
@JeferCatarina JeferCatarina commented Oct 2, 2025

Motivation: prevent storing clientId and Secret in GitOps repos

Tests:

$ helm template charts/jit-k8s-agent
Error: values don't meet the specifications of the schema(s) in the following chart(s):
jit-k8s-agent:
- cluster.name: String length must be greater than or equal to 1

$ helm template charts/jit-k8s-agent --set cluster.name=test
Error: execution error at (jit-k8s-agent/templates/secret.yaml:1:4): Configuration validation failed:
  • Jit authentication requires either: 1) Both 'clientId' and 'clientSecret' for direct authentication, or 2) 'existingSecret' to reference an existing Kubernetes secret

Example configurations:
  # Option 1: Direct credentials
  jit:
    clientId: "your-client-id"
    clientSecret: "your-client-secret"

  # Option 2: Existing secret
  jit:
    existingSecret: "jit-credentials"


Use --debug flag to render out invalid YAML

$ helm template charts/jit-k8s-agent --set cluster.name=test --set jit.clientId=test --set jit.clientSecret=test
---
# Source: jit-k8s-agent/templates/serviceaccount.yaml
[...]
                - name: JIT_CLIENT_ID
                  valueFrom:
                    secretKeyRef:
                      name: jit-k8s-agent-jit-credentials
                      key: JIT_CLIENT_ID
                - name: JIT_CLIENT_SECRET
                  valueFrom:
                    secretKeyRef:
                      name: jit-k8s-agent-jit-credentials
                      key: JIT_CLIENT_SECRET
[...]

$ helm template charts/jit-k8s-agent --set cluster.name=test --set jit.existingSecret=existing-secret
---
# Source: jit-k8s-agent/templates/serviceaccount.yaml
[...]
                - name: JIT_CLIENT_ID
                  valueFrom:
                    secretKeyRef:
                      name: existing-secret
                      key: JIT_CLIENT_ID
                - name: JIT_CLIENT_SECRET
                  valueFrom:
                    secretKeyRef:
                      name: existing-secret
                      key: JIT_CLIENT_SECRET
[...]

Summary by CodeRabbit

  • New Features
    • Added support to use an existing Kubernetes secret for JIT credentials.
    • Secret creation is now conditional and skipped when an existing secret is provided.
    • Introduced configuration validation with clear error messages and guidance for required fields.
  • Documentation
    • Updated values and schema descriptions to clarify authentication options (clientId/clientSecret vs existingSecret) and apiUrl.
    • Provided commented examples in values.yaml to guide secure configuration.


coderabbitai bot commented Oct 2, 2025

Walkthrough

Adds Helm validation for required JIT settings, introduces optional use of an existing Kubernetes Secret, updates secret rendering to be conditional on that option, and centralizes secret name resolution via a helper. Values and schema are updated to document and support both authentication modes.

Changes

Cohort / File(s) Summary
Templates: validation and secret handling
charts/jit-k8s-agent/templates/_validation.tpl, charts/jit-k8s-agent/templates/secret.yaml, charts/jit-k8s-agent/templates/_job_helper.tpl
Adds value validation block enforcing cluster.name and JIT auth mode rules; makes Secret creation conditional on .Values.jit.existingSecret; introduces jitCredentialsSecret helper to resolve secret name and replaces hard-coded references.
Values and schema
charts/jit-k8s-agent/values.schema.json, charts/jit-k8s-agent/values.yaml
Documents two auth modes (credentials vs. existingSecret), adds existingSecret and apiUrl descriptions, relaxes required constraints for clientId/clientSecret, and updates example values to comment out direct credentials.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant U as User Values
  participant H as Helm Template Engine
  participant V as validateValues
  participant S as Secret Template
  participant J as _job_helper.tpl

  U->>H: Provide .Values (jit.clientId/Secret or jit.existingSecret)
  H->>V: include "jit-k8s-agent.validateValues"
  alt Invalid configuration
    V-->>H: fail with guidance
  else Valid configuration
    V-->>H: continue
    H->>S: Render secret.yaml
    alt existingSecret set
      S-->>H: Skip Secret creation
    else existingSecret not set
      S-->>H: Create Secret with JIT_CLIENT_ID/SECRET
    end
    H->>J: Resolve {{ $jitCredentialsSecret }}
    J-->>H: Use existingSecret or default {{ .Chart.Name }}-jit-credentials
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

Review effort 3/5

Suggested reviewers

  • LironJit

Poem

I hop through charts with tidy cheer,
A secret appears—or won’t, this year.
If values align, we’re good to go,
Else validation shouts “no-no!”
A helper whispers the name to seek—
Credentials tucked, secure and sleek.
Thump-thump, release this week! 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check | ✅ Passed | The title succinctly describes the key feature introduced by the pull request—allowing developers to reference an existing Kubernetes secret for JIT authentication—without extraneous details, making it clear and specific to the main change.
Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f158b13 and ffee186.

📒 Files selected for processing (5)
  • charts/jit-k8s-agent/templates/_job_helper.tpl (2 hunks)
  • charts/jit-k8s-agent/templates/_validation.tpl (1 hunks)
  • charts/jit-k8s-agent/templates/secret.yaml (2 hunks)
  • charts/jit-k8s-agent/values.schema.json (1 hunks)
  • charts/jit-k8s-agent/values.yaml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
charts/jit-k8s-agent/templates/secret.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Jit Security
🔇 Additional comments (7)
charts/jit-k8s-agent/templates/_job_helper.tpl (2)

2-2: LGTM! Clean secret name resolution.

The dynamic secret name computation correctly handles both the existingSecret case and the default chart-based secret name.


23-23: LGTM! Consistent secret reference.

The secret name is now dynamically resolved and used consistently for both JIT_CLIENT_ID and JIT_CLIENT_SECRET environment variables.

Also applies to: 28-28

charts/jit-k8s-agent/values.yaml (1)

10-14: LGTM! Clear documentation for authentication options.

The comments effectively guide users on the two authentication modes and emphasize the security benefit of using existingSecret to avoid storing credentials in values files.

charts/jit-k8s-agent/values.schema.json (1)

19-36: LGTM! Schema correctly documents both authentication modes.

The schema update properly describes the two authentication paths and the relationship between clientId/clientSecret and existingSecret. The validation is appropriately delegated to the validation template rather than enforced at the schema level, which provides clearer error messages to users.

charts/jit-k8s-agent/templates/secret.yaml (2)

1-1: Note: Static analysis error is a false positive.

The YAMLlint syntax error on line 1 is expected and can be ignored. YAMLlint does not understand Helm template directives (which begin with {{-), so it incorrectly reports the template include as a syntax error. This is a well-known limitation when linting Helm templates.


1-14: LGTM! Conditional secret creation works correctly.

The secret is now only created when existingSecret is not provided, and validation is invoked at the beginning to ensure proper configuration. The conditional block correctly wraps both secret data fields.

charts/jit-k8s-agent/templates/_validation.tpl (1)

4-40: LGTM! Comprehensive validation with clear error messages.

The validation logic correctly handles all authentication configuration scenarios:

  • Requires cluster.name to be present
  • Validates that exactly one authentication mode is configured (either direct credentials OR existing secret)
  • Detects conflicts when both modes are specified
  • Provides helpful error messages with examples for each failure case

The logic flow is sound: checking for both clientId and clientSecret together ensures partial credentials are caught and reported as errors.


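The three pieces the PR description and CodeRabbit's summary of `_validation.tpl` describe (fail-fast value validation, a helper that resolves the credential Secret name, and a Secret template that is skipped when `existingSecret` is set), reconstructed here as an added example. This is not the chart's merged code: the `define` names, the exact error wording and the use of `data` with `b64enc` are assumptions; the value keys (`cluster.name`, `jit.clientId`, `jit.clientSecret`, `jit.existingSecret`) and the Secret keys `JIT_CLIENT_ID` / `JIT_CLIENT_SECRET` are the ones shown in the `helm template` output above.

```yaml
# Added example (not the chart's own templates). Three fragments of a chart
# named jit-k8s-agent; assumes values.yaml declares the cluster and jit maps
# so that .Values.cluster.name and .Values.jit.* resolve (possibly empty).

# --- templates/_validation.tpl ---
{{- define "jit-k8s-agent.validateValues" -}}
{{- $errors := list -}}
{{- if not .Values.cluster.name -}}
  {{- $errors = append $errors "cluster.name is required" -}}
{{- end -}}
{{- $hasId := not (empty .Values.jit.clientId) -}}
{{- $hasSecret := not (empty .Values.jit.clientSecret) -}}
{{- $hasExisting := not (empty .Values.jit.existingSecret) -}}
{{- $hasDirect := and $hasId $hasSecret -}}
{{- if and $hasDirect $hasExisting -}}
  {{- /* both modes at once is ambiguous: refuse rather than pick one */ -}}
  {{- $errors = append $errors "Set either jit.clientId/jit.clientSecret or jit.existingSecret, not both" -}}
{{- else if and (or $hasId $hasSecret) (not $hasDirect) -}}
  {{- /* partial credentials: checking the pair together catches this */ -}}
  {{- $errors = append $errors "Both jit.clientId and jit.clientSecret are required for direct authentication" -}}
{{- else if and (not $hasDirect) (not $hasExisting) -}}
  {{- $errors = append $errors "Jit authentication requires either: 1) Both 'clientId' and 'clientSecret' for direct authentication, or 2) 'existingSecret' to reference an existing Kubernetes secret" -}}
{{- end -}}
{{- if $errors -}}
  {{- /* fail aborts rendering with all collected problems in one message */ -}}
  {{- fail (printf "Configuration validation failed:\n  • %s" (join "\n  • " $errors)) -}}
{{- end -}}
{{- end -}}

# --- templates/_helpers.tpl (Secret name resolution) ---
{{- define "jit-k8s-agent.jitCredentialsSecret" -}}
{{- /* user-supplied name wins; otherwise the chart-managed default */ -}}
{{- .Values.jit.existingSecret | default (printf "%s-jit-credentials" .Chart.Name) -}}
{{- end -}}

# --- templates/secret.yaml ---
{{- include "jit-k8s-agent.validateValues" . -}}
{{- if not .Values.jit.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "jit-k8s-agent.jitCredentialsSecret" . }}
type: Opaque
data:
  JIT_CLIENT_ID: {{ .Values.jit.clientId | b64enc | quote }}
  JIT_CLIENT_SECRET: {{ .Values.jit.clientSecret | b64enc | quote }}
{{- end }}

# --- templates/_job_helper.tpl (excerpt: container env) ---
{{- $jitCredentialsSecret := include "jit-k8s-agent.jitCredentialsSecret" . }}
env:
  - name: JIT_CLIENT_ID
    valueFrom:
      secretKeyRef:
        name: {{ $jitCredentialsSecret }}
        key: JIT_CLIENT_ID
  - name: JIT_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        name: {{ $jitCredentialsSecret }}
        key: JIT_CLIENT_SECRET
```

Two points a practitioner would check before adopting the `existingSecret` path: the referenced Secret must live in the release namespace and carry exactly the keys `JIT_CLIENT_ID` and `JIT_CLIENT_SECRET`, since the env `secretKeyRef` entries above name those keys and a missing key leaves the pod in `CreateContainerConfigError`; and the direct-credential path still renders the credentials (base64, not encrypted) into the `Secret` manifest, so anything that commits `helm template` output or the release values to a Git repository would capture them, which is the exposure the PR's motivation line is about. Because the `include` of the validation template is the first line of `secret.yaml`, a plain YAML linter sees `{{-` before any node and reports the syntax error CodeRabbit flagged as a false positive.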


jit-ci bot commented Oct 2, 2025

Hi, I’m Jit, a friendly security platform designed to help developers build secure applications from day zero with an MVS (Minimal viable security) mindset.

In case there are security findings, they will be communicated to you as a comment inside the PR.

Hope you’ll enjoy using Jit.

Questions? Comments? Want to learn more? Get in touch with us.

@jit-ci jit-ci bot left a comment

❌ The following Jit checks failed to run:

  • secret-detection

#jit_bypass_commit in this PR to bypass, Jit Admin privileges required.

More info in the Jit platform.

@psokolinski psokolinski (Contributor) left a comment

Changes look good. There is one helm-lint that we should fix - https://github.com/jitsecurity/helm-charts/actions/runs/18201751540/job/52218011560?pr=14.

Moreover, let's update the README as well to indicate that the chart supports existing secret.

@psokolinski (Contributor)

Implemented in - #15.
