feat(aws): setup with cognito + auth2_proxy + haproxy ing controller

4 years ago · 87b2d8d00e
parent 93ea9b8bed
commit 87b2d8d00e
4 changed files with 201 additions and 73 deletions
--- a/jitsi-meet-examples/aws/cloudformation.yaml
+++ b/jitsi-meet-examples/aws/cloudformation.yaml
@ -8,15 +8,11 @@ Parameters:
  Subnet1AvailabilityZone:
    Description: "The availability zone for the subnet #1"
    Type: "AWS::EC2::AvailabilityZone::Name"
-    Default: "us-east-1a"
+    Default: "eu-west-1b"
  Subnet2AvailabilityZone:
    Description: "The availability zone for the subnet #2"
    Type: "AWS::EC2::AvailabilityZone::Name"
-    Default: "us-east-1b"
-  Subnet3AvailabilityZone:
-    Description: "The availability zone for the subnet #3"
-    Type: "AWS::EC2::AvailabilityZone::Name"
-    Default: "us-east-1c"
+    Default: "eu-west-1c"
 Resources:
  Role:
    Type: AWS::IAM::Role
@ -229,6 +225,104 @@ Resources:
          ToPort: 65535
          CidrIp: "0.0.0.0/0"

+  # SecurityGroupNodeGroups:
+  #   Type: "AWS::EC2::SecurityGroup"
+  #   Properties:
+  #     GroupDescription: "Cluster SG Node Group"
+  #     GroupName: node-group-sg
+  #     VpcId: !Ref Vpc
+  #     SecurityGroupIngress:
+  #       - FromPort: 22
+  #         ToPort: 22
+  #         IpProtocol: "tcp"
+  #         CidrIp: "0.0.0.0/0"
+  #       - FromPort: 443
+  #         ToPort: 443
+  #         IpProtocol: "tcp"
+  #         CidrIp: "0.0.0.0/0"
+  #       - FromPort: 30300
+  #         ToPort: 30300
+  #         IpProtocol: "udp"
+  #         CidrIp: "0.0.0.0/0"
+  #       - IpProtocol: -1
+  #         FromPort: 1025
+  #         ToPort: 65535
+  #         CidrIp: "0.0.0.0/0"
+  #     SecurityGroupEgress:
+  #       - IpProtocol: "-1"
+  #         FromPort: 0
+  #         ToPort: 65535
+  #         CidrIp: "0.0.0.0/0"
+
+  # SecurityGroupIngressController:
+  #   Type: "AWS::EC2::SecurityGroup"
+  #   Properties:
+  #     GroupDescription: "Cluster SG ingress controller"
+  #     GroupName: ingress-ctrl-sg
+  #     VpcId: !Ref Vpc
+  #     SecurityGroupIngress:
+  #       - FromPort: 443
+  #         ToPort: 443
+  #         IpProtocol: "tcp"
+  #         CidrIp: "173.245.48.0/20"
+  #       - FromPort: 443
+  #         ToPort: 443
+  #         IpProtocol: "tcp"
+  #         CidrIp: "103.21.244.0/22"
+  #       - FromPort: 443
+  #         ToPort: 443
+  #         IpProtocol: "tcp"
+  #         CidrIp: "103.22.200.0/22"
+  #       - FromPort: 443
+  #         ToPort: 443
+  #         IpProtocol: "tcp"
+  #         CidrIp: "103.31.4.0/22"
+  #       - FromPort: 443
+  #         ToPort: 443
+  #         IpProtocol: "tcp"
+  #         CidrIp: "141.101.64.0/18"
+  #       - FromPort: 443
+  #         ToPort: 443
+  #         IpProtocol: "tcp"
+  #         CidrIp: "108.162.192.0/18"
+  #       - FromPort: 443
+  #         ToPort: 443
+  #         IpProtocol: "tcp"
+  #         CidrIp: "190.93.240.0/20"
+  #       - FromPort: 443
+  #         ToPort: 443
+  #         IpProtocol: "tcp"
+  #         CidrIp: "188.114.96.0/20"
+  #       - FromPort: 443
+  #         ToPort: 443
+  #         IpProtocol: "tcp"
+  #         CidrIp: "197.234.240.0/22"
+  #       - FromPort: 443
+  #         ToPort: 443
+  #         IpProtocol: "tcp"
+  #         CidrIp: "198.41.128.0/17"
+  #       - FromPort: 443
+  #         ToPort: 443
+  #         IpProtocol: "tcp"
+  #         CidrIp: "162.158.0.0/15"
+  #       - FromPort: 443
+  #         ToPort: 443
+  #         IpProtocol: "tcp"
+  #         CidrIp: "104.16.0.0/12"
+  #       - FromPort: 443
+  #         ToPort: 443
+  #         IpProtocol: "tcp"
+  #         CidrIp: "172.64.0.0/13"
+  #       - FromPort: 443
+  #         ToPort: 443
+  #         IpProtocol: "tcp"
+  #         CidrIp: "131.0.72.0/22"
+  #     SecurityGroupEgress:
+  #       - IpProtocol: "tcp"
+  #         FromPort: 1025
+  #         ToPort: 65535
+  #         CidrIp: "0.0.0.0/0"
+
  Cluster:
    Type: "AWS::EKS::Cluster"
    Properties:
@ -241,12 +335,12 @@ Resources:
        SecurityGroupIds:
          - !Ref SecurityGroup

-  BaseNodeGroup:
+  DevNodeGroup:
    Type: "AWS::EKS::Nodegroup"
    DependsOn: Cluster
    Properties:
      ClusterName: !Ref ClusterName
-      NodegroupName: base
+      NodegroupName: group-dev
      AmiType: AL2_x86_64
      RemoteAccess:
        Ec2SshKey: "eks-dev-nodes"
@ -257,8 +351,10 @@ Resources:
        DesiredSize: 3
        MaxSize: 5
      InstanceTypes:
-        - t2.small
+        - m5.large
      NodeRole: !GetAtt NodeInstanceRole.Arn
      Subnets:
        - !Ref Subnet1
        - !Ref Subnet2
+
+
--- a/jitsi-meet-examples/aws/jitsi-values.yaml
+++ b/jitsi-meet-examples/aws/jitsi-values.yaml
@ -1,20 +1,32 @@
+webHost: jitsi.meat-project.tk
+
+common:
+  environment:
+    - name: XMPP_DOMAIN
+      value: jitsi.meet
+    - name: XMPP_AUTH_DOMAIN
+      value: auth.jitsi.meet
+    - name: XMPP_INTERNAL_MUC_DOMAIN
+      value: internal-muc.jitsi.meet
+    - name: XMPP_MUC_DOMAIN
+      value: muc.jitsi.meet
+    - name: XMPP_GUEST_DOMAIN
+      value: guest.jitsi.meet
+    - name: JVB_BREWERY_MUC
+      value: jvbbrewery
+    - name: TZ
+      value: Europe/Amsterdam
+
 jicofo:
  userAuth:
    enabled: true
    name: "focus"
    secret: dG90bw==
  componentSecret: dG90bw==
-  environment:
-    - name: TZ
-      value: Europe/Amsterdam
-    - name: JVB_BREWERY_MUC
-      value: jvbbrewery
-    - name: XMPP_DOMAIN
-      value: meet.jitsi
-    - name: XMPP_AUTH_DOMAIN
-      value: auth.meet.jitsi
-    - name: XMPP_INTERNAL_MUC_DOMAIN
-      value: internal-muc.meet.jitsi
+  replicaCount: 1
+  environmnet:
+    - name: JICOFO_AUTH_DOMAIN
+      value: auth.jitsi.meet

 # need JVM optimisation
 jvb:
@ -25,19 +37,9 @@ jvb:
  ingress:
    enabled: false
  replicaCount: 2
+  service:
+    sessionAffinity: ClientIP
  environment:
-    - name: TZ
-      value: Europe/Amsterdam
-    - name: JVB_BREWERY_MUC
-      value: jvbbrewery
-    - name: XMPP_DOMAIN
-      value: meet.jitsi
-    - name: XMPP_AUTH_DOMAIN
-      value: auth.meet.jitsi
-    - name: XMPP_MUC_DOMAIN
-      value: muc.meet.jitsi
-    - name: XMPP_INTERNAL_MUC_DOMAIN
-      value: internal-muc.meet.jitsi
    - name: JVB_STUN_SERVERS
      value: stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302
    - name: JVB_TCP_HARVESTER_DISABLED
@ -46,46 +48,59 @@ jvb:
      valueFrom:
        fieldRef:
          fieldPath: status.hostIP
+    - name: JVB_OPTS
+      value: "--apis=xmpp,rest"
+    - name: ENABLE_STATISTICS
+      value: "true"
+  # resources:
+  #   limits:
+  #     memory: 512Mi
+  #     cpu: 100m
+  #   requests:
+  #     memory: 256Mi
+  #     cpu: 25m

 prosody:
+  auth:
+    enabled: false
+    guest: 0
+    # type: jwt
+  recorder: false
+  replicaCount: 1
  environment:
    - name: JVB_TCP_HARVESTER_DISABLED
      value: "true"
-    - name: TZ
-      value: Europe/Amsterdam
-    - name: JVB_BREWERY_MUC
-      value: jvbbrewery
-    - name: XMPP_DOMAIN
-      value: meet.jitsi
-    - name: XMPP_AUTH_DOMAIN
-      value: auth.meet.jitsi
-    - name: XMPP_INTERNAL_MUC_DOMAIN
-      value: internal-muc.meet.jitsi
-    - name: JVB_TCP_HARVESTER_DISABLED
-      value: "true"
-    - name: XMPP_MUC_DOMAIN
-      value: muc.meet.jitsi
+    - name: ENABLE_GUESTS
+      value: "1"

 web:
  ingress:
    enabled: true
    annotations:
-      kubernetes.io/ingress.class: "nginx"
-      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      cert-manager.io/cluster-issuer: "letsencrypt"
+      cert-manager.io/acme-challenge-type: http01
+      ingress.kubernetes.io/auth: "oauth2_proxy"
+      ingress.kubernetes.io/oauth-uri-prefix: "/oauth2"
+      ingress.kubernetes.io/forwarded-for: "enabled"
+      ingress.kubernetes.io/load-balance: "uri"
+      ingress.kubernetes.io/ssl-redirect: "ON"
+      ingress.kubernetes.io/ssl-certificate: jitsi/meet-web
+      ingress.kubernetes.io/timeout-tunnel: 3h
+      kubernetes.io/ingress.class: "haproxy"
    hosts:
      - host: jitsi.meat-project.tk
+        oauth: true
        paths:
-          - "/"
+          - /
    tls:
      - hosts:
          - jitsi.meat-project.tk
-        secretName: jitsi-web
+        secretName: meet-web
  replicaCount: 2
  hpa:
    enabled: true
    minReplicas: 2
-    maxReplicas: 3
+    maxReplicas: 5
    metrics:
      - type: Resource
        resource:
@ -95,19 +110,33 @@ web:
        resource:
          name: cpu
          targetAverageUtilization: 70
+  jwtsidecar:
+    extraArgs:
+      provider: oidc
+      email-domain: *
+      provider-display-name: aws_cognito
+      client-id: yourclientid
+      client-secret: yourclientsecret
+      insecure-oidc-allow-unverified-email: false
+      oidc-issuer-url: issuerurl
+      oidc-jwks-url: jwksurl
+      scope: "openid profile aws.cognito.signin.user.admin"
+      cookie-secure: true
+      cookie-domain: mydomain.com
+      cookie-secret: randomcookiesecret
+      cookie-samesite: lax
+      provider: oidc
+      set-xauthrequest: true
+      proxy-prefix: "/oauth2"
  environment:
-    - name: XMPP_DOMAIN
-      value: meet.jitsi
-    - name: XMPP_AUTH_DOMAIN
-      value: auth.meet.jitsi
-    - name: XMPP_INTERNAL_MUC_DOMAIN
-      value: internal-muc.meet.jitsi
-    - name: XMPP_MUC_DOMAIN
-      value: muc.meet.jitsi
-    - name: TZ
-      value: America/Los_Angeles
    - name: JVB_TCP_HARVESTER_DISABLED
      value: "true"
+    - name: ENABLE_GUESTS
+      value: "1"
+    - name: ENABLE_LETSENCRYPT
+      value: "0"
+    - name: DISABLE_HTTPS
+      value: "1"
  resources:
    limits:
      memory: 128Mi
--- a/jitsi-meet-examples/aws/k8s/ingress-haproxy-values.yaml
+++ b/jitsi-meet-examples/aws/k8s/ingress-haproxy-values.yaml
@ -1,16 +1,11 @@
 controller:
-  resources:
-   limits:
-     cpu: 150m
-     memory: 128Mi
-   requests:
-     cpu: 100m
-     memory: 64Mi
-  proxySetHeaders:
-    use-proxy-protocol: 'true'
-    proxy-real-ip-cidr: 'true'
+  replicaCount: 1
  autoscaling:
    enabled: true
+    minReplicas: 1
+    maxReplicas: 3
+    targetCPUUtilizationPercentage: 70
+    targetMemoryUtilizationPercentage: 50
  service:
    externalTrafficPolicy: Local
    annotations:
@ -18,3 +13,11 @@ controller:
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60'
      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true'
      service.beta.kubernetes.io/aws-load-balancer-type: nlb
+  resources:
+    limits:
+      memory: 64Mi
+      cpu: 50m
+    requests:
+      memory: 32Mi
+      cpu: 15m
+
--- a/jitsi-meet-examples/aws/k8s/letsencrypt.yaml
+++ b/jitsi-meet-examples/aws/k8s/letsencrypt.yaml
@ -4,11 +4,11 @@ metadata:
  name: letsencrypt
 spec:
  acme:
-    email: youremail@address.com
+    email: your@email.address
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-secret
    solvers:
    - http01:
        ingress:
-          class: nginx
+          class: haproxy