diff --git a/element-call/Chart.yaml b/element-call/Chart.yaml
index 02b7852..251e45b 100644
--- a/element-call/Chart.yaml
+++ b/element-call/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: element-call
 description: Run Element-Call and his dependencies
 type: application
-version: 0.0.2
+version: 0.1.0
 # renovate: image=ghcr.io/element-hq/element-call
 appVersion: "0.6.0"
 maintainers:
diff --git a/element-call/README.adoc b/element-call/README.adoc
index a577219..d036a29 100644
--- a/element-call/README.adoc
+++ b/element-call/README.adoc
@@ -2,7 +2,7 @@
 = element-call
 
 
-image::https://img.shields.io/badge/Version-0.0.2-informational?style=flat-square[Version: 0.0.2]
+image::https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square[Version: 0.1.0]
 image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application]
 image::https://img.shields.io/badge/AppVersion-0.6.0-informational?style=flat-square[AppVersion: 0.6.0]
 == Maintainers
@@ -157,6 +157,26 @@ helm uninstall element-call-release
 | `"http"`
 |
 
+| service.call.networkPolicy.egress.enabled
+| bool
+| `true`
+| activate egress no networkpolicy
+
+| service.call.networkPolicy.egress.extra
+| list
+| `[]`
+| egress rules
+
+| service.call.networkPolicy.enabled
+| bool
+| `false`
+|
+
+| service.call.networkPolicy.ingress.http
+| list
+| `[]`
+| ingress for http port (e.g. ingress-controller)
+
 | service.call.nodeSelector
 | object
 | `{}`
@@ -247,6 +267,11 @@ helm uninstall element-call-release
 | `""`
 |
 
+| service.lkJWT.enabled
+| bool
+| `true`
+|
+
 | service.lkJWT.image.pullPolicy
 | string
 | `"IfNotPresent"`
@@ -282,6 +307,26 @@ helm uninstall element-call-release
 | `"http"`
 |
 
+| service.lkJWT.networkPolicy.egress.enabled
+| bool
+| `false`
+| activate egress no networkpolicy
+
+| service.lkJWT.networkPolicy.egress.extra
+| list
+| `[]`
+| egress rules
+
+| service.lkJWT.networkPolicy.enabled
+| bool
+| `false`
+|
+
+| service.lkJWT.networkPolicy.ingress.http
+| list
+| `[]`
+| ingress for http port (e.g. ingress-controller)
+
 | service.lkJWT.nodeSelector
 | object
 | `{}`
diff --git a/element-call/templates/ingress.yaml b/element-call/templates/ingress.yaml
index b31c1e4..cced22b 100644
--- a/element-call/templates/ingress.yaml
+++ b/element-call/templates/ingress.yaml
@@ -29,9 +29,12 @@ spec:
 name: {{ $fullName }}
 port:
 name: http
+ {{- if .Values.service.lkJWT.enabled }}
+ {{- if (eq .Values.service.lkJWT.ingress.host .Values.service.call.ingress.host)}}
 - host: {{ .Values.service.lkJWT.ingress.host | quote }}
 http:
 paths:
+ {{- end }}
 - path: /sfu/get
 pathType: Exact
 backend:
@@ -39,4 +42,5 @@ spec:
 name: {{ $fullName }}-lk-jwt
 port:
 name: http
+ {{- end }}
 {{- end }}
diff --git a/element-call/templates/lk-jwt/deployment.yaml b/element-call/templates/lk-jwt/deployment.yaml
index c504d72..037ef4f 100644
--- a/element-call/templates/lk-jwt/deployment.yaml
+++ b/element-call/templates/lk-jwt/deployment.yaml
@@ -1,5 +1,6 @@
 {{- $fullName := include "element-call.fullname" . -}}
 {{- with .Values.service.lkJWT }}
+{{- if .enabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -17,10 +18,11 @@ spec:
 app.kubernetes.io/component: lk-jwt
 template:
 metadata:
- {{- with .podAnnotations }}
 annotations:
+ secret-env-hash: {{ include (print $.Template.BasePath "/lk-jwt/secret.yaml") $ | sha256sum }}
+ {{- with .podAnnotations }}
 {{- toYaml . | nindent 8 }}
- {{- end }}
+ {{- end }}
 labels:
 {{- include "element-call.labels" $ | nindent 8 }}
 app.kubernetes.io/component: lk-jwt
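Review bot: The `eq` guard on the second added line of the ingress.yaml hunk appears inverted: when `service.lkJWT.ingress.host` equals `service.call.ingress.host` it emits a second `- host:` rule for the very same host, and when the hosts differ it drops the host stanza, so `/sfu/get` is appended to the preceding call host's `paths` and is never served under the lkJWT host. If the intent is to fold the path into the call host's rule only when the hosts match, the condition should read `{{- if ne .Values.service.lkJWT.ingress.host .Values.service.call.ingress.host }}`. Either way a comment such as `{{/* same host as call: reuse its rule instead of opening a second host block */}}` would make the branch legible. The `spec.rules` list and the template's outer `if`/`with` start before this hunk, so the surrounding shape is inferred.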
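Review bot: The new `secret-env-hash` annotation in the deployment.yaml hunk carries no comment saying why it exists, so a later edit may drop it as noise; add `{{/* digest of lk-jwt/secret.yaml so a changed LiveKit key/secret triggers a rollout */}}` above it. That comment should also record that the value is a deterministic SHA-256 of the fully rendered Secret (base64-encoded key and secret included), so anyone who can read pod metadata can tell whether a candidate value is the live one — the usual trade-off of this pattern, and one more reason the `secret: "secret"` default in values.yaml must not reach production. Moving `{{- with .podAnnotations }}` below the fixed key also means a user-supplied `secret-env-hash` annotation would now duplicate the key inside the same mapping; noting the key as reserved in values.yaml is enough. The enclosing `{{- with .Values.service.lkJWT }}` block starts before this hunk.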
@@ -73,4 +75,5 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+{{- end }}{{/* end-if .enabled */}}
 {{- end }}{{/* end-with .Values.service.lkJWT */}}
diff --git a/element-call/templates/lk-jwt/networkpolicy.yaml b/element-call/templates/lk-jwt/networkpolicy.yaml
new file mode 100644
index 0000000..b04dbb7
--- /dev/null
+++ b/element-call/templates/lk-jwt/networkpolicy.yaml
@@ -0,0 +1,31 @@
+{{- with .Values.service.lkJWT.networkPolicy }}
+{{- if and $.Values.service.lkJWT.enabled .enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "element-call.fullname" $ }}-lk-jwt
+ labels:
+ {{- include "element-call.labels" $ | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "element-call.selectorLabels" $ | nindent 6 }}
+ app.kubernetes.io/component: lk-jwt
+ policyTypes:
+ - Ingress
+ {{- if .egress.enabled }}
+ - Egress
+ {{- end }}
+ ingress:
+ - ports:
+ - port: 8080
+ protocol: TCP
+ from:
+ {{- toYaml .ingress.http | nindent 8 }}
+ {{- with .egress }}
+ egress:
+ {{- toYaml .extra | nindent 4 }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/element-call/templates/lk-jwt/secret.yaml b/element-call/templates/lk-jwt/secret.yaml
index 06968fd..771f342 100644
--- a/element-call/templates/lk-jwt/secret.yaml
+++ b/element-call/templates/lk-jwt/secret.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.service.lkJWT.enabled }}
 ---
 apiVersion: v1
 kind: Secret
@@ -10,3 +11,4 @@ data:
 LIVEKIT_KEY: {{ .key | b64enc }}
 LIVEKIT_SECRET: {{ .secret | b64enc }}
 {{- end }}
+{{- end }}
diff --git a/element-call/templates/lk-jwt/service.yaml b/element-call/templates/lk-jwt/service.yaml
index a0f0e38..90f602a 100644
--- a/element-call/templates/lk-jwt/service.yaml
+++ b/element-call/templates/lk-jwt/service.yaml
@@ -1,3 +1,5 @@
+{{- if .Values.service.lkJWT.enabled }}
+---
 apiVersion: v1
 kind: Service
 metadata:
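Review bot: In the new lk-jwt/networkpolicy.yaml, the default `ingress.http: []` renders as `from: []`, which the NetworkPolicy API treats as "no source restriction", so enabling the policy with stock values allows TCP/8080 from any peer rather than only the ingress controller the values comment hints at; a comment above `from:` such as `# an empty list allows every source; list the ingress-controller namespace/pod selector to restrict` and a matching note in values.yaml would prevent that surprise. The `{{- with .egress }}` block is always entered because `.egress` is a populated map, so `egress:` is rendered even when `egress.enabled` is false; using `{{- if .egress.enabled }}` instead ties the rules to the `policyTypes` entry and makes explicit that `enabled: true` with an empty `extra` denies all outbound traffic, DNS included. The hard-coded `port: 8080` is presumably the container port the lk-jwt Service targets, which cannot be confirmed from this diff and deserves a comment. Both points apply equally to the new `templates/networkpolicy.yaml` for the call component.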
@@ -14,3 +16,4 @@ spec:
 selector:
 {{- include "element-call.selectorLabels" . | nindent 4 }}
 app.kubernetes.io/component: lk-jwt
+{{- end }}
diff --git a/element-call/templates/lk-jwt/serviceaccount.yaml b/element-call/templates/lk-jwt/serviceaccount.yaml
index f46447e..4ce35f4 100644
--- a/element-call/templates/lk-jwt/serviceaccount.yaml
+++ b/element-call/templates/lk-jwt/serviceaccount.yaml
@@ -1,5 +1,5 @@
 {{- with .Values.service.lkJWT }}
-{{- if .serviceAccount.create -}}
+{{- if and .enabled .serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
diff --git a/element-call/templates/networkpolicy.yaml b/element-call/templates/networkpolicy.yaml
new file mode 100644
index 0000000..3aab727
--- /dev/null
+++ b/element-call/templates/networkpolicy.yaml
@@ -0,0 +1,31 @@
+{{- with .Values.service.call.networkPolicy }}
+{{- if .enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "element-call.fullname" $ }}
+ labels:
+ {{- include "element-call.labels" $ | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "element-call.selectorLabels" $ | nindent 6 }}
+ app.kubernetes.io/component: call
+ policyTypes:
+ - Ingress
+ {{- if .egress.enabled }}
+ - Egress
+ {{- end }}
+ ingress:
+ - ports:
+ - port: 8080
+ protocol: TCP
+ from:
+ {{- toYaml .ingress.http | nindent 8 }}
+ {{- with .egress }}
+ egress:
+ {{- toYaml .extra | nindent 4 }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/element-call/values.yaml b/element-call/values.yaml
index 5da5a53..a2ebc4c 100644
--- a/element-call/values.yaml
+++ b/element-call/values.yaml
@@ -3,14 +3,12 @@ global:
 # -- if set it will overwrite all registry entries
 registry:
 # -- if set it will overwrite all pullPolicy
- pullPolicy:
+ pullPolicy:
 
 imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
-
-
 ingress:
 enabled: false
 className: ""
@@ -39,6 +37,16 @@ service:
 config: {}
 ingress:
 host:
+networkPolicy:
+enabled: false
+ingress:
+# -- ingress for http port (e.g. ingress-controller)
+http: []
+egress:
+# -- activate egress no networkpolicy
+enabled: true
+# -- egress rules
+extra: []
 livenessProbe:
 httpGet:
 path: /
@@ -77,6 +85,7 @@ service:
 affinity: {}
 
 lkJWT:
+enabled: true
 replicaCount: 1
 image:
 registry: ghcr.io
@@ -89,6 +98,16 @@ service:
 secret: "secret"
 ingress:
 host:
+networkPolicy:
+enabled: false
+ingress:
+# -- ingress for http port (e.g. ingress-controller)
+http: []
+egress:
+# -- activate egress no networkpolicy
+enabled: false
+# -- egress rules
+extra: []
 livenessProbe:
 httpGet:
 path: /healthz
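Review bot: The helm-docs comment `# -- activate egress no networkpolicy` on the call egress toggle reads as a typo and does not say what the toggle does; since `enabled: true` together with `extra: []` renders a policy that denies all outbound traffic from the call pod, something like `# -- add the Egress policy type; with an empty extra list all egress (DNS included) is blocked` is closer to the effect. Likewise `http: []` deserves `# -- peers allowed to reach the http port; an empty list allows every source`, because the rendered `from: []` imposes no source restriction. The same two comments recur in the lkJWT block later in this hunk set, where `egress.enabled` defaults to `false`, so both copies should be updated together; these comments are also what the README table reproduces.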