jitsi: use vault jwt via csi

Brad Stein 2025-12-25 03:15:06 -03:00
parent fbe2490ef7
commit 5666eceec7
5 changed files with 61 additions and 28 deletions


@ -12,24 +12,10 @@ spec:
metadata: metadata:
labels: { app: jitsi-prosody } labels: { app: jitsi-prosody }
spec: spec:
serviceAccountName: jitsi
nodeSelector: nodeSelector:
kubernetes.io/hostname: titan-22 kubernetes.io/hostname: titan-22
kubernetes.io/arch: amd64 kubernetes.io/arch: amd64
initContainers:
- name: prosody-bootstrap-auth
image: jitsi/prosody:stable
command: ["/bin/sh","-c"]
args:
- |
set -eu
prosodyctl --config /config/prosody.cfg.lua register "${JITSI_AUTH_USER}" meet.jitsi "${JITSI_AUTH_PASSWORD}" || true
env:
- name: JITSI_AUTH_USER
valueFrom: { secretKeyRef: { name: jitsi-auth-user, key: username } }
- name: JITSI_AUTH_PASSWORD
valueFrom: { secretKeyRef: { name: jitsi-auth-user, key: password } }
volumeMounts:
- { name: cfg, mountPath: /config }
containers: containers:
- name: prosody - name: prosody
image: jitsi/prosody:stable image: jitsi/prosody:stable
@ -44,8 +30,13 @@ spec:
- { name: XMPP_INTERNAL_MUC_DOMAIN, value: "internal-muc.meet.jitsi" } - { name: XMPP_INTERNAL_MUC_DOMAIN, value: "internal-muc.meet.jitsi" }
- { name: ENABLE_AUTH, value: "1" } - { name: ENABLE_AUTH, value: "1" }
- { name: ENABLE_GUESTS, value: "1" } - { name: ENABLE_GUESTS, value: "1" }
- { name: AUTH_TYPE, value: "internal" } - { name: AUTH_TYPE, value: "jwt" }
- { name: XMPP_GUEST_DOMAIN, value: "guest.meet.jitsi" } - { name: XMPP_GUEST_DOMAIN, value: "guest.meet.jitsi" }
- { name: JWT_ACCEPTED_ISSUERS, value: "https://sso.bstein.dev/realms/atlas" }
- { name: JWT_ACCEPTED_AUDIENCES, value: "jitsi" }
- { name: JWT_APP_ID, value: "jitsi" }
- name: JWT_APP_SECRET
valueFrom: { secretKeyRef: { name: jitsi-jwt, key: app_secret } }
- { name: JICOFO_AUTH_USER, value: "focus" } - { name: JICOFO_AUTH_USER, value: "focus" }
- { name: JVB_AUTH_USER, value: "jvb" } - { name: JVB_AUTH_USER, value: "jvb" }
- name: JICOFO_AUTH_PASSWORD - name: JICOFO_AUTH_PASSWORD
@ -56,9 +47,16 @@ spec:
valueFrom: { secretKeyRef: { name: jitsi-internal-secrets, key: JVB_AUTH_PASSWORD } } valueFrom: { secretKeyRef: { name: jitsi-internal-secrets, key: JVB_AUTH_PASSWORD } }
volumeMounts: volumeMounts:
- { name: cfg, mountPath: /config } - { name: cfg, mountPath: /config }
- { name: jwt, mountPath: /var/lib/jitsi-jwt, readOnly: true }
volumes: volumes:
- name: cfg - name: cfg
persistentVolumeClaim: { claimName: jitsi-prosody-config } persistentVolumeClaim: { claimName: jitsi-prosody-config }
- name: jwt
csi:
driver: secrets-store.csi.x-k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: jitsi-jwt
--- ---
@ -75,6 +73,7 @@ spec:
metadata: metadata:
labels: { app: jitsi-jicofo } labels: { app: jitsi-jicofo }
spec: spec:
serviceAccountName: jitsi
nodeSelector: nodeSelector:
kubernetes.io/hostname: titan-22 kubernetes.io/hostname: titan-22
kubernetes.io/arch: amd64 kubernetes.io/arch: amd64
@ -89,7 +88,7 @@ spec:
- { name: XMPP_GUEST_DOMAIN, value: "guest.meet.jitsi" } - { name: XMPP_GUEST_DOMAIN, value: "guest.meet.jitsi" }
- { name: ENABLE_AUTH, value: "1" } - { name: ENABLE_AUTH, value: "1" }
- { name: ENABLE_GUESTS, value: "1" } - { name: ENABLE_GUESTS, value: "1" }
- { name: AUTH_TYPE, value: "internal" } - { name: AUTH_TYPE, value: "jwt" }
- { name: XMPP_SERVER, value: "jitsi-prosody.jitsi.svc.cluster.local" } - { name: XMPP_SERVER, value: "jitsi-prosody.jitsi.svc.cluster.local" }
- { name: JICOFO_AUTH_USER, value: "focus" } - { name: JICOFO_AUTH_USER, value: "focus" }
- name: JICOFO_AUTH_PASSWORD - name: JICOFO_AUTH_PASSWORD
@ -120,6 +119,7 @@ spec:
metadata: metadata:
labels: { app: jitsi-jvb } labels: { app: jitsi-jvb }
spec: spec:
serviceAccountName: jitsi
initContainers: initContainers:
- name: jvb-custom-config - name: jvb-custom-config
image: busybox:1.36 image: busybox:1.36
@ -163,6 +163,7 @@ spec:
- { name: JVB_ADVERTISE_IPS, value: "38.28.125.112,192.168.22.22" } - { name: JVB_ADVERTISE_IPS, value: "38.28.125.112,192.168.22.22" }
- { name: JVB_TCP_HARVESTER_DISABLED, value: "false" } - { name: JVB_TCP_HARVESTER_DISABLED, value: "false" }
- { name: JVB_TCP_PORT, value: "4443" } - { name: JVB_TCP_PORT, value: "4443" }
- { name: AUTH_TYPE, value: "jwt" }
- name: JVB_OPTS - name: JVB_OPTS
value: "-Dorg.jitsi.videobridge.DISABLE_TCP_HARVESTER=false -Dorg.ice4j.ice.harvest.DISABLE_TCP_HARVESTER=false -Dorg.jitsi.videobridge.TCP_HARVESTER_PORT=4443 -Dorg.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=4443" value: "-Dorg.jitsi.videobridge.DISABLE_TCP_HARVESTER=false -Dorg.ice4j.ice.harvest.DISABLE_TCP_HARVESTER=false -Dorg.jitsi.videobridge.TCP_HARVESTER_PORT=4443 -Dorg.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=4443"
volumeMounts: volumeMounts:
@ -189,6 +190,7 @@ spec:
metadata: metadata:
labels: { app: jitsi-web } labels: { app: jitsi-web }
spec: spec:
serviceAccountName: jitsi
nodeSelector: nodeSelector:
kubernetes.io/hostname: titan-22 kubernetes.io/hostname: titan-22
kubernetes.io/arch: amd64 kubernetes.io/arch: amd64
@ -206,12 +208,24 @@ spec:
- { name: XMPP_GUEST_DOMAIN, value: "guest.meet.jitsi" } - { name: XMPP_GUEST_DOMAIN, value: "guest.meet.jitsi" }
- { name: ENABLE_AUTH, value: "1" } - { name: ENABLE_AUTH, value: "1" }
- { name: ENABLE_GUESTS, value: "1" } - { name: ENABLE_GUESTS, value: "1" }
- { name: AUTH_TYPE, value: "internal" } - { name: AUTH_TYPE, value: "jwt" }
- { name: JWT_APP_ID, value: "jitsi" }
- { name: JWT_ACCEPTED_ISSUERS, value: "https://sso.bstein.dev/realms/atlas" }
- { name: JWT_ACCEPTED_AUDIENCES, value: "jitsi" }
- name: JWT_APP_SECRET
valueFrom: { secretKeyRef: { name: jitsi-jwt, key: app_secret } }
- { name: XMPP_BOSH_URL_BASE, value: "https://meet.bstein.dev" } - { name: XMPP_BOSH_URL_BASE, value: "https://meet.bstein.dev" }
- { name: ENABLE_XMPP_WEBSOCKET, value: "1" } - { name: ENABLE_XMPP_WEBSOCKET, value: "1" }
- { name: ENABLE_COLIBRI_WEBSOCKET, value: "1" } - { name: ENABLE_COLIBRI_WEBSOCKET, value: "1" }
volumeMounts: volumeMounts:
- { name: cfg, mountPath: /config } - { name: cfg, mountPath: /config }
- { name: jwt, mountPath: /var/lib/jitsi-jwt, readOnly: true }
volumes: volumes:
- name: cfg - name: cfg
persistentVolumeClaim: { claimName: jitsi-web-config } persistentVolumeClaim: { claimName: jitsi-web-config }
- name: jwt
csi:
driver: secrets-store.csi.x-k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: jitsi-jwt
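Review bot: All four pod specs now set `serviceAccountName: jitsi` (prosody, jicofo, jvb and web), but only prosody and web mount the Vault-backed `jwt` volume; because that ServiceAccount is the identity the Secrets Store CSI provider presents to Vault for role `jitsi-jwt`, jicofo and jvb can equally obtain the HS256 token-signing secret, and jvb is the internet-facing component (public address in `JVB_ADVERTISE_IPS`, TCP 4443). Keep `serviceAccountName: jitsi` on prosody and web only and give jicofo/jvb a separate account with no Vault role bound. Removing the `prosody-bootstrap-auth` init container also does not remove the `brad` account it registered into prosody's internal auth store on the `jitsi-prosody-config` PVC, and that account's password was committed in the deleted Secret and remains in git history; delete the user (`prosodyctl --config /config/prosody.cfg.lua deluser brad@meet.jitsi`) or rotate it, even though `AUTH_TYPE=jwt` presumably no longer consults that store. The `AUTH_TYPE: "jwt"` added to the jvb container has no effect I can see in the bridge itself and could be dropped, but that is cosmetic.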


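--- a/services/jitsi/kustomization.yaml
+++ b/services/jitsi/kustomization.yaml
@@ -3,7 +3,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - namespace.yaml
-  - secret-auth-user.yaml
+  - serviceaccount.yaml
+  - secretproviderclass.yaml
   - deployment.yaml
   - service.yaml
   - pvc.yaml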


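--- a/services/jitsi/secret-auth-user.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-# services/jitsi/secret-auth-user.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: jitsi-auth-user
-  namespace: jitsi
-stringData:
-  username: brad
-  password: qvUqX5foh2zyM0th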


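--- /dev/null
+++ b/services/jitsi/secretproviderclass.yaml
@@ -0,0 +1,21 @@
+# services/jitsi/secretproviderclass.yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: jitsi-jwt
+  namespace: jitsi
+spec:
+  provider: vault
+  parameters:
+    vaultAddress: "http://vault.vault.svc.cluster.local:8200"
+    roleName: jitsi-jwt
+    objects: |
+      - objectName: "jwt"
+        secretPath: "kv/data/jitsi/jwt-hs256"
+        secretKey: "app_secret"
+  secretObjects:
+    - secretName: jitsi-jwt
+      type: Opaque
+      data:
+        - objectName: "jwt"
+          key: app_secret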
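Review bot: `vaultAddress` is plain `http://`, so the CSI provider sends the ServiceAccount token to Vault and Vault returns the HS256 signing secret unencrypted on the cluster network; if Vault has a TLS listener, change it to `vaultAddress: "https://vault.vault.svc.cluster.local:8200"` and pin the CA with `vaultCACertPath` (plus `vaultTLSServerName` if the cert name differs). Note also that `secretObjects` mirrors the value into the Kubernetes Secret `jitsi-jwt`, which is what the deployment actually consumes via `secretKeyRef`, so the signing key still lives in etcd and is readable by anyone with `get` on secrets in the `jitsi` namespace — the CSI mount is then only a sync trigger. Either have the containers read `/var/lib/jitsi-jwt/jwt` and drop `secretObjects`, or accept that the etcd copy is the real boundary; in the latter case add a comment above `secretObjects` such as `# synced to Secret jitsi-jwt; the jwt volume must stay mounted in a running pod for the sync to persist`, since that coupling is not obvious from the deployment.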


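--- /dev/null
+++ b/services/jitsi/serviceaccount.yaml
@@ -0,0 +1,6 @@
+# services/jitsi/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: jitsi
+  namespace: jitsi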
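Review bot: This ServiceAccount is now a Vault identity (it is what `roleName: jitsi-jwt` authenticates), yet none of the Jitsi containers call the Kubernetes API, so the auto-mounted token under `/var/run/secrets/kubernetes.io/serviceaccount` in every pod is pure exposure; add `automountServiceAccountToken: false` at the top level of this manifest. As far as I can tell the Secrets Store CSI driver obtains the token it hands to the Vault provider through its own `tokenRequests` setting on the CSIDriver object rather than from the pod's mounted token, but confirm that in your driver install before relying on it. On the Vault side, make sure the `jitsi-jwt` role pins `bound_service_account_names=jitsi` and `bound_service_account_namespaces=jitsi` rather than wildcards, and note that in a comment here so the coupling is visible.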