Sienna Meridian Satterwhite
f3faf31d4b
- meet-config: rename ALLOWED_HOSTS → DJANGO_ALLOWED_HOSTS (django-configurations ListValue uses DJANGO_ prefix by default; without it the list was empty and every browser request got 400 DisallowedHost) - meet-config: set LIVEKIT_API_URL to public https://livekit.DOMAIN_SUFFIX so the meet frontend can reach LiveKit for WebSocket signaling - pingora-config: add livekit.DOMAIN_SUFFIX → livekit-server:80 WebSocket route - cert-manager: add livekit.DOMAIN_SUFFIX to TLS cert dnsNames - oidc-clients: fix meet redirect URI /oidc/callback/ → /api/v1.0/callback/ (meet embeds mozilla-django-oidc inside the api/v1.0/ prefix); add postLogoutRedirectUri for clean logout - livekit-values: replace hardcoded devkey:secret-placeholder with key_file loaded from a VSO-managed K8s Secret (secret/livekit in OpenBao) - media/vault-secrets: add VaultAuth + VaultStaticSecret for media namespace to sync livekit API credentials from OpenBao
35 lines
726 B
YAML
35 lines
726 B
YAML
---
|
|
apiVersion: secrets.hashicorp.com/v1beta1
|
|
kind: VaultAuth
|
|
metadata:
|
|
name: vso-auth
|
|
namespace: media
|
|
spec:
|
|
method: kubernetes
|
|
mount: kubernetes
|
|
kubernetes:
|
|
role: vso
|
|
serviceAccount: default
|
|
---
|
|
# LiveKit API keys — mounted as keys.yaml into livekit-server pod.
|
|
apiVersion: secrets.hashicorp.com/v1beta1
|
|
kind: VaultStaticSecret
|
|
metadata:
|
|
name: livekit-api-credentials
|
|
namespace: media
|
|
spec:
|
|
vaultAuthRef: vso-auth
|
|
mount: secret
|
|
type: kv-v2
|
|
path: livekit
|
|
refreshAfter: 30s
|
|
destination:
|
|
name: livekit-api-credentials
|
|
create: true
|
|
overwrite: true
|
|
transformation:
|
|
excludeRaw: true
|
|
templates:
|
|
keys.yaml:
|
|
text: "{{ index .Secrets \"keys.yaml\" }}"
|