Fix meet: ALLOWED_HOSTS, OIDC callback, and LiveKit connectivity
- meet-config: rename ALLOWED_HOSTS → DJANGO_ALLOWED_HOSTS (django-configurations ListValue uses DJANGO_ prefix by default; without it the list was empty and every browser request got 400 DisallowedHost) - meet-config: set LIVEKIT_API_URL to public https://livekit.DOMAIN_SUFFIX so the meet frontend can reach LiveKit for WebSocket signaling - pingora-config: add livekit.DOMAIN_SUFFIX → livekit-server:80 WebSocket route - cert-manager: add livekit.DOMAIN_SUFFIX to TLS cert dnsNames - oidc-clients: fix meet redirect URI /oidc/callback/ → /api/v1.0/callback/ (meet embeds mozilla-django-oidc inside the api/v1.0/ prefix); add postLogoutRedirectUri for clean logout - livekit-values: replace hardcoded devkey:secret-placeholder with key_file loaded from a VSO-managed K8s Secret (secret/livekit in OpenBao) - media/vault-secrets: add VaultAuth + VaultStaticSecret for media namespace to sync livekit API credentials from OpenBao
This commit is contained in:
@@ -156,6 +156,11 @@ data:
|
|||||||
host_prefix = "grafana"
|
host_prefix = "grafana"
|
||||||
backend = "http://kube-prometheus-stack-grafana.monitoring.svc.cluster.local:80"
|
backend = "http://kube-prometheus-stack-grafana.monitoring.svc.cluster.local:80"
|
||||||
|
|
||||||
|
[[routes]]
|
||||||
|
host_prefix = "livekit"
|
||||||
|
backend = "http://livekit-server.media.svc.cluster.local:80"
|
||||||
|
websocket = true
|
||||||
|
|
||||||
[[routes]]
|
[[routes]]
|
||||||
host_prefix = "s3"
|
host_prefix = "s3"
|
||||||
backend = "http://seaweedfs-filer.storage.svc.cluster.local:8333"
|
backend = "http://seaweedfs-filer.storage.svc.cluster.local:8333"
|
||||||
|
|||||||
@@ -6,9 +6,9 @@ metadata:
|
|||||||
data:
|
data:
|
||||||
DJANGO_CONFIGURATION: Production
|
DJANGO_CONFIGURATION: Production
|
||||||
DJANGO_SETTINGS_MODULE: meet.settings
|
DJANGO_SETTINGS_MODULE: meet.settings
|
||||||
ALLOWED_HOSTS: meet.DOMAIN_SUFFIX
|
DJANGO_ALLOWED_HOSTS: meet.DOMAIN_SUFFIX
|
||||||
DJANGO_CSRF_TRUSTED_ORIGINS: https://meet.DOMAIN_SUFFIX
|
DJANGO_CSRF_TRUSTED_ORIGINS: https://meet.DOMAIN_SUFFIX
|
||||||
DB_NAME: meet_db
|
DB_NAME: meet_db
|
||||||
DB_USER: meet
|
DB_USER: meet
|
||||||
AWS_STORAGE_BUCKET_NAME: sunbeam-meet
|
AWS_STORAGE_BUCKET_NAME: sunbeam-meet
|
||||||
LIVEKIT_API_URL: http://livekit-server.media.svc.cluster.local:7880
|
LIVEKIT_API_URL: https://livekit.DOMAIN_SUFFIX
|
||||||
|
|||||||
@@ -61,7 +61,9 @@ spec:
|
|||||||
- code
|
- code
|
||||||
scope: openid email profile
|
scope: openid email profile
|
||||||
redirectUris:
|
redirectUris:
|
||||||
- https://meet.DOMAIN_SUFFIX/oidc/callback/
|
- https://meet.DOMAIN_SUFFIX/api/v1.0/callback/
|
||||||
|
postLogoutRedirectUris:
|
||||||
|
- https://meet.DOMAIN_SUFFIX/api/v1.0/logout-callback/
|
||||||
tokenEndpointAuthMethod: client_secret_post
|
tokenEndpointAuthMethod: client_secret_post
|
||||||
secretName: oidc-meet
|
secretName: oidc-meet
|
||||||
skipConsent: true
|
skipConsent: true
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ namespace: media
|
|||||||
|
|
||||||
resources:
|
resources:
|
||||||
- namespace.yaml
|
- namespace.yaml
|
||||||
|
- vault-secrets.yaml
|
||||||
|
|
||||||
helmCharts:
|
helmCharts:
|
||||||
# helm repo add livekit https://helm.livekit.io
|
# helm repo add livekit https://helm.livekit.io
|
||||||
|
|||||||
@@ -26,10 +26,13 @@ livekit:
|
|||||||
# Valkey is protocol-compatible with Redis; LiveKit sees this as a Redis endpoint
|
# Valkey is protocol-compatible with Redis; LiveKit sees this as a Redis endpoint
|
||||||
address: valkey.data.svc.cluster.local:6379
|
address: valkey.data.svc.cluster.local:6379
|
||||||
|
|
||||||
# API keys — overridden per-environment via secrets.
|
# API keys — loaded from K8s Secret managed by VSO (secret/livekit in OpenBao).
|
||||||
# At least one key must be present for the server to start.
|
# The keys.yaml field contains "devkey: <api-secret>" in YAML format.
|
||||||
keys:
|
key_file: keys.yaml
|
||||||
devkey: secret-placeholder
|
|
||||||
|
storeKeysInSecret:
|
||||||
|
enabled: true
|
||||||
|
existingSecret: livekit-api-credentials
|
||||||
|
|
||||||
deployment:
|
deployment:
|
||||||
# hostNetwork gives LiveKit direct access to the host network namespace,
|
# hostNetwork gives LiveKit direct access to the host network namespace,
|
||||||
|
|||||||
34
base/media/vault-secrets.yaml
Normal file
34
base/media/vault-secrets.yaml
Normal file
@@ -0,0 +1,34 @@
|
|||||||
|
---
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultAuth
|
||||||
|
metadata:
|
||||||
|
name: vso-auth
|
||||||
|
namespace: media
|
||||||
|
spec:
|
||||||
|
method: kubernetes
|
||||||
|
mount: kubernetes
|
||||||
|
kubernetes:
|
||||||
|
role: vso
|
||||||
|
serviceAccount: default
|
||||||
|
---
|
||||||
|
# LiveKit API keys — mounted as keys.yaml into livekit-server pod.
|
||||||
|
apiVersion: secrets.hashicorp.com/v1beta1
|
||||||
|
kind: VaultStaticSecret
|
||||||
|
metadata:
|
||||||
|
name: livekit-api-credentials
|
||||||
|
namespace: media
|
||||||
|
spec:
|
||||||
|
vaultAuthRef: vso-auth
|
||||||
|
mount: secret
|
||||||
|
type: kv-v2
|
||||||
|
path: livekit
|
||||||
|
refreshAfter: 30s
|
||||||
|
destination:
|
||||||
|
name: livekit-api-credentials
|
||||||
|
create: true
|
||||||
|
overwrite: true
|
||||||
|
transformation:
|
||||||
|
excludeRaw: true
|
||||||
|
templates:
|
||||||
|
keys.yaml:
|
||||||
|
text: "{{ index .Secrets \"keys.yaml\" }}"
|
||||||
@@ -66,3 +66,4 @@ spec:
|
|||||||
- grafana.DOMAIN_SUFFIX
|
- grafana.DOMAIN_SUFFIX
|
||||||
- admin.DOMAIN_SUFFIX
|
- admin.DOMAIN_SUFFIX
|
||||||
- integration.DOMAIN_SUFFIX
|
- integration.DOMAIN_SUFFIX
|
||||||
|
- livekit.DOMAIN_SUFFIX
|
||||||
|
|||||||
Reference in New Issue
Block a user