Fix meet: ALLOWED_HOSTS, OIDC callback, and LiveKit connectivity

- meet-config: rename ALLOWED_HOSTS → DJANGO_ALLOWED_HOSTS (django-configurations ListValue uses DJANGO_ prefix by default; without it the list was empty and every browser request got 400 DisallowedHost) - meet-config: set LIVEKIT_API_URL to public https://livekit.DOMAIN_SUFFIX so the meet frontend can reach LiveKit for WebSocket signaling - pingora-config: add livekit.DOMAIN_SUFFIX → livekit-server:80 WebSocket route - cert-manager: add livekit.DOMAIN_SUFFIX to TLS cert dnsNames - oidc-clients: fix meet redirect URI /oidc/callback/ → /api/v1.0/callback/ (meet embeds mozilla-django-oidc inside the api/v1.0/ prefix); add postLogoutRedirectUri for clean logout - livekit-values: replace hardcoded devkey:secret-placeholder with key_file loaded from a VSO-managed K8s Secret (secret/livekit in OpenBao) - media/vault-secrets: add VaultAuth + VaultStaticSecret for media namespace to sync livekit API credentials from OpenBao
2026-03-06 13:56:29 +00:00
parent 1d01a1411a
commit f3faf31d4b
7 changed files with 53 additions and 7 deletions
--- a/base/media/kustomization.yaml
+++ b/base/media/kustomization.yaml
@@ -5,6 +5,7 @@ namespace: media

 resources:
  - namespace.yaml
+  - vault-secrets.yaml

 helmCharts:
  # helm repo add livekit https://helm.livekit.io
--- a/base/media/livekit-values.yaml
+++ b/base/media/livekit-values.yaml
@@ -26,10 +26,13 @@ livekit:
    # Valkey is protocol-compatible with Redis; LiveKit sees this as a Redis endpoint
    address: valkey.data.svc.cluster.local:6379

-  # API keys — overridden per-environment via secrets.
-  # At least one key must be present for the server to start.
-  keys:
-    devkey: secret-placeholder
+  # API keys — loaded from K8s Secret managed by VSO (secret/livekit in OpenBao).
+  # The keys.yaml field contains "devkey: <api-secret>" in YAML format.
+  key_file: keys.yaml
+
+storeKeysInSecret:
+  enabled: true
+  existingSecret: livekit-api-credentials

 deployment:
  # hostNetwork gives LiveKit direct access to the host network namespace,
--- a/base/media/vault-secrets.yaml
+++ b/base/media/vault-secrets.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: vso-auth
+  namespace: media
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: vso
+    serviceAccount: default
+---
+# LiveKit API keys — mounted as keys.yaml into livekit-server pod.
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: livekit-api-credentials
+  namespace: media
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: livekit
+  refreshAfter: 30s
+  destination:
+    name: livekit-api-credentials
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        keys.yaml:
+          text: "{{ index .Secrets \"keys.yaml\" }}"