refactor: simplify k8s secret management

Author: mbillow

.env.dev.example

@@ -15,11 +15,10 @@ PINT_IPA_SKIP_TLS_VERIFY=true
 #PINT_IPA_RADSEC_CLIENT_CERT_PROFILE=pint_radsec_client
 #PINT_IPA_RADSEC_SERVER_CERT_PROFILE=pint_radsec_server
 PINT_WIFI_SSID=CSH
-#PINT_NAMESPACE=pint
-#PINT_RADIUS_CLIENTS_SECRET=pint-radius-clients
-#PINT_RADIUS_CONFIG_SECRET=pint-radius-config
-#PINT_RADSEC_CERT_SECRET=pint-radsec-server
-#PINT_FREERADIUS_DEPLOYMENT=pint-freeradius
+PINT_NAMESPACE=pint
+PINT_CONFIG_SECRET=pint-config
+PINT_RADSEC_CERT_SECRET=pint-radsec-server-certificates
+PINT_FREERADIUS_DEPLOYMENT=pint-freeradius
 PINT_RADIUS_SERVER=radius.csh.rit.edu:2083
 # FreeRADIUS status server queries (per-pod auth stats).
 # In dev, pod IPs are unreachable from macOS — use the NodePort exposed on localhost instead.

Makefile

@@ -62,10 +62,11 @@ dev-freeradius:
 	kind load docker-image $(FR_IMAGE) --name $(CLUSTER)
 	kubectl rollout restart deployment/pint-freeradius -n $(NAMESPACE) 2>/dev/null || true
 
-# Create the pint-env K8s Secret from .env.dev so PINT can run in-cluster.
+# Create the envSecret K8s Secret from .env.dev so PINT can run in-cluster.
+# The release name is "pint" so the secret name matches the chart default (envSecret=<fullname>="pint").
 # Only needed if you want to run PINT in kind (pint.enabled=true) rather than locally.
 dev-secret:
-	kubectl create secret generic pint-env \
+	kubectl create secret generic pint \
 		--namespace $(NAMESPACE) \
 		--from-env-file=.env.dev \
 		--dry-run=client -o yaml | kubectl apply -f -

chart/templates/.freeradius-deployment.yaml.swp

@@ -41,6 +41,23 @@ app.kubernetes.io/name: {{ include "pint.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{/*
+Runtime-managed secret names.
+These default to "<fullname>-<suffix>" so multiple releases in the same namespace
+never collide. Each can be overridden via the corresponding values key.
+*/}}
+{{- define "pint.secretName.config" -}}
+{{- .Values.secrets.config | default (printf "%s-config" (include "pint.fullname" .)) }}
+{{- end }}
+
+{{- define "pint.secretName.radSecCert" -}}
+{{- .Values.secrets.radSecCert | default (printf "%s-radsec-server-certificates" (include "pint.fullname" .)) }}
+{{- end }}
+
+{{- define "pint.envSecret" -}}
+{{- .Values.envSecret | default (include "pint.fullname" .) }}
+{{- end }}
+
 {{/*
 FreeRADIUS labels / selector labels.
 The selector string is also injected into PINT as PINT_FREERADIUS_POD_SELECTOR

chart/templates/_helpers.tpl

@@ -28,20 +28,18 @@ spec:
             - configMapRef:
                 name: {{ include "pint.fullname" . }}
             - secretRef:
-                name: {{ .Values.envSecret }}
+                name: {{ include "pint.envSecret" . }}
           env:
             # Non-sensitive deployment config injected by the chart so it stays
             # consistent with the Role resourceNames and FreeRADIUS volume mounts.
             - name: PINT_NAMESPACE
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
-            - name: PINT_RADIUS_CLIENTS_SECRET
-              value: {{ .Values.secrets.radiusClients | quote }}
-            - name: PINT_RADIUS_CONFIG_SECRET
-              value: {{ .Values.secrets.radiusConfig | quote }}
+            - name: PINT_CONFIG_SECRET
+              value: {{ include "pint.secretName.config" . | quote }}
             - name: PINT_RADSEC_CERT_SECRET
-              value: {{ .Values.secrets.radSecCert | quote }}
+              value: {{ include "pint.secretName.radSecCert" . | quote }}
             {{- if .Values.freeradius.enabled }}
             - name: PINT_FREERADIUS_DEPLOYMENT
               value: {{ include "pint.freeradiusFullname" . | quote }}

chart/templates/deployment.yaml

@@ -31,31 +31,19 @@ spec:
           securityContext:
             {{- toYaml .Values.freeradius.securityContext | nindent 12 }}
           volumeMounts:
-            # Full-directory mount (not subPath) so K8s auto-syncs clients.conf
-            # when the Secret changes; FreeRADIUS picks it up on the next SIGHUP.
-            - name: dynamic-clients
-              mountPath: /etc/freeradius/dynamic
+            - name: pint-config
+              mountPath: /etc/pint/config
               readOnly: true
-            # All TLS material written by PINT: server cert+key, RadSec CA,
-            # WiFi CA.  0444 so the freerad user can read without root.
-            - name: radsec-certs
-              mountPath: /run/secrets/radsec-server
-              readOnly: true
-            - name: radius-status-config
-              mountPath: /run/secrets/radius-status
+            - name: pint-radsec
+              mountPath: /etc/pint/radsec
               readOnly: true
       volumes:
-        - name: dynamic-clients
+        - name: pint-config
           secret:
-            secretName: {{ .Values.secrets.radiusConfig }}
+            secretName: {{ include "pint.secretName.config" . }}
             optional: true
-        - name: radsec-certs
+        - name: pint-radsec
           secret:
-            secretName: {{ .Values.secrets.radSecCert }}
-            optional: true
+            secretName: {{ include "pint.secretName.radSecCert" . }}
             defaultMode: 0444
-        - name: radius-status-config
-          secret:
-            secretName: {{ include "pint.freeradiusFullname" . }}-status-config
-            optional: true
 {{- end }}

chart/templates/freeradius-deployment.yaml

@@ -12,10 +12,9 @@ rules:
   - apiGroups: [""]
     resources: ["secrets"]
     resourceNames:
-      - {{ .Values.secrets.radiusClients | quote }}
-      - {{ .Values.secrets.radiusConfig | quote }}
-      - {{ .Values.secrets.radSecCert | quote }}
-    verbs: ["get", "update"]
+      - {{ include "pint.secretName.config" . | quote }}
+      - {{ include "pint.secretName.radSecCert" . | quote }}
+    verbs: ["get", "patch"]
   - apiGroups: [""]
     resources: ["pods"]
     verbs: ["list"]

chart/templates/freeradius-status-secret.yaml

@@ -24,8 +24,7 @@
     },
     "envSecret": {
       "type": "string",
-      "description": "Name of the pre-existing Secret containing PINT_CLIENT_SECRET and PINT_IPA_PASSWORD.",
-      "default": "pint-env"
+      "description": "Name of the pre-existing Secret containing PINT_CLIENT_SECRET and PINT_IPA_PASSWORD. Defaults to the full release name."
     },
     "config": {
       "type": "object",
@@ -96,22 +95,15 @@
     },
     "secrets": {
       "type": "object",
-      "description": "Names of the Kubernetes Secrets PINT creates and manages at runtime.",
+      "description": "Names of the Kubernetes Secrets PINT creates and manages at runtime. All names default to '<fullname>-<suffix>' so multiple releases in the same namespace never collide.",
       "properties": {
-        "radiusClients": {
+        "config": {
           "type": "string",
-          "description": "Secret storing the RADIUS client list (clients.json).",
-          "default": "pint-radius-clients"
-        },
-        "radiusConfig": {
-          "type": "string",
-          "description": "Secret storing the rendered FreeRADIUS clients.conf.",
-          "default": "pint-radius-config"
+          "description": "Combined config secret (clients.json, clients.conf, status-secret, status). Defaults to '<fullname>-config'."
         },
         "radSecCert": {
           "type": "string",
-          "description": "Secret storing the FreeRADIUS TLS certificate and key.",
-          "default": "pint-radsec-server"
+          "description": "Secret storing the FreeRADIUS TLS certificate and key. Defaults to '<fullname>-radsec-server-certificates'."
         }
       }
     },

chart/templates/role.yaml

@@ -43,15 +43,17 @@ config:
 #   PINT_CLIENT_SECRET  - OIDC client secret
 #   PINT_IPA_PASSWORD   - FreeIPA service account password
 # All other config is rendered into a ConfigMap from the config block above.
-envSecret: pint-env
+# Defaults to "<fullname>" (i.e. the Helm release name) when left empty.
+envSecret: ""
 
 # Names of the K8s Secrets PINT creates and manages at runtime.
 # These are referenced consistently across the Role, PINT env vars, and
-# FreeRADIUS volume mounts - change all three if you rename them.
+# FreeRADIUS volume mounts. All names default to "<fullname>-<suffix>" so
+# multiple releases in the same namespace never collide. Override only when
+# you need to share a secret between releases.
 secrets:
-  radiusClients: pint-radius-clients
-  radiusConfig:  pint-radius-config
-  radSecCert:    pint-radsec-server
+  config:     ""  # default: <fullname>-config  (clients.json, clients.conf, status-secret, status)
+  radSecCert: ""  # default: <fullname>-radsec-server-certificates  (tls.crt, tls.key, ca.pem, wifi-ca.pem)
 
 service:
   type: ClusterIP