Merge pull request #3 from Telecominfraproject/feature/helm-freeradius

[TOOLS-131] Add: freeradius helm chart with validation

.github/workflows/helm-validation.yml

@@ -0,0 +1,41 @@
+name: Helm validation
+
+on: 
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Validators setup
+        run: |
+          mkdir /tmp/k8s-validators
+          cd /tmp/k8s-validators
+
+          curl -LO https://github.com/instrumenta/kubeval/releases/latest/download/kubeval-linux-amd64.tar.gz
+          tar xf kubeval-linux-amd64.tar.gz
+          rm -f kubeval-linux-amd64.tar.gz LICENSE README.md
+
+          curl -LO https://get.helm.sh/helm-v3.2.4-linux-amd64.tar.gz
+          tar xf helm-v3.2.4-linux-amd64.tar.gz
+          mv linux-amd64/helm .
+          rm -fr helm-v3.2.4-linux-amd64.tar.gz linux-amd64
+      - name: Cache validators
+        uses: actions/cache@v1
+        with:
+          path: /tmp/k8s-validators
+          key: ${{ runner.os }}-k8s-validators
+      - name: Test freeradius helm chart
+        working-directory: freeradius/helm
+        run: |
+          echo "Helm lint test"
+          helm lint .
+
+          echo "Kubeval test"
+          helm template -f values.yaml . | /tmp/k8s-validators/kubeval --ignore-missing-schemas

freeradius/helm/.gitignore

@@ -0,0 +1 @@
+*.swp

freeradius/helm/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

freeradius/helm/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Kubernetes
+name: freeradius
+version: 0.1.0

freeradius/helm/templates/_helpers.tpl

@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "freeradius.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "freeradius.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "freeradius.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

freeradius/helm/templates/deployment.yaml

@@ -0,0 +1,103 @@
+{{- $root := . -}}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "freeradius.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "freeradius.name" . }}
+    helm.sh/chart: {{ include "freeradius.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "freeradius.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      {{- with .Values.services.freeradius.labels }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "freeradius.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        {{- with .Values.services.freeradius.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+
+      containers:
+
+        - name: freeradius
+          image: "{{ .Values.images.freeradius.repository }}:{{ .Values.images.freeradius.tag }}"
+          imagePullPolicy: {{ .Values.images.freeradius.pullPolicy }}
+
+          env:
+            - name: KUBERNETES_DEPLOYED
+              value: "{{ now }}"
+          {{- range $key, $value := .Values.public_env_variables }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+          {{- end }}
+          {{- range $key, $value := .Values.secret_env_variables }}
+            - name: {{ $key }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "freeradius.fullname" $root }}-env
+                  key: {{ $key }}
+          {{- end }}
+
+          ports:
+          {{- range $port, $portValue := .Values.services.freeradius.ports }}
+            - name: {{ $port }}
+              containerPort: {{ $portValue.targetPort }}
+              protocol: {{ $portValue.protocol }}
+          {{- end }}
+
+          volumeMounts:
+          {{- range .Values.volumes.freeradius }}
+          - name: {{ .name }}
+            mountPath: {{ .mountPath }}
+            {{- if .subPath }}
+            subPath: {{ .subPath }}
+            {{- end }}
+          {{- end }}
+
+          {{- if .Values.checks.freeradius.liveness }}
+          livenessProbe:
+            {{- toYaml .Values.checks.freeradius.liveness | nindent 12 }}
+          {{- end }}
+          {{- if .Values.checks.freeradius.readiness }}
+          readinessProbe:
+            {{- toYaml .Values.checks.freeradius.readiness | nindent 12 }}
+          {{- end }}
+
+          {{- with .Values.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+
+      volumes:
+      {{- range $container, $containerVolumes := .Values.volumes }}
+      {{- range $containerVolumes }}
+      - name: {{ .name }}
+        {{- tpl .volumeDefinition $root | nindent 8 }}
+      {{- end }}
+      {{- end }}
+
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

freeradius/helm/templates/secret-env.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+metadata:
+  labels:
+    app.kuberentes.io/name: {{ include "freeradius.name" . }}
+    helm.sh/chart: {{ include "freeradius.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  name: {{ include "freeradius.fullname" . }}-env
+kind: Secret
+type: Opaque
+data:
+  # Secret env variables
+  {{- range $key, $value := .Values.secret_env_variables }}
+  {{ $key }}: {{ $value | b64enc | quote }}
+  {{- end }}
+

freeradius/helm/templates/secret-users-file.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+metadata:
+  labels:
+    app.kuberentes.io/name: {{ include "freeradius.name" . }}
+    helm.sh/chart: {{ include "freeradius.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  name: {{ include "freeradius.fullname" . }}-configs
+kind: Secret
+type: Opaque
+data:
+  users: {{ .Values.users_data | b64enc | quote }}
+  clients: {{ .Values.clients_data | b64enc | quote }}
+  extraSite: {{ .Values.extra_site | b64enc | quote }}

freeradius/helm/templates/service.yaml

@@ -0,0 +1,48 @@
+{{- $root := . -}}
+{{- range $service, $serviceValue := .Values.services }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "freeradius.fullname" $root }}-{{ $service }}
+  {{- with $serviceValue.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/name: {{ include "freeradius.name" $root }}
+    helm.sh/chart: {{ include "freeradius.chart" $root }}
+    app.kubernetes.io/instance: {{ $root.Release.Name }}
+    app.kubernetes.io/managed-by: {{ $root.Release.Service }}
+
+    {{- with $serviceValue.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+
+    {{- if $serviceValue.serviceMonitor }}
+
+    {{- range $selector, $selectorValue := $serviceValue.serviceMonitor.serviceSelector }}
+    {{ $selector }}: {{ tpl $selectorValue $root }}
+    {{- end }}
+    {{- end }}
+spec:
+  type: {{ $serviceValue.type }}
+  ports:
+
+  {{- range $service_service, $service_value := $serviceValue.ports }}
+    - name: {{ $service_service }}
+      targetPort: {{ $service_value.targetPort }}
+      protocol: {{ $service_value.protocol }}
+      port: {{ $service_value.servicePort }}
+      {{- if and (eq "NodePort" $serviceValue.type) $service_value.nodePort }}
+      nodePort: {{ $service_value.nodePort }}
+      {{- end }}
+  {{- end }}
+  selector:
+    app.kubernetes.io/name: {{ include "freeradius.name" $root }}
+    app.kubernetes.io/instance: {{ $root.Release.Name }}
+    {{- with $serviceValue.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+
+{{- end }}

freeradius/helm/values.yaml

@@ -0,0 +1,122 @@
+# System
+replicaCount: 1
+
+nameOverride: ""
+fullnameOverride: ""
+
+images:
+  freeradius:
+    repository: freeradius/freeradius-server
+    tag: 3.0.21
+    pullPolicy: IfNotPresent
+
+services:
+  freeradius:
+    type: ClusterIP
+    selectors: {}
+    labels: {}
+    annotations: {}
+    ports:
+      auth:
+        servicePort: 1812
+        targetPort: 1812
+        protocol: UDP
+      acct:
+        servicePort: 1813
+        targetPort: 1813
+        protocol: UDP
+
+checks:
+  # This check uses extra site that binds on TCP port 1812 (same as auth port) which is defined below
+  # TCP port is not exposed in service as it may create mixed protocol service that is not supported by LoadBalancer services
+  freeradius:
+    liveness:
+      tcpSocket:
+        port: 1812
+    readiness:
+      tcpSocket:
+        port: 1812
+
+volumes:
+  freeradius:
+    - name: users
+      mountPath: /etc/raddb/users
+      subPath: users
+      # Template below will be rendered in template
+      volumeDefinition: |
+        secret:
+          secretName: {{ include "freeradius.fullname" . }}-configs
+    - name: clients
+      mountPath: /etc/raddb/clients.conf
+      subPath: clients
+      volumeDefinition: |
+        secret:
+          secretName: {{ include "freeradius.fullname" . }}-configs
+    - name: site
+      mountPath: /etc/freeradius/sites-enabled/extra
+      subPath: extraSite
+      volumeDefinition: |
+        secret:
+          secretName: {{ include "freeradius.fullname" . }}-configs
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # requests:
+  #  cpu: 100m
+  #  memory: 128Mi
+  # limits:
+  #  cpu: 100m
+  #  memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+# Application
+public_env_variables: {}
+
+clients_data: |
+  client ipv4 {
+    ipv4addr = 0.0.0.0/0
+    proto = *
+    secret = $ENV{FREERADIUS_SECRET}
+    require_message_authenticator = no
+    nas_type = other
+    limit {
+      max_connections = 16
+      lifetime = 0
+      idle_timeout = 30
+    }
+  }
+  client ipv6 {
+    ipv6addr = ::/0
+    proto = *
+    secret = $ENV{FREERADIUS_SECRET}
+    require_message_authenticator = no
+    nas_type = other
+    limit {
+      max_connections = 16
+      lifetime = 0
+      idle_timeout = 30
+    }
+  }
+
+extra_site: |
+  listen {
+    ipaddr = *
+    port = 1812
+    type = auth+acct
+    proto = tcp
+  }
+
+
+secret_env_variables:
+  FREERADIUS_SECRET: testing123
+
+users_data: |
+  user Cleartext-Password := "password", MS-CHAP-Use-NTLM-Auth := 0