refactor: split EAP server cert into its own K8s secret

eap.crt/eap.key move from the radsec-server-certificates secret into a
dedicated eap-server-cert secret.  The RadSec cert secret holds outer-
tunnel material (tls.crt, tls.key, ca.pem, wifi-ca.pem) verified by
routers; the EAP cert secret holds what iOS devices verify during
EAP-TLS.  Mixing them in one secret named radsec-server-certificates
was confusing.

The FreeRADIUS pod mounts both secrets at /etc/pint/radsec via a
projected volume, so no cert paths change in the EAP config.

Author: mbillow

chart/templates/_helpers.tpl

@@ -66,6 +66,10 @@ never collide. Each can be overridden via the corresponding values key.
 {{- .Values.secrets.deviceMap | default (printf "%s-device-map" (include "pint.fullname" .)) }}
 {{- end }}
 
+{{- define "pint.secretName.eapCert" -}}
+{{- .Values.secrets.eapCert | default (printf "%s-eap-server-cert" (include "pint.fullname" .)) }}
+{{- end }}
+
 {{- define "pint.envSecret" -}}
 {{- .Values.envSecret | default (include "pint.fullname" .) }}
 {{- end }}

chart/templates/deployment.yaml

@@ -98,6 +98,8 @@ spec:
               value: {{ include "pint.secretName.config" . | quote }}
             - name: PINT_RADSEC_CERT_SECRET
               value: {{ include "pint.secretName.radSecCert" . | quote }}
+            - name: PINT_EAP_CERT_SECRET
+              value: {{ include "pint.secretName.eapCert" . | quote }}
             - name: PINT_SCEP_RA_CERT_SECRET
               value: {{ include "pint.secretName.scepRACert" . | quote }}
             - name: PINT_DEVICE_MAP_SECRET

chart/templates/freeradius-deployment.yaml

@@ -43,7 +43,13 @@ spec:
             secretName: {{ include "pint.secretName.config" . }}
             optional: true
         - name: pint-radsec
-          secret:
-            secretName: {{ include "pint.secretName.radSecCert" . }}
+          projected:
             defaultMode: 0444
+            sources:
+              - secret:
+                  name: {{ include "pint.secretName.radSecCert" . }}
+                  optional: true
+              - secret:
+                  name: {{ include "pint.secretName.eapCert" . }}
+                  optional: true
 {{- end }}

chart/templates/role.yaml

@@ -17,6 +17,7 @@ rules:
       - {{ include "pint.secretName.scepRACert" . | quote }}
       - {{ include "pint.secretName.profileSigningCert" . | quote }}
       - {{ include "pint.secretName.deviceMap" . | quote }}
+      - {{ include "pint.secretName.eapCert" . | quote }}
     verbs: ["get", "patch", "update"]
   - apiGroups: ["apps"]
     resources: ["deployments"]

chart/values.schema.json

@@ -148,6 +148,10 @@
         "deviceMap": {
           "type": "string",
           "description": "Secret storing the cert serial to device info map. Defaults to '<fullname>-device-map'."
+        },
+        "eapCert": {
+          "type": "string",
+          "description": "Secret storing the FreeRADIUS EAP-TLS server cert and key (eap.crt, eap.key). Wireless CA-issued; verified by iOS devices via mobileconfig anchor. Defaults to '<fullname>-eap-server-cert'."
         }
       }
     },

chart/values.yaml

@@ -64,6 +64,7 @@ envSecret: ""
 secrets:
   config:              ""  # default: <fullname>-config  (clients.json, clients.conf, status-secret, status)
   radSecCert:          ""  # default: <fullname>-radsec-server-certificates  (tls.crt, tls.key, ca.pem, wifi-ca.pem)
+  eapCert:             ""  # default: <fullname>-eap-server-cert  (eap.crt, eap.key); wireless CA-issued, verified by iOS devices
   profileSigningCert:  ""  # default: <fullname>-profile-signing-cert  (tls.crt, tls.key)
   scepRACert:          ""  # default: <fullname>-scep-ra-cert  (tls.crt, tls.key); auto-generated on first startup
   deviceMap:           ""  # default: <fullname>-device-map  (device-map.json); auto-created on first SCEP enrollment

cmd/pint/main.go

@@ -381,7 +381,7 @@ func watchRadSecServerCert(log *zap.Logger, k8sClient kubernetes.Interface, ipaC
 // cert secret. If the cert is missing or within radSecRenewBefore of expiry, a new one is
 // issued from the wireless CA so that iOS devices can verify it via their mobileconfig anchor.
 func loadOrRenewEAPServerCert(ctx context.Context, log *zap.Logger, k8sClient kubernetes.Interface, ipaClient *freeipa.Client, cfg *config.Config) error {
-	secret, err := k8sClient.CoreV1().Secrets(cfg.Namespace).Get(ctx, cfg.RadSecCertSecret, metav1.GetOptions{})
+	secret, err := k8sClient.CoreV1().Secrets(cfg.Namespace).Get(ctx, cfg.EAPCertSecret, metav1.GetOptions{})
 	if err == nil {
 		existing := secret.Data["eap.crt"]
 		key := secret.Data["eap.key"]
@@ -414,7 +414,7 @@ func loadOrRenewEAPServerCert(ctx context.Context, log *zap.Logger, k8sClient ku
 	}
 	newKeyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: ecKeyBytes})
 
-	if writeErr := radius.WriteEAPServerCert(ctx, k8sClient, cfg.Namespace, cfg.RadSecCertSecret, cfg.FreeRADIUSDeployment, newCertPEM, newKeyPEM); writeErr != nil {
+	if writeErr := radius.WriteEAPServerCert(ctx, k8sClient, cfg.Namespace, cfg.EAPCertSecret, cfg.FreeRADIUSDeployment, newCertPEM, newKeyPEM); writeErr != nil {
 		return fmt.Errorf("write eap cert: %w", writeErr)
 	}
 	log.Info("issued and stored new EAP server cert")

internal/config/config.go

@@ -35,7 +35,8 @@ type Config struct {
 	// Kubernetes
 	Namespace            string
 	ConfigSecret         string // PINT_CONFIG_SECRET:K8s Secret holding clients.json, clients.conf, status-secret, and status config
-	RadSecCertSecret     string // PINT_RADSEC_CERT_SECRET:K8s Secret storing FreeRADIUS TLS cert+key
+	RadSecCertSecret     string // PINT_RADSEC_CERT_SECRET:K8s Secret storing FreeRADIUS outer RadSec TLS cert+key (tls.crt, tls.key, ca.pem, wifi-ca.pem)
+	EAPCertSecret        string // PINT_EAP_CERT_SECRET:K8s Secret storing FreeRADIUS EAP-TLS server cert+key (eap.crt, eap.key); wireless CA-issued
 	FreeRADIUSDeployment string
 
 	// FreeRADIUS status virtual server
@@ -94,6 +95,7 @@ func Load() (*Config, error) {
 	cfg.Namespace = optional("PINT_NAMESPACE", "pint")
 	cfg.ConfigSecret = optional("PINT_CONFIG_SECRET", "pint-config")
 	cfg.RadSecCertSecret = optional("PINT_RADSEC_CERT_SECRET", "pint-radsec-server-certificates")
+	cfg.EAPCertSecret = optional("PINT_EAP_CERT_SECRET", "pint-eap-server-cert")
 	cfg.FreeRADIUSDeployment = optional("PINT_FREERADIUS_DEPLOYMENT", "pint-freeradius")
 	cfg.RadiusServer = require("PINT_RADIUS_SERVER")
 	cfg.RADIUSStatusPort = optional("PINT_RADIUS_STATUS_PORT", "18121")

internal/radius/reload.go

@@ -49,13 +49,13 @@ func WriteRadSecTLS(ctx context.Context, k8s kubernetes.Interface, namespace, se
 // WriteEAPServerCert writes the FreeRADIUS EAP-TLS server cert and key to the named K8s
 // Secret (eap.crt / eap.key) and triggers a FreeRADIUS rollout restart.
 // The EAP cert is issued by the wireless CA so that iOS devices can verify it using the
-// CA anchor embedded in their mobileconfig profile. This is separate from tls.crt / tls.key,
-// which is the outer RadSec TLS cert issued by the RadSec CA and verified by routers.
+// CA anchor embedded in their mobileconfig profile. This is separate from the RadSec cert
+// secret (tls.crt / tls.key), which is the outer RadSec TLS cert verified by routers.
 func WriteEAPServerCert(ctx context.Context, k8s kubernetes.Interface, namespace, secretName, deployment string, certPEM, keyPEM []byte) error {
-	if err := patchSecretKey(ctx, k8s, namespace, secretName, "eap.crt", certPEM); err != nil {
-		return err
-	}
-	if err := patchSecretKey(ctx, k8s, namespace, secretName, "eap.key", keyPEM); err != nil {
+	if err := UpsertSecret(ctx, k8s, &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{Name: secretName, Namespace: namespace},
+		Data:       map[string][]byte{"eap.crt": certPEM, "eap.key": keyPEM},
+	}); err != nil {
 		return err
 	}
 	return Reload(ctx, k8s, namespace, deployment)