clusters/atlas/flux-system/platform/kustomization.yaml

@@ -8,4 +8,3 @@ resources:
   - gitops-ui/kustomization.yaml
   - monitoring/kustomization.yaml
   - longhorn-ui/kustomization.yaml
-  - ../platform/vault-csi/kustomization.yaml

clusters/atlas/flux-system/platform/vault-csi/kustomization.yaml

@@ -1,16 +0,0 @@
-# clusters/atlas/flux-system/platform/vault-csi/kustomization.yaml
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: vault-csi
-  namespace: flux-system
-spec:
-  interval: 30m
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-    namespace: flux-system
-  path: ./infrastructure/vault-csi
-  prune: true
-  wait: true
-  targetNamespace: kube-system

infrastructure/sources/helm/kustomization.yaml

@@ -10,4 +10,3 @@ resources:
   - harbor.yaml
   - prometheus.yaml
   - victoria-metrics.yaml
-  - secrets-store-csi.yaml

infrastructure/sources/helm/secrets-store-csi.yaml

@@ -1,9 +0,0 @@
-# infrastructure/sources/helm/secrets-store-csi.yaml
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: secrets-store-csi-driver
-  namespace: flux-system
-spec:
-  interval: 1h
-  url: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts

infrastructure/vault-csi/kustomization.yaml

@@ -1,7 +0,0 @@
-# infrastructure/vault-csi/kustomization.yaml
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: kube-system
-resources:
-  - secrets-store-csi-driver.yaml
-  - vault-csi-provider.yaml

infrastructure/vault-csi/secrets-store-csi-driver.yaml

@@ -1,20 +0,0 @@
-# infrastructure/vault-csi/secrets-store-csi-driver.yaml
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: secrets-store-csi-driver
-  namespace: kube-system
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: secrets-store-csi-driver
-      version: "~1.3.0"
-      sourceRef:
-        kind: HelmRepository
-        name: secrets-store-csi-driver
-        namespace: flux-system
-  values:
-    syncSecret:
-      enabled: true
-    enableSecretRotation: false

infrastructure/vault-csi/vault-csi-provider.yaml

@@ -1,17 +0,0 @@
-# infrastructure/vault-csi/vault-csi-provider.yaml
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: vault-csi-provider
-  namespace: kube-system
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: vault-csi-provider
-      version: "~1.1.0"
-      sourceRef:
-        kind: HelmRepository
-        name: hashicorp
-        namespace: flux-system
-  values: {}

services/jitsi/deployment.yaml

@@ -12,10 +12,24 @@ spec:
     metadata:
       labels: { app: jitsi-prosody }
     spec:
-      serviceAccountName: jitsi
       nodeSelector:
         kubernetes.io/hostname: titan-22
         kubernetes.io/arch: amd64
+      initContainers:
+        - name: prosody-bootstrap-auth
+          image: jitsi/prosody:stable
+          command: ["/bin/sh","-c"]
+          args:
+            - |
+              set -eu
+              prosodyctl --config /config/prosody.cfg.lua register "${JITSI_AUTH_USER}" meet.jitsi "${JITSI_AUTH_PASSWORD}" || true
+          env:
+            - name: JITSI_AUTH_USER
+              valueFrom: { secretKeyRef: { name: jitsi-auth-user, key: username } }
+            - name: JITSI_AUTH_PASSWORD
+              valueFrom: { secretKeyRef: { name: jitsi-auth-user, key: password } }
+          volumeMounts:
+            - { name: cfg, mountPath: /config }
       containers:
         - name: prosody
           image: jitsi/prosody:stable
@@ -30,13 +44,8 @@ spec:
             - { name: XMPP_INTERNAL_MUC_DOMAIN, value: "internal-muc.meet.jitsi" }
             - { name: ENABLE_AUTH, value: "1" }
             - { name: ENABLE_GUESTS, value: "1" }
-            - { name: AUTH_TYPE, value: "jwt" }
+            - { name: AUTH_TYPE, value: "internal" }
             - { name: XMPP_GUEST_DOMAIN, value: "guest.meet.jitsi" }
-            - { name: JWT_ACCEPTED_ISSUERS, value: "https://sso.bstein.dev/realms/atlas" }
-            - { name: JWT_ACCEPTED_AUDIENCES, value: "jitsi" }
-            - { name: JWT_APP_ID, value: "jitsi" }
-            - name: JWT_APP_SECRET
-              valueFrom: { secretKeyRef: { name: jitsi-jwt, key: app_secret } }
             - { name: JICOFO_AUTH_USER, value: "focus" }
             - { name: JVB_AUTH_USER, value: "jvb" }
             - name: JICOFO_AUTH_PASSWORD
@@ -47,16 +56,9 @@ spec:
               valueFrom: { secretKeyRef: { name: jitsi-internal-secrets, key: JVB_AUTH_PASSWORD } }
           volumeMounts:
             - { name: cfg, mountPath: /config }
-            - { name: jwt, mountPath: /var/lib/jitsi-jwt, readOnly: true }
       volumes:
         - name: cfg
           persistentVolumeClaim: { claimName: jitsi-prosody-config }
-        - name: jwt
-          csi:
-            driver: secrets-store.csi.x-k8s.io
-            readOnly: true
-            volumeAttributes:
-              secretProviderClass: jitsi-jwt
 
 ---
 
@@ -73,7 +75,6 @@ spec:
     metadata:
       labels: { app: jitsi-jicofo }
     spec:
-      serviceAccountName: jitsi
       nodeSelector:
         kubernetes.io/hostname: titan-22
         kubernetes.io/arch: amd64
@@ -88,7 +89,7 @@ spec:
             - { name: XMPP_GUEST_DOMAIN, value: "guest.meet.jitsi" }
             - { name: ENABLE_AUTH, value: "1" }
             - { name: ENABLE_GUESTS, value: "1" }
-            - { name: AUTH_TYPE, value: "jwt" }
+            - { name: AUTH_TYPE, value: "internal" }
             - { name: XMPP_SERVER, value: "jitsi-prosody.jitsi.svc.cluster.local" }
             - { name: JICOFO_AUTH_USER, value: "focus" }
             - name: JICOFO_AUTH_PASSWORD
@@ -119,7 +120,6 @@ spec:
     metadata:
       labels: { app: jitsi-jvb }
     spec:
-      serviceAccountName: jitsi
       initContainers:
         - name: jvb-custom-config
           image: busybox:1.36
@@ -163,7 +163,6 @@ spec:
             - { name: JVB_ADVERTISE_IPS, value: "38.28.125.112,192.168.22.22" }
             - { name: JVB_TCP_HARVESTER_DISABLED, value: "false" }
             - { name: JVB_TCP_PORT, value: "4443" }
-            - { name: AUTH_TYPE, value: "jwt" }
             - name: JVB_OPTS
               value: "-Dorg.jitsi.videobridge.DISABLE_TCP_HARVESTER=false -Dorg.ice4j.ice.harvest.DISABLE_TCP_HARVESTER=false -Dorg.jitsi.videobridge.TCP_HARVESTER_PORT=4443 -Dorg.jitsi.videobridge.TCP_HARVESTER_MAPPED_PORT=4443"
           volumeMounts:
@@ -190,7 +189,6 @@ spec:
     metadata:
       labels: { app: jitsi-web }
     spec:
-      serviceAccountName: jitsi
       nodeSelector:
         kubernetes.io/hostname: titan-22
         kubernetes.io/arch: amd64
@@ -208,24 +206,12 @@ spec:
             - { name: XMPP_GUEST_DOMAIN, value: "guest.meet.jitsi" }
             - { name: ENABLE_AUTH, value: "1" }
             - { name: ENABLE_GUESTS, value: "1" }
-            - { name: AUTH_TYPE, value: "jwt" }
+            - { name: AUTH_TYPE, value: "internal" }
-            - { name: JWT_APP_ID, value: "jitsi" }
-            - { name: JWT_ACCEPTED_ISSUERS, value: "https://sso.bstein.dev/realms/atlas" }
-            - { name: JWT_ACCEPTED_AUDIENCES, value: "jitsi" }
-            - name: JWT_APP_SECRET
-              valueFrom: { secretKeyRef: { name: jitsi-jwt, key: app_secret } }
             - { name: XMPP_BOSH_URL_BASE, value: "https://meet.bstein.dev" }
             - { name: ENABLE_XMPP_WEBSOCKET, value: "1" }
             - { name: ENABLE_COLIBRI_WEBSOCKET, value: "1" }
           volumeMounts:
             - { name: cfg, mountPath: /config }
-            - { name: jwt, mountPath: /var/lib/jitsi-jwt, readOnly: true }
       volumes:
         - name: cfg
           persistentVolumeClaim: { claimName: jitsi-web-config }
-        - name: jwt
-          csi:
-            driver: secrets-store.csi.x-k8s.io
-            readOnly: true
-            volumeAttributes:
-              secretProviderClass: jitsi-jwt

services/jitsi/kustomization.yaml

@@ -3,8 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - namespace.yaml
-  - serviceaccount.yaml
+  - secret-auth-user.yaml
-  - secretproviderclass.yaml
   - deployment.yaml
   - service.yaml
   - pvc.yaml

services/jitsi/secret-auth-user.yaml

@@ -0,0 +1,9 @@
+# services/jitsi/secret-auth-user.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: jitsi-auth-user
+  namespace: jitsi
+stringData:
+  username: brad
+  password: qvUqX5foh2zyM0th

services/jitsi/secretproviderclass.yaml

@@ -1,21 +0,0 @@
-# services/jitsi/secretproviderclass.yaml
-apiVersion: secrets-store.csi.x-k8s.io/v1
-kind: SecretProviderClass
-metadata:
-  name: jitsi-jwt
-  namespace: jitsi
-spec:
-  provider: vault
-  parameters:
-    vaultAddress: "http://vault.vault.svc.cluster.local:8200"
-    roleName: jitsi-jwt
-    objects: |
-      - objectName: "jwt"
-        secretPath: "kv/data/jitsi/jwt-hs256"
-        secretKey: "app_secret"
-  secretObjects:
-    - secretName: jitsi-jwt
-      type: Opaque
-      data:
-        - objectName: "jwt"
-          key: app_secret

services/jitsi/serviceaccount.yaml

@@ -1,6 +0,0 @@
-# services/jitsi/serviceaccount.yaml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: jitsi
-  namespace: jitsi