fix(jitsi): Support for phone dial-in into Jitsi conferences

docs/security-context.md

@@ -164,6 +164,7 @@ This list gives you an overview of templated security settings and if they compl
 | **jitsi**/jitsi | :white_check_mark: | no | no | yes | yes | 1993 | 1993 | yes | yes |
 | **jitsi**/jitsi/jitsi/jibri | :x: | n/a | n/a | n/a | n/a | n/a | n/a | n/a | no ["SYS_ADMIN"] |
 | **jitsi**/jitsi/jitsi/jicofo | :x: | no | no | no | no | 0 | 0 | yes | no |
+| **jitsi**/jitsi/jitsi/jigasi | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/jitsi/jvb | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/jitsi/prosody | :x: | no | no | no | no | 0 | 0 | yes | no |
 | **jitsi**/jitsi/jitsi/web | :x: | no | no | no | no | 0 | 0 | yes | no |

helmfile/apps/jitsi/values-jitsi.yaml.gotmpl

@@ -85,7 +85,7 @@ jitsi:
         - secretName: {{ .Values.ingress.tls.secretName | quote }}
           hosts:
             - "{{ .Values.global.hosts.jitsi }}.{{ .Values.global.domain }}"
-    extraConfigJs:
+    extraConfig:
       doNotStoreRoom: {{ not .Values.functional.dataProtection.jitsiRoomHistory.enabled }}
     extraEnvs:
       TURN_ENABLE: "1"
@@ -175,6 +175,35 @@ jitsi:
         type: "RuntimeDefault"
       seLinuxOptions:
         {{ .Values.seLinuxOptions.jicofo | toYaml | nindent 8 }}
+  jigasi:
+    replicaCount: {{ .Values.replicas.jigasi }}
+    enabled: {{ .Values.sip.jigasi.enabled }}
+    image:
+      repository: "{{ coalesce .Values.repositories.image.registryOpencodeDe .Values.global.imageRegistry .Values.images.jigasi.registry }}/{{ .Values.images.jigasi.repository }}"
+      tag: {{ .Values.images.jigasi.tag | quote }}
+      pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
+    extraEnvs:
+      JIGASI_SIP_PASSWORD: {{ .Values.sip.jigasi.password | quote }}
+      JIGASI_SIP_PORT: {{ .Values.sip.jigasi.port | quote }}
+      JIGASI_SIP_SERVER: {{ .Values.sip.jigasi.server | quote }}
+      JIGASI_SIP_TRANSPORT: {{ .Values.sip.jigasi.transport | quote }}
+      JIGASI_SIP_URI: {{ .Values.sip.jigasi.uri | quote }}
+    xmpp:
+      password: {{ .Values.secrets.jitsi.jigasiXmppPassword | quote }}
+    resources:
+      {{ .Values.resources.jigasi | toYaml | nindent 6 }}
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities: {}
+      privileged: false
+      readOnlyRootFilesystem: false
+      runAsGroup: 0
+      runAsNonRoot: false
+      runAsUser: 0
+      seccompProfile:
+        type: "RuntimeDefault"
+      seLinuxOptions:
+        {{ .Values.seLinuxOptions.jigasi | toYaml | nindent 8 }}
   jvb:
     replicaCount: {{ .Values.replicas.jvb }}
     # The `useNodeIP` option provided by the upstream charts does not support all relevant scenarios, but since

helmfile/environments/default/images.yaml.gotmpl

@@ -162,7 +162,7 @@ images:
     # upstreamMirrorStartFrom: ["8922"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jibri"
-    tag: "stable-9823@sha256:dd7a330cb14d95b7661167d7b4e1a8f2e988952ba4ea24baa0a96e09bebd40b1"
+    tag: "stable-9955@sha256:a07b82f2758389b2071c794810145111641e78f1b768b1bbfa6d3d1dc76d3da9"
   jicofo:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -172,7 +172,17 @@ images:
     # upstreamMirrorStartFrom: ["8922"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jicofo"
-    tag: "stable-9823@sha256:551aa2adf078f8872474481a9bda7b7526fc5cae2853ce0be2aa1f6d91bf2ecc"
+    tag: "stable-9955@sha256:f1a1478d231bc4891b5eea06443d72187c378d5e38403bb545aab281446f8d50"
+  jigasi:
+    # providerCategory: "Supplier"
+    # providerResponsible: "Nordeck"
+    # upstreamRegistry: "https://registry-1.docker.io"
+    # upstreamRepository: "jitsi/jigasi"
+    # upstreamMirrorTagFilterRegEx: '^stable-(\d+)-?\d?$'
+    # upstreamMirrorStartFrom: ["9955"]
+    registry: "registry.opencode.de"
+    repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jigasi"
+    tag: "stable-9955@sha256:0e191ac39d3e7299d0bcc070fa1867cceb17fe8d92e9d5cd492aec4c268fa56f"
   jitsi:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -182,7 +192,7 @@ images:
     # upstreamMirrorStartFrom: ["8922"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/web"
-    tag: "stable-9823@sha256:d37d0d34715a0089437c5c030251010e068926f93395d46753e1767d0ee16247"
+    tag: "stable-9955@sha256:81fdcfa14287fe3358532c363875584d0cdd40ff4030695b713af6e60192d306"
   jitsiKeycloakAdapter:
     # providerCategory: "Supplier"
     # providerResponsible: "Nordeck"
@@ -192,7 +202,7 @@ images:
     # upstreamMirrorStartFrom: ["2023", "12", "14"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jitsi-keycloak-adapter"
-    tag: "v20241023@sha256:2391799c5168222f0e3ebb94d7c3cb3bcea6f075399458197f0c1bbbb8f293fe"
+    tag: "v20250117@sha256:254025cb03a05a1eba5971a1f07f13a4148c4ac8538a7e7c79fbd4b86e2f2cd5"
   jitsiPatchJVB:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -210,7 +220,7 @@ images:
     # upstreamMirrorStartFrom: ["8922"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/jvb"
-    tag: "stable-9823@sha256:e6e43071ce26628c816bea46a259c7462c8d5edbbd2ed66f983b1e0f2d9a6cb2"
+    tag: "stable-9955@sha256:27753ac320910e04f5c4f4f628d20995ea969ea38523d90a9066adc52f9bc022"
   mariadb:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"
@@ -880,7 +890,7 @@ images:
     # upstreamMirrorStartFrom: ["8922"]
     registry: "registry.opencode.de"
     repository: "bmi/opendesk/components/supplier/nordeck/images-mirror/prosody"
-    tag: "stable-9823@sha256:1c52b4ca8397545d54067c67a54c50473d83242c75f001fbf20ee628dfc80b7b"
+    tag: "stable-9955@sha256:fa66872338c7c3b6fdb1f1a67ad770f2b62948f4193b91a58f12c0aa5ca2e783"
   redis:
     # providerCategory: "Community"
     # providerResponsible: "openDesk"

helmfile/environments/default/replicas.yaml.gotmpl

@@ -140,6 +140,8 @@ replicas:
   # -- scalable: tbd
   jicofo: 1
   # -- scalable: tbd
+  jigasi: 1
+  # -- scalable: tbd
   jitsi: 1
   # -- scalable: tbd
   jitsiKeycloakAdapter: 1

helmfile/environments/default/resources.yaml.gotmpl

@@ -91,7 +91,7 @@ resources:
     requests:
       cpu: 0.1
       memory: "384Mi"
-  # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
   jicofo:
     limits:
       cpu: 99
@@ -99,6 +99,14 @@ resources:
     requests:
       cpu: 0.1
       memory: "256Mi"
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  jigasi:
+    limits:
+      cpu: 99
+      memory: "3584Mi"
+    requests:
+      cpu: 0.1
+      memory: "256Mi"
   jitsi:
     limits:
       cpu: 99
@@ -113,7 +121,7 @@ resources:
     requests:
       cpu: 0.01
       memory: "48Mi"
-  # The jifico and jvb containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
+  # The jicofo, jvb and jigasi containers require 3GB memory for the Java process, so we limit it to 3.5Gi overall consumption.
   jvb:
     limits:
       cpu: 99

helmfile/environments/default/secrets.yaml.gotmpl

@@ -109,6 +109,7 @@ secrets:
     jibriXmppPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jibriXmppPassword" | sha1sum | quote }}
     jicofoAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoAuthPassword" | sha1sum | quote }}
     jicofoComponentPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jicofoComponentPassword" | sha1sum | quote }}
+    jigasiXmppPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jigasiXmppPassword" | sha1sum | quote }}
     jvbAuthPassword: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "jistiStandalone" "jvbAuthPassword" | sha1sum | quote }}
   whiteboard:
     apiKey: {{ derivePassword 1 "long" (env "MASTER_PASSWORD" | default "sovereign-workplace") "whiteboard" "apiKey" | sha1sum | quote }}

helmfile/environments/default/selinux.yaml.gotmpl

@@ -22,6 +22,7 @@ seLinuxOptions:
   # The Jibri Helm chart does not support setting the securityContext externally.
   # jibri: ~
   jicofo: ~
+  jigasi: ~
   jitsi: ~
   jitsiKeycloakAdapter: ~
   jitsiPatchJVB: ~

helmfile/environments/default/sip.yaml.gotmpl

@@ -0,0 +1,14 @@
+# SPDX-FileCopyrightText: 2025 Zentrum für Digitale Souveränität der Öffentlichen Verwaltung (ZenDiS) GmbH
+# SPDX-License-Identifier: Apache-2.0
+---
+sip:
+  jigasi:
+    enabled: false
+    port: "5060"
+    # e.g. sip.mydomain.tld
+    server: ""
+    transport: "TCP"
+    # e.g. jigasi@sip.mydomain.tld
+    uri: ""
+    password: ~
+...