diff --git a/base/ingress/pingora-config.yaml b/base/ingress/pingora-config.yaml index ebc0716..845a60b 100644 --- a/base/ingress/pingora-config.yaml +++ b/base/ingress/pingora-config.yaml @@ -156,6 +156,11 @@ data: host_prefix = "grafana" backend = "http://kube-prometheus-stack-grafana.monitoring.svc.cluster.local:80" + [[routes]] + host_prefix = "livekit" + backend = "http://livekit-server.media.svc.cluster.local:80" + websocket = true + [[routes]] host_prefix = "s3" backend = "http://seaweedfs-filer.storage.svc.cluster.local:8333" diff --git a/base/lasuite/meet-config.yaml b/base/lasuite/meet-config.yaml index 55d30f9..7a7a00f 100644 --- a/base/lasuite/meet-config.yaml +++ b/base/lasuite/meet-config.yaml @@ -6,9 +6,9 @@ metadata: data: DJANGO_CONFIGURATION: Production DJANGO_SETTINGS_MODULE: meet.settings - ALLOWED_HOSTS: meet.DOMAIN_SUFFIX + DJANGO_ALLOWED_HOSTS: meet.DOMAIN_SUFFIX DJANGO_CSRF_TRUSTED_ORIGINS: https://meet.DOMAIN_SUFFIX DB_NAME: meet_db DB_USER: meet AWS_STORAGE_BUCKET_NAME: sunbeam-meet - LIVEKIT_API_URL: http://livekit-server.media.svc.cluster.local:7880 + LIVEKIT_API_URL: https://livekit.DOMAIN_SUFFIX diff --git a/base/lasuite/oidc-clients.yaml b/base/lasuite/oidc-clients.yaml index 31b57cd..3938dc3 100644 --- a/base/lasuite/oidc-clients.yaml +++ b/base/lasuite/oidc-clients.yaml @@ -61,7 +61,9 @@ spec: - code scope: openid email profile redirectUris: - - https://meet.DOMAIN_SUFFIX/oidc/callback/ + - https://meet.DOMAIN_SUFFIX/api/v1.0/callback/ + postLogoutRedirectUris: + - https://meet.DOMAIN_SUFFIX/api/v1.0/logout-callback/ tokenEndpointAuthMethod: client_secret_post secretName: oidc-meet skipConsent: true diff --git a/base/media/kustomization.yaml b/base/media/kustomization.yaml index d8bafb6..4b00bd9 100644 --- a/base/media/kustomization.yaml +++ b/base/media/kustomization.yaml @@ -5,6 +5,7 @@ namespace: media resources: - namespace.yaml + - vault-secrets.yaml helmCharts: # helm repo add livekit https://helm.livekit.io 
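Review bot: The new `livekit` route's `backend` targets port 80 of `livekit-server.media.svc.cluster.local`, while the meet-config hunk in this same commit drops an in-cluster URL that addressed the same Service on 7880; confirm the chart's Service actually exposes 80 (I believe it maps 80→7880 by default), otherwise this route fails at proxy time. Everything behind `livekit.DOMAIN_SUFFIX` is, as far as I know, protected only by LiveKit's API-key-signed JWTs, so a comment above the stanza would help the next reader: `# LiveKit signalling/API — public; clients authenticate with JWTs minted by Meet from the livekit-api-credentials keys`. `websocket = true` also makes this the only long-lived upgrade path on the ingress; no idle/connection limits are visible in the route stanza, so check whether Pingora applies them globally or whether this route needs its own.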
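Review bot: `LIVEKIT_API_URL: https://livekit.DOMAIN_SUFFIX` points Meet's backend at the public hostname instead of the cluster-local Service, so its server-side calls to LiveKit (presumably room and token operations) now hairpin through the ingress: they depend on in-cluster DNS resolving the public name, on the pod trusting the cert-manager-issued certificate, and they leave the namespace network boundary. If the only driver is that browsers need a reachable WebSocket URL, check whether Meet has a separate frontend-facing setting so the backend can keep using `http://livekit-server.media.svc.cluster.local:80`; if it does not, add `# public URL on purpose: Meet hands this to the browser for the signalling WebSocket` so nobody reverts it. The `ALLOWED_HOSTS` → `DJANGO_ALLOWED_HOSTS` rename suggests the old key was never read by django-configurations, so the Host header check may only now become effective; worth confirming in the deployment once rolled out.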
diff --git a/base/media/livekit-values.yaml b/base/media/livekit-values.yaml index 8debe65..667ca1a 100644 --- a/base/media/livekit-values.yaml +++ b/base/media/livekit-values.yaml @@ -26,10 +26,13 @@ livekit: # Valkey is protocol-compatible with Redis; LiveKit sees this as a Redis endpoint address: valkey.data.svc.cluster.local:6379 - # API keys — overridden per-environment via secrets. - # At least one key must be present for the server to start. - keys: - devkey: secret-placeholder + # API keys — loaded from K8s Secret managed by VSO (secret/livekit in OpenBao). + # The keys.yaml field contains "devkey: " in YAML format. + key_file: keys.yaml + +storeKeysInSecret: + enabled: true + existingSecret: livekit-api-credentials deployment: # hostNetwork gives LiveKit direct access to the host network namespace, diff --git a/base/media/vault-secrets.yaml b/base/media/vault-secrets.yaml new file mode 100644 index 0000000..fcee390 --- /dev/null +++ b/base/media/vault-secrets.yaml @@ -0,0 +1,34 @@ +--- +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: vso-auth + namespace: media +spec: + method: kubernetes + mount: kubernetes + kubernetes: + role: vso + serviceAccount: default +--- +# LiveKit API keys — mounted as keys.yaml into livekit-server pod. +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: livekit-api-credentials + namespace: media +spec: + vaultAuthRef: vso-auth + mount: secret + type: kv-v2 + path: livekit + refreshAfter: 30s + destination: + name: livekit-api-credentials + create: true + overwrite: true + transformation: + excludeRaw: true + templates: + keys.yaml: + text: "{{ index .Secrets \"keys.yaml\" }}" diff --git a/overlays/production/cert-manager.yaml b/overlays/production/cert-manager.yaml index cb39b29..a4911d5 100644 --- a/overlays/production/cert-manager.yaml +++ b/overlays/production/cert-manager.yaml 
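Review bot: `key_file: keys.yaml` is a relative path, so LiveKit will resolve it against the process working directory rather than wherever the chart mounts `livekit-api-credentials`; check the chart's deployment template — if it already sets `key_file` to the secret mount path when `storeKeysInSecret.enabled` is true this line is redundant and may override it, and if it does not, use the absolute mount path. The new comment is also cut off mid-sentence: `# The keys.yaml field contains "devkey: " in YAML format.`; suggest `# keys.yaml holds one "<api_key>: <api_secret>" line per key, same format as livekit.keys`. Since the API secret is what signs LiveKit access tokens, make sure the removed `devkey: secret-placeholder` pair did not get copied into the OpenBao secret as-is — a predictable key would let anyone mint valid room tokens.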
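Review bot: `VaultAuth.spec.kubernetes.serviceAccount: default` binds the Vault `vso` role to the namespace's default service account, so any pod in `media` running as `default` (livekit-server itself, unless the chart creates its own SA) can present its token and read `secret/livekit` directly, bypassing the VSO-managed Secret and any RBAC on it. Use a dedicated account instead, e.g. `serviceAccount: vso-auth`, created in this file and bound to the Vault role; VSO requests its own tokens for that SA, so no pod needs to run under it. No `rolloutRestartTargets` is set, and LiveKit reads `key_file` at startup as far as I know, so a key rotation in OpenBao will land in the Secret within `refreshAfter: 30s` but not take effect until the pod restarts; add `rolloutRestartTargets: [{kind: Deployment, name: livekit-server}]` (name per the chart) or document the manual restart. Rotation also has to be coordinated with Meet's copy of the key/secret, which this file does not cover.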
@@ -66,3 +66,4 @@ spec: - grafana.DOMAIN_SUFFIX - admin.DOMAIN_SUFFIX - integration.DOMAIN_SUFFIX + - livekit.DOMAIN_SUFFIX