From 94e3cea15329cffafe3662dbda7b0a9527f62368 Mon Sep 17 00:00:00 2001
From: Dennis Paradzinski <dennis.paradzinski@it.financeflow.de>
Date: Wed, 13 May 2026 14:53:28 +0200
Subject: [PATCH] =?UTF-8?q?fix(turn):=20emit=20TURN=5FCREDENTIALS=20too=20?=
 =?UTF-8?q?(Prosody=20key=20name)=20=E2=80=94=20was=20missing=20the=20secr?=
 =?UTF-8?q?et=20value=20in=20external=5Fservices=20config?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 infra/k3s/20-secrets.yaml.example | 6 +++++-
 scripts/generate-secrets.sh       | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/infra/k3s/20-secrets.yaml.example b/infra/k3s/20-secrets.yaml.example
index 47b26f1..c78a419 100644
--- a/infra/k3s/20-secrets.yaml.example
+++ b/infra/k3s/20-secrets.yaml.example
@@ -27,5 +27,9 @@ stringData:
   JWT_APP_SECRET: "REPLACE_WITH_VALUE_FROM_EMBERTIME"
   # HMAC secret shared between coturn and Prosody. Prosody mints
   # time-limited TURN credentials; coturn validates with the same key.
-  # Generate fresh via generate-secrets.sh.
+  # Set under BOTH key names — same value:
+  #   - TURN_CREDENTIALS (Prosody mod_external_services convention)
+  #   - TURN_CREDENTIALS_SECRET (coturn / our manifest convention)
+  # generate-secrets.sh writes both for you.
+  TURN_CREDENTIALS: "REPLACE_WITH_32_RANDOM_CHARS"
   TURN_CREDENTIALS_SECRET: "REPLACE_WITH_32_RANDOM_CHARS"
diff --git a/scripts/generate-secrets.sh b/scripts/generate-secrets.sh
index 4b1a830..a023807 100755
--- a/scripts/generate-secrets.sh
+++ b/scripts/generate-secrets.sh
@@ -32,5 +32,9 @@ stringData:
   JICOFO_AUTH_PASSWORD: "${JICOFO_AUTH_PASSWORD}"
   JVB_AUTH_USER: "jvb"
   JVB_AUTH_PASSWORD: "${JVB_AUTH_PASSWORD}"
+  # Same HMAC value under two keys: Prosody's mod_external_services
+  # template reads TURN_CREDENTIALS; coturn's start-script reads
+  # TURN_CREDENTIALS_SECRET. Both must match.
+  TURN_CREDENTIALS: "${TURN_CREDENTIALS_SECRET}"
   TURN_CREDENTIALS_SECRET: "${TURN_CREDENTIALS_SECRET}"
 EOF