fix: only expose status port in NodePort service when nodePort is set

mbillow · mbillow · commit 2412cd746058 · 2026-05-14T22:56:34.000-05:00
PINT queries the FreeRADIUS status server directly via pod IP, so the
status port has no business being on the external NodePort service. Gate
the status port entry on statusServer.nodePort being explicitly set so
it only appears in dev (kind) and never in prod.
diff --git a/chart/templates/freeradius-service.yaml b/chart/templates/freeradius-service.yaml
@@ -17,13 +17,11 @@ spec:
       {{- if and (eq .Values.freeradius.service.type "NodePort") .Values.freeradius.service.nodePort }}
       nodePort: {{ .Values.freeradius.service.nodePort }}
       {{- end }}
-    {{- if .Values.freeradius.statusServer.enabled }}
+    {{- if and .Values.freeradius.statusServer.enabled .Values.freeradius.statusServer.nodePort }}
     - port: 18121
       targetPort: status
       protocol: UDP
       name: status
-      {{- if and (eq .Values.freeradius.service.type "NodePort") .Values.freeradius.statusServer.nodePort }}
       nodePort: {{ .Values.freeradius.statusServer.nodePort }}
-      {{- end }}
     {{- end }}
 {{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -74,7 +74,7 @@ freeradius:
   statusServer:
     enabled: true
     clientCIDR: "0.0.0.0/0"  # CIDR allowed to query the status server; restrict to pod CIDR in production
-    nodePort: null  # UDP NodePort for status server; only used when freeradius.service.type=NodePort
+    nodePort: null  # set to expose status port via NodePort (dev only; PINT queries pods directly in prod)
   securityContext:
     runAsNonRoot: true
     allowPrivilegeEscalation: false
