apiVersion: v1 kind: ConfigMap metadata: name: {{ .Release.Name }}-configs namespace: {{ .Release.Namespace }} labels: app: clickhouse-operator data: default: | server default { listen { type = auth ipaddr = * port = {{.Values.ports.main}} limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { ipaddr = * port = {{.Values.ports.second}} type = acct limit { } } authorize { filter_username preprocess chap mschap digest expiration logintime pap Autz-Type New-TLS-Connection { ok } } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } digest } preacct { preprocess acct_unique suffix files } accounting { detail unix -sql exec attr_filter.accounting_response } session { } post-auth { if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { update reply { &User-Name !* ANY } } update { &reply: += &session-state: } -sql exec remove_reply_message_if_eap Post-Auth-Type REJECT { -sql attr_filter.access_reject remove_reply_message_if_eap } Post-Auth-Type Client-Lost { } if (EAP-Key-Name && &reply:EAP-Session-Id) { update reply { &EAP-Key-Name := &reply:EAP-Session-Id } } } pre-proxy { } post-proxy { } } sql: | sql { dialect = "postgresql" driver = "rlm_sql_${dialect}" postgresql { send_application_name = yes } server = "{{.Values.db.host}}" port = {{.Values.db.port}} login = "{{.Values.db.user}}" password = "{{.Values.db.password}}" radius_db = "{{.Values.db.name}}" acct_table1 = "radacct" acct_table2 = "radacct" postauth_table = "radpostauth" authcheck_table = "radcheck" groupcheck_table = "radgroupcheck" authreply_table = "radreply" groupreply_table = "radgroupreply" usergroup_table = "radusergroup" delete_stale_sessions = yes pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60 } client_table = "nas" group_attribute = "SQL-Group" $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf } rest: | rest { tls { } connect_uri = "http://{{.Values.api.host}}:{{.Values.api.port}}/" authorize { uri = "${..connect_uri}radius/auth" method = 'post' body = 'json' data = '{"ip": "%{Packet-Src-IP-Address}", "hotspot-group": "%{raw:Called-Station-Id}", "hotspot-id": "%{raw:NAS-Identifier}"}' force_to = 'json' auth = 'none' require_auth = no timeout = 4.000000 } pool { start = ${thread[pool].start_servers} min = ${thread[pool].min_spare_servers} max = ${thread[pool].max_servers} spare = ${thread[pool].max_spare_servers} uses = 0 retry_delay = 30 lifetime = 0 idle_timeout = 60 } }