fix(element-call): improve auto-restart, optional lk-jwt and networkpolicy

element-call/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: element-call
 description: Run Element-Call and his dependencies
 type: application
-version: 0.0.2
+version: 0.1.0
 # renovate: image=ghcr.io/element-hq/element-call
 appVersion: "0.6.0"
 maintainers:

element-call/README.adoc

@@ -2,7 +2,7 @@
 
 = element-call
 
-image::https://img.shields.io/badge/Version-0.0.2-informational?style=flat-square[Version: 0.0.2]
+image::https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square[Version: 0.1.0]
 image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application]
 image::https://img.shields.io/badge/AppVersion-0.6.0-informational?style=flat-square[AppVersion: 0.6.0]
 == Maintainers
@@ -157,6 +157,26 @@ helm uninstall element-call-release
 | `"http"`
 |
 
+| service.call.networkPolicy.egress.enabled
+| bool
+| `true`
+| activate egress no networkpolicy
+
+| service.call.networkPolicy.egress.extra
+| list
+| `[]`
+| egress rules
+
+| service.call.networkPolicy.enabled
+| bool
+| `false`
+|
+
+| service.call.networkPolicy.ingress.http
+| list
+| `[]`
+| ingress for http port (e.g. ingress-controller)
+
 | service.call.nodeSelector
 | object
 | `{}`
@@ -247,6 +267,11 @@ helm uninstall element-call-release
 | `""`
 |
 
+| service.lkJWT.enabled
+| bool
+| `true`
+|
+
 | service.lkJWT.image.pullPolicy
 | string
 | `"IfNotPresent"`
@@ -282,6 +307,26 @@ helm uninstall element-call-release
 | `"http"`
 |
 
+| service.lkJWT.networkPolicy.egress.enabled
+| bool
+| `false`
+| activate egress no networkpolicy
+
+| service.lkJWT.networkPolicy.egress.extra
+| list
+| `[]`
+| egress rules
+
+| service.lkJWT.networkPolicy.enabled
+| bool
+| `false`
+|
+
+| service.lkJWT.networkPolicy.ingress.http
+| list
+| `[]`
+| ingress for http port (e.g. ingress-controller)
+
 | service.lkJWT.nodeSelector
 | object
 | `{}`

element-call/templates/ingress.yaml

@@ -29,9 +29,12 @@ spec:
                 name: {{ $fullName }}
                 port:
                   name: http
+    {{- if .Values.service.lkJWT.enabled }}
+    {{- if (eq .Values.service.lkJWT.ingress.host .Values.service.call.ingress.host)}}
     - host: {{ .Values.service.lkJWT.ingress.host | quote }}
       http:
         paths:
+    {{- end }}
           - path: /sfu/get
             pathType: Exact
             backend:
@@ -39,4 +42,5 @@ spec:
                 name: {{ $fullName }}-lk-jwt
                 port:
                   name: http
+    {{- end }}
 {{- end }}

element-call/templates/lk-jwt/deployment.yaml

@@ -1,5 +1,6 @@
 {{- $fullName := include "element-call.fullname" . -}}
 {{- with .Values.service.lkJWT }}
+{{- if .enabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -17,10 +18,11 @@ spec:
       app.kubernetes.io/component: lk-jwt
   template:
     metadata:
-      {{- with .podAnnotations }}
       annotations:
+        secret-env-hash: {{ include (print $.Template.BasePath "/lk-jwt/secret.yaml") $ | sha256sum }}
+        {{- with .podAnnotations }}
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- end }}
       labels:
         {{- include "element-call.labels" $ | nindent 8 }}
         app.kubernetes.io/component: lk-jwt
@@ -73,4 +75,5 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+{{- end }}{{/* end-if .enabled */}}
 {{- end }}{{/* end-with .Values.service.lkJWT */}}

element-call/templates/lk-jwt/networkpolicy.yaml

@@ -0,0 +1,31 @@
+{{- with .Values.service.lkJWT.networkPolicy }}
+{{- if and $.Values.service.lkJWT.enabled .enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "element-call.fullname" $ }}-lk-jwt
+  labels:
+    {{- include "element-call.labels" $ | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "element-call.selectorLabels" $ | nindent 6 }}
+      app.kubernetes.io/component: lk-jwt
+  policyTypes:
+    - Ingress
+    {{- if .egress.enabled }}
+    - Egress
+    {{- end }}
+  ingress:
+    - ports:
+        - port: 8080
+          protocol: TCP
+      from:
+        {{- toYaml .ingress.http | nindent 8 }}
+  {{- with .egress }}
+  egress:
+    {{- toYaml .extra | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}

element-call/templates/lk-jwt/secret.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.service.lkJWT.enabled }}
 ---
 apiVersion: v1
 kind: Secret
@@ -10,3 +11,4 @@ data:
   LIVEKIT_KEY: {{ .key | b64enc }}
   LIVEKIT_SECRET: {{ .secret | b64enc }}
   {{- end }}
+{{- end }}

element-call/templates/lk-jwt/service.yaml

@@ -1,3 +1,5 @@
+{{- if .Values.service.lkJWT.enabled }}
+---
 apiVersion: v1
 kind: Service
 metadata:
@@ -14,3 +16,4 @@ spec:
   selector:
     {{- include "element-call.selectorLabels" . | nindent 4 }}
     app.kubernetes.io/component: lk-jwt
+{{- end }}

element-call/templates/lk-jwt/serviceaccount.yaml

@@ -1,5 +1,5 @@
 {{- with .Values.service.lkJWT }}
-{{- if .serviceAccount.create -}}
+{{- if and .enabled .serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:

element-call/templates/networkpolicy.yaml

@@ -0,0 +1,31 @@
+{{- with .Values.service.call.networkPolicy }}
+{{- if .enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "element-call.fullname" $ }}
+  labels:
+    {{- include "element-call.labels" $ | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "element-call.selectorLabels" $ | nindent 6 }}
+      app.kubernetes.io/component: call
+  policyTypes:
+    - Ingress
+    {{- if .egress.enabled }}
+    - Egress
+    {{- end }}
+  ingress:
+    - ports:
+        - port: 8080
+          protocol: TCP
+      from:
+        {{- toYaml .ingress.http | nindent 8 }}
+  {{- with .egress }}
+  egress:
+    {{- toYaml .extra | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}

element-call/values.yaml

@@ -9,8 +9,6 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
-
-
 ingress:
   enabled: false
   className: ""
@@ -39,6 +37,16 @@ service:
     config: {}
     ingress:
       host:
+    networkPolicy:
+      enabled: false
+      ingress:
+        # -- ingress for http port (e.g. ingress-controller)
+        http: []
+      egress:
+        # -- activate egress no networkpolicy
+        enabled: true
+        # -- egress rules
+        extra: []
     livenessProbe:
       httpGet:
         path: /
@@ -77,6 +85,7 @@ service:
     affinity: {}
 
   lkJWT:
+    enabled: true
     replicaCount: 1
     image:
       registry: ghcr.io
@@ -89,6 +98,16 @@ service:
       secret: "secret"
     ingress:
       host:
+    networkPolicy:
+      enabled: false
+      ingress:
+        # -- ingress for http port (e.g. ingress-controller)
+        http: []
+      egress:
+        # -- activate egress no networkpolicy
+        enabled: false
+        # -- egress rules
+        extra: []
     livenessProbe:
       httpGet:
         path: /healthz