feat(media): deploy lk-jwt-service for Matrix Element Call

Bridges Element Call to LiveKit by exchanging Matrix OpenID tokens for LiveKit JWTs. Shares API credentials with livekit-server via the existing VSO secret (removed excludeRaw so raw fields are available).
2026-03-25 13:23:48 +00:00
parent 50a4abf94f
commit 4837983380
3 changed files with 71 additions and 1 deletions
--- a/base/media/kustomization.yaml
+++ b/base/media/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
  - namespace.yaml
  - vault-secrets.yaml
  - livekit-alertrules.yaml
+  - lk-jwt-service.yaml
  # livekit-servicemonitor.yaml disabled — LiveKit runs on hostNetwork and port 6789
  # is not reachable from Prometheus due to host firewall. Open port 6789 on the host
  # or add an iptables rule, then re-enable.
--- a/base/media/lk-jwt-service.yaml
+++ b/base/media/lk-jwt-service.yaml
@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: lk-jwt-service
+  namespace: media
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: lk-jwt-service
+  template:
+    metadata:
+      labels:
+        app: lk-jwt-service
+    spec:
+      containers:
+        - name: lk-jwt-service
+          image: ghcr.io/element-hq/lk-jwt-service:latest
+          ports:
+            - containerPort: 8081
+          env:
+            - name: LIVEKIT_JWT_BIND
+              value: ":8081"
+            - name: LIVEKIT_URL
+              value: "wss://livekit.DOMAIN_SUFFIX"
+            - name: LIVEKIT_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: livekit-api-credentials
+                  key: api-key
+            - name: LIVEKIT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: livekit-api-credentials
+                  key: api-secret
+            - name: LIVEKIT_FULL_ACCESS_HOMESERVERS
+              value: "sunbeam.pt"
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 15
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 3
+            periodSeconds: 10
+          resources:
+            limits:
+              memory: 64Mi
+              cpu: 100m
+            requests:
+              memory: 32Mi
+              cpu: 25m
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: lk-jwt-service
+  namespace: media
+spec:
+  selector:
+    app: lk-jwt-service
+  ports:
+    - port: 80
+      targetPort: 8081
--- a/base/media/vault-secrets.yaml
+++ b/base/media/vault-secrets.yaml
@@ -26,12 +26,13 @@ spec:
  rolloutRestartTargets:
    - kind: Deployment
      name: livekit-server
+    - kind: Deployment
+      name: lk-jwt-service
  destination:
    name: livekit-api-credentials
    create: true
    overwrite: true
    transformation:
-      excludeRaw: true
      templates:
        keys.yaml:
          text: '{{ index .Secrets "api-key" }}: {{ index .Secrets "api-secret" }}'