The trigger controller only fired once on annotation creation rather than on subsequent ImageStream updates. Stripping namespace (same-namespace triggers don't need it) and the paused field to match the minimal format that the controller reliably watches. Bump chart to 0.3.3.
…h FreeRADIUS

FreeRADIUS performs client lookup by raw TCP source IP before reading the PROXY protocol header, so the HAProxy host IP must be in clients.conf for connections to be accepted. Adds PINT_RADIUS_RADSEC_PROXY_HOSTS (comma-separated IPs/CIDRs) which generates pint_proxy_N client blocks alongside regular RadSec clients, enabling the two-phase client lookup FreeRADIUS requires.
What

Add radSecProxyHosts chart config and PINT_RADIUS_RADSEC_PROXY_HOSTS env var to generate FreeRADIUS client blocks for HAProxy proxy hosts. Also adds a startup write of clients.conf so proxy host entries land without requiring a client modification to trigger a rewrite.

Why

why these changes were made

FreeRADIUS performs a client lookup by raw TCP source IP in dual_tcp_accept() (listen.c:1157) before the connection is handed off to the TLS handler where PROXY protocol parsing occurs (tls_listen.c:379). If the HAProxy host IP is not in clients.conf, FreeRADIUS rejects the connection as an unknown client before ever reading the PROXY header, so the real client IP is never extracted. Both the HAProxy host and the actual RadSec client must have entries for the two-phase lookup to succeed.

Test Plan

how did you verify these changes did what you expected

- -fxx) and observed connections from HAProxy being rejected as unknown client 129.21.49.25 with no PROXY protocol parsing attempt in the logs
- dual_tcp_accept() in listen.c does client lookup and drops unknown clients before tls_socket_recv() in tls_listen.c has a chance to call proxy_protocol_check()
- radSecProxyHosts, FreeRADIUS accepted the connection, parsed the PROXY header, resolved the real client IP, and matched the correct RadSec client entry

Env Vars

did you add, remove, or rename any environment variables

Added

- PINT_RADIUS_RADSEC_PROXY_HOSTS: comma-separated list of IPs/CIDRs for trusted proxy hosts (e.g. HAProxy). Should be set alongside PINT_RADIUS_RADSEC_PROXY_PROTOCOL=true. Defaults to empty (no proxy client blocks generated).

Documentation

did you add or update any documentation. PRs should, at the minimum, update documentation when they make existing documentation out of date.

Updated

- chart/values.yaml and chart/values.schema.json with the new radSecProxyHosts field including description and type.
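The following is an added example in Python, not code from this PR or the project: it builds the pint_proxy_N client blocks from a comma-separated PINT_RADIUS_RADSEC_PROXY_HOSTS value next to regular RadSec clients, and models the two-phase lookup the description explains (raw TCP peer first in dual_tcp_accept(), PROXY-header source second), so the "unknown client" rejection can be reproduced and then resolved offline. The env var name, the pint_proxy_N naming and the 129.21.49.25 HAProxy address come from the page; the block contents (proto = tls, the shared secret value), the sample RadSec client, and all helper names are assumptions for this example.

```python
"""Added example (not the project's own code): generate FreeRADIUS client
blocks for trusted RadSec proxy hosts and model FreeRADIUS's two-phase
client lookup. Block contents, sample client and helper names are assumed."""
import ipaddress
import os
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
ENV_VAR = "PINT_RADIUS_RADSEC_PROXY_HOSTS"  # name taken from the PR


def parse_proxy_hosts(raw: str) -> List[Network]:
    """Parse 'ip, ip/cidr, ...'. Malformed entries raise instead of being
    skipped: a silently dropped HAProxy address reproduces exactly the
    'unknown client' rejection the PR describes. A catch-all /0 is refused,
    because every listed host may assert client IPs via the PROXY header."""
    nets: List[Network] = []
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue
        net = ipaddress.ip_network(item, strict=False)  # normalise host bits
        if net.prefixlen == 0:
            raise ValueError(f"refusing catch-all proxy network {item}")
        nets.append(net)
    return nets


def render_client(name: str, net: Network) -> str:
    """One FreeRADIUS client block; proto/secret values are assumptions."""
    return (f"client {name} {{\n\tipaddr = {net.with_prefixlen}\n"
            f"\tproto = tls\n\tsecret = radsec\n}}\n")


def build_clients_conf(regular: Dict[str, Network], raw_proxy_hosts: str) -> str:
    """Regular RadSec clients followed by pint_proxy_N blocks, one per host."""
    out = [render_client(name, net) for name, net in regular.items()]
    for i, net in enumerate(parse_proxy_hosts(raw_proxy_hosts), start=1):
        out.append(render_client(f"pint_proxy_{i}", net))
    return "".join(out)


def parse_clients_conf(conf: str) -> Dict[str, Network]:
    """Minimal reader for the blocks render_client() emits (name -> network)."""
    clients: Dict[str, Network] = {}
    name = None
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("client ") and line.endswith("{"):
            name = line.split()[1]
        elif line.startswith("ipaddr =") and name:
            clients[name] = ipaddress.ip_network(line.split("=", 1)[1].strip())
    return clients


def _match(clients: Dict[str, Network], ip: str) -> Optional[str]:
    """Longest-prefix match of ip against the client blocks; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in clients.items():
        if addr in net and (best is None or net.prefixlen > clients[best].prefixlen):
            best = name
    return best


def two_phase_lookup(clients: Dict[str, Network], tcp_peer: str,
                     proxy_header_src: Optional[str]) -> Tuple[bool, str]:
    """Model of the order the PR explains. Returns (accepted, client or reason)."""
    # Phase 1: dual_tcp_accept() looks up the raw TCP peer before reading
    # any bytes, so the proxy host itself must already be a known client.
    peer_client = _match(clients, tcp_peer)
    if peer_client is None:
        return False, f"unknown client {tcp_peer}"  # PROXY header never parsed
    if proxy_header_src is None:
        return True, peer_client  # direct RadSec client, no proxy in front
    # Phase 2: after the PROXY header is parsed, the real client IP is looked up.
    real_client = _match(clients, proxy_header_src)
    if real_client is None:
        return False, f"unknown client {proxy_header_src}"
    return True, real_client


# Constructed sample: one RadSec client (documentation range) plus the
# HAProxy host address quoted in the PR's test plan.
SAMPLE_RADSEC_CLIENTS = {"radsec_client_a": ipaddress.ip_network("198.51.100.7/32")}
SAMPLE_PROXY_HOSTS = "129.21.49.25"

if __name__ == "__main__":
    conf = build_clients_conf(SAMPLE_RADSEC_CLIENTS, os.environ.get(ENV_VAR, SAMPLE_PROXY_HOSTS))
    print(conf)
    print(two_phase_lookup(parse_clients_conf(conf), "129.21.49.25", "198.51.100.7"))
```

Running it with the env var unset shows the proxy host accepted at phase 1 and the real client matched at phase 2; rebuilding the config with an empty proxy list returns the phase-1 rejection for 129.21.49.25 with the PROXY header never consulted, which is the behaviour the PR's debug run observed. The /0 refusal is the check worth keeping in any real generator: whoever is listed as a proxy host is trusted to declare client addresses.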