Add user verification service support
benbz committed Jun 30, 2023
1 parent b6d4a0d commit f9889e3
Showing 10 changed files with 250 additions and 34 deletions.
2 changes: 1 addition & 1 deletion Chart.yaml
@@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.6.4
version: 0.7.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
67 changes: 34 additions & 33 deletions README.md
@@ -54,39 +54,40 @@ helm delete --purge jitsi

The following table lists the configurable parameters of the Jitsi Meet chart and their default values.

| Parameter | Description | Default |
|------------------------------------|---------------------------------------------------------|-------------------|
| `shardCount` | Number of shards | `2` |
| `haproxy.image` | Docker image | `haproxy:2.1` |
| `ingress.enabled` | Enable ingress | `true` |
| `ingress.hosts` | List of hosts in this ingress | empty |
| `ingress.class ` | Which ingressClassName to use | empty |
| `ingress.tls.enabled` | Enable TLS for ingress | `true` |
| `ingress.tls.secretName` | Name of the secret storing the TLS certificate and key | `jitsi-tls` |
| `ingress.extraPaths ` | Extra paths to add to the ingress | `[]` |
| `jicofo.image` | Jicofo docker image | `jitsi/jicofo` |
| `jicofo.imagePullPolicy` | Jicofo image pull policy | `Always` |
| `jicofo.extraEnvs` | Jicofo extra environment variables | `[]` |
| `jvb.image` | JVB docker image | `jitsi/jvb` |
| `jvb.image.imagePullPolicy` | JVB image pull policy | `Always` |
| `jvb.replicas` | JVB replica count | `1` |
| `jvb.monitoringEnable` | JVB exporter container | `true` |
| `jvb.hostPort` | JVB hostPort | empty |
| `jvb.nodeportPrefix` | JVB Node port prefix | `30` |
| `jvb.extraEnvs` | JVB extra environment variables | `[]` |
| `prosody.image` | Prosody docker image | `jitsi/prosody` |
| `prosody.image.imagePullPolicy` | Prosody image pull policy | `Always` |
| `prosody.extraEnvs` | Extra env var for prosody deployment | `[]` |
| `prosody.extraVolumes` | Additionnal volumes to the prosody deployment | `[]` |
| `prosody.extraVolumeMounts` | Additional volume mounts to the prosody deployment | `[]` |
| `prosody.globalModules` | Additional global modules to enable on prosody | `[]` |
| `prosody.globalConfig` | Additional global config parameters on prosody | `[]` |
| `web.image` | Web docker image | `jitsi/web` |
| `web.image.imagePullPolicy` | Web image pull policy | `Always` |
| `web.extraEnvs` | Extra env var for web deployment | `[]` |
| `web.extraVolumes` | Additionnal volumes to the web deployment | `[]` |
| `web.extraVolumeMounts` | Additional volume mounts to the web deployment | `[]` |
| `watermark` | Watermark logo | `true` |
| Parameter | Description | Default |
|------------------------------------|----------------------------------------------------------------|-------------------|
| `shardCount` | Number of shards | `2` |
| `haproxy.image` | Docker image | `haproxy:2.1` |
| `ingress.enabled` | Enable ingress | `true` |
| `ingress.hosts` | List of hosts in this ingress | empty |
| `ingress.class ` | Which ingressClassName to use | empty |
| `ingress.tls.enabled` | Enable TLS for ingress | `true` |
| `ingress.tls.secretName` | Name of the secret storing the TLS certificate and key | `jitsi-tls` |
| `ingress.extraPaths ` | Extra paths to add to the ingress | `[]` |
| `jicofo.image` | Jicofo docker image | `jitsi/jicofo` |
| `jicofo.imagePullPolicy` | Jicofo image pull policy | `Always` |
| `jicofo.extraEnvs` | Jicofo extra environment variables | `[]` |
| `jvb.image` | JVB docker image | `jitsi/jvb` |
| `jvb.image.imagePullPolicy` | JVB image pull policy | `Always` |
| `jvb.replicas` | JVB replica count | `1` |
| `jvb.monitoringEnable` | JVB exporter container | `true` |
| `jvb.hostPort` | JVB hostPort | empty |
| `jvb.nodeportPrefix` | JVB Node port prefix | `30` |
| `jvb.extraEnvs` | JVB extra environment variables | `[]` |
| `prosody.image` | Prosody docker image | `jitsi/prosody` |
| `prosody.image.imagePullPolicy` | Prosody image pull policy | `Always` |
| `prosody.extraEnvs` | Extra env var for prosody deployment | `[]` |
| `prosody.extraVolumes` | Additionnal volumes to the prosody deployment | `[]` |
| `prosody.extraVolumeMounts` | Additional volume mounts to the prosody deployment | `[]` |
| `prosody.globalModules` | Additional global modules to enable on prosody | `[]` |
| `prosody.globalConfig` | Additional global config parameters on prosody | `[]` |
| `uvs.enable` | Whether the Matrix User Verification Service should be enabled | `false` |
| `web.image` | Web docker image | `jitsi/web` |
| `web.image.imagePullPolicy` | Web image pull policy | `Always` |
| `web.extraEnvs` | Extra env var for web deployment | `[]` |
| `web.extraVolumes` | Additionnal volumes to the web deployment | `[]` |
| `web.extraVolumeMounts` | Additional volume mounts to the web deployment | `[]` |
| `watermark` | Watermark logo | `true` |

## Running two jitsi instances inside the same cluster
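Review bot: the table gains only the `uvs.enable` row, yet enabling UVS also requires `uvs.homeserverUrl` (rendered into `UVS_HOMESERVER_URL`), `uvs.secrets.AUTH_TOKEN`, and either `uvs.secrets.ACCESS_TOKEN` or `uvs.secrets.accessTokenSecretName`, and `uvs.canQueryPrivateIps` and `uvs.syncPowerLevels` change security-relevant behaviour; add rows for these so a user does not first meet them as `required` failures at install time.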

19 changes: 19 additions & 0 deletions templates/_helpers.tpl
@@ -83,6 +83,13 @@ app.kubernetes.io/name: jitsi-sysctl-jvb
app.kubernetes.io/component: jitsi-sysctl-setter
{{- end -}}

{{- define "jitsi.uvs.selectorLabels" -}}
{{ include "jitsi.selectorLabels" . }}
app.kubernetes.io/instance: {{ include "jitsi.name" . }}-uvs
app.kubernetes.io/name: jitsi-uvs
app.kubernetes.io/component: jitsi-access-controller
{{- end -}}

{{- define "jitsi.webShard.selectorLabels" -}}
{{ include "jitsi.selectorLabels" . }}
app.kubernetes.io/instance: {{ include "jitsi.name" . }}-web
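Review bot: `app.kubernetes.io/component: jitsi-access-controller` does not match the `jitsi-uvs` naming used for `instance` and `name` two lines above it, and the other selector helpers in this file name the component after the workload; use `jitsi-uvs` so label-based NetworkPolicies and dashboards select these pods consistently.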
@@ -197,6 +204,14 @@ app.kubernetes.io/component: jitsi-ingress
{{- end }}
{{- end -}}
{{- define "jitsi.uvs.labels" -}}
{{ include "jitsi.labels" . }}
{{ include "jitsi.uvs.selectorLabels" . }}
{{- with $.Values.uvs.extraLabels }}
{{ toYaml .}}
{{- end }}
{{- end -}}
{{- define "jitsi.webShard.labels" -}}
{{ include "jitsi.labels" . }}
{{ include "jitsi.webShard.selectorLabels" . }}
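Review bot: style only: the new `{{- define "jitsi.uvs.labels" -}}` block is inserted with no blank line between it and the preceding `{{- end -}}`, unlike the surrounding helpers (and unlike the selectorLabels block added in the first hunk); add the separating blank line.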
@@ -237,3 +252,7 @@ Define a helper function to create a hash of the output of the previous function
{{- define "jitsi.sharedSecret.name" -}}
{{ $.Values.secretName | default (include "jitsi.name" .) }}
{{- end -}}
{{- define "jitsi.uvsAccessTokenSecret.name" -}}
{{ $.Values.uvs.secrets.accessTokenSecretName | default (include "jitsi.sharedSecret.name" .) }}
{{- end -}}
21 changes: 21 additions & 0 deletions templates/prosody-deployment.yaml
@@ -181,6 +181,27 @@ spec:
configMapKeyRef:
name: {{ include "jitsi.sharedConfigMap.name" $ }}
key: PUBLIC_URL
{{- if $.Values.uvs.enable }}
- name: ENABLE_AUTH
value: "1"
- name: AUTH_TYPE
value: "matrix"
- name: MATRIX_UVS_URL
value: "{{ include "jitsi.name" $ }}-uvs.{{ $.Release.Namespace }}.svc.cluster.local"
- name: MATRIX_UVS_ISSUER
valueFrom:
configMapKeyRef:
name: {{ include "jitsi.sharedConfigMap.name" $ }}
key: PUBLIC_URL
- name: MATRIX_UVS_AUTH_TOKEN
valueFrom:
secretKeyRef:
key: UVS_AUTH_TOKEN
name: {{ include "jitsi.sharedSecret.name" $ }}
optional: false
- name: MATRIX_UVS_SYNC_POWER_LEVELS
value: "{{ $.Values.uvs.syncPowerLevels }}"
{{- end }}
{{- if $.Values.prosody.extraEnvs }}
{{- toYaml $.Values.prosody.extraEnvs | nindent 12 }}
{{- end }}
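Review bot: `MATRIX_UVS_URL` is rendered as a bare service hostname with neither scheme nor port, while the UVS added in this commit listens on port 3000 (`UVS_PORT: "3000"` in the deployment, `port: 3000` in the Service); unless the Prosody module supplies a default scheme and port, the verification request cannot connect, so render `http://{{ include "jitsi.name" $ }}-uvs.{{ $.Release.Namespace }}.svc.cluster.local:3000` and confirm against a running UVS before merging. Because this is plaintext HTTP carrying `MATRIX_UVS_AUTH_TOKEN` as a bearer credential, a NetworkPolicy limiting the UVS Service to the Prosody pods is the mitigation to recommend in the README.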
6 changes: 6 additions & 0 deletions templates/secrets.yaml
@@ -4,6 +4,12 @@ data:
JICOFO_AUTH_PASSWORD: {{ required "JICOFO_AUTH_PASSWORD is required" $.Values.JICOFO_AUTH_PASSWORD | b64enc }}
JICOFO_COMPONENT_SECRET: {{ required "JICOFO_COMPONENT_SECRET is required" $.Values.JICOFO_COMPONENT_SECRET | b64enc }}
JVB_AUTH_PASSWORD: {{ required "JVB_AUTH_PASSWORD is required" $.Values.JVB_AUTH_PASSWORD | b64enc }}
{{- if $.Values.uvs.enable }}
UVS_AUTH_TOKEN: {{ required "uvs.secrets.AUTH_TOKEN is required if UVS is enabled" $.Values.uvs.secrets.AUTH_TOKEN | b64enc }}
{{- if eq (include "jitsi.uvsAccessTokenSecret.name" $) (include "jitsi.sharedSecret.name" $) }}
UVS_ACCESS_TOKEN: {{ required "uvs.secrets.ACCESS_TOKEN is required if UVS is enabled" $.Values.uvs.secrets.ACCESS_TOKEN | b64enc }}
{{- end }}
{{- end }}
kind: Secret
metadata:
labels: {{ include "jitsi.config.labels" $ | nindent 4 }}
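Review bot: the `required` guard on `UVS_ACCESS_TOKEN` only runs when the token is stored in the shared Secret; when `uvs.secrets.accessTokenSecretName` is set, nothing verifies that the referenced Secret carries a `UVS_ACCESS_TOKEN` key, and the pod only fails at start because of `optional: false`, so a comment here or a NOTES.txt hint would save debugging time. Separately, the default path puts the Synapse access token (per the values.yaml comment, it "provides access to Synapse") in the same Secret as the Jicofo and JVB passwords, so any principal able to read that Secret obtains it too; the README should recommend `accessTokenSecretName` for production deployments.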
111 changes: 111 additions & 0 deletions templates/uvs-deployment.yaml
@@ -0,0 +1,111 @@
{{ if $.Values.uvs.enable -}}
apiVersion: apps/v1
kind: Deployment
metadata:
labels: {{ include "jitsi.uvs.labels" $ | nindent 4 }}
annotations:
configmap-hash: {{ include "jitsi.sharedConfigMap.hash" $ }}
{{- with $.Values.uvs.extraAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "jitsi.name" $ }}-uvs
namespace: {{ $.Release.Namespace }}
spec:
replicas: {{ $.Values.uvs.replicas }}
selector:
matchLabels: {{ include "jitsi.uvs.selectorLabels" $ | nindent 6 }}
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
type: RollingUpdate
template:
metadata:
labels: {{ include "jitsi.uvs.labels" $ | nindent 8 }}
annotations:
configmap-hash: {{ include "jitsi.sharedConfigMap.hash" $ }}
{{- with $.Values.uvs.extraAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with $.Values.uvs.extraPodSpec }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- if (($.Values.global).serviceAccount) }}
serviceAccountName: {{ (($.Values.global).serviceAccount) }}
{{- else }}
automountServiceAccountToken: false
{{- end }}
{{- if gt ($.Values.uvs.replicas | int) 1 }}
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels: {{ include "jitsi.uvs.selectorLabels" $ | nindent 16 }}
topologyKey: kubernetes.io/hostname
{{- end }}
{{- if $.Values.uvs.imagePullSecrets }}
imagePullSecrets:
{{- range $secretName := $.Values.uvs.imagePullSecrets }}
- name: {{ $secretName }}
{{- end }}
{{- end }}
containers:
- name: uvs
ports:
- containerPort: 3000
name: http
protocol: TCP
env:
- name: UVS_HOMESERVER_URL
value: "{{ $.Values.uvs.homeserverUrl }}"
- name: UVS_ACCESS_TOKEN
valueFrom:
secretKeyRef:
key: UVS_ACCESS_TOKEN
name: {{ include "jitsi.uvsAccessTokenSecret.name" $ }}
optional: false
- name: UVS_AUTH_TOKEN
valueFrom:
secretKeyRef:
key: UVS_AUTH_TOKEN
name: {{ include "jitsi.sharedSecret.name" $ }}
optional: false
- name: UVS_DISABLE_IP_BLACKLIST
value: "{{ $.Values.uvs.canQueryPrivateIps }}"
- name: UVS_LISTEN_ADDRESS
value: 0.0.0.0
- name: UVS_PORT
value: "3000"
image: {{ $.Values.uvs.image}}
imagePullPolicy: {{ $.Values.uvs.imagePullPolicy }}
livenessProbe:
httpGet:
path: /health
port: http
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
readinessProbe:
httpGet:
path: /health
port: http
scheme: HTTP
initialDelaySeconds: 2
periodSeconds: 3
{{- with $.Values.uvs.resources }}
resources:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if $.Values.uvs.extraVolumeMounts }}
volumeMounts:
{{- toYaml $.Values.uvs.extraVolumeMounts | nindent 8 }}
{{- end }}
{{- with $.Values.uvs.extraContainerSpec }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if $.Values.uvs.extraVolumes }}
volumes:
{{- toYaml $.Values.uvs.extraVolumes | nindent 6 }}
{{- end }}
{{ end -}}
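Review bot: `UVS_HOMESERVER_URL` reads `$.Values.uvs.homeserverUrl`, which is not defined in the values.yaml hunk of this commit and is not wrapped in `required`, so a release that omits it renders `value: ""` and the pod starts pointed at an empty homeserver URL; guard it the same way the secrets are, e.g. `value: {{ required "uvs.homeserverUrl is required if UVS is enabled" $.Values.uvs.homeserverUrl | quote }}`. Two smaller points: the container declares no `securityContext` (`runAsNonRoot`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem`) although it is a network-facing service holding a homeserver access token, and `image: {{ $.Values.uvs.image}}` is missing the space before `}}`. The `automountServiceAccountToken: false` fallback is a good default and worth keeping.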
15 changes: 15 additions & 0 deletions templates/uvs-service.yaml
@@ -0,0 +1,15 @@
{{ if $.Values.uvs.enable -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "jitsi.name" $ }}-uvs
namespace: {{ $.Release.Namespace }}
labels: {{ include "jitsi.uvs.labels" $ | nindent 4 }}
spec:
ports:
- name: http
port: 3000
targetPort: http
selector: {{ include "jitsi.uvs.selectorLabels" $ | nindent 6 }}
type: ClusterIP
{{ end -}}
10 changes: 10 additions & 0 deletions templates/uvs-wellknown.yaml
@@ -0,0 +1,10 @@
{{ if $.Values.uvs.enable -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "jitsi.name" $ }}-uvs-wellknown
namespace: {{ $.Release.Namespace }}
labels: {{ include "jitsi.uvs.labels" $ | nindent 4 }}
data:
jitsi: "{\"auth\": \"openidtoken-jwt\"}"
{{ end -}}
10 changes: 10 additions & 0 deletions templates/web-deployment.yaml
@@ -138,6 +138,11 @@ spec:
name: watermark
subPath: watermark.png
{{ end }}
{{- if $.Values.uvs.enable }}
- mountPath: /usr/share/jitsi-meet/.well-known/element
name: uvs-wellknown
readOnly: true
{{- end }}
{{- if $.Values.web.extraVolumeMounts }}
{{- toYaml $.Values.web.extraVolumeMounts | nindent 8 }}
{{- end }}
@@ -185,6 +190,11 @@ spec:
name: {{ $.Values.web.customWatermark.name }}
name: watermark
{{ end }}
{{- if $.Values.uvs.enable }}
- configMap:
name: {{ include "jitsi.name" $ }}-uvs-wellknown
name: uvs-wellknown
{{- end }}
{{- if $.Values.web.extraVolumes }}
{{- toYaml $.Values.web.extraVolumes | nindent 6 }}
{{- end }}
23 changes: 23 additions & 0 deletions values.yaml
@@ -111,6 +111,29 @@ prosody:
globalConfig: []
extraLabels: {}
extraAnnotations: {}
uvs:
enable: false
canQueryPrivateIps: false
syncPowerLevels: true
image: matrixdotorg/matrix-user-verification-service:v2.0.0
imagePullPolicy: Always
replicas: 2
resources:
requests:
memory: 100Mi
cpu: 50m
limits:
memory: 300Mi
extraPodSpec: {}
extraVolumes: []
extraVolumeMounts: []
extraContainerSpec: {}
extraLabels: {}
extraAnnotations: {}
secrets: {}
# ACCESS_TOKEN - provides access to Synapse
# accessTokenSecretName - the above in a separate secret with the key UVS_ACCESS_TOKEN present
# AUTH_TOKEN - protects requests to this API
web:
replicas: 2
imagePullPolicy: Always
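Review bot: `homeserverUrl` is absent from the `uvs:` defaults even though `templates/uvs-deployment.yaml` reads it, and the three `#` lines under `secrets: {}` describe keys that a reader of the rendered defaults never sees; add `homeserverUrl: ""` and turn the comments into a commented-out example (`# secrets:` followed by `#   AUTH_TOKEN: ...`, `#   ACCESS_TOKEN: ...`, `#   accessTokenSecretName: ...`). `canQueryPrivateIps: false` is the right default because it leaves the UVS private-IP blacklist in place (`UVS_DISABLE_IP_BLACKLIST` stays false), but an in-cluster homeserver will need it set to true, and that trade-off deserves a comment. Finally, `replicas: 2` together with the deployment's required `podAntiAffinity` on `kubernetes.io/hostname` leaves the second pod Pending on a single-node cluster; either default to 1 or state the two-node requirement.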