All checks were successful
deploy / deploy (push) Successful in 42s
Adds a coturn pod that gives clients a relay path when direct UDP to JVB:10001 doesn't make it through carrier NAT (the typical mobile-data failure mode the user hit). Same domain as the rest — meet.it.financeflow.de — because TURN ports (3478/5349) don't collide with the Ingress on 443.

- 80-coturn.yaml: hostNetwork Deployment binding STUN+TURN on 3478 (UDP/TCP) and TURNS on 5349 (UDP/TCP), inline-templates turnserver.conf with PUBLIC_IP + TURN_CREDENTIALS_SECRET. TLS cert mounted from the same jitsi-tls Secret cert-manager already manages for the web Ingress. CronJob restarts coturn weekly so cert renewals propagate.
- 10-config.yaml: STUN now points at our own coturn; TURN_HOST/TURNS_HOST set so Prosody mod_external_services hands TURN endpoints to clients during XMPP session init. RESOLUTION capped at 480p, START_VIDEO_MUTED=5 keeps large rooms light on bandwidth.
- generate-secrets.sh + 20-secrets.yaml.example: TURN_CREDENTIALS_SECRET added so Prosody and coturn share the HMAC key (already pre-synced out-of-band into the cluster).
- deploy.yml: sed __PUBLIC_IP__ in coturn manifest, rollout-status coturn.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
76 lines
2.8 KiB
YAML
name: deploy

on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  deploy:
    runs-on: ubuntu-latest
    timeout-minutes: 10

    steps:
      - uses: actions/checkout@v4

      - name: Install kubectl
        uses: azure/setup-kubectl@v4
        with:
          version: latest

      - name: Configure kubectl from secret
        run: |
          mkdir -p "$HOME/.kube"
          echo "${{ secrets.KUBECONFIG_B64 }}" | base64 -d > "$HOME/.kube/config"
          chmod 600 "$HOME/.kube/config"
          kubectl config current-context

      # __PUBLIC_IP__ placeholder lives in JVB + coturn manifests — both
      # advertise their public address so clients can reach them. Single
      # sed pass over the directory keeps the secret out of git.
      - name: Patch __PUBLIC_IP__ in manifests
        run: |
          test -n "${{ secrets.DARKEMBER_PUBLIC_IP }}" || (echo "secret DARKEMBER_PUBLIC_IP missing" && exit 1)
          sed -i "s|__PUBLIC_IP__|${{ secrets.DARKEMBER_PUBLIC_IP }}|g" infra/k3s/60-jvb.yaml infra/k3s/80-coturn.yaml

      - name: Apply manifests
        # 20-secrets.yaml is intentionally NOT applied — secret must be
        # created out-of-band (see scripts/generate-secrets.sh) so we
        # don't overwrite real values with placeholders.
        run: |
          kubectl apply -f infra/k3s/00-namespace.yaml
          kubectl apply -f infra/k3s/10-config.yaml
          kubectl apply -f infra/k3s/30-prosody.yaml
          kubectl apply -f infra/k3s/40-jicofo.yaml
          kubectl apply -f infra/k3s/50-web.yaml
          kubectl apply -f infra/k3s/60-jvb.yaml
          kubectl apply -f infra/k3s/70-ingress.yaml
          kubectl apply -f infra/k3s/80-coturn.yaml

      # ConfigMap-only changes don't restart pods on their own, so a
      # deploy that just edits 10-config.yaml would otherwise leave the
      # pods running the old env vars. Force a rollout to pick the new
      # values up — no-op when no spec drift, fast when there is.
      - name: Roll pods to pick up ConfigMap drift
        run: kubectl -n jitsi rollout restart deployment

      - name: Wait for rollout
        run: |
          kubectl -n jitsi rollout status deployment/prosody --timeout=3m
          kubectl -n jitsi rollout status deployment/jicofo --timeout=3m
          kubectl -n jitsi rollout status deployment/jitsi-web --timeout=3m
          kubectl -n jitsi rollout status deployment/jvb --timeout=3m
          kubectl -n jitsi rollout status deployment/coturn --timeout=3m

      - name: Smoke-check
        run: |
          for i in 1 2 3 4 5; do
            if curl -fsS -o /dev/null -w "%{http_code}\n" https://meet.it.financeflow.de/ | grep -q "200\|301\|302"; then
              echo "meet.it.financeflow.de is up"
              exit 0
            fi
            sleep 5
          done
          echo "smoke-check failed"
          exit 1
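The credential scheme behind the shared TURN_CREDENTIALS_SECRET the commit message refers to (Prosody mod_external_services mints a short-lived TURN username/password from the HMAC key, and coturn recomputes the same HMAC in its use-auth-secret mode), written out as an added Python example that is not part of this repository; the secret value, user name and TTL below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed placeholder. In the cluster this is TURN_CREDENTIALS_SECRET,
# the value Prosody and coturn must both hold.
SHARED_SECRET = "example-shared-secret-not-real"


def make_turn_credential(secret: str, user: str = "", ttl: int = 86400,
                         now: Optional[int] = None) -> Tuple[str, str]:
    """Build a TURN REST-API style credential as Prosody hands it to clients:
    username is '<unix-expiry>:<user>', password is
    base64(HMAC-SHA1(key=secret, msg=username)). The secret itself never
    leaves the server; the client only ever sees the derived pair."""
    if now is None:
        now = int(time.time())
    username = f"{now + ttl}:{user}"
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(mac).decode()


def verify_turn_credential(secret: str, username: str, password: str,
                           now: Optional[int] = None) -> bool:
    """Mirror what coturn does with use-auth-secret: parse the expiry out of
    the username, reject stale credentials, recompute the MAC with the shared
    key and compare in constant time. A mismatch here with a real pair means
    the two sides do not actually share the same key."""
    if now is None:
        now = int(time.time())
    expiry_str, _, _user = username.partition(":")
    if not expiry_str.isdigit() or int(expiry_str) < now:
        return False
    expected = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    try:
        given = base64.b64decode(password, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    user, pw = make_turn_credential(SHARED_SECRET, "jitsi", ttl=3600)
    print(user, pw, verify_turn_credential(SHARED_SECRET, user, pw))
```

Feeding a pair minted with the key Prosody holds into the verifier with the key coturn holds is a cheap way to confirm the out-of-band sync worked before a client gets a 401 on allocation.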