fix(element-call): improve auto-restart, optional lk-jwt and networkpolicy

2024-08-23 15:16:47 +02:00 · 2024-08-23 15:16:47 +02:00 · b9234328e9
commit b9234328e9
parent d9944d6c3f
10 changed files with 146 additions and 8 deletions
--- a/element-call/Chart.yaml
+++ b/element-call/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: element-call
 description: Run Element-Call and his dependencies
 type: application
-version: 0.0.2
+version: 0.1.0
 # renovate: image=ghcr.io/element-hq/element-call
 appVersion: "0.6.0"
 maintainers:
--- a/element-call/README.adoc
+++ b/element-call/README.adoc
@ -2,7 +2,7 @@

 = element-call

-image::https://img.shields.io/badge/Version-0.0.2-informational?style=flat-square[Version: 0.0.2]
+image::https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square[Version: 0.1.0]
 image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application]
 image::https://img.shields.io/badge/AppVersion-0.6.0-informational?style=flat-square[AppVersion: 0.6.0]
 == Maintainers
@ -157,6 +157,26 @@ helm uninstall element-call-release
 | `"http"`
 |

+| service.call.networkPolicy.egress.enabled
+| bool
+| `true`
+| activate egress no networkpolicy
+
+| service.call.networkPolicy.egress.extra
+| list
+| `[]`
+| egress rules
+
+| service.call.networkPolicy.enabled
+| bool
+| `false`
+|
+
+| service.call.networkPolicy.ingress.http
+| list
+| `[]`
+| ingress for http port (e.g. ingress-controller)
+
 | service.call.nodeSelector
 | object
 | `{}`
@ -247,6 +267,11 @@ helm uninstall element-call-release
 | `""`
 |

+| service.lkJWT.enabled
+| bool
+| `true`
+|
+
 | service.lkJWT.image.pullPolicy
 | string
 | `"IfNotPresent"`
@ -282,6 +307,26 @@ helm uninstall element-call-release
 | `"http"`
 |

+| service.lkJWT.networkPolicy.egress.enabled
+| bool
+| `false`
+| activate egress no networkpolicy
+
+| service.lkJWT.networkPolicy.egress.extra
+| list
+| `[]`
+| egress rules
+
+| service.lkJWT.networkPolicy.enabled
+| bool
+| `false`
+|
+
+| service.lkJWT.networkPolicy.ingress.http
+| list
+| `[]`
+| ingress for http port (e.g. ingress-controller)
+
 | service.lkJWT.nodeSelector
 | object
 | `{}`
--- a/element-call/templates/ingress.yaml
+++ b/element-call/templates/ingress.yaml
@ -29,9 +29,12 @@ spec:
                name: {{ $fullName }}
                port:
                  name: http
+    {{- if .Values.service.lkJWT.enabled }}
+    {{- if (eq .Values.service.lkJWT.ingress.host .Values.service.call.ingress.host)}}
    - host: {{ .Values.service.lkJWT.ingress.host | quote }}
      http:
        paths:
+    {{- end }}
          - path: /sfu/get
            pathType: Exact
            backend:
@ -39,4 +42,5 @@ spec:
                name: {{ $fullName }}-lk-jwt
                port:
                  name: http
+    {{- end }}
 {{- end }}
--- a/element-call/templates/lk-jwt/deployment.yaml
+++ b/element-call/templates/lk-jwt/deployment.yaml
@ -1,5 +1,6 @@
 {{- $fullName := include "element-call.fullname" . -}}
 {{- with .Values.service.lkJWT }}
+{{- if .enabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@ -17,10 +18,11 @@ spec:
      app.kubernetes.io/component: lk-jwt
  template:
    metadata:
-      {{- with .podAnnotations }}
      annotations:
+        secret-env-hash: {{ include (print $.Template.BasePath "/lk-jwt/secret.yaml") $ | sha256sum }}
+        {{- with .podAnnotations }}
        {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- end }}
      labels:
        {{- include "element-call.labels" $ | nindent 8 }}
        app.kubernetes.io/component: lk-jwt
@ -73,4 +75,5 @@ spec:
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
+{{- end }}{{/* end-if .enabled */}}
 {{- end }}{{/* end-with .Values.service.lkJWT */}}
--- a/element-call/templates/lk-jwt/networkpolicy.yaml
+++ b/element-call/templates/lk-jwt/networkpolicy.yaml
@ -0,0 +1,31 @@
+{{- with .Values.service.lkJWT.networkPolicy }}
+{{- if and $.Values.service.lkJWT.enabled .enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "element-call.fullname" $ }}-lk-jwt
+  labels:
+    {{- include "element-call.labels" $ | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "element-call.selectorLabels" $ | nindent 6 }}
+      app.kubernetes.io/component: lk-jwt
+  policyTypes:
+    - Ingress
+    {{- if .egress.enabled }}
+    - Egress
+    {{- end }}
+  ingress:
+    - ports:
+        - port: 8080
+          protocol: TCP
+      from:
+        {{- toYaml .ingress.http | nindent 8 }}
+  {{- with .egress }}
+  egress:
+    {{- toYaml .extra | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}
--- a/element-call/templates/lk-jwt/secret.yaml
+++ b/element-call/templates/lk-jwt/secret.yaml
@ -1,3 +1,4 @@
+{{- if .Values.service.lkJWT.enabled }}
 ---
 apiVersion: v1
 kind: Secret
@ -10,3 +11,4 @@ data:
  LIVEKIT_KEY: {{ .key | b64enc }}
  LIVEKIT_SECRET: {{ .secret | b64enc }}
  {{- end }}
+{{- end }}
--- a/element-call/templates/lk-jwt/service.yaml
+++ b/element-call/templates/lk-jwt/service.yaml
@ -1,3 +1,5 @@
+{{- if .Values.service.lkJWT.enabled }}
+---
 apiVersion: v1
 kind: Service
 metadata:
@ -14,3 +16,4 @@ spec:
  selector:
    {{- include "element-call.selectorLabels" . | nindent 4 }}
    app.kubernetes.io/component: lk-jwt
+{{- end }}
--- a/element-call/templates/lk-jwt/serviceaccount.yaml
+++ b/element-call/templates/lk-jwt/serviceaccount.yaml
@ -1,5 +1,5 @@
 {{- with .Values.service.lkJWT }}
-{{- if .serviceAccount.create -}}
+{{- if and .enabled .serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
--- a/element-call/templates/networkpolicy.yaml
+++ b/element-call/templates/networkpolicy.yaml
@ -0,0 +1,31 @@
+{{- with .Values.service.call.networkPolicy }}
+{{- if .enabled }}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "element-call.fullname" $ }}
+  labels:
+    {{- include "element-call.labels" $ | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "element-call.selectorLabels" $ | nindent 6 }}
+      app.kubernetes.io/component: call
+  policyTypes:
+    - Ingress
+    {{- if .egress.enabled }}
+    - Egress
+    {{- end }}
+  ingress:
+    - ports:
+        - port: 8080
+          protocol: TCP
+      from:
+        {{- toYaml .ingress.http | nindent 8 }}
+  {{- with .egress }}
+  egress:
+    {{- toYaml .extra | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}
--- a/element-call/values.yaml
+++ b/element-call/values.yaml
@ -9,8 +9,6 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""

-
-
 ingress:
  enabled: false
  className: ""
@ -39,6 +37,16 @@ service:
    config: {}
    ingress:
      host:
+    networkPolicy:
+      enabled: false
+      ingress:
+        # -- ingress for http port (e.g. ingress-controller)
+        http: []
+      egress:
+        # -- activate egress no networkpolicy
+        enabled: true
+        # -- egress rules
+        extra: []
    livenessProbe:
      httpGet:
        path: /
@ -77,6 +85,7 @@ service:
    affinity: {}

  lkJWT:
+    enabled: true
    replicaCount: 1
    image:
      registry: ghcr.io
@ -89,6 +98,16 @@ service:
      secret: "secret"
    ingress:
      host:
+    networkPolicy:
+      enabled: false
+      ingress:
+        # -- ingress for http port (e.g. ingress-controller)
+        http: []
+      egress:
+        # -- activate egress no networkpolicy
+        enabled: false
+        # -- egress rules
+        extra: []
    livenessProbe:
      httpGet:
        path: /healthz