communication: render LiveKit TURN creds

2026-01-01 11:31:39 -03:00 · 2026-01-01 11:31:39 -03:00 · beb975182a
commit beb975182a
parent 5c59640bf5
2 changed files with 35 additions and 23 deletions
--- a/services/communication/livekit-config.yaml
+++ b/services/communication/livekit-config.yaml
@ -14,11 +14,17 @@ data:
        - host: turn.live.bstein.dev
          port: 5349
          protocol: tls
+          username: livekit
+          credential: "@@TURN_PASSWORD@@"
        - host: turn.live.bstein.dev
          port: 3478
          protocol: tcp
+          username: livekit
+          credential: "@@TURN_PASSWORD@@"
        - host: turn.live.bstein.dev
          port: 3478
          protocol: udp
+          username: livekit
+          credential: "@@TURN_PASSWORD@@"
    room:
      auto_create: false
--- a/services/communication/livekit.yaml
+++ b/services/communication/livekit.yaml
@ -13,7 +13,7 @@ spec:
  template:
    metadata:
      annotations:
-        checksum/config: livekit-config-v4
+        checksum/config: livekit-config-v5
      labels:
        app: livekit
    spec:
@ -29,6 +29,30 @@ spec:
                  - key: hardware
                    operator: In
                    values: ["rpi5","rpi4"]
+      initContainers:
+        - name: render-config
+          image: alpine:3.20
+          command: ["/bin/sh","-c"]
+          args:
+            - |
+              set -euo pipefail
+              umask 077
+              TURN_PASSWORD_ESCAPED="$(printf '%s' "${TURN_PASSWORD}" | sed 's/[\\/&]/\\&/g')"
+              sed "s/@@TURN_PASSWORD@@/${TURN_PASSWORD_ESCAPED}/g" /etc/livekit-template/livekit.yaml > /etc/livekit/livekit.yaml
+              chmod 0644 /etc/livekit/livekit.yaml
+          env:
+            - name: TURN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: turn-shared-secret
+                  key: TURN_STATIC_AUTH_SECRET
+          volumeMounts:
+            - name: config-template
+              mountPath: /etc/livekit-template
+              readOnly: true
+            - name: config
+              mountPath: /etc/livekit
+              readOnly: false
      containers:
        - name: livekit
          image: livekit/livekit-server:v1.9.0
@ -49,27 +73,6 @@ spec:
                secretKeyRef:
                  name: livekit-api
                  key: primary
-            - name: LIVEKIT_RTC__TURN_SERVERS_0__USERNAME
-              value: livekit
-            - name: LIVEKIT_RTC__TURN_SERVERS_0__CREDENTIAL
-              valueFrom:
-                secretKeyRef:
-                  name: turn-shared-secret
-                  key: TURN_STATIC_AUTH_SECRET
-            - name: LIVEKIT_RTC__TURN_SERVERS_1__USERNAME
-              value: livekit
-            - name: LIVEKIT_RTC__TURN_SERVERS_1__CREDENTIAL
-              valueFrom:
-                secretKeyRef:
-                  name: turn-shared-secret
-                  key: TURN_STATIC_AUTH_SECRET
-            - name: LIVEKIT_RTC__TURN_SERVERS_2__USERNAME
-              value: livekit
-            - name: LIVEKIT_RTC__TURN_SERVERS_2__CREDENTIAL
-              valueFrom:
-                secretKeyRef:
-                  name: turn-shared-secret
-                  key: TURN_STATIC_AUTH_SECRET
          ports:
            - containerPort: 7880
              name: http
@ -86,6 +89,7 @@ spec:
          volumeMounts:
            - name: config
              mountPath: /etc/livekit
+              readOnly: true
            - name: runtime-keys
              mountPath: /var/run/livekit
          resources:
@ -96,12 +100,14 @@ spec:
              cpu: "2"
              memory: 1Gi
      volumes:
-        - name: config
+        - name: config-template
          configMap:
            name: livekit-config
            items:
              - key: livekit.yaml
                path: livekit.yaml
+        - name: config
+          emptyDir: {}
        - name: runtime-keys
          emptyDir: {}
 ---