From f9889e311650b8746205c33f3142cbdcc76a04c5 Mon Sep 17 00:00:00 2001 From: Ben Banfield-Zanin Date: Tue, 27 Jun 2023 14:41:17 +0100 Subject: [PATCH] Add user verification service support --- Chart.yaml | 2 +- README.md | 67 +++++++++--------- templates/_helpers.tpl | 19 +++++ templates/prosody-deployment.yaml | 21 ++++++ templates/secrets.yaml | 6 ++ templates/uvs-deployment.yaml | 111 ++++++++++++++++++++++++++++++ templates/uvs-service.yaml | 15 ++++ templates/uvs-wellknown.yaml | 10 +++ templates/web-deployment.yaml | 10 +++ values.yaml | 23 +++++++ 10 files changed, 250 insertions(+), 34 deletions(-) create mode 100644 templates/uvs-deployment.yaml create mode 100644 templates/uvs-service.yaml create mode 100644 templates/uvs-wellknown.yaml diff --git a/Chart.yaml b/Chart.yaml index 4251d5c..8a6c85e 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.6.4 +version: 0.7.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/README.md b/README.md index d9735b1..aab8fa5 100644 --- a/README.md +++ b/README.md 
@@ -54,39 +54,40 @@ helm delete --purge jitsi The following table lists the configurable parameters of the Jitsi Meet chart and their default values. -| Parameter | Description | Default | -|------------------------------------|---------------------------------------------------------|-------------------| -| `shardCount` | Number of shards | `2` | -| `haproxy.image` | Docker image | `haproxy:2.1` | -| `ingress.enabled` | Enable ingress | `true` | -| `ingress.hosts` | List of hosts in this ingress | empty | -| `ingress.class ` | Which ingressClassName to use | empty | -| `ingress.tls.enabled` | Enable TLS for ingress | `true` | -| `ingress.tls.secretName` | Name of the secret storing the TLS certificate and key | `jitsi-tls` | -| `ingress.extraPaths ` | Extra paths to add to the ingress | `[]` | -| `jicofo.image` | Jicofo docker image | `jitsi/jicofo` | -| `jicofo.imagePullPolicy` | Jicofo image pull policy | `Always` | -| `jicofo.extraEnvs` | Jicofo extra environment variables | `[]` | -| `jvb.image` | JVB docker image | `jitsi/jvb` | -| `jvb.image.imagePullPolicy` | JVB image pull policy | `Always` | -| `jvb.replicas` | JVB replica count | `1` | -| `jvb.monitoringEnable` | JVB exporter container | `true` | -| `jvb.hostPort` | JVB hostPort | empty | -| `jvb.nodeportPrefix` | JVB Node port prefix | `30` | -| `jvb.extraEnvs` | JVB extra environment variables | `[]` | -| `prosody.image` | Prosody docker image | `jitsi/prosody` | -| `prosody.image.imagePullPolicy` | Prosody image pull policy | `Always` | -| `prosody.extraEnvs` | Extra env var for prosody deployment | `[]` | -| `prosody.extraVolumes` | Additionnal volumes to the prosody deployment | `[]` | -| `prosody.extraVolumeMounts` | Additional volume mounts to the prosody deployment | `[]` | -| `prosody.globalModules` | Additional global modules to enable on prosody | `[]` | -| `prosody.globalConfig` | Additional global config parameters on prosody | `[]` | -| `web.image` | Web docker image | `jitsi/web` | -| 
`web.image.imagePullPolicy` | Web image pull policy | `Always` | -| `web.extraEnvs` | Extra env var for web deployment | `[]` | -| `web.extraVolumes` | Additionnal volumes to the web deployment | `[]` | -| `web.extraVolumeMounts` | Additional volume mounts to the web deployment | `[]` | -| `watermark` | Watermark logo | `true` | +| Parameter | Description | Default | +|------------------------------------|----------------------------------------------------------------|-------------------| +| `shardCount` | Number of shards | `2` | +| `haproxy.image` | Docker image | `haproxy:2.1` | +| `ingress.enabled` | Enable ingress | `true` | +| `ingress.hosts` | List of hosts in this ingress | empty | +| `ingress.class ` | Which ingressClassName to use | empty | +| `ingress.tls.enabled` | Enable TLS for ingress | `true` | +| `ingress.tls.secretName` | Name of the secret storing the TLS certificate and key | `jitsi-tls` | +| `ingress.extraPaths ` | Extra paths to add to the ingress | `[]` | +| `jicofo.image` | Jicofo docker image | `jitsi/jicofo` | +| `jicofo.imagePullPolicy` | Jicofo image pull policy | `Always` | +| `jicofo.extraEnvs` | Jicofo extra environment variables | `[]` | +| `jvb.image` | JVB docker image | `jitsi/jvb` | +| `jvb.image.imagePullPolicy` | JVB image pull policy | `Always` | +| `jvb.replicas` | JVB replica count | `1` | +| `jvb.monitoringEnable` | JVB exporter container | `true` | +| `jvb.hostPort` | JVB hostPort | empty | +| `jvb.nodeportPrefix` | JVB Node port prefix | `30` | +| `jvb.extraEnvs` | JVB extra environment variables | `[]` | +| `prosody.image` | Prosody docker image | `jitsi/prosody` | +| `prosody.image.imagePullPolicy` | Prosody image pull policy | `Always` | +| `prosody.extraEnvs` | Extra env var for prosody deployment | `[]` | +| `prosody.extraVolumes` | Additionnal volumes to the prosody deployment | `[]` | +| `prosody.extraVolumeMounts` | Additional volume mounts to the prosody deployment | `[]` | +| `prosody.globalModules` | 
Additional global modules to enable on prosody | `[]` | +| `prosody.globalConfig` | Additional global config parameters on prosody | `[]` | +| `uvs.enable` | Whether the Matrix User Verification Service should be enabled | `false` | +| `web.image` | Web docker image | `jitsi/web` | +| `web.image.imagePullPolicy` | Web image pull policy | `Always` | +| `web.extraEnvs` | Extra env var for web deployment | `[]` | +| `web.extraVolumes` | Additionnal volumes to the web deployment | `[]` | +| `web.extraVolumeMounts` | Additional volume mounts to the web deployment | `[]` | +| `watermark` | Watermark logo | `true` | ## Running two jitsi instances inside the same cluster diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index d50f34e..c6245ad 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl @@ -83,6 +83,13 @@ app.kubernetes.io/name: jitsi-sysctl-jvb app.kubernetes.io/component: jitsi-sysctl-setter {{- end -}} +{{- define "jitsi.uvs.selectorLabels" -}} +{{ include "jitsi.selectorLabels" . }} +app.kubernetes.io/instance: {{ include "jitsi.name" . }}-uvs +app.kubernetes.io/name: jitsi-uvs +app.kubernetes.io/component: jitsi-access-controller +{{- end -}} + {{- define "jitsi.webShard.selectorLabels" -}} {{ include "jitsi.selectorLabels" . }} app.kubernetes.io/instance: {{ include "jitsi.name" . }}-web @@ -197,6 +204,14 @@ app.kubernetes.io/component: jitsi-ingress {{- end }} {{- end -}} +{{- define "jitsi.uvs.labels" -}} +{{ include "jitsi.labels" . }} +{{ include "jitsi.uvs.selectorLabels" . }} +{{- with $.Values.uvs.extraLabels }} +{{ toYaml .}} +{{- end }} +{{- end -}} + {{- define "jitsi.webShard.labels" -}} {{ include "jitsi.labels" . }} {{ include "jitsi.webShard.selectorLabels" . }} 
@@ -237,3 +252,7 @@ Define a helper function to create a hash of the output of the previous function {{- define "jitsi.sharedSecret.name" -}} {{ $.Values.secretName | default (include "jitsi.name" .) }} {{- end -}} + +{{- define "jitsi.uvsAccessTokenSecret.name" -}} +{{ $.Values.uvs.secrets.accessTokenSecretName | default (include "jitsi.sharedSecret.name" .) }} +{{- end -}} diff --git a/templates/prosody-deployment.yaml b/templates/prosody-deployment.yaml index b64d8b5..8dc86e1 100644 --- a/templates/prosody-deployment.yaml +++ b/templates/prosody-deployment.yaml @@ -181,6 +181,27 @@ spec: configMapKeyRef: name: {{ include "jitsi.sharedConfigMap.name" $ }} key: PUBLIC_URL + {{- if $.Values.uvs.enable }} + - name: ENABLE_AUTH + value: "1" + - name: AUTH_TYPE + value: "matrix" + - name: MATRIX_UVS_URL + value: "{{ include "jitsi.name" $ }}-uvs.{{ $.Release.Namespace }}.svc.cluster.local" + - name: MATRIX_UVS_ISSUER + valueFrom: + configMapKeyRef: + name: {{ include "jitsi.sharedConfigMap.name" $ }} + key: PUBLIC_URL + - name: MATRIX_UVS_AUTH_TOKEN + valueFrom: + secretKeyRef: + key: UVS_AUTH_TOKEN + name: {{ include "jitsi.sharedSecret.name" $ }} + optional: false + - name: MATRIX_UVS_SYNC_POWER_LEVELS + value: "{{ $.Values.uvs.syncPowerLevels }}" + {{- end }} {{- if $.Values.prosody.extraEnvs }} {{- toYaml $.Values.prosody.extraEnvs | nindent 12 }} {{- end }} diff --git a/templates/secrets.yaml b/templates/secrets.yaml index 1e13162..f45c28a 100644 --- a/templates/secrets.yaml +++ b/templates/secrets.yaml 
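Review bot: The new `jitsi.uvsAccessTokenSecret.name` helper carries no explanatory comment, although the surrounding helpers in this file are introduced by a sentence describing what they define (the visible "Define a helper function to create a hash..." text). The contract it encodes is relied on by two other templates in this patch: secrets.yaml only emits `UVS_ACCESS_TOKEN` when this helper resolves to the chart's shared secret, and uvs-deployment.yaml reads key `UVS_ACCESS_TOKEN` from whatever name it returns. Add above the define: `{{/* Name of the Secret holding the UVS_ACCESS_TOKEN key: uvs.secrets.accessTokenSecretName when set, otherwise the chart's shared secret (which then must be rendered with that key). A user-supplied Secret must itself contain the UVS_ACCESS_TOKEN key. */}}`.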
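Review bot: `MATRIX_UVS_URL` is rendered as a bare host name, `{{ include "jitsi.name" $ }}-uvs.{{ $.Release.Namespace }}.svc.cluster.local`, with neither scheme nor port, while the Service this patch adds exposes UVS only on port 3000; unless the prosody image fills in a default scheme and port for this variable (nothing visible here says it does), Prosody's verification calls will not reach the service. Render a complete URL instead: `value: "http://{{ include "jitsi.name" $ }}-uvs.{{ $.Release.Namespace }}.svc.cluster.local:3000"`. Because this link presumably carries `MATRIX_UVS_AUTH_TOKEN` in clear text over in-cluster HTTP, a comment on the `MATRIX_UVS_URL` entry stating that the chart relies on pod-network isolation (and that a NetworkPolicy limiting ingress to the UVS pods to the Prosody pods is advisable) would make that assumption explicit. The `env` list this hunk extends continues outside the hunk.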
@@ -4,6 +4,12 @@ data: JICOFO_AUTH_PASSWORD: {{ required "JICOFO_AUTH_PASSWORD is required" $.Values.JICOFO_AUTH_PASSWORD | b64enc }} JICOFO_COMPONENT_SECRET: {{ required "JICOFO_COMPONENT_SECRET is required" $.Values.JICOFO_COMPONENT_SECRET | b64enc }} JVB_AUTH_PASSWORD: {{ required "JVB_AUTH_PASSWORD is required" $.Values.JVB_AUTH_PASSWORD | b64enc }} +{{- if $.Values.uvs.enable }} + UVS_AUTH_TOKEN: {{ required "uvs.secrets.AUTH_TOKEN is required if UVS is enabled" $.Values.uvs.secrets.AUTH_TOKEN | b64enc }} +{{- if eq (include "jitsi.uvsAccessTokenSecret.name" $) (include "jitsi.sharedSecret.name" $) }} + UVS_ACCESS_TOKEN: {{ required "uvs.secrets.ACCESS_TOKEN is required if UVS is enabled" $.Values.uvs.secrets.ACCESS_TOKEN | b64enc }} +{{- end }} +{{- end }} kind: Secret metadata: labels: {{ include "jitsi.config.labels" $ | nindent 4 }} diff --git a/templates/uvs-deployment.yaml b/templates/uvs-deployment.yaml new file mode 100644 index 0000000..57e09ec --- /dev/null +++ b/templates/uvs-deployment.yaml 
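Review bot: `UVS_AUTH_TOKEN` can only be supplied through `uvs.secrets.AUTH_TOKEN` in values, whereas `ACCESS_TOKEN` may live in a pre-existing Secret named by `accessTokenSecretName`; the asymmetry means one of the two credentials must always be passed on the Helm command line or in a values file, from where it lands in the release history. Give the auth token the same escape hatch: a `uvs.secrets.authTokenSecretName` value, a `jitsi.uvsAuthTokenSecret.name` helper mirroring the access-token one in _helpers.tpl, the guard shown below around this line, and prosody-deployment.yaml plus uvs-deployment.yaml reading `UVS_AUTH_TOKEN` from that helper's name instead of `jitsi.sharedSecret.name`. The `required` messages naming the exact values path are a good touch and should be kept in the new branch. The rest of the Secret definition lies outside the hunk.
```yaml
{{- if $.Values.uvs.enable }}
{{- if eq (include "jitsi.uvsAuthTokenSecret.name" $) (include "jitsi.sharedSecret.name" $) }}
  UVS_AUTH_TOKEN: {{ required "uvs.secrets.AUTH_TOKEN is required if UVS is enabled and uvs.secrets.authTokenSecretName is unset" $.Values.uvs.secrets.AUTH_TOKEN | b64enc }}
{{- end }}
# … unchanged: UVS_ACCESS_TOKEN guard and value …
{{- end }}
```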
@@ -0,0 +1,111 @@
+{{ if $.Values.uvs.enable -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels: {{ include "jitsi.uvs.labels" $ | nindent 4 }}
+ annotations:
+ configmap-hash: {{ include "jitsi.sharedConfigMap.hash" $ }}
+ {{- with $.Values.uvs.extraAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ include "jitsi.name" $ }}-uvs
+ namespace: {{ $.Release.Namespace }}
+spec:
+ replicas: {{ $.Values.uvs.replicas }}
+ selector:
+ matchLabels: {{ include "jitsi.uvs.selectorLabels" $ | nindent 6 }}
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ type: RollingUpdate
+ template:
+ metadata:
+ labels: {{ include "jitsi.uvs.labels" $ | nindent 8 }}
+ annotations:
+ configmap-hash: {{ include "jitsi.sharedConfigMap.hash" $ }}
+ {{- with $.Values.uvs.extraAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with $.Values.uvs.extraPodSpec }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- if (($.Values.global).serviceAccount) }}
+ serviceAccountName: {{ (($.Values.global).serviceAccount) }}
+ {{- else }}
+ automountServiceAccountToken: false
+ {{- end }}
+ {{- if gt ($.Values.uvs.replicas | int) 1 }}
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels: {{ include "jitsi.uvs.selectorLabels" $ | nindent 16 }}
+ topologyKey: kubernetes.io/hostname
+ {{- end }}
+ {{- if $.Values.uvs.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range $secretName := $.Values.uvs.imagePullSecrets }}
+ - name: {{ $secretName }}
+ {{- end }}
+ {{- end }}
+ containers:
+ - name: uvs
+ ports:
+ - containerPort: 3000
+ name: http
+ protocol: TCP
+ env:
+ - name: UVS_HOMESERVER_URL
+ value: "{{ $.Values.uvs.homeserverUrl }}"
+ - name: UVS_ACCESS_TOKEN
+ valueFrom:
+ secretKeyRef:
+ key: UVS_ACCESS_TOKEN
+ name: {{ include "jitsi.uvsAccessTokenSecret.name" $ }}
+ optional: false
+ - name: UVS_AUTH_TOKEN
+ valueFrom:
+ secretKeyRef:
+ key: UVS_AUTH_TOKEN
+ name: {{ include "jitsi.sharedSecret.name" $ }}
+ optional: false
+ - name: UVS_DISABLE_IP_BLACKLIST
+ value: "{{ $.Values.uvs.canQueryPrivateIps }}"
+ - name: UVS_LISTEN_ADDRESS
+ value: 0.0.0.0
+ - name: UVS_PORT
+ value: "3000"
+ image: {{ $.Values.uvs.image}}
+ imagePullPolicy: {{ $.Values.uvs.imagePullPolicy }}
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: http
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: http
+ scheme: HTTP
+ initialDelaySeconds: 2
+ periodSeconds: 3
+ {{- with $.Values.uvs.resources }}
+ resources:
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ {{- if $.Values.uvs.extraVolumeMounts }}
+ volumeMounts:
+ {{- toYaml $.Values.uvs.extraVolumeMounts | nindent 8 }}
+ {{- end }}
+ {{- with $.Values.uvs.extraContainerSpec }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if $.Values.uvs.extraVolumes }}
+ volumes:
+ {{- toYaml $.Values.uvs.extraVolumes | nindent 6 }}
+ {{- end }}
+{{ end -}}
diff --git a/templates/uvs-service.yaml b/templates/uvs-service.yaml
new file mode 100644
index 0000000..e95d86e
--- /dev/null
+++ b/templates/uvs-service.yaml
@@ -0,0 +1,15 @@
+{{ if $.Values.uvs.enable -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "jitsi.name" $ }}-uvs
+ namespace: {{ $.Release.Namespace }}
+ labels: {{ include "jitsi.uvs.labels" $ | nindent 4 }}
+spec:
+ ports:
+ - name: http
+ port: 3000
+ targetPort: http
+ selector: {{ include "jitsi.uvs.selectorLabels" $ | nindent 6 }}
+ type: ClusterIP
+{{ end -}}
diff --git a/templates/uvs-wellknown.yaml b/templates/uvs-wellknown.yaml
new file mode 100644
index 0000000..b97aa76
--- /dev/null
+++ b/templates/uvs-wellknown.yaml
@@ -0,0 +1,10 @@
+{{ if $.Values.uvs.enable -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "jitsi.name" $ }}-uvs-wellknown
+ namespace: {{ $.Release.Namespace }}
+ labels: {{ include "jitsi.uvs.labels" $ | nindent 4 }}
+data:
+ jitsi: "{\"auth\": \"openidtoken-jwt\"}"
+{{ end -}}
diff --git a/templates/web-deployment.yaml b/templates/web-deployment.yaml index 790626a..02f27ae 100644 --- a/templates/web-deployment.yaml +++ b/templates/web-deployment.yaml @@ -138,6 +138,11 @@ spec: name: watermark subPath: watermark.png {{ end }} + {{- if $.Values.uvs.enable }} + - mountPath: /usr/share/jitsi-meet/.well-known/element + name: uvs-wellknown + readOnly: true + {{- end }} {{- if $.Values.web.extraVolumeMounts }} {{- toYaml $.Values.web.extraVolumeMounts | nindent 8 }} {{- end }} @@ -185,6 +190,11 @@ spec: name: {{ $.Values.web.customWatermark.name }} name: watermark {{ end }} + {{- if $.Values.uvs.enable }} + - configMap: + name: {{ include "jitsi.name" $ }}-uvs-wellknown + name: uvs-wellknown + {{- end }} {{- if $.Values.web.extraVolumes }} {{- toYaml $.Values.web.extraVolumes | nindent 6 }} {{- end }} diff --git a/values.yaml b/values.yaml index d5adfb2..aa6e11d 100644 --- a/values.yaml +++ b/values.yaml @@ -111,6 +111,29 @@ prosody: globalConfig: [] extraLabels: {} extraAnnotations: {} +uvs: + enable: false + canQueryPrivateIps: false + syncPowerLevels: true + image: matrixdotorg/matrix-user-verification-service:v2.0.0 + imagePullPolicy: Always + replicas: 2 + resources: + requests: + memory: 100Mi + cpu: 50m + limits: + memory: 300Mi + extraPodSpec: {} + extraVolumes: [] + extraVolumeMounts: [] + extraContainerSpec: {} + extraLabels: {} + extraAnnotations: {} + secrets: {} + # ACCESS_TOKEN - provides access to Synapse + # accessTokenSecretName - the above in a separate secret with the key UVS_ACCESS_TOKEN present + # AUTH_TOKEN - protects requests to this API web: replicas: 2 imagePullPolicy: Always
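Review bot: The `uvs` block omits `homeserverUrl` entirely even though templates/uvs-deployment.yaml in this patch reads `$.Values.uvs.homeserverUrl`, so the key is invisible to `helm show values`; add `homeserverUrl: ""  # Base URL of the Matrix homeserver UVS verifies tokens against; required when enable is true`. Since the README table in this patch lists only `uvs.enable`, the trailing comments under `secrets` are the sole documentation of the tokens and should say where each is consumed: `AUTH_TOKEN` is read as `UVS_AUTH_TOKEN` by both the Prosody and the UVS deployment, while `ACCESS_TOKEN` goes only to UVS. `imagePullPolicy: Always` combined with the fixed `v2.0.0` tag re-pulls on every restart yet offers no protection against the tag being re-pointed; pinning the image by digest gives the supply-chain assurance that `Always` does not. A one-line comment on `canQueryPrivateIps` stating that `true` lets UVS reach private address ranges and should stay `false` outside isolated test setups would also help, as the value name alone does not convey the risk.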