Adds a coturn pod that gives clients a relay path when direct UDP to
JVB:10001 doesn't make it through carrier NAT (the typical mobile-data
failure mode the user hit). Same domain as the rest — meet.it.financeflow.de
— because TURN ports (3478/5349) don't collide with the Ingress on 443.
- 80-coturn.yaml: hostNetwork Deployment binding STUN+TURN on 3478
  (UDP/TCP) and TURNS on 5349 (UDP/TCP), inline-templates turnserver.conf
  with PUBLIC_IP + TURN_CREDENTIALS_SECRET. TLS cert mounted from the
  same jitsi-tls Secret cert-manager already manages for the web Ingress.
  CronJob restarts coturn weekly so cert renewals propagate.
- 10-config.yaml: STUN now points at our own coturn; TURN_HOST/TURNS_HOST
  set so Prosody mod_external_services hands TURN endpoints to clients
  during XMPP session init. RESOLUTION capped at 480p,
  START_VIDEO_MUTED=5 keeps large rooms light on bandwidth.
- generate-secrets.sh + 20-secrets.yaml.example: TURN_CREDENTIALS_SECRET
  added so Prosody and coturn share the HMAC key (already pre-synced
  out-of-band into the cluster).
- deploy.yml: sed __PUBLIC_IP__ in coturn manifest, rollout-status coturn.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
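The shared TURN_CREDENTIALS_SECRET above only works because both sides implement the same TURN REST API credential scheme: the issuer (Prosody) mints a time-limited username and HMAC-SHA1 password, and the relay (coturn with use-auth-secret) recomputes and checks it. The following is an added example written for this note, not code from the commit or from Prosody/coturn; it assumes the draft's standard `<expiry>:<id>` username format and HMAC-SHA1, and the secret, ttl and user id are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed placeholder: the real TURN_CREDENTIALS_SECRET lives only in the
# cluster Secret and is never committed.
SHARED_SECRET = "placeholder-shared-secret-not-real"
CRED_TTL = 86400  # seconds a minted credential stays valid (constructed value)


def issue_turn_credentials(secret: str, ttl: int, user_id: str,
                           now: Optional[int] = None) -> Tuple[str, str]:
    """Issuer side (the role Prosody plays): username is '<expiry>:<id>',
    password is base64(HMAC-SHA1(secret, username)) per the TURN REST API draft.
    Nothing is stored server-side; the expiry is carried inside the username."""
    base = now if now is not None else int(time.time())
    username = f"{base + ttl}:{user_id}"
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_turn_credentials(secret: str, username: str, password: str,
                            now: Optional[int] = None) -> bool:
    """Verifier side (the role coturn's use-auth-secret plays): reject a
    malformed or expired username before touching the HMAC, then recompute it
    and compare in constant time so a stale or forged password cannot be
    distinguished by timing."""
    now = now if now is not None else int(time.time())
    expiry_str, sep, _ = username.partition(":")
    if not sep or not expiry_str.isdigit():
        return False  # not in '<expiry>:<id>' form
    if int(expiry_str) <= now:
        return False  # credential has expired
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    expected = base64.b64encode(digest).decode()
    return hmac.compare_digest(expected, password)


if __name__ == "__main__":
    user, pw = issue_turn_credentials(SHARED_SECRET, CRED_TTL, "alice")
    print(user, pw, verify_turn_credentials(SHARED_SECRET, user, pw))
```

A credential rejected by coturn while Prosody still hands it out almost always means the two secrets have drifted apart or the clocks disagree, which is the failure the shared key and the out-of-band sync are there to prevent.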