Merge pull request #2 from startechnica/freeradius

Add TLS Helper
startechnica · Feb 16, 2022 · f73072e · f73072e
2 parents 7352be2 + 981d91c
commit f73072e
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 2 deletions.
diff --git a/charts/freeradius/README.md b/charts/freeradius/README.md
@@ -31,7 +31,7 @@ $ helm install my-release startechnica/freeradius --namespace my-release --creat
 
 These commands deploy FreeRADIUS on the Kubernetes cluster in the default configuration.
 
-> **Tip**: List all releases using `helm list`
+> **Tip**: List all releases using `helm list -A`
 
 ## Uninstalling the Chart
 

diff --git a/charts/freeradius/templates/_helpers.tpl b/charts/freeradius/templates/_helpers.tpl
@@ -74,4 +74,23 @@ Create the name of the SSL certificate to use
 {{- else }}
   {{- default (printf "%s-tls" (include "freeradius.fullname" .)) }}
 {{- end }}
+{{- end }}
+
+{{/*
+Return true if a TLS secret object should be created
+*/}}
+{{- define "freeradius.createTlsSecret" }}
+{{- if and .Values.tls.enabled .Values.tls.autoGenerated (not .Values.tls.existingSecret) }}
+    {{- true }}
+{{- end }}
+{{- end }}
+
+{{/* Validate values of FreeRADIUS - Auth TLS enabled */}}
+{{- define "freeradius.validateValues.tls" }}
+{{- if and .Values.tls.enabled (not .Values.tls.autoGenerated) (not .Values.tls.existingSecret) }}
+freeradius: tls.enabled
+    In order to enable TLS, you also need to provide
+    an existing secret containing the Keystore and Truststore or
+    enable auto-generated certificates.
+{{- end }}
 {{- end }}
diff --git a/charts/freeradius/templates/certificate.yaml b/charts/freeradius/templates/certificate.yaml
@@ -0,0 +1,42 @@
+{{- if .Capabilities.APIVersions.Has "cert-manager.io/v1/Certificate" }}
+{{- if and .Values.tls.enabled .Values.tls.autoGenerated }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Release.Name }}-cert
+  namespace: {{ .Values.istio.namespace }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "adminer.labels" . | nindent 4 }}
+spec:
+  secretName: {{ include "istioCertificateSecret" . }}
+  issuerRef:
+    group: {{ .Values.istio.certificate.issuerRef.group }}
+    kind: {{ .Values.istio.certificate.issuerRef.kind }}
+    name: {{ .Values.istio.certificate.issuerRef.name }}
+    #name: letsencrypt-prd
+  privateKey:
+    algorithm: ECDSA
+    rotationPolicy: Always
+    size: 256
+  subject:
+    countries:
+    - ID
+    organizations:
+    - {{ .Values.organization | quote }}
+    organizationalUnits:
+    - {{ .Release.Name | quote }}
+    localities:
+    - Asgard
+    provinces:
+    - Yggdrasil
+  dnsNames:
+  {{- if .Values.istio.hosts }}
+    {{- toYaml .Values.istio.hosts | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}
+---
diff --git a/charts/freeradius/values.yaml b/charts/freeradius/values.yaml
@@ -414,7 +414,6 @@ serviceAccount:
   ##
   automountServiceAccountToken: false
 
-
 modsEnabled:
   sql:
     enabled: true
@@ -431,6 +430,11 @@ sitesEnabled:
     port: 18121
     secret: adminsecret
 
+tls:
+  enabled: false
+  autoGenerated: false
+  existingSecret: ""
+
 mariadb:
   enabled: false