refactor: clean up chart interface

mbillow · mbillow · commit 7abefabadca7 · 2026-05-10T23:45:53.000-05:00
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
@@ -7,7 +7,7 @@ metadata:
   labels:
     {{- include "pint.labels" . | nindent 4 }}
 spec:
-  replicas: {{ .Values.pint.replicaCount }}
+  replicas: 1
   selector:
     matchLabels:
       {{- include "pint.selectorLabels" . | nindent 6 }}
diff --git a/chart/templates/freeradius-deployment.yaml b/chart/templates/freeradius-deployment.yaml
@@ -23,10 +23,11 @@ spec:
           ports:
             - containerPort: 2083
               name: radsec
-          {{- with .Values.freeradius.securityContext }}
           securityContext:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: [ALL]
           volumeMounts:
             # Full-directory mount (not subPath) so K8s auto-syncs clients.conf
             # when the Secret changes; FreeRADIUS picks it up on the next SIGHUP.
diff --git a/chart/templates/freeradius-service.yaml b/chart/templates/freeradius-service.yaml
@@ -11,7 +11,7 @@ spec:
   selector:
     {{- include "pint.freeradiusSelectorLabels" . | nindent 4 }}
   ports:
-    - port: {{ .Values.freeradius.service.port }}
+    - port: 2083
       targetPort: radsec
       name: radsec
       {{- if and (eq .Values.freeradius.service.type "NodePort") .Values.freeradius.service.nodePort }}
diff --git a/chart/templates/route.yaml b/chart/templates/route.yaml
@@ -17,6 +17,6 @@ spec:
   port:
     targetPort: http
   tls:
-    termination: {{ .Values.openshift.route.tls.termination }}
-    insecureEdgeTerminationPolicy: {{ .Values.openshift.route.tls.insecureEdgeTerminationPolicy }}
+    termination: edge
+    insecureEdgeTerminationPolicy: Redirect
 {{- end }}
diff --git a/chart/values-dev.yaml b/chart/values-dev.yaml
@@ -26,5 +26,3 @@ freeradius:
   service:
     type: NodePort
     nodePort: 32083
-  # kind has no SCC restrictions; default permissions are fine.
-  securityContext: {}
diff --git a/chart/values.schema.json b/chart/values.schema.json
@@ -49,11 +49,13 @@
         },
         "ipaCAName": {
           "type": "string",
-          "description": "FreeIPA CA name for WiFi client certificates."
+          "description": "FreeIPA CA name for WiFi client certificates.",
+          "default": "ipa"
         },
         "ipaRadSecCAName": {
           "type": "string",
-          "description": "FreeIPA CA name for RadSec certificates."
+          "description": "FreeIPA CA name for RadSec certificates.",
+          "default": "radsec"
         },
         "ipaRootCAName": {
           "type": "string",
@@ -62,15 +64,18 @@
         },
         "ipaCertProfile": {
           "type": "string",
-          "description": "Dogtag certificate profile for WiFi client certs. Leave blank to use the CA default."
+          "description": "Dogtag certificate profile for WiFi client certs.",
+          "default": "pint_wifi"
         },
         "ipaRadSecClientCertProfile": {
           "type": "string",
-          "description": "Dogtag certificate profile for RadSec router client certs. Leave blank to use the CA default."
+          "description": "Dogtag certificate profile for RadSec router client certs.",
+          "default": "pint_radsec_client"
         },
         "ipaRadSecServerCertProfile": {
           "type": "string",
-          "description": "Dogtag certificate profile for the FreeRADIUS server cert. Leave blank to use the CA default."
+          "description": "Dogtag certificate profile for the FreeRADIUS server cert.",
+          "default": "pint_radsec_server"
         },
         "ipaSkipTLSVerify": {
           "type": "boolean",
@@ -79,7 +84,8 @@
         },
         "wifiSSID": {
           "type": "string",
-          "description": "WiFi SSID embedded in generated device profiles."
+          "description": "WiFi SSID embedded in generated device profiles.",
+          "default": "CSH"
         },
         "radiusServer": {
           "type": "string",
@@ -118,12 +124,6 @@
           "description": "Deploy the PINT pod. Set false to run PINT as a local process instead.",
           "default": true
         },
-        "replicaCount": {
-          "type": "integer",
-          "minimum": 1,
-          "description": "Number of PINT replicas.",
-          "default": 1
-        },
         "image": {
           "type": "object",
           "properties": {
@@ -195,19 +195,11 @@
               "enum": ["ClusterIP", "NodePort", "LoadBalancer"],
               "default": "LoadBalancer"
             },
-            "port": {
-              "type": "integer",
-              "default": 2083
-            },
             "nodePort": {
               "type": ["integer", "null"],
               "description": "NodePort number. Only used when service.type is NodePort."
             }
           }
-        },
-        "securityContext": {
-          "type": "object",
-          "description": "Pod security context for FreeRADIUS. Override to {} for environments without pod security enforcement."
         }
       }
     },
@@ -225,22 +217,7 @@
           "properties": {
             "host": {
               "type": "string",
-              "description": "Route hostname. Leave blank for an auto-assigned hostname."
-            },
-            "tls": {
-              "type": "object",
-              "properties": {
-                "termination": {
-                  "type": "string",
-                  "enum": ["edge", "reencrypt", "passthrough"],
-                  "default": "edge"
-                },
-                "insecureEdgeTerminationPolicy": {
-                  "type": "string",
-                  "enum": ["Allow", "Redirect", "None"],
-                  "default": "Redirect"
-                }
-              }
+              "description": "Route hostname. Omit for an auto-assigned hostname."
             }
           }
         }
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -8,7 +8,6 @@ serviceAccount:
 # Set enabled=false in dev to run PINT as a local process (make dev) instead.
 pint:
   enabled: true
-  replicaCount: 1
   image:
     repository: pint
     tag: ""  # defaults to Chart.appVersion
@@ -25,17 +24,16 @@ config:
   # FreeIPA
   ipaHost: ""
   ipaServiceAccount: ""
-  ipaCAName: ""
-  ipaRadSecCAName: ""
+  ipaCAName: "ipa"
+  ipaRadSecCAName: "radsec"
   ipaRootCAName: "ipa"
-  # Optional Dogtag cert profiles; leave blank to use CA defaults.
-  ipaCertProfile: ""
-  ipaRadSecClientCertProfile: ""
-  ipaRadSecServerCertProfile: ""
+  ipaCertProfile: "pint_wifi"
+  ipaRadSecClientCertProfile: "pint_radsec_client"
+  ipaRadSecServerCertProfile: "pint_radsec_server"
   ipaSkipTLSVerify: false
 
   # WiFi
-  wifiSSID: ""
+  wifiSSID: "CSH"
 
   # RADIUS
   radiusServer: ""
@@ -68,23 +66,10 @@ freeradius:
     pullPolicy: IfNotPresent
   service:
     type: LoadBalancer
-    port: 2083
     nodePort: null  # only used when type=NodePort
-  # Run as the freerad user (UID 101); Secret defaultMode 0444 ensures cert
-  # files are readable without root.  Override to {} for environments without
-  # pod security enforcement (e.g. local kind).
-  securityContext:
-    runAsNonRoot: true
-    runAsUser: 101
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop: [ALL]
 
 # OpenShift-specific resources.
 openshift:
   enabled: false
   route:
-    host: ""  # leave blank for an auto-assigned hostname
-    tls:
-      termination: edge
-      insecureEdgeTerminationPolicy: Redirect
+    host: ""
