From 1b6360c59933fe4f1b308fca82182fedabba4280 Mon Sep 17 00:00:00 2001
From: jessebot
Date: Sat, 29 Jul 2023 13:59:44 +0200
Subject: [PATCH 1/4] make service.type configurable for coturn
---
 charts/coturn/Chart.yaml | 2 +-
 charts/coturn/README.md | 5 +++--
 charts/coturn/templates/service-tcp.yaml | 4 +++-
 charts/coturn/templates/service-udp.yaml | 4 +++-
 charts/coturn/values.yaml | 19 ++++++++++++++++++-
 5 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/charts/coturn/Chart.yaml b/charts/coturn/Chart.yaml
index 612051f..50f2ee3 100644
--- a/charts/coturn/Chart.yaml
+++ b/charts/coturn/Chart.yaml
@@ -3,7 +3,7 @@ name: coturn
 type: application
 description: A Helm chart to deploy coturn
 home: "https://github.com/jessebot/coturn-chart"
-version: 4.0.0
+version: 4.0.1
 appVersion: 4.6.2
 sources:
 - "https://github.com/jessebot/coturn-chart"
diff --git a/charts/coturn/README.md b/charts/coturn/README.md
index 87b9e67..f41e1a2 100644
--- a/charts/coturn/README.md
+++ b/charts/coturn/README.md
@@ -1,6 +1,6 @@
 # coturn
-![Version: 4.0.0](https://img.shields.io/badge/Version-4.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.6.2](https://img.shields.io/badge/AppVersion-4.6.2-informational?style=flat-square)
+![Version: 4.0.1](https://img.shields.io/badge/Version-4.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.6.2](https://img.shields.io/badge/AppVersion-4.6.2-informational?style=flat-square)
 A Helm chart to deploy coturn 
@@ -83,7 +83,8 @@ A Helm chart to deploy coturn
 | securityContext.readOnlyRootFilesystem | bool | `false` | allow modificatin to root filesystem |
 | securityContext.runAsGroup | int | `1000` | for all Containers in the Pod, all processes run w/ this GroupID |
 | securityContext.runAsUser | int | `1000` | for all Containers in the Pod, all processes run w/ this userID |
-| service.externalTrafficPolicy | string | `"Local"` | I don't actually know what this is 🤔 open a PR if you know |
+| service.externalTrafficPolicy | string | `""` | I don't actually know what this is 🤔 open a PR if you know was originally "Local" |
+| service.type | string | `"ClusterIP"` | The type of service to deploy for routing Coturn traffic. ClusterIP: Recommended for DaemonSet configurations. This will create a standard Kubernetes service for Coturn within the cluster. No external networking will be configured as the DaemonSet will handle binding to each Node's host networking NodePort: Recommended for Deployment configurations. This will open TURN ports on every node and route traffic on these ports to the Coturn pods. You will need to make sure your cloud provider supports the cluster config setting, apiserver.service-node-port-range, as this range must contain the ports defined above for the service to be created. LoadBalancer: This was what was originally set for this chart in the upstream of this fork, but with no details |
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
diff --git a/charts/coturn/templates/service-tcp.yaml b/charts/coturn/templates/service-tcp.yaml
index 1316dae..14ef489 100644
--- a/charts/coturn/templates/service-tcp.yaml
+++ b/charts/coturn/templates/service-tcp.yaml 
@@ -7,7 +7,9 @@ metadata:
 "{{ $key }}": "{{ tpl $value $ }}"
 {{- end }}
 spec:
+ {{- if .Values.service.externalTrafficPolicy }}
 externalTrafficPolicy: {{.Values.service.externalTrafficPolicy}}
+ {{- end }}
 ports:
 - name: turn-tcp
 port: {{ .Values.coturn.ports.listening }}
@@ -20,4 +22,4 @@ spec:
 selector:
 app.kubernetes.io/name: {{ .Release.Name }}-coturn
 app.kubernetes.io/instance: {{ .Release.Name }}
- type: LoadBalancer
+ type: {{ .Values.service.type }}
diff --git a/charts/coturn/templates/service-udp.yaml b/charts/coturn/templates/service-udp.yaml
index 04d7491..ae1a79d 100644
--- a/charts/coturn/templates/service-udp.yaml
+++ b/charts/coturn/templates/service-udp.yaml
@@ -7,7 +7,9 @@ metadata:
 "{{ $key }}": "{{ tpl $value $ }}"
 {{- end }}
 spec:
+ {{- if .Values.service.externalTrafficPolicy }}
 externalTrafficPolicy: {{.Values.service.externalTrafficPolicy}}
+ {{- end }}
 ports:
 - name: turn-udp
 port: {{ .Values.coturn.ports.listening }}
@@ -20,4 +22,4 @@ spec:
 selector:
 app.kubernetes.io/name: {{ .Release.Name }}-coturn
 app.kubernetes.io/instance: {{ .Release.Name }}
- type: LoadBalancer
+ type: {{ .Values.service.type }}
diff --git a/charts/coturn/values.yaml b/charts/coturn/values.yaml
index 4384807..08b3b6a 100644
--- a/charts/coturn/values.yaml
+++ b/charts/coturn/values.yaml 
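Review bot: The new guard `{{- if .Values.service.externalTrafficPolicy }}` only checks that the value is non-empty, not that the Service type accepts it; as far as I recall the API server only accepts `externalTrafficPolicy` on `NodePort` and `LoadBalancer` Services, so a user who sets it while keeping the new default `type: ClusterIP` gets a rejected manifest instead of a clear error. Tying the guard to the type avoids that: `{{- if and .Values.service.externalTrafficPolicy (ne .Values.service.type "ClusterIP") }}`, or alternatively a `fail` call naming the conflicting settings. The identical guard in the service-udp.yaml hunk needs the same change. The Service spec in both templates continues outside these hunks.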
@@ -5,8 +5,25 @@ replicas: 2
 nameOverride: ""
 service:
+ # -- The type of service to deploy for routing Coturn traffic.
+ # ClusterIP: Recommended for DaemonSet configurations. This will create a
+ # standard Kubernetes service for Coturn within the cluster.
+ # No external networking will be configured as the DaemonSet
+ # will handle binding to each Node's host networking
+ #
+ # NodePort: Recommended for Deployment configurations. This will open
+ # TURN ports on every node and route traffic on these ports to
+ # the Coturn pods. You will need to make sure your cloud
+ # provider supports the cluster config setting,
+ # apiserver.service-node-port-range, as this range must contain
+ # the ports defined above for the service to be created.
+ #
+ # LoadBalancer: This was what was originally set for this chart in the
+ # upstream of this fork, but with no details
+ type: ClusterIP
 # -- I don't actually know what this is 🤔 open a PR if you know
- externalTrafficPolicy: Local
+ # was originally "Local"
+ externalTrafficPolicy: ""
 image:
 # -- container registry and repo for coturn docker image
From 926a264dc5d015449cf27b271d6ff298a96ce0f7 Mon Sep 17 00:00:00 2001
From: jessebot
Date: Sat, 29 Jul 2023 14:09:59 +0200
Subject: [PATCH 2/4] disable external database and postgresql by default
---
 charts/coturn/README.md | 4 ++--
 charts/coturn/values.yaml | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/charts/coturn/README.md b/charts/coturn/README.md
index f41e1a2..41f829d 100644
--- a/charts/coturn/README.md
+++ b/charts/coturn/README.md 
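Review bot: The helm-docs comment on `externalTrafficPolicy` still says its meaning is unknown, and for a TURN server the setting decides whether coturn sees real client addresses: `Local` delivers external traffic only to pods on the node that received it and preserves the client source IP, while `Cluster` (the Kubernetes default) may SNAT to a node IP, so relay permissions and logs would show node addresses rather than clients. I would replace the "I don't actually know" line with `# -- externalTrafficPolicy for the TURN Services: "Local" preserves the client source IP and keeps traffic node-local, "Cluster" may SNAT to a node IP. Only valid for NodePort/LoadBalancer; leave empty for ClusterIP.` Separately, the NodePort paragraph promises that the TURN ports are opened on every node, but that only holds if the Service templates also set `nodePort:` to the same values as `port:`, which the visible service hunks do not show, so either set `nodePort` there or soften the comment. "the ports defined above" appears to refer to `coturn.ports`, which seem to be defined further down this file rather than above.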
@@ -43,7 +43,7 @@ A Helm chart to deploy coturn
 | coturn.ports.tlsListening | int | `5349` | secure listening port |
 | coturn.realm | string | `"turn.example.com"` | hostname for the coturn server realm |
 | externalDatabase.database | string | `""` | database to create, ignored if existingSecret is passed in |
-| externalDatabase.enabled | bool | `true` | enables the use of postgresql instead of the default sqlite |
+| externalDatabase.enabled | bool | `false` | enables the use of postgresql instead of the default sqlite to use the bundled subchart, enable this, and postgresql.enable |
 | externalDatabase.existingSecret | string | `""` | name of existing Secret to use for postgresql credentials |
 | externalDatabase.hostname | string | `""` | required if externalDatabase.enabled: true and postgresql.enabled: false |
 | externalDatabase.password | string | `""` | password for database, ignored if existingSecret is passed in | 
@@ -63,7 +63,7 @@ A Helm chart to deploy coturn
 | persistence.existingClaim | string | `""` | existing PVC to use instead of creating one on the fly |
 | persistence.size | string | `"1Mi"` | size of the PVC, ignored if persistence.existingClaim passed in |
 | persistence.storageClass | string | `""` | storageClass for the PVC, ignored if persistence.existingClaim passed in |
-| postgresql.enabled | bool | `true` | enables bitnami postgresql subchart, you can disable to use external db |
+| postgresql.enabled | bool | `false` | enables bitnami postgresql subchart, you can disable to use external db |
 | postgresql.global.postgresql.auth | object | `{"database":"coturn","existingSecret":"","password":"","secretKeys":{"adminPasswordKey":"postgresPassword","database":"database","hostname":"hostname","userPasswordKey":"password","username":"username"},"username":"coturn"}` | global.postgresql.auth overrides postgresql.auth |
 | postgresql.global.postgresql.auth.database | string | `"coturn"` | database to create, ignored if existingSecret is passed in |
 | postgresql.global.postgresql.auth.existingSecret | string | `""` | name of existing Secret to use for postgresql credentials |
diff --git a/charts/coturn/values.yaml b/charts/coturn/values.yaml
index 08b3b6a..d7bb158 100644
--- a/charts/coturn/values.yaml
+++ b/charts/coturn/values.yaml
@@ -52,7 +52,8 @@ certificate:
 externalDatabase:
 # -- enables the use of postgresql instead of the default sqlite
- enabled: true
+ # to use the bundled subchart, enable this, and postgresql.enable
+ enabled: false
 # -- Currently only postgresql is supported. mysql coming soon
 type: "postgresql"
 # -- required if externalDatabase.enabled: true and postgresql.enabled: false 
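Review bot: The added comment `# to use the bundled subchart, enable this, and postgresql.enable` names a key that does not exist; the key toggled in the next hunk of this file is `postgresql.enabled`, and a reader copying the comment into their values would get a silently ignored setting. Suggest `# to use the bundled subchart, set this and postgresql.enabled to true`. The README row for externalDatabase.enabled in this same commit carries the same typo. With both flags now false the effective default is the sqlite backend the preceding line alludes to, which is worth stating explicitly since it changes which storage a fresh install depends on. The externalDatabase block continues outside the hunk.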
@@ -80,7 +81,7 @@ externalDatabase:
 # see: https://github.com/bitnami/charts/tree/main/bitnami/postgresql
 postgresql:
 # -- enables bitnami postgresql subchart, you can disable to use external db
- enabled: true
+ enabled: false
 global:
 postgresql:
 # -- global.postgresql.auth overrides postgresql.auth
From bcd1ee57fdcb193c8257a649234e800788c62cd8 Mon Sep 17 00:00:00 2001
From: jessebot
Date: Sat, 29 Jul 2023 14:14:31 +0200
Subject: [PATCH 3/4] set replicas to default one
---
 charts/coturn/README.md | 2 +-
 charts/coturn/values.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/coturn/README.md b/charts/coturn/README.md
index 41f829d..21b7757 100644
--- a/charts/coturn/README.md
+++ b/charts/coturn/README.md
@@ -74,7 +74,7 @@ A Helm chart to deploy coturn
 | postgresql.global.postgresql.auth.secretKeys.userPasswordKey | string | `"password"` | key in existing Secret to use for coturn user's password |
 | postgresql.global.postgresql.auth.secretKeys.username | string | `"username"` | key in exsiting Secret to use for the coturn user |
 | postgresql.global.postgresql.auth.username | string | `"coturn"` | username for database, ignored if existingSecret is passed in |
-| replicas | int | `2` | |
+| replicas | int | `1` | |
 | resources | object | `{}` | ref: kubernetes.io/docs/concepts/configuration/manage-resources-containers |
 | securityContext.allowPrivilegeEscalation | bool | `true` | allow priviledged access |
 | securityContext.capabilities.add | list | `["NET_BIND_SERVICE"]` | linux cabilities to allow for the coturn k8s pod |
diff --git a/charts/coturn/values.yaml b/charts/coturn/values.yaml
index d7bb158..b6067b5 100644
--- a/charts/coturn/values.yaml
+++ b/charts/coturn/values.yaml
@@ -1,5 +1,5 @@
 ---
-replicas: 2
+replicas: 1
 # -- different name for the helm release
 nameOverride: ""
From 718260e29a5085a1a796a99f215d7a84186a1028 Mon Sep 17 00:00:00 2001
From: jessebot
Date: Sat, 29 Jul 2023 14:15:58 +0200
Subject: [PATCH 4/4] removing the container level security context for coturn
---
 charts/coturn/templates/deployment.yaml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/charts/coturn/templates/deployment.yaml b/charts/coturn/templates/deployment.yaml
index d6b9991..8fb7375 100644
--- a/charts/coturn/templates/deployment.yaml
+++ b/charts/coturn/templates/deployment.yaml
@@ -162,12 +162,6 @@ spec:
 {{- end }}
 - name: var-tmp
 mountPath: /var/tmp
- securityContext:
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- allowPrivilegeEscalation: false
 {{- with .Values.resources }}
 resources:
 {{- toYaml . | nindent 12 }}
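Review bot: Deleting the hard-coded container `securityContext` drops `drop: [ALL]`, `readOnlyRootFilesystem: true` and `allowPrivilegeEscalation: false` without a values-driven replacement in this hunk, and the README rows earlier in this series document `securityContext.allowPrivilegeEscalation` as `true` and `securityContext.readOnlyRootFilesystem` as `false`, so a default install now runs the coturn container with a writable root filesystem and privilege escalation permitted. Unless `.Values.securityContext` is already rendered at container level elsewhere in this template (its `capabilities`, `readOnlyRootFilesystem` and `allowPrivilegeEscalation` keys are container-level fields, not pod-level ones), I would render it here in the same shape as the `resources` block that follows: `{{- with .Values.securityContext }}`, `securityContext: {{- toYaml . | nindent 12 }}`, `{{- end }}`, and set the values defaults to the hardened combination (`drop: [ALL]` plus `add: [NET_BIND_SERVICE]`, read-only root, no escalation) so that relaxing them is an explicit opt-in. The `var-tmp` mount left in place suggests the writable paths coturn needs were already handled for a read-only root, so the hardened defaults should still be workable. The container spec this hunk belongs to starts and ends outside the hunk.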