diff --git a/.gitignore b/.gitignore
index 79b5594..ff6a97d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 **/.DS_Store
+charts/coturn/charts
+charts/coturn/Chart.lock
diff --git a/charts/coturn/Chart.lock b/charts/coturn/Chart.lock
deleted file mode 100644
index 42d37b2..0000000
--- a/charts/coturn/Chart.lock
+++ /dev/null
@@ -1,9 +0,0 @@
-dependencies:
-- name: postgresql
- repository: oci://registry-1.docker.io/bitnamicharts
- version: 16.7.10
-- name: mysql
- repository: oci://registry-1.docker.io/bitnamicharts
- version: 13.0.1
-digest: sha256:5618e69cf8e72335354b5b2fb322c7c5f7d428f5f66c79e9c1ff471cf741f55b
-generated: "2025-06-07T23:51:28.710565+02:00"
diff --git a/charts/coturn/charts/mysql-13.0.1.tgz b/charts/coturn/charts/mysql-13.0.1.tgz
deleted file mode 100644
index 9c14e51..0000000
Binary files a/charts/coturn/charts/mysql-13.0.1.tgz and /dev/null differ
diff --git a/charts/coturn/charts/postgresql-16.7.10.tgz b/charts/coturn/charts/postgresql-16.7.10.tgz
deleted file mode 100644
index c345cee..0000000
Binary files a/charts/coturn/charts/postgresql-16.7.10.tgz and /dev/null differ
diff --git a/charts/coturn/templates/daemonset.yaml b/charts/coturn/templates/daemonset.yaml
new file mode 100644
index 0000000..977efcf
--- /dev/null
+++ b/charts/coturn/templates/daemonset.yaml
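Review bot: Adding `charts/coturn/Chart.lock` to .gitignore (together with the deletion of the committed lock below) takes the resolved dependency versions out of version control, so a fresh `helm dependency update` resolves the bitnami postgresql/mysql charts from whatever Chart.yaml allows rather than the reviewed 16.7.10 / 13.0.1. If Chart.yaml uses version ranges that makes chart builds non-reproducible and lets a newer upstream chart land without review; if it pins exact versions the impact is limited to losing the generated record. Ignoring the fetched `charts/` archives is reasonable, but I would keep the lock tracked (drop the `charts/coturn/Chart.lock` line) and regenerate it deliberately when dependencies are bumped.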
@@ -0,0 +1,298 @@
+{{- if eq ((.Values.deployment).type | default "Deployment") "DaemonSet" }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: {{ .Release.Name }}-coturn
+ labels:
+{{ include "labels" . | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ .Release.Name }}-coturn
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}-coturn
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ spec:
+ hostNetwork: {{ (.Values.deployment).hostNetwork | default false }}
+ dnsPolicy: {{ (.Values.deployment).dnsPolicy | default "ClusterFirst" }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.podSecurityContext.enabled }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ runAsNonRoot: {{ .runAsNonRoot }}
+ runAsUser: {{ .runAsUser }}
+ runAsGroup: {{ .runAsGroup }}
+ fsGroup: {{ .fsGroup }}
+ seccompProfile: {{- .seccompProfile | toYaml | nindent 10 }}
+ {{- end }}
+ {{- end }}
+ initContainers:
+ {{- if or .Values.postgresql.enabled (and .Values.externalDatabase.enabled (eq .Values.externalDatabase.type "postgresql")) }}
+ - name: postgresql-isready
+ image: {{ include "db.isReady.image.repository" . }}:{{ include "db.isReady.image.tag" . }}
+ env:
+ - name: POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "database.secretName" . }}
+ {{- if and .Values.externalDatabase.enabled .Values.externalDatabase.secretKeys.username }}
+ key: {{ .Values.externalDatabase.secretKeys.username }}
+ {{ else }}
+ key: {{ .Values.postgresql.global.postgresql.auth.secretKeys.username }}
+ {{- end }}
+ - name: DATABASE_HOSTNAME
+ {{- if and .Values.externalDatabase.enabled .Values.externalDatabase.secretKeys.hostname }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "database.secretName" . }}
+ key: {{ .Values.externalDatabase.secretKeys.hostname }}
+ {{ else }}
+ value: {{ template "postgresql.v1.primary.fullname" .Subcharts.postgresql }}
+ {{- end }}
+ command:
+ - "sh"
+ - "-c"
+ - "until pg_isready -h $DATABASE_HOSTNAME -U $POSTGRES_USER ; do sleep 2 ; done"
+ {{- if .Values.containerSecurityContext.enabled }}
+ {{- with .Values.containerSecurityContext }}
+ securityContext:
+ capabilities:
+ drop: {{- .capabilities.drop | toYaml | nindent 16 }}
+ readOnlyRootFilesystem: {{ .readOnlyRootFilesystem }}
+ allowPrivilegeEscalation: {{ .allowPrivilegeEscalation }}
+ {{- end }}
+ {{- end }}
+ {{- else if or .Values.mysql.enabled (and .Values.externalDatabase.enabled (eq .Values.externalDatabase.type "mysql")) }}
+ - name: mysql-isready
+ image: {{ include "db.isReady.image.repository" . }}:{{ include "db.isReady.image.tag" . }}
+ env:
+ - name: MYSQL_USER
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "database.secretName" . }}
+ {{- if and .Values.externalDatabase.enabled .Values.externalDatabase.secretKeys.username }}
+ key: {{ .Values.externalDatabase.secretKeys.username }}
+ {{ else }}
+ key: {{ .Values.mysql.auth.secretKeys.username }}
+ {{ end }}
+ - name: MYSQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "database.secretName" . }}
+ {{- if and .Values.externalDatabase.enabled .Values.externalDatabase.secretKeys.password }}
+ key: {{ .Values.externalDatabase.secretKeys.password }}
+ {{ else }}
+ key: {{ .Values.mysql.auth.secretKeys.password }}
+ {{ end }}
+ - name: DATABASE_HOSTNAME
+ {{- if and .Values.externalDatabase.enabled .Values.externalDatabase.secretKeys.hostname }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "database.secretName" . }}
+ key: {{ .Values.externalDatabase.secretKeys.hostname }}
+ {{ else }}
+ value: {{ template "mysql.primary.fullname" .Subcharts.mysql }}
+ {{- end }}
+ command:
+ - "sh"
+ - "-c"
+ - "until mysql -h $DATABASE_HOSTNAME -u $MYSQL_USER -p$MYSQL_PASSWORD -e 'SELECT VERSION();' ; do sleep 2 ; done"
+ {{- if .Values.containerSecurityContext.enabled }}
+ {{- with .Values.containerSecurityContext }}
+ securityContext:
+ capabilities:
+ drop: {{- .capabilities.drop | toYaml | nindent 16 }}
+ readOnlyRootFilesystem: {{ .readOnlyRootFilesystem }}
+ allowPrivilegeEscalation: {{ .allowPrivilegeEscalation }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ - name: add-secret-values-to-config
+ image: {{ .Values.coturn.initContainer.image.repository }}:{{ .Values.coturn.initContainer.image.tag }}
+ imagePullPolicy: Always
+ env:
+ - name: USER
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "coturn.auth.secretName" . }}
+ {{- if and .Values.coturn.auth.existingSecret .Values.coturn.auth.secretKeys.username }}
+ key: {{ .Values.coturn.auth.secretKeys.username }}
+ {{ else }}
+ key: username
+ {{- end }}
+ - name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "coturn.auth.secretName" . }}
+ key: {{ .Values.coturn.auth.secretKeys.password }}
+ {{- if or .Values.coturn.auth.staticAuthSecret .Values.coturn.auth.secretKeys.staticAuthSecret }}
+ - name: STATIC_AUTH_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "coturn.auth.secretName" . }}
+ key: {{ .Values.coturn.auth.secretKeys.staticAuthSecret | default "staticAuthSecret" }}
+ {{- end }}
+ {{- if or .Values.externalDatabase.enabled .Values.postgresql.enabled .Values.mysql.enabled }}
+ - name: DATABASE_HOSTNAME
+ {{- if and .Values.externalDatabase.enabled .Values.externalDatabase.secretKeys.hostname }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "database.secretName" . }}
+ key: {{ .Values.externalDatabase.secretKeys.hostname }}
+ {{ else if .Values.postgresql.enabled }}
+ value: {{ template "postgresql.v1.primary.fullname" .Subcharts.postgresql }}
+ {{ else if .Values.mysql.enabled }}
+ value: {{ template "mysql.primary.fullname" .Subcharts.mysql }}
+ {{- end }}
+ - name: DATABASE_USER
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "database.secretName" . }}
+ {{- if and .Values.externalDatabase.enabled .Values.externalDatabase.secretKeys.username }}
+ key: {{ .Values.externalDatabase.secretKeys.username }}
+ {{ else if .Values.postgresql.enabled }}
+ key: {{ .Values.postgresql.global.postgresql.auth.secretKeys.username }}
+ {{ else if .Values.mysql.enabled }}
+ key: username
+ {{- end }}
+ - name: DATABASE_PASS
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "database.secretName" . }}
+ {{- if and .Values.externalDatabase.enabled .Values.externalDatabase.secretKeys.password }}
+ key: {{ .Values.externalDatabase.secretKeys.password }}
+ {{ else if .Values.postgresql.enabled }}
+ key: {{ .Values.postgresql.global.postgresql.auth.secretKeys.userPasswordKey }}
+ {{ else if .Values.mysql.enabled }}
+ key: password
+ {{- end }}
+ - name: DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "database.secretName" . }}
+ {{- if and .Values.externalDatabase.enabled .Values.externalDatabase.secretKeys.database }}
+ key: {{ .Values.externalDatabase.secretKeys.database }}
+ {{ else if .Values.postgresql.enabled }}
+ key: {{ .Values.postgresql.global.postgresql.auth.secretKeys.database }}
+ {{ else if .Values.mysql.enabled }}
+ key: database
+ {{- end }}
+ {{- end }}
+ command:
+ - /bin/sh
+ - -ec
+ - |
+ cp /initial/turnserver.conf /data/turnserver.yaml && \
+ export USER_STR="$USER:$PASSWORD" && \
+ yq eval -i '.user = env(USER_STR)' /data/turnserver.yaml && \
+ {{- if or (and .Values.externalDatabase.enabled (eq .Values.externalDatabase.type "postgresql")) .Values.postgresql.enabled }}
+ export CONNECTION_STRING="host=$DATABASE_HOSTNAME dbname=$DATABASE user=$DATABASE_USER password=$DATABASE_PASS connect_timeout=30" && \
+ yq eval -i '.psql-userdb = env(CONNECTION_STRING)' /data/turnserver.yaml && \
+ {{- else if or (and .Values.externalDatabase.enabled (eq .Values.externalDatabase.type "mysql")) .Values.mysql.enabled }}
+ export CONNECTION_STRING="host=$DATABASE_HOSTNAME dbname=$DATABASE user=$DATABASE_USER password=$DATABASE_PASS port=3306 connect_timeout=10 read_timeout=10" && \
+ yq eval -i '.mysql-userdb = env(CONNECTION_STRING)' /data/turnserver.yaml && \
+ {{- end }}
+ {{- if or .Values.coturn.auth.staticAuthSecret .Values.coturn.auth.secretKeys.staticAuthSecret }}
+ yq eval -i '.static-auth-secret = env(STATIC_AUTH_SECRET)' /data/turnserver.yaml && \
+ sed -i '1i use-auth-secret' /data/turnserver.yaml && \
+ {{- end }}
+ sed -i 's/: /=/' /data/turnserver.yaml && \
+ cat /extra/turnserver.conf >> /data/turnserver.yaml && \
+ echo '' >> /data/turnserver.yaml && \
+ echo 'lt-cred-mech' >> /data/turnserver.yaml && \
+ mv /data/turnserver.yaml /data/turnserver.conf
+ volumeMounts:
+ - name: {{ .Release.Name }}-initial-config
+ mountPath: "/initial"
+ - name: {{ .Release.Name }}-extra-config
+ mountPath: /extra
+ - name: {{ .Release.Name }}-config
+ mountPath: /data
+ {{- if .Values.containerSecurityContext.enabled }}
+ {{- with .Values.containerSecurityContext }}
+ securityContext:
+ capabilities:
+ drop: {{- .capabilities.drop | toYaml | nindent 16 }}
+ readOnlyRootFilesystem: {{ .readOnlyRootFilesystem }}
+ allowPrivilegeEscalation: {{ .allowPrivilegeEscalation }}
+ {{- end }}
+ {{- end }}
+ containers:
+ - name: "coturn"
+ image: {{ include "coturn.image" . }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- with .Values.coturn.extraEnvVars }}
+ env:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ args: ["-c", "/turnserver.conf"]
+ ports:
+ - name: turn-udp
+ containerPort: {{ .Values.coturn.ports.listening }}
+ protocol: UDP
+ - name: turn-tcp
+ containerPort: {{ .Values.coturn.ports.listening }}
+ protocol: TCP
+ - name: turn-tcp-tls
+ containerPort: {{ .Values.coturn.ports.tlsListening }}
+ protocol: TCP
+ - name: turn-udp-dtls
+ containerPort: {{ .Values.coturn.ports.tlsListening }}
+ protocol: UDP
+ volumeMounts:
+ - name: {{ .Release.Name }}-config
+ mountPath: "/turnserver.conf"
+ subPath: turnserver.conf
+ readOnly: true
+ {{- if .Values.certificate.enabled }}
+ - name: tls
+ mountPath: /tls
+ readOnly: true
+ {{- end }}
+ - name: var-tmp
+ mountPath: /var/tmp
+ {{- if and (not .Values.externalDatabase.enabled) (not .Values.postgresql.enabled) (not .Values.mysql.enabled) }}
+ - name: sqllite
+ mountPath: /var/db
+ {{- end }}
+ {{- with .Values.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- if .Values.containerSecurityContext.enabled }}
+ {{- with .Values.containerSecurityContext }}
+ securityContext:
+ capabilities:
+ add: {{- .capabilities.add | toYaml | nindent 16 }}
+ drop: {{- .capabilities.drop | toYaml | nindent 16 }}
+ readOnlyRootFilesystem: {{ .readOnlyRootFilesystem }}
+ allowPrivilegeEscalation: {{ .allowPrivilegeEscalation }}
+ {{- end }}
+ {{- end }}
+ volumes:
+ {{- if .Values.certificate.enabled }}
+ - name: tls
+ secret:
+ secretName: {{ .Values.certificate.secret }}
+ {{- end }}
+ - name: {{ .Release.Name }}-initial-config
+ configMap:
+ name: {{ .Release.Name }}-initial-config
+ - name: {{ .Release.Name }}-extra-config
+ configMap:
+ name: {{ .Release.Name }}-extra-config
+ - name: {{ .Release.Name }}-config
+ emptyDir: {}
+ - name: var-tmp
+ emptyDir: {}
+ {{- if and (not .Values.externalDatabase.enabled) (not .Values.postgresql.enabled) (not .Values.mysql.enabled) }}
+ - name: sqllite
+ emptyDir: {}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/coturn/templates/deployment.yaml b/charts/coturn/templates/deployment.yaml
index f7045ea..07d1328 100644
--- a/charts/coturn/templates/deployment.yaml
+++ b/charts/coturn/templates/deployment.yaml
@@ -1,3 +1,4 @@
+{{- if (eq ((.Values.deployment).type | default "Deployment") "Deployment") }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -16,6 +17,8 @@ spec:
 app.kubernetes.io/name: {{ .Release.Name }}-coturn
 app.kubernetes.io/instance: {{ .Release.Name }}
 spec:
+ hostNetwork: {{ and .Values.deployment .Values.deployment.hostNetwork }}
+ dnsPolicy: {{ (.Values.deployment).dnsPolicy | default "ClusterFirst" }}
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
@@ -293,3 +296,4 @@ spec:
 - name: sqllite
 emptyDir: {}
 {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/coturn/values.yaml b/charts/coturn/values.yaml
index 36ab7a0..95ddebd 100644
--- a/charts/coturn/values.yaml
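Review bot: `dnsPolicy` at +20 falls back to `ClusterFirst` whenever the user only sets `deployment.hostNetwork: true`, and a host-network pod with that policy resolves names as if the policy were `Default`, so the in-cluster `DATABASE_HOSTNAME` values rendered further down (`postgresql.v1.primary.fullname` / `mysql.primary.fullname`) would stop resolving and the `*-isready` init containers would loop indefinitely. The template can derive the right policy instead of relying on the values.yaml comment: `dnsPolicy: {{ (.Values.deployment).dnsPolicy | default (ternary "ClusterFirstWithHostNet" "ClusterFirst" ((.Values.deployment).hostNetwork | default false)) }}`, shipped with an empty `dnsPolicy` default; the same pair of lines at +20/+21 of the deployment.yaml hunk should use the identical expression. This file also appears to be a near-verbatim copy of deployment.yaml's pod template, so the init-container script, env wiring and security contexts now have to be fixed in two places; moving `spec.template` into a named template in `_helpers.tpl` and `include`-ing it from both kinds would prevent that drift. Finally, because `hostNetwork: true` places the four `turn-*` listeners directly on the node's interfaces and is rejected by the `baseline` Pod Security Standard, the `hostNetwork` value deserves a `# --` doc line saying so.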
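Review bot: The new guard at +1 renders nothing when `deployment.type` holds any value other than the two recognised strings, and daemonset.yaml carries the mirror-image condition, so a typo such as `type: Daemonset` yields a release with no workload and no error. I would validate the value once at the top of this file: `{{- $type := (.Values.deployment).type | default "Deployment" }}` followed by `{{- if not (has $type (list "Deployment" "DaemonSet")) }}{{ fail (printf "deployment.type must be Deployment or DaemonSet, got %q" $type) }}{{- end }}`, and then test `eq $type "Deployment"` here. The `if` opened on this line is closed by the `+{{- end }}` in the last hunk of this file.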
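Review bot: `hostNetwork: {{ and .Values.deployment .Values.deployment.hostNetwork }}` at +20 computes the field differently from the DaemonSet template, which uses `(.Values.deployment).hostNetwork | default false`; when `deployment` is absent or set to null (for example a values file predating this change), `and` returns that nil value and the line likely renders without a boolean rather than as `false`. Using the same expression in both files, `hostNetwork: {{ (.Values.deployment).hostNetwork | default false }}`, keeps the two templates in step and always emits a boolean.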
+++ b/charts/coturn/values.yaml @@ -3,6 +3,11 @@ replicas: 1 # -- different name for the helm release nameOverride: "" +deployment: + type: Deployment + hostNetwork: false + # When hostNetwork is set to true, the dnsPolicy must be set to ClusterFirstWithHostNet so Cluster internal services are still resolvable + dnsPolicy: "ClusterFirst" service: # -- The type of service to deploy for routing Coturn traffic.