diff --git a/jitsi-meet/configs/jicofo/sip-communicator.properties b/jitsi-meet/configs/jicofo/sip-communicator.properties
new file mode 100644
index 0000000..6ac697a
--- /dev/null
+++ b/jitsi-meet/configs/jicofo/sip-communicator.properties
@@ -0,0 +1,19 @@
+org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true
+org.jitsi.jicofo.BRIDGE_MUC={{ .Env.JVB_BREWERY_MUC }}@{{ .Env.XMPP_INTERNAL_MUC_DOMAIN }}
+
+{{ if and .Env.JIBRI_BREWERY_MUC .Env.JIBRI_PENDING_TIMEOUT }}
+org.jitsi.jicofo.jibri.BREWERY={{ .Env.JIBRI_BREWERY_MUC}}@{{ .Env.XMPP_INTERNAL_MUC_DOMAIN }}
+org.jitsi.jicofo.jibri.PENDING_TIMEOUT={{ .Env.JIBRI_PENDING_TIMEOUT }}
+{{ end }}
+
+{{ if and .Env.JIGASI_SIP_URI .Env.JIGASI_BREWERY_MUC }}
+org.jitsi.jicofo.jigasi.BREWERY={{ .Env.JIGASI_BREWERY_MUC}}@{{ .Env.XMPP_INTERNAL_MUC_DOMAIN }}
+{{ end }}
+
+{{ if .Env.ENABLE_AUTH | default "0" | toBool }}
+org.jitsi.jicofo.auth.URL=XMPP:{{ .Env.XMPP_DOMAIN }}
+{{ end }}
+
+{{ if .Env.JICOFO_RESERVATION_REST_BASE_URL }}
+org.jitsi.impl.reservation.rest.BASE_URL={{ .Env.JICOFO_RESERVATION_REST_BASE_URL }}
+{{ end }}
diff --git a/jitsi-meet/configs/jvb/logging.properties b/jitsi-meet/configs/jvb/logging.properties
new file mode 100644
index 0000000..14cddbc
--- /dev/null
+++ b/jitsi-meet/configs/jvb/logging.properties
@@ -0,0 +1,13 @@
+handlers= java.util.logging.ConsoleHandler
+
+java.util.logging.ConsoleHandler.level = ALL
+java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter
+
+net.java.sip.communicator.util.ScLogFormatter.programname=JVB
+
+.level=INFO
+
+org.jitsi.videobridge.xmpp.ComponentImpl.level=FINE
+
+# All of the INFO level logs from MediaStreamImpl are unnecessary in the context of jitsi-videobridge.
+org.jitsi.impl.neomedia.MediaStreamImpl.level=WARNING
\ No newline at end of file
diff --git a/jitsi-meet/configs/jvb/sip-communicator.properties b/jitsi-meet/configs/jvb/sip-communicator.properties
index f8a454e..612ffb0 100644
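Review bot: `org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true` on the first line of the new jicofo config is unconditional, so jicofo accepts whatever certificate prosody presents no matter how the chart is deployed, and the jvb side already carries `DISABLE_CERTIFICATE_VERIFICATION=true` (context in the next hunk), so nothing in the chart verifies the XMPP server's identity. If that is a deliberate choice because prosody is only reachable inside the cluster, record it in the file — `# trusts any prosody certificate; relies on the XMPP server being reachable only in-cluster` — or gate it on an environment variable with a conservative default the way `ENABLE_AUTH` is handled further down. Separately, the jigasi block is conditioned on `JIGASI_SIP_URI` but never uses it, so the condition reads as accidental and is worth a comment or a simpler `{{ if .Env.JIGASI_BREWERY_MUC }}`.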
--- a/jitsi-meet/configs/jvb/sip-communicator.properties +++ b/jitsi-meet/configs/jvb/sip-communicator.properties @@ -18,11 +18,6 @@ org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS={{ .Env.JVB_BREWERY_MUC }}@{{ .En org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME={{ .Env.HOSTNAME }} org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=true -org.jitsi.videobridge.ENABLE_STATISTICS=true +org.jitsi.videobridge.ENABLE_STATISTICS={{ .Env.ENABLE_STATISTICS }} org.jitsi.videobridge.STATISTICS_TRANSPORT=muc org.jitsi.videobridge.STATISTICS_INTERVAL=5000 - -org.jitsi.videobridge.ENABLE_STATISTICS=true -org.jitsi.videobridge.STATISTICS_TRANSPORT=pubsub -org.jitsi.videobridge.PUBSUB_SERVICE={{ .Env.XMPP_DOMAIN }} -org.jitsi.videobridge.PUBSUB_NODE=sharedStatsNode diff --git a/jitsi-meet/configs/prosody/jitsi-meet.cfg.lua b/jitsi-meet/configs/prosody/jitsi-meet.cfg.lua new file mode 100644 index 0000000..3513ab3 --- /dev/null +++ b/jitsi-meet/configs/prosody/jitsi-meet.cfg.lua 
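Review bot: `org.jitsi.videobridge.ENABLE_STATISTICS={{ .Env.ENABLE_STATISTICS }}` has no default, so when ENABLE_STATISTICS is not set in the container environment the rendered line becomes `ENABLE_STATISTICS=` although the value being replaced was `true`, and the jicofo config in this same change uses the `| default` idiom for exactly this situation. `org.jitsi.videobridge.ENABLE_STATISTICS={{ .Env.ENABLE_STATISTICS | default "true" }}` keeps the previous behaviour when the variable is absent. The removal of the duplicate pubsub statistics block below it is fine; with a single `STATISTICS_TRANSPORT=muc` left there is no longer a conflicting definition.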
@@ -0,0 +1,106 @@ +admins = { {{ .Env.JVB_ADMINS }} } +plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" } +http_default_host = "{{ .Env.XMPP_DOMAIN }}" + +{{ $ENABLE_AUTH := .Env.ENABLE_AUTH | default "0" | toBool }} +{{ $AUTH_TYPE := .Env.AUTH_TYPE | default "internal" }} +{{ $JWT_ASAP_KEYSERVER := .Env.JWT_ASAP_KEYSERVER | default "" }} +{{ $JWT_ALLOW_EMPTY := .Env.JWT_ALLOW_EMPTY | default "0" | toBool }} +{{ $JWT_AUTH_TYPE := .Env.JWT_AUTH_TYPE | default "token" }} +{{ $JWT_TOKEN_AUTH_MODULE := .Env.JWT_TOKEN_AUTH_MODULE | default "token_verification" }} + +{{ if and $ENABLE_AUTH (eq $AUTH_TYPE "jwt") .Env.JWT_ACCEPTED_ISSUERS }} +asap_accepted_issuers = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_ISSUERS) }}" } +{{ end }} +{{ if and $ENABLE_AUTH (eq $AUTH_TYPE "jwt") .Env.JWT_ACCEPTED_AUDIENCES }} +asap_accepted_audiences = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_AUDIENCES) }}" } +{{ end }} +VirtualHost "{{ .Env.XMPP_DOMAIN }}" +{{ if $ENABLE_AUTH }} + {{ if eq $AUTH_TYPE "jwt" }} + authentication = "{{ $JWT_AUTH_TYPE }}" + app_id = "{{ .Env.JWT_APP_ID }}" + app_secret = "{{ .Env.JWT_APP_SECRET }}" + allow_empty_token = {{ if $JWT_ALLOW_EMPTY }}true{{ else }}false{{ end }} + {{ if $JWT_ASAP_KEYSERVER }} + asap_key_server = "{{ .Env.JWT_ASAP_KEYSERVER }}" + {{ end }} + {{ else if eq $AUTH_TYPE "ldap" }} + authentication = "cyrus" + cyrus_application_name = "xmpp" + allow_unencrypted_plain_auth = true + {{ else if eq $AUTH_TYPE "internal" }} + authentication = "internal_hashed" + {{ end }} +{{ else }} + authentication = "anonymous" +{{ end }} + ssl = { + key = "/config/certs/{{ .Env.XMPP_DOMAIN }}.key"; + certificate = "/config/certs/{{ .Env.XMPP_DOMAIN }}.crt"; + } + modules_enabled = { + "bosh"; + "pubsub"; + "ping"; + "speakerstats"; + "conference_duration"; + {{ if eq $AUTH_TYPE "jwt" }} + "{{ $JWT_TOKEN_AUTH_MODULE }}"; + {{ end }} + {{ if .Env.XMPP_MODULES }} + "{{ join "\";\n\"" (splitList "," .Env.XMPP_MODULES) }}"; + 
{{ end }} + {{ if and $ENABLE_AUTH (eq $AUTH_TYPE "ldap") }} + "auth_cyrus"; + {{end}} + } + speakerstats_component = "speakerstats.{{ .Env.XMPP_DOMAIN }}" + conference_duration_component = "conferenceduration.{{ .Env.XMPP_DOMAIN }}" + c2s_require_encryption = false + +{{ if and $ENABLE_AUTH (.Env.ENABLE_GUESTS | default "0" | toBool) }} +VirtualHost "{{ .Env.XMPP_GUEST_DOMAIN }}" + authentication = "anonymous" + c2s_require_encryption = false +{{ end }} +VirtualHost "{{ .Env.XMPP_AUTH_DOMAIN }}" + ssl = { + key = "/config/certs/{{ .Env.XMPP_AUTH_DOMAIN }}.key"; + certificate = "/config/certs/{{ .Env.XMPP_AUTH_DOMAIN }}.crt"; + } + authentication = "internal_hashed" +{{ if .Env.XMPP_RECORDER_DOMAIN }} +VirtualHost "{{ .Env.XMPP_RECORDER_DOMAIN }}" + modules_enabled = { + "ping"; + } + authentication = "internal_hashed" +{{ end }} +Component "{{ .Env.XMPP_INTERNAL_MUC_DOMAIN }}" "muc" + modules_enabled = { + "ping"; + {{ if .Env.XMPP_INTERNAL_MUC_MODULES }} + "{{ join "\";\n\"" (splitList "," .Env.XMPP_INTERNAL_MUC_MODULES) }}"; + {{ end }} + } + storage = "memory" + muc_room_cache_size = 1000 +Component "{{ .Env.XMPP_MUC_DOMAIN }}" "muc" + storage = "memory" + modules_enabled = { + {{ if .Env.XMPP_MUC_MODULES }} + "{{ join "\";\n\"" (splitList "," .Env.XMPP_MUC_MODULES) }}"; + {{ end }} + {{ if eq $AUTH_TYPE "jwt" }} + "{{ $JWT_TOKEN_AUTH_MODULE }}"; + {{ end }} + } + muc_room_locking = false + muc_room_default_public_jids = true +Component "focus.{{ .Env.XMPP_DOMAIN }}" + component_secret = "{{ .Env.JICOFO_COMPONENT_SECRET }}" +Component "speakerstats.{{ .Env.XMPP_DOMAIN }}" "speakerstats_component" + muc_component = "{{ .Env.XMPP_MUC_DOMAIN }}" +Component "conferenceduration.{{ .Env.XMPP_DOMAIN }}" "conference_duration_component" + muc_component = "{{ .Env.XMPP_MUC_DOMAIN }}" \ No newline at end of file diff --git a/jitsi-meet/configs/prosody/prosody.cfg.lua b/jitsi-meet/configs/prosody/prosody.cfg.lua new file mode 100644 index 0000000..896f87e --- /dev/null 
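Review bot: in the `ldap` branch of the main VirtualHost, `allow_unencrypted_plain_auth = true` is set while the same host ends with `c2s_require_encryption = false`, so a client may send its directory password with SASL PLAIN over a c2s stream that was never upgraded to TLS; nothing in this file forces encryption before authentication. If TLS is expected to be terminated elsewhere (BOSH behind the ingress, for example) that assumption should sit next to the setting — `-- PLAIN without TLS is allowed because c2s is expected to stay behind the ingress / in-cluster; revisit before exposing 5222 directly` — otherwise `c2s_require_encryption = true` for the ldap case is the safer default. Two smaller points in the same hunk: `asap_key_server = "{{ .Env.JWT_ASAP_KEYSERVER }}"` reads the environment directly although `$JWT_ASAP_KEYSERVER` was defined at the top for that purpose, and `{{end}}` after `"auth_cyrus";` differs from the `{{ end }}` spelling used everywhere else in the file.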
+++ b/jitsi-meet/configs/prosody/prosody.cfg.lua 
@@ -0,0 +1,146 @@ +{{ $LOG_LEVEL := .Env.LOG_LEVEL | default "info" }} + +-- Prosody Example Configuration File +-- +-- Information on configuring Prosody can be found on our +-- website at http://prosody.im/doc/configure +-- +-- Tip: You can check that the syntax of this file is correct +-- when you have finished by running: luac -p prosody.cfg.lua +-- If there are any errors, it will let you know what and where +-- they are, otherwise it will keep quiet. +-- +-- The only thing left to do is rename this file to remove the .dist ending, and fill in the +-- blanks. Good luck, and happy Jabbering! + + +---------- Server-wide settings ---------- +-- Settings in this section apply to the whole server and are the default settings +-- for any virtual hosts + +-- This is a (by default, empty) list of accounts that are admins +-- for the server. Note that you must create the accounts separately +-- (see http://prosody.im/doc/creating_accounts for info) +-- Example: admins = { "user1@example.com", "user2@example.net" } +admins = { {{ .Env.JVB_ADMINS }} } + +-- Enable use of libevent for better performance under high load +-- For more information see: http://prosody.im/doc/libevent +--use_libevent = true; + +-- This is the list of modules Prosody will load on startup. +-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too. +-- Documentation on modules can be found at: http://prosody.im/doc/modules +modules_enabled = { + + -- Generally required + "roster"; -- Allow users to have a roster. Recommended ;) + "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in. + "tls"; -- Add support for secure TLS on c2s/s2s connections + "dialback"; -- s2s dialback support + "disco"; -- Service discovery + + -- Not essential, but recommended + "private"; -- Private XML storage (for room bookmarks, etc.) 
+ "vcard"; -- Allow users to set vCards + + -- These are commented by default as they have a performance impact + --"privacy"; -- Support privacy lists + --"compression"; -- Stream compression (Debian: requires lua-zlib module to work) + + -- Nice to have + "version"; -- Replies to server version requests + "uptime"; -- Report how long server has been running + "time"; -- Let others know the time here on this server + "ping"; -- Replies to XMPP pings with pongs + "pep"; -- Enables users to publish their mood, activity, playing music and more + "register"; -- Allow users to register on this server using a client and change passwords + + -- Admin interfaces + "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands + --"admin_telnet"; -- Opens telnet console interface on localhost port 5582 + + -- HTTP modules + --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP" + --"http_files"; -- Serve static files from a directory over HTTP + + -- Other specific functionality + "posix"; -- POSIX functionality, sends server to background, enables syslog, etc. + --"groups"; -- Shared roster support + --"announce"; -- Send announcement to all online users + --"welcome"; -- Welcome users who register accounts + --"watchregistrations"; -- Alert admins of registrations + --"motd"; -- Send a message to users when they log in + --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots. 
+ {{ if .Env.GLOBAL_MODULES }} + "{{ join "\";\n\"" (splitList "," .Env.GLOBAL_MODULES) }}"; + {{ end }} +}; +consider_bosh_secure = true; +https_ports = { } +-- These modules are auto-loaded, but should you want +-- to disable them then uncomment them here: +modules_disabled = { + -- "offline"; -- Store offline messages + -- "c2s"; -- Handle client connections + -- "s2s"; -- Handle server-to-server connections +}; +-- Disable account creation by default, for security +-- For more information see http://prosody.im/doc/creating_accounts +allow_registration = false; +daemonize = false; +pidfile = "/config/data/prosody.pid"; +-- Force clients to use encrypted connections? This option will +-- prevent clients from authenticating unless they are using encryption. +c2s_require_encryption = false +-- Force certificate authentication for server-to-server connections? +-- This provides ideal security, but requires servers you communicate +-- with to support encryption AND present valid, trusted certificates. +-- NOTE: Your version of LuaSec must support certificate verification! +-- For more information see http://prosody.im/doc/s2s#security +s2s_secure_auth = false +-- Many servers don't support encryption or have invalid or self-signed +-- certificates. You can list domains here that will not be required to +-- authenticate using certificates. They will be authenticated using DNS. +--s2s_insecure_domains = { "gmail.com" } +-- Even if you leave s2s_secure_auth disabled, you can still require valid +-- certificates for some domains by specifying a list here. +--s2s_secure_domains = { "jabber.org" } +-- Select the authentication backend to use. The 'internal' providers +-- use Prosody's configured data storage to store the authentication data. +-- To allow Prosody to offer secure authentication mechanisms to clients, the +-- default provider stores passwords in plaintext. 
If you do not trust your +-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed +-- for information about using the hashed backend. +authentication = "internal_hashed" +-- Select the storage backend to use. By default Prosody uses flat files +-- in its configured data directory, but it also supports more backends +-- through modules. An "sql" backend is included by default, but requires +-- additional dependencies. See http://prosody.im/doc/storage for more info. +--storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the +-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work) +-- For the "sql" backend, you can uncomment *one* of the below to configure: +--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename. +--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" } +--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" } +-- Logging configuration +-- For advanced logging see http://prosody.im/doc/logging +-- +-- Debian: +-- Logs info and higher to /var/log +-- Logs errors to syslog also +log = { + { levels = {min = "{{ $LOG_LEVEL }}"}, to = "console"}; +} +{{ if .Env.GLOBAL_CONFIG }} +{{ join "\n" (splitList "\\n" .Env.GLOBAL_CONFIG) }} +{{ end }} +-- Enable use of native prosody 0.11 support for epoll over select +network_backend = "epoll"; +-- Set the TCP backlog to 511 since the kernel rounds it up to the next power of 2: 512. +network_settings = { + tcp_backlog = 511; +} +component_interface = { "*" } +data_path = "/config/data" +Include "conf.d/*.cfg.lua" \ No newline at end of file diff --git a/jitsi-meet/templates/_helpers.tpl b/jitsi-meet/templates/_helpers.tpl index 18bbe46..6fc4ae6 100644 --- a/jitsi-meet/templates/_helpers.tpl +++ b/jitsi-meet/templates/_helpers.tpl 
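Review bot: `component_interface = { "*" }` near the end of the file binds the external-component listener on every interface, and the prosody Service in this change also publishes that port (`targetPort: xmpp`, container port 5347), so anything able to reach the Service can attempt a component handshake whose only protection is the per-component `component_secret`. The components declared in jitsi-meet.cfg.lua are served by jicofo, which this change runs in the same pod with `XMPP_SERVER` set to `localhost`, so it is not obvious from the diff that the listener has to be reachable from outside the pod; if an out-of-pod component needs it, a one-line comment saying so would help, and if not, restricting `component_interface` to the loopback address removes an exposed authentication surface. Also, `admins = { {{ .Env.JVB_ADMINS }} }` (here and at the top of jitsi-meet.cfg.lua) splices the variable into a Lua table literal unquoted, so the value must already be a comma-separated list of quoted JIDs; a comment such as `-- JVB_ADMINS must be a comma-separated list of quoted JIDs, e.g. "admin@example.com"` would prevent a plain value from breaking the config at parse time.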
@@ -6,64 +6,72 @@ Expand the name of the chart. {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "jitsi-meet.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + {{/* Create the web server name */}} {{- define "jitsi-meet.name-web" -}} -{{- default .Chart.Name "web" | trimSuffix "-" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" $name "web" | trunc 63 -}} {{- end -}} {{/* Create the XMPP server name */}} {{- define "jitsi-meet.name-prosody" -}} -{{- default .Chart.Name "prosody" | trimSuffix "-" -}} +{{- printf "%s-%s" .Chart.Name "prosody" | trunc 63 -}} {{- end -}} {{/* Create the jicofo cmp name */}} {{- define "jitsi-meet.name-jicofo" -}} -{{- default .Chart.Name "jicofo" | trimSuffix "-" -}} +{{- printf "%s-%s" .Chart.Name "jicofo" | trunc 63 -}} {{- end -}} {{/* Create the jicofo config name */}} {{- define "jitsi-meet.name-jicofo-config" -}} -{{- default .Chart.Name "jicofo" "config" | trimSuffix "-" -}} +{{- printf "%s-%s" .Chart.Name "jicofo-config" | trunc 63 -}} {{- end -}} {{/* Create the jvb server name */}} {{- define "jitsi-meet.name-jvb" -}} -{{- default .Chart.Name "jvb" | trimSuffix "-" -}} +{{- printf "%s-%s" .Chart.Name "jvb" | trunc 63 -}} {{- end -}} {{/* Create the jvb config name */}} {{- define "jitsi-meet.name-jvb-config" -}} -{{- default .Chart.Name "jvb" "config" | trimSuffix 
"-" -}} +{{- printf "%s-%s" .Chart.Name "jvb-config" | trunc 63 -}} {{- end -}} {{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. +Create the sidecar name for jwt auth */}} -{{- define "jitsi-meet.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} +{{- define "jitsi-meet.name-jwt-sidecar" -}} +{{- printf "%s-%s" .Chart.Name "jwt" | trunc 63 -}} {{- end -}} {{/* diff --git a/jitsi-meet/templates/deployment-jvb.yaml b/jitsi-meet/templates/deployment-jvb.yaml deleted file mode 100644 index 721cf6b..0000000 --- a/jitsi-meet/templates/deployment-jvb.yaml +++ /dev/null 
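Review bot: `jitsi-meet.name-web` now takes its prefix from `default .Chart.Name .Values.nameOverride`, while the prosody, jicofo, jvb, config and jwt-sidecar helpers rewritten in the same hunk use `.Chart.Name` alone, so setting `nameOverride` renames only the web resources and the release ends up with two naming schemes. The new helpers also apply `| trunc 63` without the `| trimSuffix "-"` that `jitsi-meet.fullname` uses, so a long chart name can produce a resource name ending in `-`, which is not a valid DNS label. One shared prefix helper would fix both, e.g. `{{- define "jitsi-meet.name-base" -}}{{- default .Chart.Name .Values.nameOverride -}}{{- end -}}` and then `{{- printf "%s-%s" (include "jitsi-meet.name-base" .) "prosody" | trunc 63 | trimSuffix "-" -}}` in each component helper (name-base is a suggested name, not an existing one). The old `default .Chart.Name "jvb" "config"` three-argument form this replaces was indeed broken, so the rewrite itself is welcome.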
@@ -1,100 +0,0 @@ -{{- $xmppServer := include "jitsi-meet.name-prosody" . -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "jitsi-meet.name-jvb" . }} - labels: -{{ include "jitsi-meet.labels" . | indent 4 }} -spec: - serviceName: {{ include "jitsi-meet.name-jvb" . }} - replicas: {{ .Values.jvb.replicaCount }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "jitsi-meet.name-jvb" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "jitsi-meet.name-jvb" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "jitsi-meet.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.jvb.podSecurityContext | nindent 8 }} - containers: - - name: {{ include "jitsi-meet.name-jvb" . }} - image: "{{ .Values.jvb.image.repository }}:{{ .Values.jvb.image.tag }}" - imagePullPolicy: {{ .Values.jvb.image.pullPolicy }} - env: - - name: XMPP_SERVER - value: {{ include "jitsi-meet.name-prosody" . }} - {{- if .Values.jicofo.userAuth.enabled }} - - name: JICOFO_AUTH_USER - value: {{ .Values.jicofo.userAuth.name }} - - name: JICOFO_AUTH_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "jitsi-meet.name-jicofo-config" . }} - key: JICOFO_AUTH_PASSWORD - {{- end }} - {{- if .Values.jvb.userAuth.enabled }} - - name: JVB_AUTH_USER - value: {{ .Values.jvb.userAuth.name }} - - name: JVB_AUTH_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "jitsi-meet.name-jvb-config" . }} - key: JVB_AUTH_PASSWORD - {{- end }} - {{ if .Values.jicofo.componentSecret }} - - name: JICOFO_COMPONENT_SECRET - valueFrom: - secretKeyRef: - name: {{ include "jitsi-meet.name-jicofo-config" . }} - key: JICOFO_COMPONENT_SECRET - {{ end }} - - name: JVB_PORT - value: "30300" - {{- with .Values.jvb.environment }} - {{- toYaml . 
| nindent 12 }} - {{- end }} - ports: - - name: video - containerPort: 30300 - protocol: UDP - volumeMounts: - - name: dockersock - mountPath: "/var/run/docker.sock" - - name: config - mountPath: "/var/app" - lifecycle: - podStart: - exec: - - /bin/bash - - -c - - cp /var/app/sip-communicator.properties /config/sip-communicator.properties - resources: - {{- toYaml .Values.jvb.resources | nindent 12 }} - volumes: - - name: dockersock - hostPath: - path: /var/run/docker.sock - - name: config - configMap: - name: {{ template "jitsi-meet.name-jvb-config" . }}-cm - {{- with .Values.jvb.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.jvb.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.jvb.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/jitsi-meet/templates/ingress-web.yaml b/jitsi-meet/templates/ingress-web.yaml index cc3da32..efeddc4 100644 --- a/jitsi-meet/templates/ingress-web.yaml +++ b/jitsi-meet/templates/ingress-web.yaml @@ -31,8 +31,14 @@ spec: - host: {{ .host | quote }} http: paths: + {{- if .oauth }} + - path: /oauth2 + backend: + serviceName: "{{ $fullName }}-jwt" + servicePort: 4180 + {{- end }} {{- range .paths }} - - path: {{ . }} + - path: {{ . | quote }} backend: serviceName: {{ $fullName }} servicePort: {{ $svcPort }} diff --git a/jitsi-meet/templates/jicofo-config.yaml b/jitsi-meet/templates/jicofo-config.yaml index bfcaa17..a436906 100644 --- a/jitsi-meet/templates/jicofo-config.yaml +++ b/jitsi-meet/templates/jicofo-config.yaml @@ -5,7 +5,7 @@ metadata: labels: {{ include "jitsi-meet.labels" . | indent 4 }} data: - {{ if .Values.jicofo.userAuth.enabled }} + {{- if .Values.jicofo.userAuth.enabled }} JICOFO_AUTH_PASSWORD: {{ .Values.jicofo.userAuth.secret | quote }} - {{ end }} + {{- end }} JICOFO_COMPONENT_SECRET: {{ .Values.jicofo.componentSecret | quote }} \ No newline at end of file 
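Review bot: the new `/oauth2` path in ingress-web.yaml routes to `serviceName: "{{ $fullName }}-jwt"`, but the Service added in service-web-jwt.yaml in this same change is named `{{ include "jitsi-meet.name-web" . }}-jwt`; `$fullName` is defined outside this hunk and presumably comes from `jitsi-meet.fullname`, which incorporates the release name, so the two only coincide when the release name happens to equal the chart name and otherwise the ingress points at a Service that does not exist. Using the same helper in both places, `serviceName: {{ include "jitsi-meet.name-web" $ }}-jwt` (with `$` because `.` is the host entry inside the `range`), keeps them in step. The `{{ . | quote }}` on the path is a good fix; the jicofo-config hunk on the same line is whitespace-only.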
diff --git a/jitsi-meet/templates/jicofo-sip-config.yaml b/jitsi-meet/templates/jicofo-sip-config.yaml
new file mode 100644
index 0000000..692af42
--- /dev/null
+++ b/jitsi-meet/templates/jicofo-sip-config.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "jitsi-meet.name-jicofo-config" . }}-cm
+ labels:
+{{ include "jitsi-meet.labels" . | indent 4 }}
+data:
+ sip-communicator.properties: |-
+ {{- .Files.Get "configs/jicofo/sip-communicator.properties" | nindent 4 }}
diff --git a/jitsi-meet/templates/jvb-deployment.yaml b/jitsi-meet/templates/jvb-deployment.yaml
new file mode 100644
index 0000000..d568198
--- /dev/null
+++ b/jitsi-meet/templates/jvb-deployment.yaml
@@ -0,0 +1,111 @@ +{{- $root := . -}} +{{- $name := include "jitsi-meet.name-jvb" $root -}} +{{- range $index, $nbr := until (.Values.prosody.replicaCount | int) }} +--- +{{- $depName := printf "%s-%d" $name $nbr -}} +apiVersion: apps/v1beta2 +kind: Deployment +metadata: + name: {{ $depName | quote }} + labels: +{{ include "jitsi-meet.labels" $root | indent 4 }} +spec: + replicas: {{ $root.Values.jvb.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ $depName | quote }} + app.kubernetes.io/instance: {{ $root.Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ $depName | quote }} + app.kubernetes.io/instance: {{ $root.Release.Name }} + spec: + {{- with $root.Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "jitsi-meet.serviceAccountName" $root }} + securityContext: + {{- toYaml $root.Values.jvb.securityContext | nindent 8 }} + containers: + - name: {{ $name | quote }} + image: {{ printf "%s:%s" $root.Values.jvb.image.repository $root.Values.jvb.image.tag | quote }} + imagePullPolicy: {{ $root.Values.jvb.image.pullPolicy | quote }} + securityContext: + capabilities: + add: + - SYS_RESOURCE + - NET_ADMIN + {{- with $root.Values.jvb.podSecurityContext }} + {{- toYaml . 
| nindent 12 }} + {{- end }} + env: + - name: XMPP_SERVER + value: {{ include "jitsi-meet.name-prosody" $root }} + - name: PROSODY_INSTANCE + value: {{ printf "%d" $nbr | quote }} + {{- if $root.Values.jicofo.userAuth.enabled }} + - name: JICOFO_AUTH_USER + value: {{ $root.Values.jicofo.userAuth.name }} + - name: JICOFO_AUTH_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "jitsi-meet.name-jicofo-config" $root }} + key: JICOFO_AUTH_PASSWORD + {{- end }} + {{- if $root.Values.jvb.userAuth.enabled }} + - name: JVB_AUTH_USER + value: {{ $root.Values.jvb.userAuth.name }} + - name: JVB_AUTH_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "jitsi-meet.name-jvb-config" $root }} + key: JVB_AUTH_PASSWORD + {{- end }} + {{- if $root.Values.jicofo.componentSecret }} + - name: JICOFO_COMPONENT_SECRET + valueFrom: + secretKeyRef: + name: {{ include "jitsi-meet.name-jicofo-config" $root }} + key: JICOFO_COMPONENT_SECRET + {{- end }} + - name: JVB_PORT + value: {{ printf "%s%s" "3030" (toString $nbr) | quote }} + {{- with $root.Values.jvb.environment }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with $root.Values.common.environment }} + {{- toYaml . | nindent 12 }} + {{- end }} + ports: + - name: video + containerPort: {{ printf "%s%s" "3030" (toString $nbr) | int }} + protocol: UDP + volumeMounts: + - name: dockersock + mountPath: "/var/run/docker.sock" + - name: config + mountPath: "/defaults" + resources: + {{- toYaml $root.Values.jvb.resources | nindent 12 }} + volumes: + - name: dockersock + hostPath: + path: /var/run/docker.sock + - name: config + configMap: + name: {{ template "jitsi-meet.name-jvb-config" $root }}-cm + {{- with $root.Values.jvb.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $root.Values.jvb.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $root.Values.jvb.tolerations }} + tolerations: + {{- toYaml . 
| nindent 8 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/jitsi-meet/templates/jvb-service.yaml b/jitsi-meet/templates/jvb-service.yaml new file mode 100644 index 0000000..6554249 --- /dev/null +++ b/jitsi-meet/templates/jvb-service.yaml @@ -0,0 +1,31 @@ +{{- $root := . }} +{{- $name := include "jitsi-meet.name-jvb" $root }} +{{- range $index, $nbr := until (.Values.prosody.replicaCount | int) }} +{{- $port := printf "%s%s" "3030" (toString $nbr) }} +{{- $target := printf "%s-%d" $name $nbr}} +apiVersion: v1 +kind: Service +metadata: + name: {{ $target | quote }} + labels: +{{ include "jitsi-meet.labels" $root | indent 4 }} + {{- with $root.Values.jvb.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: NodePort + externalTrafficPolicy: Local + sessionAffinity: {{ $root.Values.jvb.service.sessionAffinity }} + {{- if $root.Values.jvb.service.sessionAffinityConfig }} + {{- toYaml $root.Values.jvb.service.sessionAffinityConfig }} + {{- end }} + ports: + - port: {{ atoi $port }} + protocol: UDP + targetPort: video + nodePort: {{ atoi $port }} + selector: + app.kubernetes.io/name: {{ $target | quote }} + app.kubernetes.io/instance: {{ $root.Release.Name }} +{{- end }} \ No newline at end of file diff --git a/jitsi-meet/templates/jvb-sip-config.yaml b/jitsi-meet/templates/jvb-sip-config.yaml index aa4295b..bae1fa2 100644 --- a/jitsi-meet/templates/jvb-sip-config.yaml +++ b/jitsi-meet/templates/jvb-sip-config.yaml @@ -5,7 +5,7 @@ metadata: labels: {{ include "jitsi-meet.labels" . | indent 4 }} data: - {{- range $path, $d := .Files.Glob "configs/jvb/*.properties" }} - {{- $path }}: |- - {{- $d | toString | nindent 4 }} - {{- end }} + sip-communicator.properties: |- + {{- .Files.Get "configs/jvb/sip-communicator.properties" | nindent 4 }} + logging.properties: |- + {{- .Files.Get "configs/jvb/logging.properties" | nindent 4 }} \ No newline at end of file 
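Review bot: every generated JVB Deployment mounts the node's Docker socket (`hostPath: /var/run/docker.sock` at `mountPath: "/var/run/docker.sock"`) and adds `NET_ADMIN` and `SYS_RESOURCE`, yet nothing in the container spec shows the bridge using that socket; a writable Docker socket is equivalent to root on the node, so if the videobridge image does not need it the `dockersock` volume and mount should be removed, and if it does, the reason belongs in a comment next to the mount. The file also declares `apiVersion: apps/v1beta2` where the Deployment it replaces used `apps/v1`; `apps/v1beta2` is no longer served by current Kubernetes releases, so `apiVersion: apps/v1` is needed for the chart to install at all. Less critical: the pod-level `securityContext` reads `$root.Values.jvb.securityContext` while the container-level one reads `$root.Values.jvb.podSecurityContext`, the reverse of how the deleted template (and the usual convention) names them, which will surprise anyone setting values.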
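Review bot: `{{- $port := printf "%s%s" "3030" (toString $nbr) }}` builds the port by string concatenation, so the eleventh instance (`$nbr` = 10) yields `303010`, which `atoi` turns into a value outside both the 16-bit port range and the default NodePort range and the Service is rejected; the same construction is used for `JVB_PORT` and `containerPort` in jvb-deployment.yaml. Computing it arithmetically, `{{- $port := add 30300 $nbr }}`, gives 30300–30309 for the first ten instances and stays valid up to the top of the NodePort range, with `port: {{ $port }}` and `nodePort: {{ $port }}` replacing the `atoi` calls. If more than a handful of prosody replicas is never intended, a comment stating the limit next to the `range` would do instead.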
diff --git a/jitsi-meet/templates/prosody-cfg-cm.yaml b/jitsi-meet/templates/prosody-cfg-cm.yaml new file mode 100644 index 0000000..68101b5 --- /dev/null +++ b/jitsi-meet/templates/prosody-cfg-cm.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "jitsi-meet.name-prosody" . }}-config-cm + labels: +{{ include "jitsi-meet.labels" . | indent 4 }} +data: + prosody.cfg.lua: |- + {{- .Files.Get "configs/prosody/prosody.cfg.lua" | b64enc | nindent 4 }} + jitsi-meet.cfg.lua: |- + {{- .Files.Get "configs/prosody/jitsi-meet.cfg.lua" | b64enc | nindent 4 }} \ No newline at end of file diff --git a/jitsi-meet/templates/service-prosody.yaml b/jitsi-meet/templates/prosody-service.yaml similarity index 85% rename from jitsi-meet/templates/service-prosody.yaml rename to jitsi-meet/templates/prosody-service.yaml index c1e0e1f..afc8e41 100644 --- a/jitsi-meet/templates/service-prosody.yaml +++ b/jitsi-meet/templates/prosody-service.yaml @@ -7,11 +7,11 @@ metadata: spec: type: {{ .Values.prosody.service.type }} ports: - - port: {{ .Values.prosody.service.portC2S1 }} + - port: 5222 targetPort: c2s1 protocol: TCP name: c2s1 - - port: {{ .Values.prosody.service.portC2S2 }} + - port: 5269 targetPort: c2s2 protocol: TCP name: c2s2 @@ -23,6 +23,7 @@ spec: targetPort: xmpp protocol: TCP name: xmpp + sessionAffinity: ClientIP selector: app.kubernetes.io/name: {{ include "jitsi-meet.name-prosody" . }} app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/jitsi-meet/templates/deployment-prosody.yaml b/jitsi-meet/templates/prosody-statefulset.yaml similarity index 55% rename from jitsi-meet/templates/deployment-prosody.yaml rename to jitsi-meet/templates/prosody-statefulset.yaml index 4704820..a203c1b 100644 --- a/jitsi-meet/templates/deployment-prosody.yaml +++ b/jitsi-meet/templates/prosody-statefulset.yaml 
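Review bot: both entries in prosody-cfg-cm.yaml pipe the Lua files through `b64enc`, so the ConfigMap holds base64 text rather than the configuration, unlike the jicofo and jvb ConfigMaps in this change which store the files as-is; the only decoding step visible in the diff is the `base64 -d` postStart in prosody-statefulset.yaml, and it is commented out. Dropping the encoding, `{{- .Files.Get "configs/prosody/prosody.cfg.lua" | nindent 4 }}`, makes the three config templates consistent and lets the file be mounted directly. If the encoding was meant to obscure the content, base64 is not a protection, and since `.Files.Get` does not render the `{{ .Env.* }}` references the stored file contains no resolved secret values anyway.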
@@ -1,11 +1,12 @@ apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: name: {{ include "jitsi-meet.name-prosody" . }} labels: {{ include "jitsi-meet.labels" . | indent 4 }} spec: - replicas: {{ .Values.jicofo.replicaCount }} + serviceName: {{ include "jitsi-meet.name-prosody" . }} + replicas: {{ .Values.prosody.replicaCount }} selector: matchLabels: app.kubernetes.io/name: {{ include "jitsi-meet.name-prosody" . }} @@ -55,15 +56,27 @@ spec: name: {{ template "jitsi-meet.name-jvb-config" . }} key: JVB_AUTH_PASSWORD {{- end }} + {{- if .Values.prosody.auth.enabled }} + - name: ENABLE_AUTH + value: "1" + - name: ENABLE_GUESTS + value: {{ .Values.prosody.auth.guest | quote }} + - name: AUTH_TYPE + value: {{ .Values.prosody.auth.type | quote }} + {{- end }} {{- range .Values.prosody.environment }} - name: {{ .name | quote }} value: {{ .value | quote }} {{- end }} + {{- range .Values.common.environment }} + - name: {{ .name | quote }} + value: {{ .value | quote }} + {{- end }} ports: - containerPort: 5222 protocol: TCP name: c2s1 - - containerPort: 5322 + - containerPort: 5269 protocol: TCP name: c2s2 - containerPort: 5280 @@ -72,8 +85,22 @@ spec: - containerPort: 5347 protocol: TCP name: xmpp + # lifecycle: + # postStart: + # exec: + # command: + # - /bin/bash + # - -c + # - cat /var/app/prosody.cfg.lua | base64 -d > /defaults/prosody.cfg.lua + # - cat /var/app/jitsi-meet.cfg.lua | base64 -d > /defaults/conf.d/jitsi-meet.cfg.lua + # # {{ if .Values.prosody.auth.enabled }} + # # - prosodyctl --config /config/prosody.cfg.lua register me $XMPP_DOMAIN $JVB_AUTH_PASSWORD; + # # {{ end }} resources: {{- toYaml .Values.prosody.resources | nindent 12 }} + volumeMounts: + - name: config-prosody + mountPath: "/var/app" - name: {{ include "jitsi-meet.name-jicofo" . }} image: "{{ .Values.jicofo.image.repository }}:{{ .Values.jicofo.image.tag }}" imagePullPolicy: {{ .Values.jicofo.image.pullPolicy }} 
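Review bot: the prosody container now mounts `config-prosody` at `/var/app`, but the `postStart` hook that would decode those files into `/defaults` is left commented out in this hunk (and likewise the copy step for jicofo's `/var/app` mount in the next hunk), so as far as the diff shows the new prosody.cfg.lua and jitsi-meet.cfg.lua — including the `ENABLE_AUTH`/`AUTH_TYPE` settings added in the hunk above — are never picked up and the container keeps whatever configuration the image ships. Either restore the hook or mount the ConfigMap entries where the image reads them (jvb-deployment.yaml mounts its config at `mountPath: "/defaults"`; `subPath` mounts avoid shadowing the rest of that directory). The commented block also contains a `prosodyctl ... register ... $JVB_AUTH_PASSWORD` line; if it is ever re-enabled, the password would appear as a command-line argument visible in process listings, so it should not be passed that way.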
@@ -101,13 +128,77 @@ spec:
 key: JICOFO_COMPONENT_SECRET
 {{ end }}
 - name: XMPP_SERVER
- value: localhost
+ value: "localhost"
+ {{- if .Values.prosody.auth.enabled }}
+ - name: ENABLE_AUTH
+ value: "1"
+ {{- end }}
 {{- range .Values.jicofo.environment }}
 - name: {{ .name | quote }}
 value: {{ .value | quote }}
 {{- end }}
+ {{- range .Values.common.environment }}
+ - name: {{ .name | quote }}
+ value: {{ .value | quote }}
+ {{- end }}
 resources:
 {{- toYaml .Values.jicofo.resources | nindent 12 }}
+ # lifecycle:
+ # postStart:
+ # exec:
+ # command:
+ # - /bin/bash
+ # - -c
+ # - cp /var/app/sip-communicator.properties /defaults/sip-communicator.properties
+ volumeMounts:
+ - name: config-jicofo
+ mountPath: "/var/app"
+ {{ if .Values.prosody.recorder }}
+ - name: {{ include "jitsi-meet.name-jibri" . }}
+ image: "{{ .Values.jibri.image.repository }}:{{ .Values.jibri.image.tag }}"
+ imagePullPolicy: {{ .Values.jibri.image.pullPolicy }}
+ securityContext:
+ # required to record sound
+ privileged: true
+ capabilities:
+ add:
+ - SYS_RESOURCE
+ - NET_BIND_SERVICE
+ {{- with .Values.jibri.podSecurityContext }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ env:
+ - name: XMPP_SERVER
+ value: localhost
+ {{- range .Values.jibri.environment }}
+ - name: {{ .name | quote }}
+ value: {{ .value | quote }}
+ {{- end }}
+ {{- range .Values.common.environment }}
+ - name: {{ .name | quote }}
+ value: {{ .value | quote }}
+ {{- end }}
+ volumeMounts:
+ - mountPath: /dev/shm
+ name: shm
+ - mountPath: /dev/snd
+ name: dev-snd
+ {{ end }}
+ volumes:
+ - name: config-jicofo
+ configMap:
+ name: {{ template "jitsi-meet.name-jicofo-config" . }}-cm
+ - name: config-prosody
+ configMap:
+ name: {{ template "jitsi-meet.name-prosody" . }}-config-cm
+ {{ if .Values.prosody.recorder }}
+ - name: shm
+ hostPath:
+ path: /dev/shm
+ - name: dev-snd
+ hostPath:
+ path: /dev/snd
+ {{ end }}
 {{- with .Values.prosody.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
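Review bot: The jibri container is rendered with `privileged: true` plus hostPath mounts of /dev/shm and /dev/snd, which hands that container the host's device nodes and kernel interfaces, and the `capabilities.add` list beneath it is redundant once `privileged` is set; the `# required to record sound` comment should state what the device mounts alone do not provide, since that is the justification a reviewer needs for a privileged pod, and the feature should stay off by default as `prosody.recorder: false` in values.yaml does. `{{- with .Values.jibri.podSecurityContext }}` appends values keys as siblings of `privileged` and `capabilities`, so a user override can add fields but not drop `privileged`, and a user-supplied `capabilities` would produce a duplicate key; name the value `containerSecurityContext` or document that it is merged into the container, not the pod, context. `.Values.jibri.resources` is declared in values.yaml but never rendered here, so the privileged container runs without limits. The jibri `XMPP_SERVER` value is unquoted while jicofo's was just changed to `"localhost"` in the same hunk; pick one style.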
diff --git a/jitsi-meet/templates/service-jvb.yaml b/jitsi-meet/templates/service-jvb.yaml
deleted file mode 100644
index a3068b5..0000000
--- a/jitsi-meet/templates/service-jvb.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "jitsi-meet.name-jvb" . }}
- labels:
-{{ include "jitsi-meet.labels" . | indent 4 }}
- {{- with .Values.jvb.service.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- type: NodePort
- externalTrafficPolicy: Local
- sessionAffinity: {{ .Values.jvb.service.sessionAffinity }}
- {{ if .Values.jvb.service.sessionAffinityConfig }}
- {{- toYaml .Values.jvb.service.sessionAffinityConfig }}
- {{ end }}
- ports:
- - port: 30300
- protocol: UDP
- targetPort: video
- nodePort: 30300
- selector:
- app.kubernetes.io/name: {{ include "jitsi-meet.name-jvb" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/jitsi-meet/templates/service-web-jwt.yaml b/jitsi-meet/templates/service-web-jwt.yaml
new file mode 100644
index 0000000..ef3dfcd
--- /dev/null
+++ b/jitsi-meet/templates/service-web-jwt.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "jitsi-meet.name-web" . }}-jwt
+ labels:
+{{ include "jitsi-meet.labels" . | indent 4 }}
+spec:
+ type: {{ .Values.web.service.type }}
+ ports:
+ - port: 4180
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app.kubernetes.io/name: {{ include "jitsi-meet.name-web" . }}-jwt
+ app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/jitsi-meet/templates/tcp-routes.yaml b/jitsi-meet/templates/tcp-routes.yaml
deleted file mode 100644
index 8a92dc5..0000000
--- a/jitsi-meet/templates/tcp-routes.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-{{- if .Values.jvb.ingress.enabled -}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: tcp-services
- namespace: {{ .Values.serviceAccount.create }}
-data:
-{{ include "jitsi-meet.tcp-route-table-entry" . }}
-{{- end -}}
diff --git a/jitsi-meet/templates/udp-routes.yaml b/jitsi-meet/templates/udp-routes.yaml
deleted file mode 100644
index a6685b3..0000000
--- a/jitsi-meet/templates/udp-routes.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-{{- if .Values.jvb.ingress.enabled -}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: udp-services
- namespace: {{ .Values.serviceAccount.create }}
-data:
-{{ include "jitsi-meet.udp-route-table-entry" . }}
-{{- end -}}
diff --git a/jitsi-meet/templates/deployment-web.yaml b/jitsi-meet/templates/web-deployment.yaml
similarity index 86%
rename from jitsi-meet/templates/deployment-web.yaml
rename to jitsi-meet/templates/web-deployment.yaml
index d312df9..027436e 100644
--- a/jitsi-meet/templates/deployment-web.yaml
+++ b/jitsi-meet/templates/web-deployment.yaml
@@ -32,7 +32,7 @@ spec:
 env:
 - name: XMPP_SERVER
 value: {{ include "jitsi-meet.name-prosody" . }}
- {{ if .Values.jicofo.userAuth.enabled }}
+ {{- if .Values.jicofo.userAuth.enabled }}
 - name: JICOFO_AUTH_USER
 value: {{ .Values.jicofo.userAuth.name }}
 - name: JICOFO_AUTH_PASSWORD
@@ -40,7 +40,7 @@ spec:
 secretKeyRef:
 name: {{ include "jitsi-meet.name-jicofo-config" . }}
 key: JICOFO_AUTH_PASSWORD
- {{ end }}
+ {{- end }}
 {{- if .Values.jvb.userAuth.enabled }}
 - name: JVB_AUTH_USER
 value: {{ .Values.jvb.userAuth.name }}
@@ -50,12 +50,22 @@ spec:
 name: {{ template "jitsi-meet.name-jvb-config" . }}
 key: JVB_AUTH_PASSWORD
 {{- end }}
+ {{- if .Values.prosody.auth.enabled }}
+ - name: ENABLE_AUTH
+ value: "1"
+ - name: ENABLE_GUESTS
+ value: {{ .Values.prosody.auth.guest | quote }}
+ {{- end }}
 - name: XMPP_BOSH_URL_BASE
 value: "http://{{ include "jitsi-meet.name-prosody" . }}:5280"
 {{- range .Values.web.environment }}
 - name: {{ .name | quote }}
 value: {{ .value | quote }}
 {{- end }}
+ {{- range .Values.common.environment }}
+ - name: {{ .name | quote }}
+ value: {{ .value | quote }}
+ {{- end }}
 ports:
 - name: http
 containerPort: 80
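Review bot: In the @@ -50 hunk the web container receives ENABLE_AUTH and ENABLE_GUESTS but not AUTH_TYPE, while the prosody container in prosody-statefulset.yaml gets all three from the same `prosody.auth` values; if the web image needs the type to render its login flow, the two containers disagree and the mismatch only surfaces at runtime. Either add `- name: AUTH_TYPE` / `value: {{ .Values.prosody.auth.type | quote }}` inside the same `{{- if .Values.prosody.auth.enabled }}` block, or put a one-line comment on that `if` stating why the web side does not need it. The `env:` list this hunk extends begins outside the hunk, in the @@ -32 hunk above.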
diff --git a/jitsi-meet/templates/web-jwt-deployment.yaml b/jitsi-meet/templates/web-jwt-deployment.yaml
new file mode 100644
index 0000000..1c901b6
--- /dev/null
+++ b/jitsi-meet/templates/web-jwt-deployment.yaml
@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "jitsi-meet.name-web" . }}-jwt
+ labels:
+{{ include "jitsi-meet.labels" . | indent 4 }}
+spec:
+ replicas: {{ .Values.web.replicaCount }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "jitsi-meet.name-web" . }}-jwt
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "jitsi-meet.name-web" . }}-jwt
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ template "jitsi-meet.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ include "jitsi-meet.name-jwt-sidecar" . }}
+ image: quay.io/oauth2-proxy/oauth2-proxy:latest
+ imagePullPolicy: IfNotPresent
+ args:
+ - --http-address=0.0.0.0:4180
+ {{- range $key, $value := .Values.web.jwtsidecar.extraArgs }}
+ {{- if $value }}
+ - --{{ $key }}={{ $value }}
+ {{- else }}
+ - --{{ $key }}
+ {{- end }}
+ {{- end }}
+ ports:
+ - name: http
+ containerPort: 4180
+ protocol: TCP
+ resources:
+ {{- toYaml .Values.web.jwtsidecar.resources | nindent 12 }}
+ {{- with .Values.web.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.web.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.web.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/jitsi-meet/values.yaml b/jitsi-meet/values.yaml
index 05d63c2..4d470e6 100644
--- a/jitsi-meet/values.yaml
+++ b/jitsi-meet/values.yaml
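Review bot: `image: quay.io/oauth2-proxy/oauth2-proxy:latest` with `imagePullPolicy: IfNotPresent` hard-codes a floating tag for the authentication gateway, unlike every other container in the chart, which takes repository, tag and pullPolicy from values (the jibri block in prosody-statefulset.yaml is the nearest example); a mutable `latest` is unreproducible, and with IfNotPresent different nodes can end up running different proxy builds. Add an image block under `web.jwtsidecar` mirroring `jibri.image` and render it the same way, with a pinned tag (or digest) as the default. The `extraArgs` loop puts every value on the command line, so anything sensitive passed that way, such as the proxy's cookie or client secret, lands in the rendered manifest and in pod descriptions; those should come from a Secret through `env` with `secretKeyRef`, which oauth2-proxy reads as its `OAUTH2_PROXY_*` variables, leaving only non-sensitive flags in `extraArgs`. A comment on `extraArgs` in values.yaml, `# non-secret flags only; secrets go in a Secret and are passed as OAUTH2_PROXY_* env vars`, would make that rule visible where users edit it.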
@@ -5,6 +5,8 @@ image:
 pullSecrets: []
+webHost: jitsi.meet.local
+
 web:
 image:
 repository: jitsi/web
@@ -14,6 +16,9 @@ web:
 - name: ENABLE_LETSENCRYPT
 value: false
 replicaCount: 1
+ jwtsidecar:
+ extraArgs: {}
+ resources: {}
 hpa:
 enabled: false
 minReplicas: 1
@@ -30,6 +35,7 @@ web:
 annotations: []
 hosts:
 - host: jitsi.meet.local
+ oauth: false
 paths: []
 tls: []
 resources: {}
@@ -37,14 +43,24 @@ web:
 tolerations: []
 affinity: {}
+jibri:
+ image:
+ repository: jitsi/jibri
+ tag: latest
+ pullPolicy: Always
+ environment: []
+ resources: {}
+
 prosody:
+ auth:
+ enabled: true
+ guest: 0
+ type: internal
 image:
 repository: jitsi/prosody
 tag: latest
 pullPolicy: Always
- environment:
- - name: ENABLE_GUEST
- value: true
+ environment: []
 replicaCount: 1
 service:
 annotations: []
@@ -71,6 +87,7 @@ prosody:
 nodeSelector: {}
 tolerations: []
 affinity: {}
+ recorder: false
 jicofo: # jicofo is used as a sidecar container for every prosody instance
 image:
@@ -94,14 +111,16 @@ jvb:
 replicaCount: 1
 securityContext:
 fsGroup: 412
+ podSecurityContext:
+ capabilities:
+ add:
+ - SYS_RESOURCE
+ - NET_ADMIN
 service:
 annotations: []
 type: NodePort
 externalTrafficPolicy: Cluster
 sessionAffinity: None
- sessionAffinityConfig:
- clientIP:
- timeoutSeconds: 10800
 ingress:
 enabled: false
 resources: {}
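Review bot: In the @@ -94 hunk `jvb.podSecurityContext` holds a `capabilities` map, but `capabilities` is a container-level `securityContext` field, not a pod-level one; the jvb template is not in this diff, so either it renders this block under the pod's `securityContext` and the API server rejects the manifest, or it renders it at container level and the key name is misleading, which is the case for `jibri.podSecurityContext` in prosody-statefulset.yaml. Renaming both keys to `containerSecurityContext`, or adding `# merged into the container securityContext, not the pod's` above each, removes the ambiguity. `jibri.resources: {}` in the @@ -37 hunk is never rendered by the jibri container in this diff, and `prosody.auth.enabled: true` with `type: internal` turns authentication on by default, a behaviour change for existing installs that deserves a comment on the `auth:` block.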