diff --git a/jitsi-meet-examples/aws/cloudformation.yaml b/jitsi-meet-examples/aws/cloudformation.yaml index 4df9135..b4fdd5a 100644 --- a/jitsi-meet-examples/aws/cloudformation.yaml +++ b/jitsi-meet-examples/aws/cloudformation.yaml @@ -8,15 +8,11 @@ Parameters: Subnet1AvailabilityZone: Description: "The availability zone for the subnet #1" Type: "AWS::EC2::AvailabilityZone::Name" - Default: "us-east-1a" + Default: "eu-west-1b" Subnet2AvailabilityZone: Description: "The availability zone for the subnet #2" Type: "AWS::EC2::AvailabilityZone::Name" - Default: "us-east-1b" - Subnet3AvailabilityZone: - Description: "The availability zone for the subnet #3" - Type: "AWS::EC2::AvailabilityZone::Name" - Default: "us-east-1c" + Default: "eu-west-1c" Resources: Role: Type: AWS::IAM::Role 
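Review bot: The Subnet3AvailabilityZone parameter is deleted, but nothing in this hunk removes a Subnet3 resource that may still `!Ref` it; the node group later in this patch lists only Subnet1 and Subnet2, so if a Subnet3 resource survives elsewhere in the template the stack will fail with an unresolved reference. The new defaults also silently pin the template to eu-west-1 — an `AWS::EC2::AvailabilityZone::Name` parameter is validated against the region the stack is created in, so deploying in any other region fails at parameter validation unless both values are overridden. A comment above the two parameters, `# Defaults assume eu-west-1; pass both AZs explicitly when deploying elsewhere`, would save the next user that round-trip.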
@@ -229,6 +225,104 @@ Resources: ToPort: 65535 CidrIp: "0.0.0.0/0" + # SecurityGroupNodeGroups: + # Type: "AWS::EC2::SecurityGroup" + # Properties: + # GroupDescription: "Cluster SG Node Group" + # GroupName: node-group-sg + # VpcId: !Ref Vpc + # SecurityGroupIngress: + # - FromPort: 22 + # ToPort: 22 + # IpProtocol: "tcp" + # CidrIp: "0.0.0.0/0" + # - FromPort: 443 + # ToPort: 443 + # IpProtocol: "tcp" + # CidrIp: "0.0.0.0/0" + # - FromPort: 30300 + # ToPort: 30300 + # IpProtocol: "udp" + # CidrIp: "0.0.0.0/0" + # - IpProtocol: -1 + # FromPort: 1025 + # ToPort: 65535 + # CidrIp: "0.0.0.0/0" + # SecurityGroupEgress: + # - IpProtocol: "-1" + # FromPort: 0 + # ToPort: 65535 + # CidrIp: "0.0.0.0/0" + + # SecurityGroupIngressController: + # Type: "AWS::EC2::SecurityGroup" + # Properties: + # GroupDescription: "Cluster SG ingress controller" + # GroupName: ingress-ctrl-sg + # VpcId: !Ref Vpc + # SecurityGroupIngress: + # - FromPort: 443 + # ToPort: 443 + # IpProtocol: "tcp" + # CidrIp: "173.245.48.0/20" + # - FromPort: 443 + # ToPort: 443 + # IpProtocol: "tcp" + # CidrIp: "103.21.244.0/22" + # - FromPort: 443 + # ToPort: 443 + # IpProtocol: "tcp" + # CidrIp: "103.22.200.0/22" + # - FromPort: 443 + # ToPort: 443 + # IpProtocol: "tcp" + # CidrIp: "103.31.4.0/22" + # - FromPort: 443 + # ToPort: 443 + # IpProtocol: "tcp" + # CidrIp: "141.101.64.0/18" + # - FromPort: 443 + # ToPort: 443 + # IpProtocol: "tcp" + # CidrIp: "108.162.192.0/18" + # - FromPort: 443 + # ToPort: 443 + # IpProtocol: "tcp" + # CidrIp: "190.93.240.0/20" + # - FromPort: 443 + # ToPort: 443 + # IpProtocol: "tcp" + # CidrIp: "188.114.96.0/20" + # - FromPort: 443 + # ToPort: 443 + # IpProtocol: "tcp" + # CidrIp: "197.234.240.0/22" + # - FromPort: 443 + # ToPort: 443 + # IpProtocol: "tcp" + # CidrIp: "198.41.128.0/17" + # - FromPort: 443 + # ToPort: 443 + # IpProtocol: "tcp" + # CidrIp: "162.158.0.0/15" + # - FromPort: 443 + # ToPort: 443 + # IpProtocol: "tcp" + # CidrIp: "104.16.0.0/12" + # - FromPort: 443 
+ # ToPort: 443 + # IpProtocol: "tcp" + # CidrIp: "172.64.0.0/13" + # - FromPort: 443 + # ToPort: 443 + # IpProtocol: "tcp" + # CidrIp: "131.0.72.0/22" + # SecurityGroupEgress: + # - IpProtocol: "tcp" + # FromPort: 1025 + # ToPort: 65535 + # CidrIp: "0.0.0.0/0" + Cluster: Type: "AWS::EKS::Cluster" Properties: @@ -241,12 +335,12 @@ Resources: SecurityGroupIds: - !Ref SecurityGroup - BaseNodeGroup: + DevNodeGroup: Type: "AWS::EKS::Nodegroup" DependsOn: Cluster Properties: ClusterName: !Ref ClusterName - NodegroupName: base + NodegroupName: group-dev AmiType: AL2_x86_64 RemoteAccess: Ec2SshKey: "eks-dev-nodes" @@ -257,8 +351,10 @@ Resources: DesiredSize: 3 MaxSize: 5 InstanceTypes: - - t2.small + - m5.large NodeRole: !GetAtt NodeInstanceRole.Arn Subnets: - !Ref Subnet1 - !Ref Subnet2 + + diff --git a/jitsi-meet-examples/aws/jitsi-values.yaml b/jitsi-meet-examples/aws/jitsi-values.yaml index f5016b3..e9e9d20 100644 --- a/jitsi-meet-examples/aws/jitsi-values.yaml +++ b/jitsi-meet-examples/aws/jitsi-values.yaml @@ -1,20 +1,32 @@ +webHost: jitsi.meat-project.tk + +common: + environment: + - name: XMPP_DOMAIN + value: jitsi.meet + - name: XMPP_AUTH_DOMAIN + value: auth.jitsi.meet + - name: XMPP_INTERNAL_MUC_DOMAIN + value: internal-muc.jitsi.meet + - name: XMPP_MUC_DOMAIN + value: muc.jitsi.meet + - name: XMPP_GUEST_DOMAIN + value: guest.jitsi.meet + - name: JVB_BREWERY_MUC + value: jvbbrewery + - name: TZ + value: Europe/Amsterdam + jicofo: userAuth: enabled: true name: "focus" secret: dG90bw== componentSecret: dG90bw== - environment: - - name: TZ - value: Europe/Amsterdam - - name: JVB_BREWERY_MUC - value: jvbbrewery - - name: XMPP_DOMAIN - value: meet.jitsi - - name: XMPP_AUTH_DOMAIN - value: auth.meet.jitsi - - name: XMPP_INTERNAL_MUC_DOMAIN - value: internal-muc.meet.jitsi + replicaCount: 1 + environmnet: + - name: JICOFO_AUTH_DOMAIN + value: auth.jitsi.meet # need JVM optimisation jvb: 
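Review bot: The roughly one hundred commented-out lines deploy nothing, but they preserve a node-group rule set that opens port 22 to `0.0.0.0/0` and an `IpProtocol: -1` entry on 1025-65535 (for protocol -1 the port range is ignored, so that entry is effectively allow-all) — anyone who uncomments it as written exposes the nodes to the internet. The ingress-controller group is a snapshot of the Cloudflare IPv4 ranges, and its egress is TCP-only on 1025-65535, which would block DNS and NTP for the controller; stale Cloudflare entries silently drop legitimate traffic or admit ranges that have since been released. Either drop the block or keep it as a reviewed template with SSH restricted to a bastion CIDR or security group and a header such as `# NOT DEPLOYED – reference only; Cloudflare ranges snapshotted from https://www.cloudflare.com/ips/, re-sync before use`.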
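Review bot: `RemoteAccess` still sets `Ec2SshKey: "eks-dev-nodes"` with no `SourceSecurityGroups`, and for managed node groups EKS documents that this combination opens port 22 from `0.0.0.0/0` in the node security group; renaming the group to group-dev keeps that exposure and nothing in this patch addresses it. Add `SourceSecurityGroups: [!Ref SecurityGroup]` (or a bastion SG) under RemoteAccess, or remove RemoteAccess entirely and use SSM Session Manager for node access. The key-pair name is also region-scoped, so a comment `# key pair must exist in the deployment region (defaults now assume eu-west-1)` would make the dependency on the AZ change in this patch explicit.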
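Review bot: `environmnet:` under `jicofo` is misspelled, so the `JICOFO_AUTH_DOMAIN=auth.jitsi.meet` entry added here is silently ignored by the chart and jicofo keeps whatever default the image derives; rename the key to `environment:`. In the same block, `secret` and `componentSecret` remain literal values in a committed values file (`dG90bw==` is just base64 of `toto`) — if the chart can reference an existing Kubernetes Secret, use that; otherwise at least generate a per-deployment random value instead of a shared placeholder. Moving the XMPP domains into `common.environment` does remove the earlier drift between components, which is good.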
@@ -25,19 +37,9 @@ jvb: ingress: enabled: false replicaCount: 2 + service: + sessionAffinity: ClientIP environment: - - name: TZ - value: Europe/Amsterdam - - name: JVB_BREWERY_MUC - value: jvbbrewery - - name: XMPP_DOMAIN - value: meet.jitsi - - name: XMPP_AUTH_DOMAIN - value: auth.meet.jitsi - - name: XMPP_MUC_DOMAIN - value: muc.meet.jitsi - - name: XMPP_INTERNAL_MUC_DOMAIN - value: internal-muc.meet.jitsi - name: JVB_STUN_SERVERS value: stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302 - name: JVB_TCP_HARVESTER_DISABLED 
@@ -46,46 +48,59 @@ jvb: valueFrom: fieldRef: fieldPath: status.hostIP + - name: JVB_OPTS + value: "--apis=xmpp,rest" + - name: ENABLE_STATISTICS + value: "true" + # resources: + # limits: + # memory: 512Mi + # cpu: 100m + # requests: + # memory: 256Mi + # cpu: 25m prosody: + auth: + enabled: false + guest: 0 + # type: jwt + recorder: false + replicaCount: 1 environment: - name: JVB_TCP_HARVESTER_DISABLED value: "true" - - name: TZ - value: Europe/Amsterdam - - name: JVB_BREWERY_MUC - value: jvbbrewery - - name: XMPP_DOMAIN - value: meet.jitsi - - name: XMPP_AUTH_DOMAIN - value: auth.meet.jitsi - - name: XMPP_INTERNAL_MUC_DOMAIN - value: internal-muc.meet.jitsi - - name: JVB_TCP_HARVESTER_DISABLED - value: "true" - - name: XMPP_MUC_DOMAIN - value: muc.meet.jitsi + - name: ENABLE_GUESTS + value: "1" web: ingress: enabled: true annotations: - kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" cert-manager.io/cluster-issuer: "letsencrypt" + cert-manager.io/acme-challenge-type: http01 + ingress.kubernetes.io/auth: "oauth2_proxy" + ingress.kubernetes.io/oauth-uri-prefix: "/oauth2" + ingress.kubernetes.io/forwarded-for: "enabled" + ingress.kubernetes.io/load-balance: "uri" + ingress.kubernetes.io/ssl-redirect: "ON" + ingress.kubernetes.io/ssl-certificate: jitsi/meet-web + ingress.kubernetes.io/timeout-tunnel: 3h + kubernetes.io/ingress.class: "haproxy" hosts: - host: jitsi.meat-project.tk + oauth: true paths: - - "/" + - / tls: - hosts: - jitsi.meat-project.tk - secretName: jitsi-web + secretName: meet-web replicaCount: 2 hpa: enabled: true minReplicas: 2 - maxReplicas: 3 + maxReplicas: 5 metrics: - type: Resource resource: 
@@ -95,19 +110,33 @@ web: resource: name: cpu targetAverageUtilization: 70 + jwtsidecar: + extraArgs: + provider: oidc + email-domain: * + provider-display-name: aws_cognito + client-id: yourclientid + client-secret: yourclientsecret + insecure-oidc-allow-unverified-email: false + oidc-issuer-url: issuerurl + oidc-jwks-url: jwksurl + scope: "openid profile aws.cognito.signin.user.admin" + cookie-secure: true + cookie-domain: mydomain.com + cookie-secret: randomcookiesecret + cookie-samesite: lax + provider: oidc + set-xauthrequest: true + proxy-prefix: "/oauth2" environment: - - name: XMPP_DOMAIN - value: meet.jitsi - - name: XMPP_AUTH_DOMAIN - value: auth.meet.jitsi - - name: XMPP_INTERNAL_MUC_DOMAIN - value: internal-muc.meet.jitsi - - name: XMPP_MUC_DOMAIN - value: muc.meet.jitsi - - name: TZ - value: America/Los_Angeles - name: JVB_TCP_HARVESTER_DISABLED value: "true" + - name: ENABLE_GUESTS + value: "1" + - name: ENABLE_LETSENCRYPT + value: "0" + - name: DISABLE_HTTPS + value: "1" resources: limits: memory: 128Mi diff --git a/jitsi-meet-examples/aws/k8s/ingress-values.yaml b/jitsi-meet-examples/aws/k8s/ingress-haproxy-values.yaml similarity index 64% rename from jitsi-meet-examples/aws/k8s/ingress-values.yaml rename to jitsi-meet-examples/aws/k8s/ingress-haproxy-values.yaml index f1dea09..61d7d2a 100644 --- a/jitsi-meet-examples/aws/k8s/ingress-values.yaml +++ b/jitsi-meet-examples/aws/k8s/ingress-haproxy-values.yaml @@ -1,16 +1,11 @@ controller: - resources: - limits: - cpu: 150m - memory: 128Mi - requests: - cpu: 100m - memory: 64Mi - proxySetHeaders: - use-proxy-protocol: 'true' - proxy-real-ip-cidr: 'true' + replicaCount: 1 autoscaling: enabled: true + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 70 + targetMemoryUtilizationPercentage: 50 service: externalTrafficPolicy: Local annotations: 
@@ -18,3 +13,11 @@ controller: service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60' service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' service.beta.kubernetes.io/aws-load-balancer-type: nlb + resources: + limits: + memory: 64Mi + cpu: 50m + requests: + memory: 32Mi + cpu: 15m + diff --git a/jitsi-meet-examples/aws/k8s/letsencrypt.yaml b/jitsi-meet-examples/aws/k8s/letsencrypt.yaml index 0147c2c..bed2c1d 100644 --- a/jitsi-meet-examples/aws/k8s/letsencrypt.yaml +++ b/jitsi-meet-examples/aws/k8s/letsencrypt.yaml @@ -4,11 +4,11 @@ metadata: name: letsencrypt spec: acme: - email: youremail@address.com + email: your@email.address server: https://acme-v02.api.letsencrypt.org/directory privateKeySecretRef: name: letsencrypt-secret solvers: - http01: ingress: - class: nginx \ No newline at end of file + class: haproxy \ No newline at end of file