feat: add device map secret to helm chart

mbillow · mbillow · commit d5b97f1a3c86 · 2026-05-16T19:01:23.000-05:00
Add pint.secretName.deviceMap helper, secrets.deviceMap value, PINT_DEVICE_MAP_SECRET
env var in the deployment, RBAC permission on the secret, and schema entries for
both deviceMap and the previously missing scepRACert.
diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
@@ -62,6 +62,10 @@ never collide. Each can be overridden via the corresponding values key.
 {{- .Values.secrets.scepRACert | default (printf "%s-scep-ra-cert" (include "pint.fullname" .)) }}
 {{- end }}
 
+{{- define "pint.secretName.deviceMap" -}}
+{{- .Values.secrets.deviceMap | default (printf "%s-device-map" (include "pint.fullname" .)) }}
+{{- end }}
+
 {{- define "pint.envSecret" -}}
 {{- .Values.envSecret | default (include "pint.fullname" .) }}
 {{- end }}
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
@@ -96,6 +96,8 @@ spec:
               value: {{ include "pint.secretName.radSecCert" . | quote }}
             - name: PINT_SCEP_RA_CERT_SECRET
               value: {{ include "pint.secretName.scepRACert" . | quote }}
+            - name: PINT_DEVICE_MAP_SECRET
+              value: {{ include "pint.secretName.deviceMap" . | quote }}
             {{- if .Values.freeradius.enabled }}
             - name: PINT_FREERADIUS_DEPLOYMENT
               value: {{ include "pint.freeradiusFullname" . | quote }}
diff --git a/chart/templates/role.yaml b/chart/templates/role.yaml
@@ -16,6 +16,7 @@ rules:
       - {{ include "pint.secretName.radSecCert" . | quote }}
       - {{ include "pint.secretName.scepRACert" . | quote }}
       - {{ include "pint.secretName.profileSigningCert" . | quote }}
+      - {{ include "pint.secretName.deviceMap" . | quote }}
     verbs: ["get", "patch", "update"]
   - apiGroups: ["apps"]
     resources: ["deployments"]
diff --git a/chart/values.schema.json b/chart/values.schema.json
@@ -135,6 +135,14 @@
         "profileSigningCert": {
           "type": "string",
           "description": "Secret storing the iOS mobileconfig signing certificate and key. Defaults to '<fullname>-profile-signing-cert'."
+        },
+        "scepRACert": {
+          "type": "string",
+          "description": "Secret storing the SCEP RA certificate and key. Defaults to '<fullname>-scep-ra-cert'."
+        },
+        "deviceMap": {
+          "type": "string",
+          "description": "Secret storing the cert serial to device info map. Defaults to '<fullname>-device-map'."
         }
       }
     },
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -66,6 +66,7 @@ secrets:
   radSecCert:          ""  # default: <fullname>-radsec-server-certificates  (tls.crt, tls.key, ca.pem, wifi-ca.pem)
   profileSigningCert:  ""  # default: <fullname>-profile-signing-cert  (tls.crt, tls.key)
   scepRACert:          ""  # default: <fullname>-scep-ra-cert  (tls.crt, tls.key); auto-generated on first startup
+  deviceMap:           ""  # default: <fullname>-device-map  (device-map.json); auto-created on first SCEP enrollment
 
 service:
   type: ClusterIP
