Merge pull request #17 from startechnica/freeradius
[freeradius] Release v0.1.6
firmansyahn authored Jun 3, 2022
2 parents 00c95d5 + 1d0c29e commit 6a6ce8b
Showing 21 changed files with 361 additions and 308 deletions.
8 changes: 4 additions & 4 deletions charts/freeradius/Chart.yaml
Expand Up @@ -6,7 +6,7 @@ annotations:
- name: Upstream Project
url: https://github.com/FreeRADIUS/freeradius-server
apiVersion: v2
appVersion: 3.0.25
appVersion: 3.2.0
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
Expand All @@ -27,13 +27,13 @@ keywords:
- mysql
- postgresql
- ldap
kubeVersion: ">=1.16.0-0"
kubeVersion: ">=1.19.0-0"
maintainers:
- name: Firmansyah Nainggolan
- name: firmansyahn
email: [email protected]
url: https://firmansyah.nainggolan.id
name: freeradius
sources:
- https://freeradius.org/
type: application
version: 0.1.5
version: 0.1.6
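Review bot: the bump to 0.1.6 is only a patch increment, but the rest of this commit changes the default `image.repository`, changes the default `podSecurityContext.fsGroup`, and replaces the `containerPorts.http`/`containerPorts.https` keys with `auth`/`acct`/`coa`/`radsec`/`status`, so values files written against 0.1.5 silently lose their port overrides on upgrade. A minor bump plus an upgrade note in the README listing the renamed keys would signal this; the raised `kubeVersion: ">=1.19.0-0"` floor belongs in that note too, since it drops clusters 0.1.5 accepted.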
45 changes: 24 additions & 21 deletions charts/freeradius/README.md
Expand Up @@ -68,20 +68,20 @@ The command removes all the Kubernetes components associated with the chart and

### FreeRADIUS parameters

| Name | Description | Value |
| -------------------- | -------------------------------------------------------------------- | ------------------------- |
| `image.registry` | FreeRADIUS image registry | `docker.io` |
| `image.repository` | FreeRADIUS image repository | `startechnica/freeradius` |
| `image.tag` | FreeRADIUS image tag (immutable tags are recommended) | `1.21.5-debian-10-r3` |
| `image.pullPolicy` | FreeRADIUS image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `image.debug` | Set to true if you would like to see extra information on logs | `false` |
| `hostAliases` | Deployment pod host aliases | `[]` |
| `command` | Override default container command (useful when using custom images) | `[]` |
| `args` | Override default container args (useful when using custom images) | `[]` |
| `extraEnvVars` | Extra environment variables to be set on FreeRADIUS containers | `[]` |
| `extraEnvVarsCM` | ConfigMap with extra environment variables | `""` |
| `extraEnvVarsSecret` | Secret with extra environment variables | `""` |
| Name | Description | Value |
| -------------------- | -------------------------------------------------------------------- | ------------------------- |
| `image.registry` | FreeRADIUS image registry | `docker.io` |
| `image.repository` | FreeRADIUS image repository | `freeradius/freeradius-server` |
| `image.tag` | FreeRADIUS image tag (immutable tags are recommended) | `3.2.0` |
| `image.pullPolicy` | FreeRADIUS image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
| `image.debug` | Set to true if you would like to see extra information on logs | `false` |
| `hostAliases` | Deployment pod host aliases | `[]` |
| `command` | Override default container command (useful when using custom images) | `[]` |
| `args` | Override default container args (useful when using custom images) | `[]` |
| `extraEnvVars` | Extra environment variables to be set on FreeRADIUS containers | `[]` |
| `extraEnvVarsCM` | ConfigMap with extra environment variables | `""` |
| `extraEnvVarsSecret` | Secret with extra environment variables | `""` |


### FreeRADIUS deployment parameters
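Review bot: `image.tag` now defaults to `3.2.0`, a mutable tag, in the same row that recommends immutable tags; since the chart has moved from a maintainer-built image to the upstream `freeradius/freeradius-server` image, document pinning by digest (the `3.2.0@sha256:...` tag form renders to a valid image reference) so a re-push of the tag cannot change the binary that handles credentials without a chart change. Replacing the old default `1.21.5-debian-10-r3`, which was a leftover from the chart this README was templated on, is correct.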
Expand All @@ -101,13 +101,16 @@ The command removes all the Kubernetes components associated with the chart and
| `tolerations` | Tolerations for pod assignment. Evaluated as a template. | `{}` |
| `priorityClassName` | Priority class name | `""` |
| `podSecurityContext.enabled` | Enabled FreeRADIUS pods' Security Context | `false` |
| `podSecurityContext.fsGroup` | Set FreeRADIUS pod's Security Context fsGroup | `1001` |
| `podSecurityContext.fsGroup` | Set FreeRADIUS pod's Security Context fsGroup | `101` |
| `podSecurityContext.sysctls` | sysctl settings of the FreeRADIUS pods | `[]` |
| `containerSecurityContext.enabled` | Enabled FreeRADIUS containers' Security Context | `false` |
| `containerSecurityContext.runAsUser` | Set FreeRADIUS container's Security Context runAsUser | `1001` |
| `containerSecurityContext.runAsNonRoot` | Set FreeRADIUS container's Security Context runAsNonRoot | `true` |
| `containerPorts.http` | Sets http port inside FreeRADIUS container | `8080` |
| `containerPorts.https` | Sets https port inside FreeRADIUS container | `""` |
| `containerPorts.auth` | Sets auth port inside FreeRADIUS container | `1812` |
| `containerPorts.acct` | Sets acct port inside FreeRADIUS container | `1813` |
| `containerPorts.coa` | Sets coa port inside FreeRADIUS container | `3799` |
| `containerPorts.radsec` | Sets radsec port inside FreeRADIUS container | `2083` |
| `containerPorts.status` | Sets status port inside FreeRADIUS container | `18121` |
| `resources.limits` | The resources limits for the FreeRADIUS container | `{}` |
| `resources.requests` | The requested resources for the FreeRADIUS container | `{}` |
| `livenessProbe.enabled` | Enable livenessProbe | `true` |
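Review bot: `podSecurityContext.fsGroup` changes to `101` for the new image, but `containerSecurityContext.runAsUser` is left at `1001`; check which UID the `freeradius/freeradius-server` image runs radiusd as and use it for both, because a radiusd started as a non-root UID that differs from the `user`/`group` in its radiusd.conf cannot setuid to the configured user and will not start. Both `*SecurityContext.enabled` flags still default to `false`, so out of the box the chart applies no security context at all; for a service that handles credentials the defaults should be enabled with `runAsNonRoot: true`. The new `containerPorts.status` (18121) should not be published by the Service outside the cluster, since the status virtual server is guarded only by the shared secret documented further down as `sitesEnabled.status.secret`.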
Expand Down Expand Up @@ -145,10 +148,10 @@ The command removes all the Kubernetes components associated with the chart and

### Custom FreeRADIUS application parameters

| Name | Description | Value |
| ------------------------------------------ | ------------------------------------------------------------------------------------------------- | ---------------------- |
| `modsEnabled.enabled` | Get the server static content from a Git repository | `true` |
| `sitesEnabled.status.port` | Git image registry | `18121` |
| Name | Description | Value |
| ------------------------------------------ | ------------------------------------------------------------------------------------------------- | ----------------- |
| `modsEnabled.sql.enabled` | | `false` |
| `sitesEnabled.status.port` | Git image registry | `18121` |
| `sitesEnabled.status.secret` | Git image repository | `adminsecret` |


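Review bot: the descriptions in this table are copy-paste leftovers and the default secret needs a second look: `modsEnabled.sql.enabled` has no description, and `sitesEnabled.status.port` / `sitesEnabled.status.secret` are described as "Git image registry" / "Git image repository". The bigger issue is `adminsecret` as the default shared secret for the status listener: every install that does not override it answers Status-Server queries with a secret printed in this README, so default it to `""` and make the template fail (or generate a random value) when it is empty, and confirm that the status site's client entry stays restricted to localhost rather than accepting any client.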
Expand Up @@ -4,8 +4,8 @@
# Sample virtual server for receiving a CoA or Disconnect-Request packet.
#
server coa {
namespace = radius

namespace = $ENV{FREERADIUS_SITES_NAMESPACE}
# Listen on the CoA port.
#
# This uses the normal set of clients, with the same secret as for
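Review bot: `namespace = ...` is a FreeRADIUS v4 virtual-server directive, as are the `recv CoA-Request` / `send CoA-ACK` / `recv Disconnect-Request` sections further down in this file; the 3.x branch the chart now pins (`appVersion: 3.2.0`, `image.tag: 3.2.0`) does not know `namespace` and expects `recv-coa { }` / `send-coa { }` inside a `type = coa` listener. Unless the image being deployed is actually a v4 build, radiusd will refuse to parse this site at startup, so either rewrite it for 3.x or drop it from the enabled sites; making the value come from `$ENV{FREERADIUS_SITES_NAMESPACE}` does not change that.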
Expand All @@ -23,51 +23,33 @@ server coa {
}
}

#
# Receive a CoA request
#
recv CoA-Request {
# Insert your own policies here.
ok
}

#
# Send a CoA ACK
#
send CoA-ACK {
# Sample module.
ok
}

#
# Send a CoA NAK
#
send CoA-NAK {
# Sample module.
ok
}

#
# Receive a Disconnect request
#
recv Disconnect-Request {
# Insert your own policies here.
ok
}

#
# Send a Disconnect ACK
#
send Disconnect-ACK {
# Sample module.
ok
}

#
# Send a Disconnect NAK
#
send Disconnect-NAK {
# Sample module.
ok
}
}
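Review bot: stripping the comments leaves `recv CoA-Request` and `recv Disconnect-Request` as an unconditional `ok`, and the listen comment above says this server uses the normal client set and secrets; that means any NAS that can authenticate users can also issue Disconnect-Requests and CoA for sessions on every other NAS. Give this listener its own `clients` section limited to the systems that are supposed to originate session changes, or add a policy in the `recv` sections that checks the requesting client against the session's NAS before returning `ok`.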
Expand Up @@ -16,11 +16,9 @@ server radsec {
ipaddr = $ENV{FREERADIUS_SITES_TLS_LISTEN}
port = $ENV{FREERADIUS_SITES_TLS_PORT}

#
# Connection limiting for sockets with "proto = tcp".
#
limit {
#
# Limit the number of simultaneous TCP connections to the socket
#
# The default is 16.
Expand All @@ -29,97 +27,59 @@ server radsec {

# The per-socket "max_requests" option does not exist.

#
# The lifetime, in seconds, of a TCP connection. After
# this lifetime, the connection will be closed.
# The lifetime, in seconds, of a TCP connection. After this lifetime, the connection will be closed.
#
# Setting this to 0 means "forever".
lifetime = 0

#
# The idle timeout, in seconds, of a TCP connection.
# If no packets have been received over the connection for
# this time, the connection will be closed.
#
# If no packets have been received over the connection for this time, the connection will be closed.
# Setting this to 0 means "no timeout".
#
# We STRONGLY RECOMMEND that you set an idle timeout.
#
idle_timeout = 30
}

private_key_password = whatever
# private_key_file = ${certdir}/server.pem
private_key_file = /startechnica/freeradius/certs/tls.key
private_key_password = $ENV{FREERADIUS_SITES_TLS_PRIVKEY_PASSWORD}
private_key_file = $ENV{FREERADIUS_SITES_TLS_PRIVKEY_FILE}

# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
# If Private key & Certificate are located in the same file, then private_key_file &
# certificate_file must contain the same file name.
#
# If ca_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# server certificate.
# certificate_file = ${certdir}/server.pem
certificate_file = /startechnica/freeradius/certs/tls.crt
# If ca_file (below) is not used, then the certificate_file below MUST include not only the server certificate, but ALSO all
# of the CA certificates used to sign the server certificate.
certificate_file = $ENV{FREERADIUS_SITES_TLS_CERTIFICATE_FILE}

# Trusted Root CA list
#
# ALL of the CA's in this list will be trusted
# to issue client certificates for authentication.
# ALL of the CA's in this list will be trusted to issue client certificates for authentication.
#
# In general, you should use self-signed
# certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain
# *one* CA certificate.
# In general, you should use self-signed certificates for 802.1x (EAP) authentication.
# In that case, this CA file should contain *one* CA certificate.
#
# This parameter is used only for EAP-TLS,
# when you issue client certificates. If you do
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
# ca_file = ${cadir}/ca.crt
ca_file = /startechnica/freeradius/certs/ca.crt
# This parameter is used only for EAP-TLS, when you issue client certificates. If you do not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete this configuration item.
ca_file = $ENV{FREERADIUS_SITES_TLS_CA_FILE}

#
# For DH cipher suites to work, you have to
# run OpenSSL to create the DH file first:
# For DH cipher suites to work, you have to run OpenSSL to create the DH file first:
#
# openssl dhparam -out certs/dh 1024
#
dh_file = ${certdir}/dh

#
# If your system doesn't have /dev/urandom,
# you will need to create this file, and
# periodically change its contents.
#
# For security reasons, FreeRADIUS doesn't
# write to files in its configuration
# directory.
#
# If your system doesn't have /dev/urandom, you will need to create this file, and periodically change its contents.
# For security reasons, FreeRADIUS doesn't write to files in its configuration directory.
# random_file = /dev/urandom

#
# The default fragment size is 1K.
# However, it's possible to send much more data than
# that over a TCP connection. The upper limit is 64K.
# Setting the fragment size to more than 1K means that
# there are fewer round trips when setting up a TLS
# connection. But only if the certificates are large.
#
# The default fragment size is 1K. However, it's possible to send much more data than that over a TCP connection. The upper limit is 64K.
# Setting the fragment size to more than 1K means that there are fewer round trips when setting up a TLS connection. But only if the certificates are large.
fragment_size = 8192

# include_length is a flag which is
# by default set to yes If set to
# yes, Total Length of the message is
# include_length is a flag which is by default set to yes If set to yes, Total Length of the message is
# included in EVERY packet we send.
# If set to no, Total Length of the
# message is included ONLY in the
# First packet of a fragment series.
#
# If set to no, Total Length of the message is included ONLY in the First packet of a fragment series.
# include_length = yes

# Check the Certificate Revocation List
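Review bot: `private_key_file`, `certificate_file` and `ca_file` now come from env vars and mounted paths, but `dh_file = ${certdir}/dh` is still the upstream default and the comment still suggests `openssl dhparam ... 1024`; 1024-bit DH is weak and is rejected by OpenSSL at security level 2, so generate at least 2048 bits and mount the file the same way as the other material (or drop `dh_file` and rely on ECDHE). The inherited comment above `ca_file` still says it is used only for EAP-TLS and can be deleted, which is wrong for this listener: with `require_client_cert = yes` below, `ca_file` is what authenticates the RadSec client, so the comment should say so. Finally, `private_key_password = $ENV{...}` puts the key passphrase in the process environment; if it is set through `extraEnvVars` it ends up in the pod spec, so source it from `extraEnvVarsSecret`, or mount an unencrypted key from a Secret with mode 0400 and remove the password entirely.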
Expand Down Expand Up @@ -249,47 +209,30 @@ server radsec {
#persist_dir = "${logdir}/tlscache"
}

#
# Require a client certificate.
#
require_client_cert = yes

#
# As of version 2.1.10, client certificates can be
# validated via an external command. This allows
# dynamic CRLs or OCSP to be used.
# As of version 2.1.10, client certificates can be validated via an external command. This allows dynamic CRLs or OCSP to be used.
#
# This configuration is commented out in the
# default configuration. Uncomment it, and configure
# the correct paths below to enable it.
# This configuration is commented out in the default configuration. Uncomment it, and configure the correct paths below to enable it.
#
verify {
# A temporary directory where the client
# certificates are stored. This directory
# MUST be owned by the UID of the server,
# and MUST not be accessible by any other
# users. When the server starts, it will do
# "chmod go-rwx" on the directory, for
# security reasons. The directory MUST
# exist when the server starts.
# A temporary directory where the client certificates are stored. This directory MUST be owned by the UID of the server,
# and MUST not be accessible by any other users. When the server starts, it will do "chmod go-rwx" on the directory, for
# security reasons. The directory MUST exist when the server starts.
#
# You should also delete all of the files
# in the directory when the server starts.
# tmpdir = /tmp/radiusd
# You should also delete all of the files in the directory when the server starts.
tmpdir = /startechnica/freeradius/tmp

# The command used to verify the client cert.
# We recommend using the OpenSSL command-line
# tool.
# The command used to verify the client cert. We recommend using the OpenSSL command-line tool.
#
# The ${..ca_path} text is a reference to
# the ca_path variable defined above.
# The ${..ca_path} text is a reference to the ca_path variable defined above.
#
# The %{TLS-Client-Cert-Filename} is the name
# of the temporary file containing the cert
# in PEM format. This file is automatically
# deleted by the server when the command
# returns.
# client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
# The %{TLS-Client-Cert-Filename} is the name of the temporary file containing the cert in PEM format. This file is automatically
# deleted by the server when the command returns.
# client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
}
}
}
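Review bot: `tmpdir = /startechnica/freeradius/tmp` is now uncommented while `client = ...` stays commented out, so the verify block performs no external certificate check but, per the comment right above it, the directory must exist and be owned by the server UID when radiusd starts, otherwise startup fails on the `chmod go-rwx`. Either uncomment `client` as well and mount a writable, pod-private volume at that path owned by the UID the chart runs as, or leave `tmpdir` commented until external verification is actually used; a path under `/startechnica/...` also will not exist in the upstream `freeradius/freeradius-server` image the chart now defaults to.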