From 48379833801227585dfd06b8f55ad66301503d01 Mon Sep 17 00:00:00 2001
From: Sienna Meridian Satterwhite
Date: Wed, 25 Mar 2026 13:23:48 +0000
Subject: [PATCH] feat(media): deploy lk-jwt-service for Matrix Element Call

Bridges Element Call to LiveKit by exchanging Matrix OpenID tokens for LiveKit JWTs. Shares API credentials with livekit-server via the existing VSO secret (removed excludeRaw so raw fields are available).
---
 base/media/kustomization.yaml | 1 +
 base/media/lk-jwt-service.yaml | 68 ++++++++++++++++++++++++++++++++++
 base/media/vault-secrets.yaml | 3 +-
 3 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 base/media/lk-jwt-service.yaml

diff --git a/base/media/kustomization.yaml b/base/media/kustomization.yaml
index f66c4ab..e9e4030 100644
--- a/base/media/kustomization.yaml
+++ b/base/media/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
 - namespace.yaml
 - vault-secrets.yaml
 - livekit-alertrules.yaml
+ - lk-jwt-service.yaml
 # livekit-servicemonitor.yaml disabled — LiveKit runs on hostNetwork and port 6789
 # is not reachable from Prometheus due to host firewall. Open port 6789 on the host
 # or add an iptables rule, then re-enable.
diff --git a/base/media/lk-jwt-service.yaml b/base/media/lk-jwt-service.yaml
new file mode 100644
index 0000000..6cf0031
--- /dev/null
+++ b/base/media/lk-jwt-service.yaml
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: lk-jwt-service
+ namespace: media
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: lk-jwt-service
+ template:
+ metadata:
+ labels:
+ app: lk-jwt-service
+ spec:
+ containers:
+ - name: lk-jwt-service
+ image: ghcr.io/element-hq/lk-jwt-service:latest
+ ports:
+ - containerPort: 8081
+ env:
+ - name: LIVEKIT_JWT_BIND
+ value: ":8081"
+ - name: LIVEKIT_URL
+ value: "wss://livekit.DOMAIN_SUFFIX"
+ - name: LIVEKIT_KEY
+ valueFrom:
+ secretKeyRef:
+ name: livekit-api-credentials
+ key: api-key
+ - name: LIVEKIT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: livekit-api-credentials
+ key: api-secret
+ - name: LIVEKIT_FULL_ACCESS_HOMESERVERS
+ value: "sunbeam.pt"
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 15
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 3
+ periodSeconds: 10
+ resources:
+ limits:
+ memory: 64Mi
+ cpu: 100m
+ requests:
+ memory: 32Mi
+ cpu: 25m
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: lk-jwt-service
+ namespace: media
+spec:
+ selector:
+ app: lk-jwt-service
+ ports:
+ - port: 80
+ targetPort: 8081
diff --git a/base/media/vault-secrets.yaml b/base/media/vault-secrets.yaml
index 4ca44d8..db14d0c 100644
--- a/base/media/vault-secrets.yaml
+++ b/base/media/vault-secrets.yaml
@@ -26,12 +26,13 @@ spec:
 rolloutRestartTargets:
 - kind: Deployment
 name: livekit-server
+ - kind: Deployment
+ name: lk-jwt-service
 destination:
 name: livekit-api-credentials
 create: true
 overwrite: true
 transformation:
- excludeRaw: true
 templates:
 keys.yaml:
 text: '{{ index .Secrets "api-key" }}: {{ index .Secrets "api-secret" }}'
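Review bot: The new Deployment runs `image: ghcr.io/element-hq/lk-jwt-service:latest` with no digest and no `securityContext`, for a process that holds the LiveKit API secret and mints the JWTs every Element Call client uses; a floating tag means each node pull can land a different, unreviewed build, and with no securityContext the container may run as root with a writable root filesystem. Pin the image to a release tag or `@sha256:` digest, add a restrictive container securityContext, and set `automountServiceAccountToken: false` on the pod since nothing in this manifest talks to the Kubernetes API (set `runAsUser` explicitly if the image does not declare a non-root user). Separately, `LIVEKIT_FULL_ACCESS_HOMESERVERS` is hard-coded to `sunbeam.pt` while `LIVEKIT_URL` uses the `DOMAIN_SUFFIX` placeholder — if that placeholder is substituted per environment by an overlay, the homeserver allow-list presumably needs the same treatment; confirm. The hardening lines below are the only change; env, probes and resources stay as committed.

```yaml
    spec:
      automountServiceAccountToken: false
      containers:
        - name: lk-jwt-service
          # pin to a reviewed release (or an @sha256 digest), never a floating tag
          image: ghcr.io/element-hq/lk-jwt-service:vX.Y.Z
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: ports, env, livenessProbe, readinessProbe, resources …
```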
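Review bot: Removing `excludeRaw: true` widens what lands in the `livekit-api-credentials` Secret rather than exposing two named keys: in VSO, clearing that flag adds a `_raw` entry holding the full JSON of the Vault secret (every field, not just `api-key`/`api-secret`), and top-level source fields are normally copied into the destination anyway unless filtered by `excludes`, so the removal may not be what made the two keys appear — verify against the operator version in use. If the Secret genuinely lacked `api-key`/`api-secret` before this change, keep `excludeRaw: true` and render the two fields as explicit templates next to `keys.yaml`, so the new Deployment's `secretKeyRef`s resolve without a raw dump of the whole secret. Either way, check the key set after rollout (`kubectl -n media get secret livekit-api-credentials -o jsonpath='{.data}'`) and state in the commit message which keys lk-jwt-service depends on. The object this hunk patches begins above the hunk; its kind is not visible here.

```yaml
  transformation:
    excludeRaw: true
    templates:
      api-key:
        text: '{{ index .Secrets "api-key" }}'
      api-secret:
        text: '{{ index .Secrets "api-secret" }}'
      # … unchanged: keys.yaml template …
```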