feat(aws): add working example with AWS

4 years ago · 1fcb74a772
parent fc9d4f0175
commit 1fcb74a772
7 changed files with 448 additions and 35 deletions
--- a/jitsi-meet-examples/aws/cloudformation.yaml
+++ b/jitsi-meet-examples/aws/cloudformation.yaml
@ -0,0 +1,264 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: Jitsi platform
+Parameters:
+  ClusterName:
+    Description: "Cluster name"
+    Type: String
+    Default: "dev"
+  Subnet1AvailabilityZone:
+    Description: "The availability zone for the subnet #1"
+    Type: "AWS::EC2::AvailabilityZone::Name"
+    Default: "us-east-1a"
+  Subnet2AvailabilityZone:
+    Description: "The availability zone for the subnet #2"
+    Type: "AWS::EC2::AvailabilityZone::Name"
+    Default: "us-east-1b"
+  Subnet3AvailabilityZone:
+    Description: "The availability zone for the subnet #3"
+    Type: "AWS::EC2::AvailabilityZone::Name"
+    Default: "us-east-1c"
+Resources:
+  Role:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Effect: Allow
+          Principal:
+            Service:
+            - eks.amazonaws.com
+          Action:
+            - sts:AssumeRole
+      Policies:
+        - PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+            - Effect: Allow
+              Resource: '*'
+              Action:
+                - autoscaling:DescribeAutoScalingGroups
+                - autoscaling:DescribeLaunchConfigurations
+                - autoscaling:DescribeTags
+                - ec2:DescribeInstances
+                - ec2:DescribeRegions
+                - ec2:DescribeAccountAttributes
+                - ec2:DescribeInternetGateways
+                - ec2:DescribeRouteTables
+                - ec2:DescribeSecurityGroups
+                - ec2:DescribeSubnets
+                - ec2:DescribeVolumes
+                - ec2:CreateSecurityGroup
+                - ec2:CreateTags
+                - ec2:CreateVolume
+                - ec2:ModifyInstanceAttribute
+                - ec2:ModifyVolume
+                - ec2:AttachVolume
+                - ec2:AuthorizeSecurityGroupIngress
+                - ec2:CreateRoute
+                - ec2:DeleteRoute
+                - ec2:DeleteSecurityGroup
+                - ec2:DeleteVolume
+                - ec2:DetachVolume
+                - ec2:RevokeSecurityGroupIngress
+                - ec2:DescribeVpcs
+                - elasticloadbalancing:AddTags
+                - elasticloadbalancing:AttachLoadBalancerToSubnets
+                - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+                - elasticloadbalancing:CreateLoadBalancer
+                - elasticloadbalancing:CreateLoadBalancerPolicy
+                - elasticloadbalancing:CreateLoadBalancerListeners
+                - elasticloadbalancing:ConfigureHealthCheck
+                - elasticloadbalancing:DeleteLoadBalancer
+                - elasticloadbalancing:DeleteLoadBalancerListeners
+                - elasticloadbalancing:DescribeLoadBalancers
+                - elasticloadbalancing:DescribeLoadBalancerAttributes
+                - elasticloadbalancing:DetachLoadBalancerFromSubnets
+                - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
+                - elasticloadbalancing:ModifyLoadBalancerAttributes
+                - elasticloadbalancing:RegisterInstancesWithLoadBalancer
+                - elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer
+                - elasticloadbalancing:AddTags
+                - elasticloadbalancing:CreateListener
+                - elasticloadbalancing:CreateTargetGroup
+                - elasticloadbalancing:DeleteListener
+                - elasticloadbalancing:DeleteTargetGroup
+                - elasticloadbalancing:DescribeListeners
+                - elasticloadbalancing:DescribeLoadBalancerPolicies
+                - elasticloadbalancing:DescribeTargetGroups
+                - elasticloadbalancing:DescribeTargetHealth
+                - elasticloadbalancing:ModifyListener
+                - elasticloadbalancing:ModifyTargetGroup
+                - elasticloadbalancing:RegisterTargets
+                - elasticloadbalancing:DeregisterTargets
+                - elasticloadbalancing:SetLoadBalancerPoliciesOfListener
+                - iam:CreateServiceLinkedRole
+                - kms:DescribeKey
+          PolicyName: 'eks-master'
+      ManagedPolicyArns:
+        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEKSClusterPolicy'
+        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEKSServicePolicy'
+
+  NodeInstanceRole:
+    Type: "AWS::IAM::Role"
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - eks.amazonaws.com
+            Action:
+              - "sts:AssumeRole"
+          - Effect: Allow
+            Principal:
+              Service:
+                - ec2.amazonaws.com
+            Action:
+              - "sts:AssumeRole"
+      ManagedPolicyArns:
+        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKS_CNI_Policy"
+        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+        - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonElasticFileSystemReadOnlyAccess'
+      Policies:
+        - PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+            - Effect: Allow
+              Action:
+                - ec2:DescribeInstances
+                - ec2:DescribeRegions
+                - ecr:GetAuthorizationToken
+                - ecr:BatchCheckLayerAvailability
+                - ecr:GetDownloadUrlForLayer
+                - ecr:GetRepositoryPolicy
+                - ecr:DescribeRepositories
+                - ecr:ListImages
+                - ecr:BatchGetImage
+              Resource: '*'
+          PolicyName: 'eks-node'
+      Path: /
+
+  Vpc:
+    Type: "AWS::EC2::VPC"
+    Properties:
+      CidrBlock: "10.0.0.0/24"
+      EnableDnsHostnames: true
+      EnableDnsSupport: true
+
+  PublicRouteTable:
+    Type: "AWS::EC2::RouteTable"
+    Properties:
+      VpcId: !Ref Vpc
+
+  Subnet1:
+    Type: "AWS::EC2::Subnet"
+    Properties:
+      CidrBlock: "10.0.0.0/26"
+      VpcId: !Ref Vpc
+      AvailabilityZone: !Ref Subnet1AvailabilityZone
+      MapPublicIpOnLaunch: true
+      Tags:
+        - Key: !Join
+                  - "/"
+                  - - "kubernetes.io/cluster"
+                    - !Ref ClusterName
+          Value: shared
+  Subnet1Assoc:
+    Type: "AWS::EC2::SubnetRouteTableAssociation"
+    Properties:
+      RouteTableId: !Ref PublicRouteTable
+      SubnetId: !Ref Subnet1
+
+  Subnet2:
+    Type: "AWS::EC2::Subnet"
+    Properties:
+      CidrBlock: "10.0.0.192/26"
+      VpcId: !Ref Vpc
+      AvailabilityZone: !Ref Subnet2AvailabilityZone
+      MapPublicIpOnLaunch: true
+      Tags:
+        - Key: !Join
+                  - "/"
+                  - - "kubernetes.io/cluster"
+                    - !Ref ClusterName
+          Value: shared
+  Subnet2Assoc:
+    Type: "AWS::EC2::SubnetRouteTableAssociation"
+    Properties:
+      RouteTableId: !Ref PublicRouteTable
+      SubnetId: !Ref Subnet2
+
+  # Elastic IP
+  Eip:
+    Type: AWS::EC2::EIP
+    DependsOn: VpcIgPairing
+    Properties:
+      Domain: vpc
+  # Gateways
+  InternetGateway:
+    Type: "AWS::EC2::InternetGateway"
+  InternetRoute:
+    Type: "AWS::EC2::Route"
+    Properties:
+      RouteTableId: !Ref PublicRouteTable
+      DestinationCidrBlock: "0.0.0.0/0"
+      GatewayId: !Ref InternetGateway
+  VpcIgPairing:
+    Type: "AWS::EC2::VPCGatewayAttachment"
+    Properties:
+      InternetGatewayId: !Ref InternetGateway
+      VpcId: !Ref Vpc
+
+  SecurityGroup:
+    Type: "AWS::EC2::SecurityGroup"
+    Properties:
+      GroupDescription: "Cluster SG"
+      GroupName: cluster-sg
+      VpcId: !Ref Vpc
+      SecurityGroupIngress:
+        - FromPort: 0
+          ToPort: 65535
+          IpProtocol: "-1"
+          CidrIp: "0.0.0.0/0"
+      SecurityGroupEgress:
+        - IpProtocol: "-1"
+          FromPort: 0
+          ToPort: 65535
+          CidrIp: "0.0.0.0/0"
+
+  Cluster:
+    Type: "AWS::EKS::Cluster"
+    Properties:
+      RoleArn: !GetAtt Role.Arn
+      Name: !Ref ClusterName
+      ResourcesVpcConfig:
+        SubnetIds:
+          - !Ref Subnet1
+          - !Ref Subnet2
+        SecurityGroupIds:
+          - !Ref SecurityGroup
+
+  BaseNodeGroup:
+    Type: "AWS::EKS::Nodegroup"
+    DependsOn: Cluster
+    Properties:
+      ClusterName: !Ref ClusterName
+      NodegroupName: base
+      AmiType: AL2_x86_64
+      RemoteAccess:
+        Ec2SshKey: "eks-dev-nodes"
+        SourceSecurityGroups:
+          - !Ref SecurityGroup
+      ScalingConfig:
+        MinSize: 2
+        DesiredSize: 3
+        MaxSize: 5
+      InstanceTypes:
+        - t2.small
+      NodeRole: !GetAtt NodeInstanceRole.Arn
+      Subnets:
+        - !Ref Subnet1
+        - !Ref Subnet2
--- a/jitsi-meet-examples/aws/jitsi-values.yaml
+++ b/jitsi-meet-examples/aws/jitsi-values.yaml
@ -0,0 +1,92 @@
+jicofo:
+  userAuth:
+    enabled: true
+    name: "focus"
+    secret: dG90bw==
+  componentSecret: dG90bw==
+  environment:
+    - name: TZ
+      value: Europe/Amsterdam
+    - name: JVB_BREWERY_MUC
+      value: jvbbrewery
+    - name: XMPP_DOMAIN
+      value: meet.jitsi
+    - name: XMPP_AUTH_DOMAIN
+      value: auth.meet.jitsi
+    - name: XMPP_INTERNAL_MUC_DOMAIN
+      value: internal-muc.meet.jitsi
+
+jvb:
+  userAuth:
+    enabled: true
+    name: "jvb"
+    secret: dG90bw==
+  environment:
+    - name: TZ
+      value: Europe/Amsterdam
+    - name: JVB_BREWERY_MUC
+      value: jvbbrewery
+    - name: XMPP_DOMAIN
+      value: meet.jitsi
+    - name: XMPP_AUTH_DOMAIN
+      value: auth.meet.jitsi
+    - name: XMPP_MUC_DOMAIN
+      value: muc.meet.jitsi
+    - name: XMPP_INTERNAL_MUC_DOMAIN
+      value: internal-muc.meet.jitsi
+    - name: JVB_STUN_SERVERS
+      value: stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302
+    - name: JVB_TCP_HARVESTER_DISABLED
+      value: "true"
+    - name: DOCKER_HOST_ADDRESS
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
+
+prosody:
+  environment:
+    - name: JVB_TCP_HARVESTER_DISABLED
+      value: "true"
+    - name: TZ
+      value: Europe/Amsterdam
+    - name: JVB_BREWERY_MUC
+      value: jvbbrewery
+    - name: XMPP_DOMAIN
+      value: meet.jitsi
+    - name: XMPP_AUTH_DOMAIN
+      value: auth.meet.jitsi
+    - name: XMPP_INTERNAL_MUC_DOMAIN
+      value: internal-muc.meet.jitsi
+    - name: JVB_TCP_HARVESTER_DISABLED
+      value: "true"
+    - name: XMPP_MUC_DOMAIN
+      value: muc.meet.jitsi
+
+web:
+  ingress:
+    enabled: true
+    annotations:
+      kubernetes.io/ingress.class: "nginx"
+      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+      cert-manager.io/cluster-issuer: "letsencrypt"
+    hosts:
+      - host: jitsi.meat-project.tk
+        paths:
+          - "/"
+    tls:
+      - hosts:
+          - jitsi.meat-project.tk
+        secretName: jitsi-web
+  environment:
+    - name: XMPP_DOMAIN
+      value: meet.jitsi
+    - name: XMPP_AUTH_DOMAIN
+      value: auth.meet.jitsi
+    - name: XMPP_INTERNAL_MUC_DOMAIN
+      value: internal-muc.meet.jitsi
+    - name: XMPP_MUC_DOMAIN
+      value: muc.meet.jitsi
+    - name: TZ
+      value: America/Los_Angeles
+    - name: JVB_TCP_HARVESTER_DISABLED
+      value: "true"
--- a/jitsi-meet-examples/aws/k8s/ingress-values.yaml
+++ b/jitsi-meet-examples/aws/k8s/ingress-values.yaml
@ -0,0 +1,20 @@
+controller:
+  resources:
+   limits:
+     cpu: 150m
+     memory: 128Mi
+   requests:
+     cpu: 100m
+     memory: 64Mi
+  proxySetHeaders:
+    use-proxy-protocol: 'true'
+    proxy-real-ip-cidr: 'true'
+  autoscaling:
+    enabled: true
+  service:
+    externalTrafficPolicy: Local
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
+      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60'
+      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
+      service.beta.kubernetes.io/aws-load-balancer-type: nlb
--- a/jitsi-meet-examples/aws/k8s/letsencrypt.yaml
+++ b/jitsi-meet-examples/aws/k8s/letsencrypt.yaml
@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    email: youremail@address.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-secret
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
--- a/jitsi-meet-examples/aws/k8s/rbac-config-helm.yaml
+++ b/jitsi-meet-examples/aws/k8s/rbac-config-helm.yaml
@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: helm
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tiller
+  namespace: helm
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tiller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: tiller
+    namespace: helm
--- a/jitsi-meet/templates/deployment-prosody.yaml
+++ b/jitsi-meet/templates/deployment-prosody.yaml
@ -24,40 +24,6 @@ spec:
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
-        - name: {{ include "jitsi-meet.name-jicofo" . }}
-          image: "{{ .Values.jicofo.image.repository }}:{{ .Values.jicofo.image.tag }}"
-          imagePullPolicy: {{ .Values.jicofo.image.pullPolicy }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          ports:
-            - name: http
-              containerPort: 80
-              protocol: TCP
-          env:
-            {{ if .Values.jicofo.userAuth.enabled }}
-            - name: JICOFO_AUTH_USER
-              value: {{ .Values.jicofo.userAuth.name }}
-            - name: JICOFO_AUTH_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "jitsi-meet.name-jicofo-config" . }}
-                  key: JICOFO_AUTH_PASSWORD
-            {{ end }}
-            {{ if .Values.jicofo.componentSecret }}
-            - name: JICOFO_COMPONENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "jitsi-meet.name-jicofo-config" . }}
-                  key: JICOFO_COMPONENT_SECRET
-            {{ end }}
-            - name: XMPP_SERVER
-              value: localhost
-            {{- range .Values.jicofo.environment }}
-            - name: {{ .name | quote }}
-              value: {{ .value | quote }}
-            {{- end }}
-          resources:
-            {{- toYaml .Values.jicofo.resources | nindent 12 }}
        - name: {{ include "jitsi-meet.name-prosody" . }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
@ -108,6 +74,40 @@ spec:
              name: xmpp
          resources:
            {{- toYaml .Values.prosody.resources | nindent 12 }}
+        - name: {{ include "jitsi-meet.name-jicofo" . }}
+          image: "{{ .Values.jicofo.image.repository }}:{{ .Values.jicofo.image.tag }}"
+          imagePullPolicy: {{ .Values.jicofo.image.pullPolicy }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          env:
+            {{ if .Values.jicofo.userAuth.enabled }}
+            - name: JICOFO_AUTH_USER
+              value: {{ .Values.jicofo.userAuth.name }}
+            - name: JICOFO_AUTH_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "jitsi-meet.name-jicofo-config" . }}
+                  key: JICOFO_AUTH_PASSWORD
+            {{ end }}
+            {{ if .Values.jicofo.componentSecret }}
+            - name: JICOFO_COMPONENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "jitsi-meet.name-jicofo-config" . }}
+                  key: JICOFO_COMPONENT_SECRET
+            {{ end }}
+            - name: XMPP_SERVER
+              value: localhost
+            {{- range .Values.jicofo.environment }}
+            - name: {{ .name | quote }}
+              value: {{ .value | quote }}
+            {{- end }}
+          resources:
+            {{- toYaml .Values.jicofo.resources | nindent 12 }}
      {{- with .Values.prosody.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
--- a/jitsi-meet/templates/service-jvb.yaml
+++ b/jitsi-meet/templates/service-jvb.yaml
@ -10,7 +10,7 @@ metadata:
  {{- end }}
 spec:
  type: NodePort
-  externalTrafficPolicy: Cluster
+  externalTrafficPolicy: Local
  ports:
  - port: 30300
    protocol: UDP