feat: add radsec-agent sidecar for HAProxy agent-check health probes

Replaces raw RadSec TCP health checks (which generate "unknown client"
errors) with a proper HAProxy agent-check. The radsec-agent binary listens
on TCP 2084, probes the FreeRADIUS status virtual server via Status-Server
UDP, and responds up/down per the HAProxy agent-check protocol.

HAProxy backend config: agent-check agent-port 2084

Author: mbillow

Dockerfile

@@ -11,11 +11,13 @@ RUN git config --system --add safe.directory '*'
 RUN CGO_ENABLED=0 GOOS=linux go build \
     -ldflags "-X github.com/ComputerScienceHouse/pint/internal/version.GitCommit=$(git rev-parse --short HEAD)" \
     -o pint ./cmd/pint/
+RUN CGO_ENABLED=0 GOOS=linux go build -o radsec-agent ./cmd/radsec-agent/
 
 FROM alpine:3.19
 RUN apk add --no-cache ca-certificates
 WORKDIR /app
 COPY --from=builder /build/pint .
+COPY --from=builder /build/radsec-agent .
 COPY --from=builder /build/templates ./templates
 
 EXPOSE 8080

chart/templates/freeradius-deployment.yaml

@@ -40,6 +40,25 @@ spec:
             - name: pint-eap
               mountPath: /etc/pint/eap
               readOnly: true
+        {{- if .Values.freeradius.agentCheck.enabled }}
+        - name: radsec-agent
+          image: {{ include "pint.image" . }}
+          imagePullPolicy: {{ .Values.pint.image.pullPolicy }}
+          command: ["./radsec-agent"]
+          args:
+            - -listen=:{{ .Values.freeradius.agentCheck.port }}
+            - -status=127.0.0.1:18121
+            - -secret-file=/etc/pint/config/status-secret
+          ports:
+            - containerPort: {{ .Values.freeradius.agentCheck.port }}
+              name: agent-check
+          securityContext:
+            {{- toYaml .Values.freeradius.securityContext | nindent 12 }}
+          volumeMounts:
+            - name: pint-config
+              mountPath: /etc/pint/config
+              readOnly: true
+        {{- end }}
       volumes:
         - name: pint-config
           secret:

chart/values.yaml

@@ -91,6 +91,12 @@ freeradius:
     enabled: true
     clientCIDR: "0.0.0.0/0"  # CIDR allowed to query the status server; restrict to pod CIDR in production
     nodePort: null  # set to expose status port via NodePort (dev only; PINT queries pods directly in prod)
+  # HAProxy agent-check sidecar — pings the FreeRADIUS status server and
+  # responds up/down on TCP so HAProxy can detect backend failures without
+  # making raw RadSec connections that produce "unknown client" errors.
+  agentCheck:
+    enabled: true
+    port: 2084  # must match agent-port in the HAProxy backend config
   securityContext:
     runAsNonRoot: true
     allowPrivilegeEscalation: false

cmd/radsec-agent/main.go

@@ -0,0 +1,60 @@
+// cmd/radsec-agent/main.go
+// HAProxy agent-check sidecar for FreeRADIUS.
+// Listens on TCP and responds "up\n" or "down\n" based on a Status-Server
+// probe to the local FreeRADIUS status virtual server.
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"log"
+	"net"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/ComputerScienceHouse/pint/internal/radius"
+)
+
+func main() {
+	listenAddr := flag.String("listen", ":2084", "TCP address for HAProxy agent-check connections")
+	statusAddr := flag.String("status", "127.0.0.1:18121", "FreeRADIUS status server UDP address")
+	secretFile := flag.String("secret-file", "/etc/pint/config/status-secret", "File containing the RADIUS status server secret")
+	flag.Parse()
+
+	secretBytes, err := os.ReadFile(*secretFile)
+	if err != nil {
+		log.Fatalf("read secret file: %v", err)
+	}
+	secret := strings.TrimSpace(string(secretBytes))
+
+	ln, err := net.Listen("tcp", *listenAddr)
+	if err != nil {
+		log.Fatalf("listen: %v", err)
+	}
+	log.Printf("radsec-agent listening on %s, checking %s", *listenAddr, *statusAddr)
+
+	for {
+		conn, err := ln.Accept()
+		if err != nil {
+			log.Printf("accept: %v", err)
+			continue
+		}
+		go handle(conn, *statusAddr, secret)
+	}
+}
+
+func handle(conn net.Conn, statusAddr, secret string) {
+	defer conn.Close()
+	conn.SetDeadline(time.Now().Add(5 * time.Second))
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+
+	response := "down\n"
+	if radius.QueryRADIUSStats(ctx, statusAddr, secret) != nil {
+		response = "up\n"
+	}
+	fmt.Fprint(conn, response)
+}