From cf2e4c8bb232c0e9a6850ca97930a33ad2574264 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Wed, 24 Dec 2025 20:11:29 -0300
Subject: [PATCH] jitsi: require auth to start rooms; vault ui default oidc
---
 services/jitsi/deployment.yaml | 20 +++++++++++++++++++-
 services/jitsi/kustomization.yaml | 1 +
 services/jitsi/secret-auth-user.yaml | 9 +++++++++
 services/vault/configmap.yaml | 3 +++
 4 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 services/jitsi/secret-auth-user.yaml
diff --git a/services/jitsi/deployment.yaml b/services/jitsi/deployment.yaml
index 680ec8d..7476caf 100644
--- a/services/jitsi/deployment.yaml
+++ b/services/jitsi/deployment.yaml
@@ -15,6 +15,21 @@ spec:
 nodeSelector:
 kubernetes.io/hostname: titan-22
 kubernetes.io/arch: amd64
+ initContainers:
+ - name: prosody-bootstrap-auth
+ image: jitsi/prosody:stable
+ command: ["/bin/sh","-c"]
+ args:
+ - |
+ set -euo pipefail
+ prosodyctl --config /config/prosody.cfg.lua register "${JITSI_AUTH_USER}" meet.jitsi "${JITSI_AUTH_PASSWORD}" || true
+ env:
+ - name: JITSI_AUTH_USER
+ valueFrom: { secretKeyRef: { name: jitsi-auth-user, key: username } }
+ - name: JITSI_AUTH_PASSWORD
+ valueFrom: { secretKeyRef: { name: jitsi-auth-user, key: password } }
+ volumeMounts:
+ - { name: cfg, mountPath: /config }
 containers:
 - name: prosody
 image: jitsi/prosody:stable
@@ -27,8 +42,10 @@ spec:
 - { name: XMPP_AUTH_DOMAIN, value: "auth.meet.jitsi" }
 - { name: XMPP_MUC_DOMAIN, value: "muc.meet.jitsi" }
 - { name: XMPP_INTERNAL_MUC_DOMAIN, value: "internal-muc.meet.jitsi" }
- - { name: ENABLE_AUTH, value: "0" } # open instance, no auth (fastest path)
+ - { name: ENABLE_AUTH, value: "1" }
 - { name: ENABLE_GUESTS, value: "1" }
+ - { name: AUTH_TYPE, value: "internal" }
+ - { name: XMPP_GUEST_DOMAIN, value: "guest.meet.jitsi" }
 - { name: JICOFO_AUTH_USER, value: "focus" }
 - { name: JVB_AUTH_USER, value: "jvb" }
 - name: JICOFO_AUTH_PASSWORD
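Review bot: The `|| true` on the `prosodyctl register` line masks every failure, so the init container reports success whether the account was created, already existed, or the command failed outright — and since this same commit sets `ENABLE_AUTH=1`, a silently missing account means nobody can open a room and the only symptom is a login failure. Two further problems look likely from the visible lines and are worth confirming against the image: `set -euo pipefail` under `/bin/sh` is not POSIX (on a Debian-based image `/bin/sh` is dash, which rejects `-o pipefail` and exits before `register` runs), and `/config/prosody.cfg.lua` is, in the upstream docker-jitsi-meet image, rendered by the prosody container's entrypoint, so on a fresh `cfg` volume this init container runs before the config exists — if that holds, the registration belongs after prosody starts (a `postStart` hook or one-shot Job) rather than in an init container. Note also that the password is passed as a command-line argument, so it is readable from `/proc` by anything else in the pod for the life of the container. Whichever placement is chosen, keep `set -eu`, fail loudly when the config is absent, and tolerate only the already-exists case (match the message prosodyctl actually prints):
```yaml
      command: ["/bin/sh", "-c"]
      args:
        - |
          set -eu
          cfg=/config/prosody.cfg.lua
          # rendered by the prosody entrypoint; absent means the volume is not bootstrapped yet
          test -f "$cfg" || { echo "prosody config $cfg not found" >&2; exit 1; }
          if ! out=$(prosodyctl --config "$cfg" register "$JITSI_AUTH_USER" meet.jitsi "$JITSI_AUTH_PASSWORD" 2>&1); then
            case "$out" in
              *"already exists"*) ;;  # idempotent re-run
              *) echo "$out" >&2; exit 1 ;;
            esac
          fi
      # … unchanged: env, volumeMounts …
```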
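Review bot: `ENABLE_AUTH=1` and `AUTH_TYPE=internal` are set only on the prosody container in this hunk; in the upstream docker-jitsi-meet layout jicofo needs the same two variables before it refuses room creation to unauthenticated users (and web needs them to show the login dialog), and neither container's env is visible here, so please confirm they are set or the new gate is prosody-only. `ENABLE_GUESTS=1` together with `XMPP_GUEST_DOMAIN` keeps anonymous joins to already-open rooms possible, which is presumably intended but is exactly the posture decision the removed inline comment used to document — restore one on the new line, e.g. `# authenticated (internal) user required to create a room; guests on guest.meet.jitsi may only join existing rooms`. Both `prosody` and the new init container pull the mutable `jitsi/prosody:stable` tag; pinning a digest is worth doing now that the image is also trusted to provision credentials.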
@@ -181,6 +198,7 @@ spec:
 - { name: XMPP_AUTH_DOMAIN, value: "auth.meet.jitsi" }
 - { name: XMPP_MUC_DOMAIN, value: "muc.meet.jitsi" }
 - { name: XMPP_INTERNAL_MUC_DOMAIN, value: "internal-muc.meet.jitsi" }
+ - { name: XMPP_GUEST_DOMAIN, value: "guest.meet.jitsi" }
 - { name: XMPP_BOSH_URL_BASE, value: "https://meet.bstein.dev" }
 - { name: ENABLE_XMPP_WEBSOCKET, value: "1" }
 - { name: ENABLE_COLIBRI_WEBSOCKET, value: "1" }
diff --git a/services/jitsi/kustomization.yaml b/services/jitsi/kustomization.yaml
index c0f5ebb..117ef5e 100644
--- a/services/jitsi/kustomization.yaml
+++ b/services/jitsi/kustomization.yaml
@@ -3,6 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - namespace.yaml
+ - secret-auth-user.yaml
 - deployment.yaml
 - service.yaml
 - pvc.yaml
diff --git a/services/jitsi/secret-auth-user.yaml b/services/jitsi/secret-auth-user.yaml
new file mode 100644
index 0000000..2a2949e
--- /dev/null
+++ b/services/jitsi/secret-auth-user.yaml
@@ -0,0 +1,9 @@
+# services/jitsi/secret-auth-user.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: jitsi-auth-user
+ namespace: jitsi
+stringData:
+ username: brad
+ password: qvUqX5foh2zyM0th
diff --git a/services/vault/configmap.yaml b/services/vault/configmap.yaml
index d4ffdb5..56beb4b 100644
--- a/services/vault/configmap.yaml
+++ b/services/vault/configmap.yaml
@@ -9,6 +9,9 @@ data:
 ui = true
 cluster_name = "vault-k8s"
 disable_mlock = true
+ ui {
+ default_auth_method = "oidc"
+ }
 listener "tcp" {
 address = "0.0.0.0:8200"
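Review bot: `password: qvUqX5foh2zyM0th` in the new secret-auth-user.yaml commits a live credential in plaintext, and because this patch makes that account the gate for opening rooms, anyone with read access to the repository or its history now holds the moderator login; a Kubernetes `Secret` manifest in git is not a secret store, and base64 in etcd is encoding, not encryption. Treat the value as compromised and rotate it once a different path is in place, since deleting or rewriting the file later will not remove it from history. Keep only ciphertext or a reference in the repo — a kustomize `secretGenerator` reading a gitignored `envs` file, or SealedSecrets/ExternalSecrets/SOPS-encrypted manifests — and point the `resources` entry this commit adds to kustomization.yaml at that generator or sealed object instead of this file. The `# services/jitsi/secret-auth-user.yaml` header comment should then state where the real value lives, e.g. `# values are supplied out-of-band (sealed/external secret); never commit plaintext here`.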