Merge pull request #19 from startechnica/freeradius

Freeradius
startechnica · Jun 8, 2022 · 1c9ebc8 · 1c9ebc8
2 parents 251b27a + aaccf73
commit 1c9ebc8
Show file tree

Hide file tree

Showing 6 changed files with 288 additions and 72 deletions.
diff --git a/charts/freeradius/Chart.yaml b/charts/freeradius/Chart.yaml
@@ -36,4 +36,4 @@ name: freeradius
 sources:
   - https://freeradius.org/
 type: application
-version: 0.1.6
+version: 0.1.6
diff --git a/charts/freeradius/templates/Deployment.yaml b/charts/freeradius/templates/Deployment.yaml
@@ -67,24 +67,31 @@ spec:
       {{- if .Values.topologySpreadConstraints }}
       topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }}
       {{- end }}
+      {{- if or (and .Values.volumePermissions.enabled .Values.persistence.enabled) .Values.initContainers }}
       initContainers:
-        - name: take-data-dir-ownership
-          image: busybox:latest
-          command: 
-            - sh
-            - -c
-            - |-
-              whoami
-              ls -liah /startechnica/freeradius/mods-enabled
-              ls -liah /startechnica/freeradius/sites-enabled
-              sleep 2
+        {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
+        - name: volume-permissions
+          image: {{ include "freeradius.volumePermissions.image" . }}
+          imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
+          command:
+            - /bin/bash
+          args:
+            - -ec
+            - |
+              mkdir -p /etc/freeradius
+              chown -R "{{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }}" /etc/freeradius
+          {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
+          securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }}
+          {{- else }}
+          securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }}
+          {{- end }}
+          {{- if .Values.volumePermissions.resources }}
+          resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
+          {{- end }}
           volumeMounts:
-            - name: freeradius-mods
-              mountPath: /startechnica/freeradius/mods-enabled
-            - name: freeradius-sites
-              mountPath: /startechnica/freeradius/sites-enabled
-      {{- if .Values.initContainers }}
-        {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
+            - name: raddb
+              mountPath: /etc/freeradius
+        {{- end }}
       {{- end }}
       containers:
         - name: freeradius
@@ -268,5 +275,4 @@ spec:
         {{- end }}
         {{- if .Values.extraVolumes }}
           {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
-        {{- end }}
----
+        {{- end }}
diff --git a/charts/freeradius/templates/NetworkPolicy.yaml b/charts/freeradius/templates/NetworkPolicy.yaml
@@ -0,0 +1,46 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "common.names.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: freeradius
+    {{- if .Values.commonLabels }}
+      {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  podSelector:
+    matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+  ingress:
+    - ports:
+        - port: {{ .Values.containerPorts.auth }}
+        - port: {{ .Values.containerPorts.acct }}
+        {{- if .Values.tls.enabled }}
+        - port: {{ .Values.containerPorts.radsec }}
+        {{- end }}
+        {{- if .Values.metrics.enabled }}
+        - port: {{ .Values.containerPorts.metrics }}
+        {{- end }}
+        {{- if .Values.sitesEnabled.coa.enabled }}
+        - port: {{ .Values.containerPorts.coa }}
+        {{- end }}
+        {{- if .Values.sitesEnabled.status.enabled }}
+        - port: {{ .Values.containerPorts.status }}
+        {{- end }}
+      {{- if not .Values.networkPolicy.allowExternal }}
+      from:
+        - podSelector:
+            matchLabels:
+              {{ template "common.names.fullname" . }}-client: "true"
+        - podSelector:
+            matchLabels: {{- include "common.labels.matchLabels" . | nindent 14 }}
+              app.kubernetes.io/component: freeradius
+        {{- if .Values.networkPolicy.additionalRules }}
+          {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.additionalRules "context" $) | nindent 8 }}
+        {{- end }}
+      {{- end }}
+{{- end }}
diff --git a/charts/freeradius/templates/Role.yaml b/charts/freeradius/templates/Role.yaml
@@ -18,4 +18,5 @@ rules:
       - endpoints
     verbs:
       - get
+      - list
 {{- end }}
diff --git a/charts/freeradius/templates/_helpers.tpl b/charts/freeradius/templates/_helpers.tpl
@@ -10,30 +10,35 @@ If release name contains chart name it will be used as a full name.
 */}}
 {{- define "freeradius.fullname" -}}
 {{- if .Values.fullnameOverride }}
-    {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+  {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
-    {{- $name := default .Chart.Name .Values.nameOverride }}
+  {{- $name := default .Chart.Name .Values.nameOverride }}
 {{- if contains $name .Release.Name }}
-    {{- .Release.Name | trunc 63 | trimSuffix "-" }}
+  {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
-    {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+  {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{- end }}
 {{- end -}}
 
 {{/* Create chart name and version as used by the chart label. */}}
 {{- define "freeradius.chart" -}}
-    {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+  {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end -}}
 
 {{/* Return the proper FreeRADIUS image name */}}
 {{- define "freeradius.image" -}}
-    {{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
+  {{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
+{{- end -}}
+
+{{/* Return the proper image name (for the init container volume-permissions image) */}}
+{{- define "freeradius.volumePermissions.image" -}}
+  {{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }}
 {{- end -}}
 
 {{/* Return the proper Docker Image Registry Secret Names */}}
 {{- define "freeradius.imagePullSecrets" -}}
-{{- include "common.images.pullSecrets" (dict "images" (list .Values.image) "global" .Values.global) -}}
+  {{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.volumePermissions.image) "global" .Values.global) -}}
 {{- end -}}
 
 {{/* Common labels */}}
@@ -61,20 +66,16 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 {{- end }}
 
-{{/*
-Return the path to the cert file.
-*/}}
+{{/* Return the path to the cert file. */}}
 {{- define "freeradius.tlsCert" -}}
 {{- if and .Values.tls.enabled .Values.tls.autoGenerated }}
-    {{- printf "/startechnica/freeradius/certs/tls.crt" -}}
+  {{- printf "/startechnica/freeradius/certs/tls.crt" -}}
 {{- else -}}
-    {{- printf "/startechnica/freeradius/certs/%s" .Values.tls.certFilename -}}
+  {{- printf "/startechnica/freeradius/certs/%s" .Values.tls.certFilename -}}
 {{- end -}}
 {{- end -}}
 
-{{/*
-Return the path to the cert key file.
-*/}}
+{{/* Return the path to the cert key file. */}}
 {{- define "freeradius.tlsCertKey" -}}
 {{- if and .Values.tls.enabled .Values.tls.autoGenerated }}
     {{- printf "/startechnica/freeradius/certs/tls.key" -}}
@@ -83,9 +84,7 @@ Return the path to the cert key file.
 {{- end -}}
 {{- end -}}
 
-{{/*
-Return the path to the CA cert file.
-*/}}
+{{/* Return the path to the CA cert file. */}}
 {{- define "freeradius.tlsCACert" -}}
 {{- if and .Values.tls.enabled .Values.tls.autoGenerated }}
     {{- printf "/startechnica/freeradius/certs/ca.crt" -}}
@@ -120,8 +119,7 @@ freeradius: tls.enabled
 {{- end }}
 {{- end -}}
 
-{{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-*/}}
+{{/* Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). */}}
 {{- define "freeradius.mariadb.fullname" -}}
 {{- include "common.names.dependency.fullname" (dict "chartName" "mariadb" "chartValues" .Values.mariadb "context" $) -}}
 {{- end -}}
-Original file line number
+Diff line change
@@ Expand Up / @@ -18,4 +18,5 @@ rules: @@
           - endpoints
         verbs:
           - get
+          - list
     {{- end }}