jitsi: require auth to start rooms; vault ui default oidc

2025-12-24 20:11:29 -03:00 · 2025-12-24 20:11:29 -03:00 · cf2e4c8bb2
commit cf2e4c8bb2
parent bbe4fb2cff
4 changed files with 32 additions and 1 deletions
--- a/services/jitsi/deployment.yaml
+++ b/services/jitsi/deployment.yaml
@ -15,6 +15,21 @@ spec:
      nodeSelector:
        kubernetes.io/hostname: titan-22
        kubernetes.io/arch: amd64
+      initContainers:
+        - name: prosody-bootstrap-auth
+          image: jitsi/prosody:stable
+          command: ["/bin/sh","-c"]
+          args:
+            - |
+              set -euo pipefail
+              prosodyctl --config /config/prosody.cfg.lua register "${JITSI_AUTH_USER}" meet.jitsi "${JITSI_AUTH_PASSWORD}" || true
+          env:
+            - name: JITSI_AUTH_USER
+              valueFrom: { secretKeyRef: { name: jitsi-auth-user, key: username } }
+            - name: JITSI_AUTH_PASSWORD
+              valueFrom: { secretKeyRef: { name: jitsi-auth-user, key: password } }
+          volumeMounts:
+            - { name: cfg, mountPath: /config }
      containers:
        - name: prosody
          image: jitsi/prosody:stable
@ -27,8 +42,10 @@ spec:
            - { name: XMPP_AUTH_DOMAIN, value: "auth.meet.jitsi" }
            - { name: XMPP_MUC_DOMAIN, value: "muc.meet.jitsi" }
            - { name: XMPP_INTERNAL_MUC_DOMAIN, value: "internal-muc.meet.jitsi" }
-            - { name: ENABLE_AUTH, value: "0" }     # open instance, no auth (fastest path)
+            - { name: ENABLE_AUTH, value: "1" }
            - { name: ENABLE_GUESTS, value: "1" }
+            - { name: AUTH_TYPE, value: "internal" }
+            - { name: XMPP_GUEST_DOMAIN, value: "guest.meet.jitsi" }
            - { name: JICOFO_AUTH_USER, value: "focus" }
            - { name: JVB_AUTH_USER, value: "jvb" }
            - name: JICOFO_AUTH_PASSWORD
@ -181,6 +198,7 @@ spec:
            - { name: XMPP_AUTH_DOMAIN, value: "auth.meet.jitsi" }
            - { name: XMPP_MUC_DOMAIN, value: "muc.meet.jitsi" }
            - { name: XMPP_INTERNAL_MUC_DOMAIN, value: "internal-muc.meet.jitsi" }
+            - { name: XMPP_GUEST_DOMAIN, value: "guest.meet.jitsi" }
            - { name: XMPP_BOSH_URL_BASE, value: "https://meet.bstein.dev" }
            - { name: ENABLE_XMPP_WEBSOCKET, value: "1" }
            - { name: ENABLE_COLIBRI_WEBSOCKET, value: "1" }
--- a/services/jitsi/kustomization.yaml
+++ b/services/jitsi/kustomization.yaml
@ -3,6 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
+  - secret-auth-user.yaml
  - deployment.yaml
  - service.yaml
  - pvc.yaml
--- a/services/jitsi/secret-auth-user.yaml
+++ b/services/jitsi/secret-auth-user.yaml
@ -0,0 +1,9 @@
+# services/jitsi/secret-auth-user.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: jitsi-auth-user
+  namespace: jitsi
+stringData:
+  username: brad
+  password: qvUqX5foh2zyM0th
--- a/services/vault/configmap.yaml
+++ b/services/vault/configmap.yaml
@ -9,6 +9,9 @@ data:
    ui = true
    cluster_name = "vault-k8s"
    disable_mlock = true
+    ui {
+      default_auth_method = "oidc"
+    }

    listener "tcp" {
      address         = "0.0.0.0:8200"