deploy / deploy (push) Successful in 4s
Replaces the anonymous-OK setup with JWT-gated joins. Only participants that Embertime invited get a valid token — random URL-guessers can no longer enter rooms even if they discover the slug.

- ConfigMap: ENABLE_AUTH=1 + AUTH_TYPE=jwt + JWT_APP_ID=embertime
- 20-secrets.yaml.example: JWT_APP_SECRET placeholder with docs
- CLAUDE.md: documents the new auth model + rotation flow

Pipeline rolls config out; the secret itself stays out-of-band — admin copies it from Embertime UI (Settings → Meeting-Server) or queries the embertime DB directly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
28 lines
1.2 KiB
Plaintext
# TEMPLATE — do NOT commit a filled-in copy. Generate the real secret
# via scripts/generate-secrets.sh and apply once out-of-band:
#
#   ./scripts/generate-secrets.sh > infra/k3s/20-secrets.yaml
#   kubectl apply -f infra/k3s/20-secrets.yaml
#
# Component passwords are only used cluster-internally between
# prosody/jicofo/jvb — clients (browsers) never see them.
apiVersion: v1
kind: Secret
metadata:
  name: jitsi-secrets
  namespace: jitsi
type: Opaque
stringData:
  # Inter-component passwords — generate fresh via generate-secrets.sh
  JICOFO_COMPONENT_SECRET: "REPLACE_WITH_32_RANDOM_CHARS"
  JICOFO_AUTH_USER: "focus"
  JICOFO_AUTH_PASSWORD: "REPLACE_WITH_32_RANDOM_CHARS"
  JVB_AUTH_USER: "jvb"
  JVB_AUTH_PASSWORD: "REPLACE_WITH_32_RANDOM_CHARS"
  # HMAC key shared with Embertime — must match app_settings.meeting_jwt_secret
  # in Embertime's DB. Get it from the Embertime UI (Settings → Meeting-Server
  # → "Secret rotieren") OR query the DB directly with:
  #   kubectl -n embertime exec -it deploy/embertime-postgres -- \
  #     psql -U embertime -t -c "select meeting_jwt_secret from app_settings"
  JWT_APP_SECRET: "REPLACE_WITH_VALUE_FROM_EMBERTIME"