feat: HAProxy PROXY protocol, externalTrafficPolicy, and chart env var fixes

- Add PROXY protocol support to the RadSec TLS listener (proxy_protocol = true)
- Set externalTrafficPolicy: Local on the FreeRADIUS Service so HAProxy-proxied
  traffic preserves the real client IP
- Remove the Helm ConfigMap and inline all config as env vars on the Deployment;
  pod restart was already required for config changes so the ConfigMap added no value
- Fix pre-existing bug: chart rendered PINT_IPA_CA_NAME but PINT reads
  PINT_IPA_WIRELESS_CA_NAME; rename ipaCAName -> ipaWirelessCAName throughout
- Add missing env vars: PINT_IPA_RADSEC_CA_NAME, PINT_IPA_ROOT_CA_NAME,
  PINT_IPA_CERT_PROFILE, PINT_IPA_RADSEC_CLIENT/SERVER_CERT_PROFILE,
  PINT_RADIUS_RADSEC_CHECK_CRL, PINT_RADIUS_RADSEC_PROXY_PROTOCOL,
  PINT_RADIUS_STATUS_PORT, PINT_RADIUS_STATUS_ADDR,
  PINT_IPA_CODE_SIGNING_CA_NAME, PINT_PROFILE_SIGNING_CERT_SECRET,
  PINT_IPA_CODE_SIGNING_CERT_PROFILE
- Update values.schema.json to match all renamed and new values fields

Author: mbillow

.env.dev.example

@@ -37,3 +37,4 @@ PINT_RADIUS_SERVER=127.0.0.1:32083
 PINT_RADIUS_STATUS_ADDR=127.0.0.1:31181
 #PINT_RADIUS_STATUS_PORT=18121
 PINT_RADIUS_RADSEC_CHECK_CRL=false
+#PINT_RADIUS_RADSEC_PROXY_PROTOCOL=true

README.md

@@ -291,18 +291,15 @@ helm repo update
 
 ### Credentials Secret
 
-PINT splits config into two Kubernetes objects:
-
-- **ConfigMap**: rendered automatically by the chart from the `config:` values block. Contains all non-sensitive settings (`PINT_IPA_HOST`, `PINT_WIFI_SSID`, etc.).
-- **Secret**: must be created manually before deploying. Contains only the two sensitive credentials:
+All non-sensitive PINT configuration is rendered directly into the Deployment's `env` block from the `config:` values. Sensitive credentials must be provided in a pre-existing Secret:
 
 ```bash
 kubectl create secret generic <release-name> -n pint \
   --from-literal=PINT_CLIENT_SECRET=<oidc-secret> \
   --from-literal=PINT_IPA_PASSWORD=<ipa-password>
 ```
 
-Set `envSecret` in your values to the name of this Secret. The chart's PINT Deployment mounts both objects as environment variables.
+Set `envSecret` in your values to the name of this Secret. The chart mounts it via `envFrom` on the PINT Deployment.
 
 ---
 
@@ -394,6 +391,7 @@ All configuration is via environment variables. Copy `.env.dev.example` to `.env
 | `PINT_FREERADIUS_DEPLOYMENT` | `pint-freeradius` | FreeRADIUS Deployment name |
 | `PINT_RADIUS_STATUS_PORT` | `18121` | FreeRADIUS status server port |
 | `PINT_RADIUS_RADSEC_CHECK_CRL` | `true` | Enable CRL checking in the RadSec TLS listener |
+| `PINT_RADIUS_RADSEC_PROXY_PROTOCOL` | `false` | Expect HAProxy PROXY protocol header on RadSec connections; set `true` when HAProxy fronts FreeRADIUS |
 | `PINT_IPA_SKIP_TLS_VERIFY` | `false` | Skip FreeIPA TLS verification (dev only) |
 | `PINT_DISABLE_OIDC` | `false` | Bypass OIDC and inject a static dev user |
 | `PINT_DEV_RTP` | `false` | Inject `rtp` group into dev user (requires `PINT_DISABLE_OIDC=true`) |

chart/templates/_helpers.tpl

@@ -54,6 +54,10 @@ never collide. Each can be overridden via the corresponding values key.
 {{- .Values.secrets.radSecCert | default (printf "%s-radsec-server-certificates" (include "pint.fullname" .)) }}
 {{- end }}
 
+{{- define "pint.secretName.profileSigningCert" -}}
+{{- .Values.secrets.profileSigningCert | default (printf "%s-profile-signing-cert" (include "pint.fullname" .)) }}
+{{- end }}
+
 {{- define "pint.envSecret" -}}
 {{- .Values.envSecret | default (include "pint.fullname" .) }}
 {{- end }}

chart/templates/configmap.yaml

@@ -25,13 +25,69 @@ spec:
             - containerPort: 8080
               name: http
           envFrom:
-            - configMapRef:
-                name: {{ include "pint.fullname" . }}
             - secretRef:
                 name: {{ include "pint.envSecret" . }}
           env:
-            # Non-sensitive deployment config injected by the chart so it stays
-            # consistent with the Role resourceNames and FreeRADIUS volume mounts.
+            - name: PINT_CLIENT_ID
+              value: {{ .Values.config.clientID | quote }}
+            - name: PINT_SERVER_URL
+              value: {{ .Values.config.serverURL | quote }}
+            - name: PINT_IPA_HOST
+              value: {{ .Values.config.ipaHost | quote }}
+            - name: PINT_IPA_SERVICE_ACCOUNT
+              value: {{ .Values.config.ipaServiceAccount | quote }}
+            - name: PINT_IPA_WIRELESS_CA_NAME
+              value: {{ .Values.config.ipaWirelessCAName | quote }}
+            - name: PINT_IPA_RADSEC_CA_NAME
+              value: {{ .Values.config.ipaRadSecCAName | quote }}
+            - name: PINT_IPA_ROOT_CA_NAME
+              value: {{ .Values.config.ipaRootCAName | quote }}
+            - name: PINT_WIFI_SSID
+              value: {{ .Values.config.wifiSSID | quote }}
+            - name: PINT_RADIUS_SERVER
+              value: {{ .Values.config.radiusServer | quote }}
+            {{- if .Values.config.ipaCertProfile }}
+            - name: PINT_IPA_CERT_PROFILE
+              value: {{ .Values.config.ipaCertProfile | quote }}
+            {{- end }}
+            {{- if .Values.config.ipaRadSecClientCertProfile }}
+            - name: PINT_IPA_RADSEC_CLIENT_CERT_PROFILE
+              value: {{ .Values.config.ipaRadSecClientCertProfile | quote }}
+            {{- end }}
+            {{- if .Values.config.ipaRadSecServerCertProfile }}
+            - name: PINT_IPA_RADSEC_SERVER_CERT_PROFILE
+              value: {{ .Values.config.ipaRadSecServerCertProfile | quote }}
+            {{- end }}
+            {{- if .Values.config.ipaSkipTLSVerify }}
+            - name: PINT_IPA_SKIP_TLS_VERIFY
+              value: "true"
+            {{- end }}
+            {{- if not .Values.config.radSecCheckCRL }}
+            - name: PINT_RADIUS_RADSEC_CHECK_CRL
+              value: "false"
+            {{- end }}
+            {{- if .Values.config.radSecProxyProtocol }}
+            - name: PINT_RADIUS_RADSEC_PROXY_PROTOCOL
+              value: "true"
+            {{- end }}
+            {{- if .Values.config.radSecStatusPort }}
+            - name: PINT_RADIUS_STATUS_PORT
+              value: {{ .Values.config.radSecStatusPort | quote }}
+            {{- end }}
+            {{- if .Values.config.radSecStatusAddr }}
+            - name: PINT_RADIUS_STATUS_ADDR
+              value: {{ .Values.config.radSecStatusAddr | quote }}
+            {{- end }}
+            {{- if .Values.config.codeSigningCAName }}
+            - name: PINT_IPA_CODE_SIGNING_CA_NAME
+              value: {{ .Values.config.codeSigningCAName | quote }}
+            - name: PINT_PROFILE_SIGNING_CERT_SECRET
+              value: {{ include "pint.secretName.profileSigningCert" . | quote }}
+            {{- if .Values.config.codeSigningCertProfile }}
+            - name: PINT_IPA_CODE_SIGNING_CERT_PROFILE
+              value: {{ .Values.config.codeSigningCertProfile | quote }}
+            {{- end }}
+            {{- end }}
             - name: PINT_NAMESPACE
               valueFrom:
                 fieldRef:

chart/templates/deployment.yaml

@@ -8,6 +8,9 @@ metadata:
     {{- include "pint.freeradiusLabels" . | nindent 4 }}
 spec:
   type: {{ .Values.freeradius.service.type }}
+  {{- if and (ne .Values.freeradius.service.type "ClusterIP") .Values.freeradius.service.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.freeradius.service.externalTrafficPolicy }}
+  {{- end }}
   selector:
     {{- include "pint.freeradiusSelectorLabels" . | nindent 4 }}
   ports:

chart/templates/freeradius-service.yaml

@@ -14,6 +14,9 @@ rules:
     resourceNames:
       - {{ include "pint.secretName.config" . | quote }}
       - {{ include "pint.secretName.radSecCert" . | quote }}
+      {{- if .Values.config.codeSigningCAName }}
+      - {{ include "pint.secretName.profileSigningCert" . | quote }}
+      {{- end }}
     verbs: ["get", "patch", "update"]
   - apiGroups: ["apps"]
     resources: ["deployments"]

chart/templates/role.yaml

@@ -12,7 +12,7 @@ config:
   serverURL: http://localhost:8080
   ipaHost: localhost:8088
   ipaServiceAccount: pint
-  ipaCAName: ipa
+  ipaWirelessCAName: wireless
   ipaRadSecCAName: radsec
   ipaRootCAName: ipa
   ipaSkipTLSVerify: true

chart/values-dev.yaml

@@ -28,7 +28,7 @@
     },
     "config": {
       "type": "object",
-      "description": "Non-sensitive PINT application configuration, rendered into a ConfigMap.",
+      "description": "Non-sensitive PINT application configuration, rendered as env vars on the Deployment.",
       "properties": {
         "clientID": {
           "type": "string",
@@ -46,10 +46,10 @@
           "type": "string",
           "description": "FreeIPA service account DN used to issue certificates."
         },
-        "ipaCAName": {
+        "ipaWirelessCAName": {
           "type": "string",
           "description": "FreeIPA CA name for WiFi client certificates.",
-          "default": "ipa"
+          "default": "wireless"
         },
         "ipaRadSecCAName": {
           "type": "string",
@@ -81,6 +81,33 @@
           "description": "Skip TLS verification when connecting to FreeIPA. For development only.",
           "default": false
         },
+        "radSecCheckCRL": {
+          "type": "boolean",
+          "description": "Enable CRL checking in the RadSec TLS listener. Set false to disable.",
+          "default": true
+        },
+        "radSecProxyProtocol": {
+          "type": "boolean",
+          "description": "Enable PROXY protocol on the RadSec listener. Required when HAProxy fronts FreeRADIUS.",
+          "default": false
+        },
+        "radSecStatusPort": {
+          "type": "string",
+          "description": "Override the FreeRADIUS status server port (default: 18121)."
+        },
+        "radSecStatusAddr": {
+          "type": "string",
+          "description": "Override the status server address (host:port). Useful in dev when pod IPs are unreachable."
+        },
+        "codeSigningCAName": {
+          "type": "string",
+          "description": "FreeIPA CA name for the iOS mobileconfig code signing certificate. Leave empty to disable profile signing."
+        },
+        "codeSigningCertProfile": {
+          "type": "string",
+          "description": "Dogtag certificate profile for the mobileconfig signing cert.",
+          "default": "pint_profile_signing"
+        },
         "wifiSSID": {
           "type": "string",
           "description": "WiFi SSID embedded in generated device profiles.",
@@ -91,7 +118,7 @@
           "description": "RadSec server address shown to users (e.g. radius.csh.rit.edu:2083)."
         }
       },
-      "required": ["clientID", "serverURL", "ipaHost", "ipaServiceAccount", "ipaCAName", "ipaRadSecCAName", "wifiSSID", "radiusServer"]
+      "required": ["clientID", "serverURL", "ipaHost", "ipaServiceAccount", "ipaWirelessCAName", "ipaRadSecCAName", "wifiSSID", "radiusServer"]
     },
     "secrets": {
       "type": "object",
@@ -104,6 +131,10 @@
         "radSecCert": {
           "type": "string",
           "description": "Secret storing the FreeRADIUS TLS certificate and key. Defaults to '<fullname>-radsec-server-certificates'."
+        },
+        "profileSigningCert": {
+          "type": "string",
+          "description": "Secret storing the iOS mobileconfig signing certificate and key. Defaults to '<fullname>-profile-signing-cert'. Only created when codeSigningCAName is set."
         }
       }
     },
@@ -190,6 +221,12 @@
             "nodePort": {
               "type": ["integer", "null"],
               "description": "NodePort number. Only used when service.type is NodePort."
+            },
+            "externalTrafficPolicy": {
+              "type": "string",
+              "enum": ["Cluster", "Local"],
+              "description": "ExternalTrafficPolicy for NodePort/LoadBalancer services. Use Local to preserve client IPs (required for HAProxy PROXY protocol).",
+              "default": "Local"
             }
           }
         },
@@ -206,6 +243,10 @@
               "type": "string",
               "description": "Source CIDR allowed to query the status server.",
               "default": "0.0.0.0/0"
+            },
+            "nodePort": {
+              "type": ["integer", "null"],
+              "description": "NodePort for the status server port. Dev only; PINT queries pods directly in production."
             }
           }
         }

chart/values.schema.json

@@ -24,14 +24,24 @@ config:
   # FreeIPA
   ipaHost: ""
   ipaServiceAccount: ""
-  ipaCAName: "ipa"
+  ipaWirelessCAName: "wireless"
   ipaRadSecCAName: "radsec"
   ipaRootCAName: "ipa"
   ipaCertProfile: "pint_wifi"
   ipaRadSecClientCertProfile: "pint_radsec_client"
   ipaRadSecServerCertProfile: "pint_radsec_server"
   ipaSkipTLSVerify: false
 
+  # RADIUS / RadSec
+  radSecCheckCRL: true          # set false to disable CRL checking in the RadSec TLS listener
+  radSecProxyProtocol: false    # set true when HAProxy fronts FreeRADIUS and sends PROXY protocol headers
+  radSecStatusPort: ""          # overrides the FreeRADIUS status server port (default: 18121)
+  radSecStatusAddr: ""          # overrides the status server address (host:port); useful in dev when pod IPs are unreachable
+
+  # iOS mobileconfig signing (optional — leave codeSigningCAName empty to disable)
+  codeSigningCAName: ""
+  codeSigningCertProfile: ""    # default: pint_profile_signing
+
   # WiFi
   wifiSSID: "CSH"
 
@@ -52,8 +62,9 @@ envSecret: ""
 # multiple releases in the same namespace never collide. Override only when
 # you need to share a secret between releases.
 secrets:
-  config:     ""  # default: <fullname>-config  (clients.json, clients.conf, status-secret, status)
-  radSecCert: ""  # default: <fullname>-radsec-server-certificates  (tls.crt, tls.key, ca.pem, wifi-ca.pem)
+  config:              ""  # default: <fullname>-config  (clients.json, clients.conf, status-secret, status)
+  radSecCert:          ""  # default: <fullname>-radsec-server-certificates  (tls.crt, tls.key, ca.pem, wifi-ca.pem)
+  profileSigningCert:  ""  # default: <fullname>-profile-signing-cert  (tls.crt, tls.key); only created when codeSigningCAName is set
 
 service:
   type: ClusterIP
@@ -69,6 +80,7 @@ freeradius:
   service:
     type: NodePort
     nodePort: null
+    externalTrafficPolicy: Local  # Local preserves the client's real IP; required when using HAProxy PROXY protocol
   # FreeRADIUS status virtual server — used by PINT to surface per-pod auth statistics.
   # Managed automatically by PINT at startup.
   statusServer: