to reference an existing Kubernetes secret" -}}
+ {{- end -}}
+{{- else -}}
+{{- $errors = append $errors "Jit configuration is required. Please provide either clientId/clientSecret or existingSecret" -}}
+{{- end -}}
+
+{{- if $errors -}}
+{{- $errorMsg := printf "Configuration validation failed:\n" -}}
+{{- range $errors -}}
+{{- $errorMsg = printf "%s • %s\n" $errorMsg . -}}
+{{- end -}}
+{{- $errorMsg = printf "%s\nExample configurations:\n" $errorMsg -}}
+{{- $errorMsg = printf "%s # Option 1: Direct credentials\n" $errorMsg -}}
+{{- $errorMsg = printf "%s jit:\n" $errorMsg -}}
+{{- $errorMsg = printf "%s clientId: \"your-client-id\"\n" $errorMsg -}}
+{{- $errorMsg = printf "%s clientSecret: \"your-client-secret\"\n" $errorMsg -}}
+{{- $errorMsg = printf "%s\n # Option 2: Existing secret\n" $errorMsg -}}
+{{- $errorMsg = printf "%s jit:\n" $errorMsg -}}
+{{- $errorMsg = printf "%s existingSecret: \"jit-credentials\"\n" $errorMsg -}}
+{{- fail $errorMsg -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/jit-k8s-agent/templates/secret.yaml b/charts/jit-k8s-agent/templates/secret.yaml
index e331003..3d24569 100644
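Review bot: A partial direct credential combined with `existingSecret` passes silently: with only one of `clientId`/`clientSecret` set, the `and` test is false, control drops to the `else if .Values.jit.existingSecret` branch and the stray credential is ignored, so the "Cannot specify both" error fires only when all three are set. Testing `{{- if or .Values.jit.clientId .Values.jit.clientSecret -}}` first, then rejecting `existingSecret` inside that branch and reporting the missing half of the pair, covers the case with the same error list. As a point of style, the fixed example text built from eleven chained `printf` calls would read more easily as one raw-string constant appended to `$errorMsg` once.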
--- a/charts/jit-k8s-agent/templates/secret.yaml +++ b/charts/jit-k8s-agent/templates/secret.yaml @@ -1,3 +1,5 @@ +{{- include "jit-k8s-agent.validateValues" . -}} +{{- if not .Values.jit.existingSecret }} apiVersion: v1 kind: Secret metadata: @@ -8,4 +10,5 @@ metadata: type: Opaque data: JIT_CLIENT_ID: {{ .Values.jit.clientId | b64enc }} - JIT_CLIENT_SECRET: {{ .Values.jit.clientSecret | b64enc }} \ No newline at end of file + JIT_CLIENT_SECRET: {{ .Values.jit.clientSecret | b64enc }} +{{- end }} diff --git a/charts/jit-k8s-agent/values.schema.json b/charts/jit-k8s-agent/values.schema.json index c9df71a..b946d73 100644 --- a/charts/jit-k8s-agent/values.schema.json +++ b/charts/jit-k8s-agent/values.schema.json @@ -18,16 +18,22 @@ "properties": { "clientId": { "type": "string", - "minLength": 1, - "description": "The client ID for Jit. This field is required." + "description": "The client ID for Jit. This field is required when not using an existing secret." }, "clientSecret": { "type": "string", - "minLength": 1, - "description": "The client secret for Jit. This field is required." + "description": "The client secret for Jit. This field is required when not using an existing secret." + }, + "existingSecret": { + "type": "string", + "description": "The name of an existing secret to use for Jit credentials. If provided, clientId and clientSecret will be ignored." + }, + "apiUrl": { + "type": "string", + "description": "The Jit API URL" } }, - "required": ["clientId", "clientSecret"] + "description": "Jit authentication requires either: 1) Both 'clientId' and 'clientSecret' for direct authentication, or 2) 'existingSecret' to reference an existing Kubernetes secret containing the credentials." } } } diff --git a/charts/jit-k8s-agent/values.yaml b/charts/jit-k8s-agent/values.yaml index 3742f29..062911f 100644 --- a/charts/jit-k8s-agent/values.yaml +++ b/charts/jit-k8s-agent/values.yaml 
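Review bot: The new `existingSecret` description says `clientId` and `clientSecret` "will be ignored" when it is set, but `_validation.tpl` in this same commit fails rendering with "Cannot specify both direct credentials … and existingSecret"; the two texts should state one rule, e.g. `"description": "Name of an existing Secret holding the keys JIT_CLIENT_ID and JIT_CLIENT_SECRET. Mutually exclusive with clientId/clientSecret."`. Dropping `minLength` and `required` also leaves the schema unable to express the either/or that is now enforced only at template time; an `anyOf` with one branch requiring `existingSecret` and the other requiring both credentials, each keeping `minLength: 1`, would surface the mistake during schema validation rather than as a render failure.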
@@ -7,8 +7,11 @@ cluster: name: "" # Required, set it while installing the chart. Should be unique across all clusters. jit: - clientId: "" # Required, set it while installing the chart - clientSecret: "" # Required, set it while installing the chart + # clientId and clientSecret are required when not using an existing secret + # clientId: "" + # clientSecret: "" + # existingSecret prevents storing clientId and clientSecret as plain text in the values.yaml file + # existingSecret: "" apiUrl: https://api.jit.io kubescape:
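Review bot: The commented `# existingSecret: ""` line gives an operator no way to know what the referenced Secret must contain; `_job_helper.tpl` reads it through `secretKeyRef` with the keys `JIT_CLIENT_ID` and `JIT_CLIENT_SECRET`, so the comment should name them, e.g. `# existingSecret: ""  # Secret in the release namespace with keys JIT_CLIENT_ID and JIT_CLIENT_SECRET`. The comment on plain-text storage could also mention that Helm keeps supplied values in its release record, which is the stronger reason to prefer a pre-created Secret over direct credentials. Removing the `clientId`/`clientSecret` keys instead of leaving them empty is fine, since the validation helper treats an absent value the same as an empty one.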