add livekit-server manifests

ppawiggers · ppawiggers · commit 9b41e4cb7e1b · 2025-01-28T11:59:22.000+01:00
diff --git a/kustomization.yaml b/kustomization.yaml
@@ -7,16 +7,20 @@ namePrefix: meet-
 buildMetadata: [originAnnotations]
 
 resources:
+  - manifests/certificate-livekit-turn.yaml
   - manifests/configmap-redis.yaml
+  - manifests/configmap-livekit-server.yaml
   - manifests/deployment-backend.yaml
   - manifests/deployment-celery.yaml
+  - manifests/deployment-livekit.yaml
   - manifests/deployment-frontend.yaml
   - manifests/deployment-mailcatcher.yaml
   - manifests/deployment-minio.yaml
   - manifests/deployment-redis.yaml
   - manifests/deployment-summary.yaml
   - manifests/ingress-admin.yaml
   - manifests/ingress-backend.yaml
+  - manifests/ingress-livekit.yaml
   - manifests/postgresql-cluster.yaml
   - manifests/pvc-minio.yaml
   - manifests/secret-backend.yaml
@@ -25,6 +29,8 @@ resources:
   - manifests/secret-postgres.yaml
   - manifests/secret-summary.yaml
   - manifests/service-backend.yaml
+  - manifests/service-livekit.yaml
+  - manifests/service-livekit-turn.yaml
   - manifests/service-mailcatcher.yaml
   - manifests/service-frontend.yaml
   - manifests/service-minio.yaml
diff --git a/manifests/certificate-livekit-turn.yaml b/manifests/certificate-livekit-turn.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: livekit-turn-cert
+spec:
+  dnsNames:
+  - turn.meet.la-suite.apps.digilab.network
+  issuerRef:
+    kind: ClusterIssuer
+    name: letsencrypt-prod
+  secretName: livekit-turn-cert
+  usages:
+  - digital signature
+  - key encipherment
diff --git a/manifests/configmap-livekit-server.yaml b/manifests/configmap-livekit-server.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+    name: livekit-livekit-server
+data:
+    config.yaml: ENC[AES256_GCM,data:LL3ruEVj5zkCNjA3jwtsIdcMqtEeF0Kv7PzVOWFvCax0oBEC6kPLOwkIjK/SRXg5lHCkb5aeE2ZZ014o1HdlXw0H7iluNRikDkmltj5NXz/bX9s7MSCEIr1LgHncGj736zxQtWLGelXtm56nphzVepK4pUTuDC/kuetaemhXqPh/CIiSYqoic9vK0eDj8LQ0Uo2k+HACfZ0UiaoFCAfGnLxrsOqf9Jog+0dVXGtRpX7hl98eoVCasPfb2ndqxxQiTYq/c8uJlQqnVYj49jkHMA8RTZg/gta7ECBc70DB5mXAdetrZWThrg326zVA4adK4tW4+Xske9Ff6/H5Fn+qG0UAORCqhsMLdUUniHmdCnuxVjtp+BGmDhwyJlepQ855j4r6u+m9pvPuhGw04s0RpG/jZkTuySk4tpcFHb8hsOQ+xxX9o36fJFFXLBcUzWcD0ix3Qvci7Tcnz1U6VlmuplTO7nXWFgfWayHNQWCU8bPsR9oYJ7fUHYYGfZ2WT2XXNtTYVon+BMm5jz5LIXI/sKVcIg8TLJJd8W2WTMFOtEUrr778KvQT,iv:/owoP2k1xHxaV4C3ogBg5yB6kz7sTXaWG25mW8l6rS8=,tag:JXa9X8lxBItnMGHtQiv26g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18ut09wsuwf4pusrhywlu9nu3nzvz040m26h4yghhhtvqm88an3zssvsz9m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSb2loQVVxalN3TDZ0eVpx
+            TlREWGszTmpIYjhlSzVxelBBWk5PaE5GRlM4Cm9QK0doZC9FUklEMk9zTkhac0lH
+            TEdVSjBlQ1V3NDV0alZhZUVhNm9vR1EKLS0tIDJnTWxtWGpnY25ZK0VjWlNERWZl
+            MWJhbHJ1cFkrZEJUL3BsYVNDZi9qeEkKSq9n6dwKxxhnKOcz92FgwKEZwKOmQVbC
+            PzcmfHv7ZFxH5PBDZQoo3MxTZ3IMoLq81Cs30FxuZiZOPfn58/nq2g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-28T10:57:35Z"
+    mac: ENC[AES256_GCM,data:sznBGa777b0cmWOFayI8RsJWm425PCy9MxOEQLVnAE098siIl5qxBcndSU9CgtLZaKm8MTHxJMKik+aX8PggbXHoI2RTIoMA7wXDoDdcUxPTSNtme7Bt1cPKayFrjgGFigr3NljgqJK5Q03DA14PORFIzo0xvtNWKtQ2ZVgwh1A=,iv:wrWy+v7tWfsayPqR3slLMB57LLlpVnaDGj4OJCFQ3nk=,tag:5SUj90drP05khBRhiFsHRw==,type:str]
+    pgp: []
+    encrypted_regex: ^data|stringData$
+    version: 3.8.1
diff --git a/manifests/deployment-livekit.yaml b/manifests/deployment-livekit.yaml
@@ -0,0 +1,74 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: livekit-livekit-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: meet-livekit-server
+  template:
+    metadata:
+      labels:
+        app: meet-livekit-server
+    spec:
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      containers:
+        - name: livekit-server
+          image: "livekit/livekit-server:v1.8.3"
+          args: ["--disable-strict-config"]
+          env:
+            - name: LIVEKIT_CONFIG
+              valueFrom:
+                configMapKeyRef:
+                  name: livekit-livekit-server
+                  key: config.yaml
+            - name: LIVEKIT_TURN_CERT
+              value: /etc/lkcert/tls.crt
+            - name: LIVEKIT_TURN_KEY
+              value: /etc/lkcert/tls.key
+          ports:
+            - name: http
+              containerPort: 7880
+              protocol: TCP
+            - name: rtc-tcp
+              containerPort: 7881
+              hostPort: 7881
+              protocol: TCP
+            - name: turn-tls
+              containerPort: 3478
+              hostPort: 3478
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          volumeMounts:
+            - name: lkturncert
+              mountPath: /etc/lkcert
+              readOnly: true
+        - name: redis
+          image: redis:7.2-alpine
+          ports:
+          - containerPort: 6379
+          livenessProbe:
+            tcpSocket:
+              port: 6379
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          readinessProbe:
+            exec:
+              command:
+              - redis-cli
+              - ping
+            initialDelaySeconds: 5
+            periodSeconds: 5
+      volumes:
+        - name: lkturncert
+          secret:
+            secretName: livekit-turn-cert
diff --git a/manifests/ingress-livekit.yaml b/manifests/ingress-livekit.yaml
@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: livekit-livekit-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_set_header Upgrade "websocket";
+      proxy_set_header Connection "Upgrade";
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: livekit.meet.la-suite.apps.digilab.network
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: livekit-livekit-server
+                port:
+                  name: http
+  tls:
+    - hosts:
+        - livekit.meet.la-suite.apps.digilab.network
+      secretName: livekit-cert
diff --git a/manifests/service-livekit-turn.yaml b/manifests/service-livekit-turn.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: livekit-livekit-server-turn
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 443
+      targetPort: 3478
+      protocol: TCP
+  selector:
+    app: meet-livekit-server
diff --git a/manifests/service-livekit.yaml b/manifests/service-livekit.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: livekit-livekit-server
+spec:
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+    - name: rtc-tcp
+      port: 7881
+      protocol: TCP
+      targetPort: rtc-tcp
+  selector:
+    app: meet-livekit-server
