updated k8s configs to use non-root containers

Benedek László 2024-07-15 21:37:33 +02:00
parent deb15c161e
commit 289b212205
5 changed files with 197 additions and 211 deletions


@ -7,9 +7,9 @@ type: Opaque
stringData:
JICOFO_AUTH_PASSWORD: 1b90bbfb8b17b3b8f610dd9e282b076c
JVB_AUTH_PASSWORD: 21e5abd0efbb69e31facbf735d737caa
JIGASI_XMPP_PASSWORD: 78e1d598b43d57a7ce38d5a102a48946
JIBRI_RECORDER_PASSWORD: 3fc11181cc426d698317bceab3fe76ad
JIBRI_XMPP_PASSWORD: 21412968cb037cd706996bcbb1c5502a
# JIGASI_XMPP_PASSWORD: 78e1d598b43d57a7ce38d5a102a48946
# JIBRI_RECORDER_PASSWORD: 3fc11181cc426d698317bceab3fe76ad
# JIBRI_XMPP_PASSWORD: 21412968cb037cd706996bcbb1c5502a
---
@ -26,7 +26,7 @@ data:
ETHERPAD_SKIN_VARIANTS: "super-light-toolbar super-light-editor light-background full-width-editor"
ENABLE_AUTH: "1"
AUTH_TYPE: internal
XMPP_SERVER: prosody.jitsi.svc.cluster.local
XMPP_BOSH_URL: http://prosody:5280
XMPP_SERVER: jitsi-prosody.external-app-development.svc.cluster.local
XMPP_BOSH_URL_BASE: http://jitsi-prosody.external-app-development.svc.cluster.local:5280
PUBLIC_URL: jitsi.dev.srv.k8s.bevonodas.euronetrt.hu
JVB_PORT: "10000"
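Review bot: The Secret in the first hunk still carries live credentials as plaintext `stringData` in a manifest committed to the repository, and the three values the commit stops using appear to be commented out rather than deleted, so they remain readable in the file as well as in history. Because these values are already in git history they should be treated as exposed and rotated, and the Secret should be populated outside VCS (an external/sealed secret or a manifest generated at deploy time) rather than checked in. Delete the commented-out `JIGASI_XMPP_PASSWORD` / `JIBRI_RECORDER_PASSWORD` / `JIBRI_XMPP_PASSWORD` lines instead of keeping them; the old revision is preserved by git if they are needed again. Which of the duplicated lines are old and which are new is inferred from the other sections, since this page shows no markers.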


@ -1,53 +1,11 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: jitsi-web
name: jitsi
namespace: external-app-development
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Mi
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: jitsi-prosody
namespace: external-app-development
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Mi
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: jitsi-jicofo
namespace: external-app-development
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Mi
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: jitsi-jvb
namespace: external-app-development
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Mi
storage: 2G
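Review bot: Collapsing the four per-component claims into the single `jitsi` claim removes the storage isolation the old layout had: each deployment now mounts a `subPath` of the same volume, but any pod that is allowed to mount the claim can reach every other component's directory, so prosody's config tree is no longer separated from the web, jicofo and jvb pods. If the components do not actually need to share files, one claim per component (or per trust level) is the safer layout; if they do, record that decision on the claim, e.g. `# single RWX claim shared by web/prosody/jicofo/jvb via subPath`. Separately, `storage: 2G` is a decimal quantity (2·10^9 bytes); `2Gi` is the binary unit most manifests intend. The old/new assignment of the duplicated lines is inferred, as this page shows no markers.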


@ -1,12 +1,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: jitsi-web-conf
namespace: external-app-development
data:
20-use-env: |-
#!/bin/bash
sed -i "s|xmpp.meet.jitsi|XMPP_SERVER|" /config/nginx/meet.conf
# apiVersion: v1
# kind: ConfigMap
# metadata:
# name: jitsi-web-conf
# namespace: external-app-development
# data:
# 20-use-env: |-
# #!/bin/bash
# sed -i "s|xmpp.meet.jitsi|XMPP_SERVER|" /config/nginx/meet.conf
---
@ -37,34 +37,38 @@ spec:
values:
- arm64
- amd64
initContainers:
- name: jitsi-web-conf
image: busybox
args: ["sh", "-c", "cat /20-use-env | sed \"s/XMPP_SERVER/$XMPP_SERVER/\" > /config/20-use-env && chmod +x /config/20-use-env"]
volumeMounts:
- mountPath: /config
name: jitsi-web
- mountPath: /20-use-env
name: jitsi-web-conf
subPath: 20-use-env
envFrom:
- configMapRef:
name: jitsi-env
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# initContainers:
# - name: jitsi-web-conf
# image: busybox
# args: ["sh", "-c", "cat /20-use-env | sed \"s/XMPP_SERVER/$XMPP_SERVER/\" > /config/20-use-env && chmod +x /config/20-use-env"]
# volumeMounts:
# - mountPath: /config
# name: jitsi
# subPath: web
# - mountPath: /20-use-env
# name: jitsi-web-conf
# subPath: 20-use-env
# envFrom:
# - configMapRef:
# name: jitsi-env
# securityContext:
# runAsUser: 1000
# runAsGroup: 1000
# allowPrivilegeEscalation: false
# capabilities:
# drop:
# - ALL
# runAsNonRoot: true
# seccompProfile:
# type: RuntimeDefault
containers:
- name: jitsi-web
image: jitsi/web:stable-9457-2
image: dowerx/jitsi-web:non-root
imagePullPolicy: Always
ports:
- containerPort: 80
- containerPort: 8000
protocol: TCP
- containerPort: 443
- containerPort: 8443
protocol: TCP
envFrom:
- configMapRef:
@ -80,34 +84,37 @@ spec:
secretKeyRef:
name: jitsi-passwords
key: JVB_AUTH_PASSWORD
- name: JIGASI_XMPP_PASSWORD
valueFrom:
secretKeyRef:
name: jitsi-passwords
key: JIGASI_XMPP_PASSWORD
- name: JIBRI_RECORDER_PASSWORD
valueFrom:
secretKeyRef:
name: jitsi-passwords
key: JIBRI_RECORDER_PASSWORD
- name: JIBRI_XMPP_PASSWORD
valueFrom:
secretKeyRef:
name: jitsi-passwords
key: JIBRI_XMPP_PASSWORD
volumeMounts:
- mountPath: /config
name: jitsi-web
- mountPath: /var/spool/cron/crontabs
name: jitsi-web
subPath: crontabs
- mountPath: /usr/share/jitsi-meet/transcripts
name: jitsi-web
subPath: transcripts
- mountPath: /etc/cont-init.d/20-use-env
name: jitsi-web
subPath: 20-use-env
# - name: JIGASI_XMPP_PASSWORD
# valueFrom:
# secretKeyRef:
# name: jitsi-passwords
# key: JIGASI_XMPP_PASSWORD
# - name: JIBRI_RECORDER_PASSWORD
# valueFrom:
# secretKeyRef:
# name: jitsi-passwords
# key: JIBRI_RECORDER_PASSWORD
# - name: JIBRI_XMPP_PASSWORD
# valueFrom:
# secretKeyRef:
# name: jitsi-passwords
# key: JIBRI_XMPP_PASSWORD
# volumeMounts:
# - mountPath: /config
# name: jitsi
# subPath: web
# - mountPath: /var/spool/cron/crontabs
# name: jitsi
# subPath: web/crontabs
# - mountPath: /usr/share/jitsi-meet/transcripts
# name: jitsi
# subPath: web/transcripts
# - mountPath: /etc/cont-init.d/20-use-env
# name: jitsi
# subPath: web/20-use-env
securityContext:
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
capabilities:
drop:
@ -132,16 +139,16 @@ spec:
# port: 80
# initialDelaySeconds: 15
# periodSeconds: 10
volumes:
- name: jitsi-web
persistentVolumeClaim:
claimName: jitsi-web
- name: jitsi-web-conf
configMap:
name: jitsi-web-conf
items:
- key: 20-use-env
path: 20-use-env
# volumes:
# - name: jitsi
# persistentVolumeClaim:
# claimName: jitsi
# - name: jitsi-web-conf
# configMap:
# name: jitsi-web-conf
# items:
# - key: 20-use-env
# path: 20-use-env
---
kind: Deployment
apiVersion: apps/v1
@ -172,7 +179,7 @@ spec:
- amd64
containers:
- name: jitsi-prosody
image: jitsi/prosody:stable-9457-2
image: dowerx/prosody:non-root
ports:
- containerPort: 5222
protocol: TCP
@ -196,22 +203,24 @@ spec:
secretKeyRef:
name: jitsi-passwords
key: JVB_AUTH_PASSWORD
- name: JIGASI_XMPP_PASSWORD
valueFrom:
secretKeyRef:
name: jitsi-passwords
key: JIGASI_XMPP_PASSWORD
- name: JIBRI_RECORDER_PASSWORD
valueFrom:
secretKeyRef:
name: jitsi-passwords
key: JIBRI_RECORDER_PASSWORD
- name: JIBRI_XMPP_PASSWORD
valueFrom:
secretKeyRef:
name: jitsi-passwords
key: JIBRI_XMPP_PASSWORD
# - name: JIGASI_XMPP_PASSWORD
# valueFrom:
# secretKeyRef:
# name: jitsi-passwords
# key: JIGASI_XMPP_PASSWORD
# - name: JIBRI_RECORDER_PASSWORD
# valueFrom:
# secretKeyRef:
# name: jitsi-passwords
# key: JIBRI_RECORDER_PASSWORD
# - name: JIBRI_XMPP_PASSWORD
# valueFrom:
# secretKeyRef:
# name: jitsi-passwords
# key: JIBRI_XMPP_PASSWORD
securityContext:
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
capabilities:
drop:
@ -221,10 +230,11 @@ spec:
type: RuntimeDefault
volumeMounts:
- mountPath: /config
name: jitsi-prosody
name: jitsi
subPath: prosody
- mountPath: /prosody-plugins-custom
name: jitsi-prosody
subPath: prosody-plugins-custom
name: jitsi
subPath: prosody/prosody-plugins-custom
resources:
limits:
cpu: "500m"
@ -242,10 +252,12 @@ spec:
# port: 5280
# initialDelaySeconds: 15
# periodSeconds: 10
securityContext:
fsGroup: 1000
volumes:
- name: jitsi-prosody
- name: jitsi
persistentVolumeClaim:
claimName: jitsi-prosody
claimName: jitsi
---
kind: Deployment
apiVersion: apps/v1
@ -276,7 +288,7 @@ spec:
- amd64
containers:
- name: jitsi-jicofo
image: jitsi/jicofo:stable-9457-2
image: dowerx/jicofo:non-root
ports:
- containerPort: 8888
protocol: TCP
@ -294,22 +306,24 @@ spec:
secretKeyRef:
name: jitsi-passwords
key: JVB_AUTH_PASSWORD
- name: JIGASI_XMPP_PASSWORD
valueFrom:
secretKeyRef:
name: jitsi-passwords
key: JIGASI_XMPP_PASSWORD
- name: JIBRI_RECORDER_PASSWORD
valueFrom:
secretKeyRef:
name: jitsi-passwords
key: JIBRI_RECORDER_PASSWORD
- name: JIBRI_XMPP_PASSWORD
valueFrom:
secretKeyRef:
name: jitsi-passwords
key: JIBRI_XMPP_PASSWORD
# - name: JIGASI_XMPP_PASSWORD
# valueFrom:
# secretKeyRef:
# name: jitsi-passwords
# key: JIGASI_XMPP_PASSWORD
# - name: JIBRI_RECORDER_PASSWORD
# valueFrom:
# secretKeyRef:
# name: jitsi-passwords
# key: JIBRI_RECORDER_PASSWORD
# - name: JIBRI_XMPP_PASSWORD
# valueFrom:
# secretKeyRef:
# name: jitsi-passwords
# key: JIBRI_XMPP_PASSWORD
securityContext:
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
capabilities:
drop:
@ -317,9 +331,10 @@ spec:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /config
name: jitsi-jicofo
# volumeMounts:
# - mountPath: /config
# name: jitsi
# subPath: jicofo
resources:
limits:
cpu: "500m"
@ -337,10 +352,10 @@ spec:
# port: 8888
# initialDelaySeconds: 15
# periodSeconds: 10
volumes:
- name: jitsi-jicofo
persistentVolumeClaim:
claimName: jitsi-jicofo
# volumes:
# - name: jitsi
# persistentVolumeClaim:
# claimName: jitsi
---
kind: Deployment
apiVersion: apps/v1
@ -371,7 +386,7 @@ spec:
- amd64
containers:
- name: jitsi-jvb
image: jitsi/jvb:stable-9457-2
image: dowerx/jvb:non-root
ports:
- containerPort: 10000
protocol: UDP
@ -391,22 +406,24 @@ spec:
secretKeyRef:
name: jitsi-passwords
key: JVB_AUTH_PASSWORD
- name: JIGASI_XMPP_PASSWORD
valueFrom:
secretKeyRef:
name: jitsi-passwords
key: JIGASI_XMPP_PASSWORD
- name: JIBRI_RECORDER_PASSWORD
valueFrom:
secretKeyRef:
name: jitsi-passwords
key: JIBRI_RECORDER_PASSWORD
- name: JIBRI_XMPP_PASSWORD
valueFrom:
secretKeyRef:
name: jitsi-passwords
key: JIBRI_XMPP_PASSWORD
# - name: JIGASI_XMPP_PASSWORD
# valueFrom:
# secretKeyRef:
# name: jitsi-passwords
# key: JIGASI_XMPP_PASSWORD
# - name: JIBRI_RECORDER_PASSWORD
# valueFrom:
# secretKeyRef:
# name: jitsi-passwords
# key: JIBRI_RECORDER_PASSWORD
# - name: JIBRI_XMPP_PASSWORD
# valueFrom:
# secretKeyRef:
# name: jitsi-passwords
# key: JIBRI_XMPP_PASSWORD
securityContext:
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
capabilities:
drop:
@ -414,9 +431,10 @@ spec:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /config
name: jitsi-jvb
# volumeMounts:
# - mountPath: /config
# subPath: jvb
# name: jitsi
resources:
limits:
cpu: "500m"
@ -434,7 +452,7 @@ spec:
# port: 8080
# initialDelaySeconds: 15
# periodSeconds: 10
volumes:
- name: jitsi-jvb
persistentVolumeClaim:
claimName: jitsi-jvb
# volumes:
# - name: jitsi
# persistentVolumeClaim:
# claimName: jitsi
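Review bot: The `image:` lines of the web, prosody, jicofo and jvb deployments switch from the upstream `jitsi/*:stable-9457-2` tags to `dowerx/*:non-root`, a mutable tag in a personal registry namespace, and the web container additionally sets `imagePullPolicy: Always`, so every restart pulls whatever that tag currently points to and the version pin is lost. Pin each image by digest, e.g. `image: dowerx/jitsi-web@sha256:<digest-of-the-tested-build>`, and record where the non-root Dockerfiles live so the images can be rebuilt and reviewed; the `add-users` job in the users file has the same concern. The added `runAsUser: 1000` / `runAsGroup: 1000` entries are consistent across all four deployments. The large commented-out `initContainers`, `volumeMounts` and `volumes` blocks left in the web, jicofo and jvb hunks should be deleted rather than kept as comments; git history preserves them, and the commented copies will drift from the live manifests.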


@ -5,12 +5,12 @@ metadata:
namespace: external-app-development
spec:
ports:
- port: 80
targetPort: 80
- port: 8000
targetPort: 8000
name: http
protocol: TCP
- port: 443
targetPort: 443
- port: 8443
targetPort: 8443
name: https
protocol: TCP
selector:
@ -60,7 +60,7 @@ spec:
selector:
app: jitsi-jvb
---
# ---
# apiVersion: traefik.io/v1alpha1
# kind: IngressRouteUDP
@ -146,4 +146,4 @@ spec:
service:
name: jitsi-web
port:
number: 80
number: 8000
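Review bot: The Service in the first hunk changes the client-facing `port` together with the container `targetPort`, which is why the Ingress backend at the end of the file also has to move from `80` to `8000`; only the container moved to unprivileged ports, so the Service could have kept `port: 80` / `targetPort: 8000` and `port: 443` / `targetPort: 8443`, leaving every consumer of the Service unchanged. If 8000/8443 as Service ports are intended, that should be called out in the commit message since other manifests referencing the Service will need the same edit. The second hunk appears to comment out the JVB `IngressRouteUDP`; if nothing else exposes UDP 10000, external media traffic will not reach the bridge, and that should be confirmed or noted. Old/new sides are inferred from the duplicated lines, as the page shows no markers.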


@ -1,7 +1,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: users
name: jitsi-users
data:
users: |-
user1 asdqwe
@ -50,61 +50,71 @@ spec:
- amd64
containers:
- name: add-users
image: jitsi/prosody:stable-9457-2
image: dowerx/prosody:non-root
command: ["/bin/bash", "-c"]
args: ["bash /clear.sh && bash /add.sh"]
envFrom:
- configMapRef:
name: env
name: jitsi-env
env:
- name: JICOFO_AUTH_PASSWORD
valueFrom:
secretKeyRef:
name: passwords
name: jitsi-passwords
key: JICOFO_AUTH_PASSWORD
- name: JVB_AUTH_PASSWORD
valueFrom:
secretKeyRef:
name: passwords
name: jitsi-passwords
key: JVB_AUTH_PASSWORD
- name: JIGASI_XMPP_PASSWORD
valueFrom:
secretKeyRef:
name: passwords
name: jitsi-passwords
key: JIGASI_XMPP_PASSWORD
- name: JIBRI_RECORDER_PASSWORD
valueFrom:
secretKeyRef:
name: passwords
name: jitsi-passwords
key: JIBRI_RECORDER_PASSWORD
- name: JIBRI_XMPP_PASSWORD
valueFrom:
secretKeyRef:
name: passwords
name: jitsi-passwords
key: JIBRI_XMPP_PASSWORD
securityContext:
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /config
name: prosody
- mountPath: /prosody-plugins-custom
name: prosody
subPath: prosody-plugins-custom
name: jitsi
subPath: prosody
- mountPath: /users
name: users
name: jitsi-users
subPath: users
- mountPath: /clear.sh
name: users
name: jitsi-users
subPath: clear.sh
- mountPath: /add.sh
name: users
name: jitsi-users
subPath: add.sh
restartPolicy: OnFailure
securityContext:
fsGroup: 1000
volumes:
- name: prosody
- name: jitsi
persistentVolumeClaim:
claimName: prosody
- name: users
claimName: jitsi
- name: jitsi-users
configMap:
name: users
name: jitsi-users
items:
- key: users
path: users
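Review bot: The `jitsi-users` ConfigMap mounted into the `add-users` job holds account credentials (`users: |-` followed by `user1 asdqwe` in the context lines), and ConfigMaps are not treated as sensitive by Kubernetes tooling (RBAC policies, audit rules and encryption-at-rest configuration typically single out Secrets); renaming the object does not change that. Move the user list to a `kind: Secret` with `stringData:`, mount it through a `secret:` volume instead of `configMap:`, and keep the example credentials out of the repository. The job's `dowerx/prosody:non-root` image has the same mutable-tag concern as the deployments. The added `runAsUser`/`runAsGroup` 1000 plus pod-level `fsGroup: 1000` matches the prosody deployment, so the shared `jitsi` claim will be writable by the job.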