refactor: move config values to templated config map

Author: mbillow

chart/templates/configmap.yaml

@@ -0,0 +1,31 @@
+{{- if .Values.pint.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "pint.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "pint.labels" . | nindent 4 }}
+data:
+  PINT_CLIENT_ID:          {{ .Values.config.clientID | quote }}
+  PINT_SERVER_URL:         {{ .Values.config.serverURL | quote }}
+  PINT_IPA_HOST:           {{ .Values.config.ipaHost | quote }}
+  PINT_IPA_SERVICE_ACCOUNT: {{ .Values.config.ipaServiceAccount | quote }}
+  PINT_IPA_CA_NAME:        {{ .Values.config.ipaCAName | quote }}
+  PINT_IPA_RADSEC_CA_NAME: {{ .Values.config.ipaRadSecCAName | quote }}
+  PINT_IPA_ROOT_CA_NAME:   {{ .Values.config.ipaRootCAName | quote }}
+  PINT_WIFI_SSID:          {{ .Values.config.wifiSSID | quote }}
+  PINT_RADIUS_SERVER:      {{ .Values.config.radiusServer | quote }}
+  {{- if .Values.config.ipaCertProfile }}
+  PINT_IPA_CERT_PROFILE:                    {{ .Values.config.ipaCertProfile | quote }}
+  {{- end }}
+  {{- if .Values.config.ipaRadSecClientCertProfile }}
+  PINT_IPA_RADSEC_CLIENT_CERT_PROFILE:      {{ .Values.config.ipaRadSecClientCertProfile | quote }}
+  {{- end }}
+  {{- if .Values.config.ipaRadSecServerCertProfile }}
+  PINT_IPA_RADSEC_SERVER_CERT_PROFILE:      {{ .Values.config.ipaRadSecServerCertProfile | quote }}
+  {{- end }}
+  {{- if .Values.config.ipaSkipTLSVerify }}
+  PINT_IPA_SKIP_TLS_VERIFY: "true"
+  {{- end }}
+{{- end }}

chart/templates/deployment.yaml

@@ -25,6 +25,8 @@ spec:
             - containerPort: 8080
               name: http
           envFrom:
+            - configMapRef:
+                name: {{ include "pint.fullname" . }}
             - secretRef:
                 name: {{ .Values.envSecret }}
           env:

chart/values-dev.yaml

@@ -5,6 +5,20 @@
 pint:
   enabled: false
 
+# Stub config values for dev; PINT itself runs locally so these are unused,
+# but they keep 'helm lint' and 'helm template' happy.
+config:
+  clientID: pint-dev
+  serverURL: http://localhost:8080
+  ipaHost: localhost:8088
+  ipaServiceAccount: pint
+  ipaCAName: ipa
+  ipaRadSecCAName: radsec
+  ipaRootCAName: ipa
+  ipaSkipTLSVerify: true
+  wifiSSID: CSH
+  radiusServer: localhost:2083
+
 freeradius:
   image:
     tag: dev

chart/values.yaml

@@ -14,15 +14,37 @@ pint:
     tag: ""  # defaults to Chart.appVersion
     pullPolicy: IfNotPresent
 
-# Pre-existing Secret containing sensitive PINT environment variables.
-# Required when pint.enabled=true.  Must contain:
-#   PINT_CLIENT_ID, PINT_CLIENT_SECRET, PINT_SERVER_URL,
-#   PINT_LOGIN_URL, PINT_CALLBACK_URL,
-#   PINT_IPA_HOST, PINT_IPA_SERVICE_ACCOUNT, PINT_IPA_PASSWORD,
-#   PINT_IPA_CA_NAME, PINT_IPA_RADSEC_CA_NAME, PINT_IPA_ROOT_CA_NAME,
-#   PINT_WIFI_SSID, PINT_RADIUS_SERVER
-# Non-sensitive config (namespace, secret names, pod selector) is injected
-# directly by the chart and does not need to be in this Secret.
+# Non-sensitive PINT application configuration rendered into a ConfigMap.
+# Sensitive values (PINT_CLIENT_SECRET, PINT_IPA_PASSWORD) must still be
+# provided in the Secret named by envSecret below.
+config:
+  # OIDC
+  clientID: ""
+  serverURL: ""
+
+  # FreeIPA
+  ipaHost: ""
+  ipaServiceAccount: ""
+  ipaCAName: ""
+  ipaRadSecCAName: ""
+  ipaRootCAName: "ipa"
+  # Optional Dogtag cert profiles; leave blank to use CA defaults.
+  ipaCertProfile: ""
+  ipaRadSecClientCertProfile: ""
+  ipaRadSecServerCertProfile: ""
+  ipaSkipTLSVerify: false
+
+  # WiFi
+  wifiSSID: ""
+
+  # RADIUS
+  radiusServer: ""
+
+# Pre-existing Secret containing sensitive PINT credentials.
+# Required when pint.enabled=true. Must contain only:
+#   PINT_CLIENT_SECRET  - OIDC client secret
+#   PINT_IPA_PASSWORD   - FreeIPA service account password
+# All other config is rendered into a ConfigMap from the config block above.
 envSecret: pint-env
 
 # Names of the K8s Secrets PINT creates and manages at runtime.

internal/config/config.go

@@ -57,8 +57,6 @@ func Load() (*Config, error) {
 	cfg.ClientID = require("PINT_CLIENT_ID")
 	cfg.ClientSecret = require("PINT_CLIENT_SECRET")
 	cfg.ServerURL = require("PINT_SERVER_URL")
-	cfg.LoginURL = require("PINT_LOGIN_URL")
-	cfg.CallbackURL = require("PINT_CALLBACK_URL")
 	cfg.IPAHost = require("PINT_IPA_HOST")
 	cfg.IPAServiceAccount = require("PINT_IPA_SERVICE_ACCOUNT")
 	cfg.IPAPassword = require("PINT_IPA_PASSWORD")
@@ -85,6 +83,8 @@ func Load() (*Config, error) {
 	cfg.IPACertProfile = os.Getenv("PINT_IPA_CERT_PROFILE")
 	cfg.RadSecClientCertProfile = os.Getenv("PINT_IPA_RADSEC_CLIENT_CERT_PROFILE")
 	cfg.RadSecServerCertProfile = os.Getenv("PINT_IPA_RADSEC_SERVER_CERT_PROFILE")
+	cfg.LoginURL = cfg.ServerURL + "/auth/login"
+	cfg.CallbackURL = cfg.ServerURL + "/auth/callback"
 	cfg.IPAPrincipal = principalFromDN(cfg.IPAServiceAccount)
 	cfg.IPAServiceHostname = hostnameFromPrincipal(cfg.IPAPrincipal)
 

internal/config/config_test.go

@@ -19,8 +19,6 @@ func fullEnv() map[string]string {
 		"PINT_CLIENT_ID":               "test-client",
 		"PINT_CLIENT_SECRET":           "test-secret",
 		"PINT_SERVER_URL":              "http://localhost:8080",
-		"PINT_LOGIN_URL":               "http://localhost:8080/auth/login",
-		"PINT_CALLBACK_URL":            "http://localhost:8080/auth/callback",
 		"PINT_IPA_HOST":                "ipa.example.com",
 		"PINT_IPA_SERVICE_ACCOUNT":     "pint",
 		"PINT_IPA_PASSWORD":            "hunter2",