From 1323ef142e789820acb05cb4991d10502a35498b Mon Sep 17 00:00:00 2001 From: emrah Date: Tue, 21 Jan 2025 15:04:06 +0300 Subject: [PATCH] fix(jitsi): Support for phone dial-in into Jitsi conferences --- docs/security-context.md | 1 + helmfile/apps/jitsi/values-jitsi.yaml.gotmpl | 31 ++++++++++++++++++- .../environments/default/images.yaml.gotmpl | 22 +++++++++---- .../environments/default/replicas.yaml.gotmpl | 2 ++ .../default/resources.yaml.gotmpl | 12 +++++-- .../environments/default/secrets.yaml.gotmpl | 1 + .../environments/default/selinux.yaml.gotmpl | 1 + helmfile/environments/default/sip.yaml.gotmpl | 14 +++++++++ 8 files changed, 75 insertions(+), 9 deletions(-) create mode 100644 helmfile/environments/default/sip.yaml.gotmpl diff --git a/docs/security-context.md b/docs/security-context.md index ed1ecabb..f678e17d 100644 --- a/docs/security-context.md +++ b/docs/security-context.md @@ -164,6 +164,7 @@ This list gives you an overview of templated security settings and if they compl | **jitsi**/jitsi | :white_check_mark: | no | no | yes | yes | 1993 | 1993 | yes | yes | | **jitsi**/jitsi/jitsi/jibri | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no ["SYS_ADMIN"] | | **jitsi**/jitsi/jitsi/jicofo | :x: | no | no | no | no | 0 | 0 | yes | no | +| **jitsi**/jitsi/jitsi/jigasi | :x: | no | no | no | no | 0 | 0 | yes | no | | **jitsi**/jitsi/jitsi/jvb | :x: | no | no | no | no | 0 | 0 | yes | no | | **jitsi**/jitsi/jitsi/prosody | :x: | no | no | no | no | 0 | 0 | yes | no | | **jitsi**/jitsi/jitsi/web | :x: | no | no | no | no | 0 | 0 | yes | no | diff --git a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl index 17e3bb62..c7f31611 100644 --- a/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl +++ b/helmfile/apps/jitsi/values-jitsi.yaml.gotmpl 
@@ -85,7 +85,7 @@ jitsi: - secretName: {{ .Values.ingress.tls.secretName | quote }} hosts: - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}" - extraConfigJs: + extraConfig: doNotStoreRoom: {{ not .Values.functional.dataProtection.jitsiRoomHistory.enabled }} extraEnvs: TURN_ENABLE: "1" @@ -175,6 +175,35 @@ jitsi: type: "RuntimeDefault" seLinuxOptions: {{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }} + jigasi: + replicaCount: {{ .Values.replicas.jigasi }} + enabled: {{ .Values.sip.jigasi.enabled }} + image: + repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jigasi.registry }}/{{ .Values.images.jigasi.repository }}" + tag: {{ .Values.images.jigasi.tag | quote }} + pullPolicy: {{ .Values.global.imagePullPolicy | quote }} + extraEnvs: + JIGASI_SIP_PASSWORD: {{ .Values.sip.jigasi.password | quote }} + JIGASI_SIP_PORT: {{ .Values.sip.jigasi.port | quote }} + JIGASI_SIP_SERVER: {{ .Values.sip.jigasi.server | quote }} + JIGASI_SIP_TRANSPORT: {{ .Values.sip.jigasi.transport | quote }} + JIGASI_SIP_URI: {{ .Values.sip.jigasi.uri | quote }} + xmpp: + password: {{ .Values.secrets.jitsi.jigasiXmppPassword | quote }} + resources: + {{ .Values.resources.jigasi | toYaml | nindent 6 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: "RuntimeDefault" + seLinuxOptions: + {{ .Values.seLinuxOptions.jigasi | toYaml | nindent 8 }} jvb: replicaCount: {{ .Values.replicas.jvb }} # The `useNodeIP` option provided by the upstream charts does not support all relevant scenarios, but since diff --git a/helmfile/environments/default/images.yaml.gotmpl b/helmfile/environments/default/images.yaml.gotmpl index 419c9fd7..5e2bccd5 100644 --- a/helmfile/environments/default/images.yaml.gotmpl +++ b/helmfile/environments/default/images.yaml.gotmpl 
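Review bot: The SIP credential on the `JIGASI_SIP_PASSWORD: {{ .Values.sip.jigasi.password | quote }}` line is read from `sip.jigasi.password`, a key in the plain environment file added as `sip.yaml.gotmpl`, whereas the component's other credential in the same hunk (`xmpp.password`) comes from `secrets.jitsi`; rendered into `extraEnvs`, it will presumably land as a literal env value in the pod spec unless the upstream chart maps `extraEnvs` into a Secret, which is worth confirming. Consider keeping it next to `jigasiXmppPassword` in `secrets.yaml.gotmpl` (the secrets hunk below adds only the XMPP password) and referencing it from here, e.g. `JIGASI_SIP_PASSWORD: {{ .Values.secrets.jitsi.<sipPasswordKey> | quote }}` with a key name of your choosing. Note also that with the default `password: ~`, sprig's `quote` skips a nil argument, so this line may render as a bare `JIGASI_SIP_PASSWORD:` (YAML null) rather than `""`; a `| default ""` here or an empty-string default in sip.yaml would make the intent explicit. The enclosing `jitsi:` mapping starts above the hunk; the jigasi securityContext running as uid 0 matches what the docs table records for its jicofo/jvb siblings.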
@@ -162,7 +162,7 @@ images: # upstreamMirrorStartFrom: ["8922"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jibri" - tag: "stable-9823@sha256:dd7a330cb14d95b7661167d7b4e1a8f2e988952ba4ea24baa0a96e09bebd40b1" + tag: "stable-9955@sha256:a07b82f2758389b2071c794810145111641e78f1b768b1bbfa6d3d1dc76d3da9" jicofo: # providerCategory: "Supplier" # providerResponsible: "Nordeck" @@ -172,7 +172,17 @@ images: # upstreamMirrorStartFrom: ["8922"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jicofo" - tag: "stable-9823@sha256:551aa2adf078f8872474481a9bda7b7526fc5cae2853ce0be2aa1f6d91bf2ecc" + tag: "stable-9955@sha256:f1a1478d231bc4891b5eea06443d72187c378d5e38403bb545aab281446f8d50" + jigasi: + # providerCategory: "Supplier" + # providerResponsible: "Nordeck" + # upstreamRegistry: "https://registry-1.docker.io" + # upstreamRepository: "jitsi/jigasi" + # upstreamMirrorTagFilterRegEx: '^stable-(\d+)-?\d?$' + # upstreamMirrorStartFrom: ["9955"] + registry: "registry.opencode.de" + repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jigasi" + tag: "stable-9955@sha256:0e191ac39d3e7299d0bcc070fa1867cceb17fe8d92e9d5cd492aec4c268fa56f" jitsi: # providerCategory: "Supplier" # providerResponsible: "Nordeck" @@ -182,7 +192,7 @@ images: # upstreamMirrorStartFrom: ["8922"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/web" - tag: "stable-9823@sha256:d37d0d34715a0089437c5c030251010e068926f93395d46753e1767d0ee16247" + tag: "stable-9955@sha256:81fdcfa14287fe3358532c363875584d0cdd40ff4030695b713af6e60192d306" jitsiKeycloakAdapter: # providerCategory: "Supplier" # providerResponsible: "Nordeck" 
@@ -192,7 +202,7 @@ images: # upstreamMirrorStartFrom: ["2023", "12", "14"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jitsi-keycloak-adapter" - tag: "v20241023@sha256:2391799c5168222f0e3ebb94d7c3cb3bcea6f075399458197f0c1bbbb8f293fe" + tag: "v20250117@sha256:254025cb03a05a1eba5971a1f07f13a4148c4ac8538a7e7c79fbd4b86e2f2cd5" jitsiPatchJVB: # providerCategory: "Community" # providerResponsible: "openDesk" @@ -210,7 +220,7 @@ images: # upstreamMirrorStartFrom: ["8922"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jvb" - tag: "stable-9823@sha256:e6e43071ce26628c816bea46a259c7462c8d5edbbd2ed66f983b1e0f2d9a6cb2" + tag: "stable-9955@sha256:27753ac320910e04f5c4f4f628d20995ea969ea38523d90a9066adc52f9bc022" mariadb: # providerCategory: "Community" # providerResponsible: "openDesk" @@ -880,7 +890,7 @@ images: # upstreamMirrorStartFrom: ["8922"] registry: "registry.opencode.de" repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/prosody" - tag: "stable-9823@sha256:1c52b4ca8397545d54067c67a54c50473d83242c75f001fbf20ee628dfc80b7b" + tag: "stable-9955@sha256:fa66872338c7c3b6fdb1f1a67ad770f2b62948f4193b91a58f12c0aa5ca2e783" redis: # providerCategory: "Community" # providerResponsible: "openDesk" diff --git a/helmfile/environments/default/replicas.yaml.gotmpl b/helmfile/environments/default/replicas.yaml.gotmpl index 52cda218..af6622d4 100644 --- a/helmfile/environments/default/replicas.yaml.gotmpl +++ b/helmfile/environments/default/replicas.yaml.gotmpl @@ -140,6 +140,8 @@ replicas: # -- scalable: tbd jicofo: 1 # -- scalable: tbd + jigasi: 1 + # -- scalable: tbd jitsi: 1 # -- scalable: tbd jitsiKeycloakAdapter: 1 diff --git a/helmfile/environments/default/resources.yaml.gotmpl b/helmfile/environments/default/resources.yaml.gotmpl index 7ad853dd..84984cb3 100644 --- a/helmfile/environments/default/resources.yaml.gotmpl 
+++ b/helmfile/environments/default/resources.yaml.gotmpl @@ -91,7 +91,7 @@ resources: requests: cpu: 0.1 memory: "384Mi" - # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption. + # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption. jicofo: limits: cpu: 99 @@ -99,6 +99,14 @@ resources: requests: cpu: 0.1 memory: "256Mi" + # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption. + jigasi: + limits: + cpu: 99 + memory: "3584Mi" + requests: + cpu: 0.1 + memory: "256Mi" jitsi: limits: cpu: 99 @@ -113,7 +121,7 @@ resources: requests: cpu: 0.01 memory: "48Mi" - # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption. + # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption. jvb: limits: cpu: 99 diff --git a/helmfile/environments/default/secrets.yaml.gotmpl b/helmfile/environments/default/secrets.yaml.gotmpl index 5e631c74..7f4bdddd 100644 --- a/helmfile/environments/default/secrets.yaml.gotmpl +++ b/helmfile/environments/default/secrets.yaml.gotmpl 
@@ -109,6 +109,7 @@ secrets: jibriXmppPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriXmppPassword" | sha1sum | quote }} jicofoAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoAuthPassword" | sha1sum | quote }} jicofoComponentPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoComponentPassword" | sha1sum | quote }} + jigasiXmppPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jigasiXmppPassword" | sha1sum | quote }} jvbAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jvbAuthPassword" | sha1sum | quote }} whiteboard: apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "whiteboard" "apiKey" | sha1sum | quote }} diff --git a/helmfile/environments/default/selinux.yaml.gotmpl b/helmfile/environments/default/selinux.yaml.gotmpl index 2134c83d..229f78c0 100644 --- a/helmfile/environments/default/selinux.yaml.gotmpl +++ b/helmfile/environments/default/selinux.yaml.gotmpl @@ -22,6 +22,7 @@ seLinuxOptions: # The Jibri Helm chart does not support setting the securityContext externally. # jibri: ~ jicofo: ~ + jigasi: ~ jitsi: ~ jitsiKeycloakAdapter: ~ jitsiPatchJVB: ~ diff --git a/helmfile/environments/default/sip.yaml.gotmpl b/helmfile/environments/default/sip.yaml.gotmpl new file mode 100644 index 00000000..29f50423 --- /dev/null +++ b/helmfile/environments/default/sip.yaml.gotmpl 
@@ -0,0 +1,14 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+sip:
+ jigasi:
+ enabled: false
+ port: "5060"
+ # e.g. sip.mydomain.tld
+ server: ""
+ transport: "TCP"
+ # e.g. jigasi@sip.mydomain.tld
+ uri: ""
+ password: ~
+...
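Review bot: `password: ~` is the only null default in this file while `server` and `uri` use `""`, and `~` is the null spelling yamllint discourages; `password: ""` (or an explicit `null`) keeps the three consistent and avoids a bare-key render where the value is piped through `quote` in values-jitsi. The `transport: "TCP"` and `port: "5060"` keys carry no comment on which values jigasi accepts (I would expect UDP/TCP/TLS via `JIGASI_SIP_TRANSPORT`, but confirm against the image); a comment such as `# SIP transport; TLS with port "5061" is the encrypted option when the provider supports it — confirm accepted values` would help operators choose deliberately. The file also lacks a note that `password` is a credential expected to come from the secrets environment or an external secret rather than being committed here.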