From 759571e58984f6848f8f3aaa7c5d6ff906c7df2b Mon Sep 17 00:00:00 2001
From: Danny Grove
Date: Sun, 21 Jan 2024 23:34:23 -0800
Subject: [PATCH] k/matrix/coturn: initial commit
---
.../matrix/coturn/config-secrets.enc.yaml | 118 ++++++++++++++++++
kustomizations/matrix/coturn/daemonset.yaml | 69 ++++++++++
.../matrix/coturn/kustomization.yaml | 12 ++
.../matrix/coturn/secret-generator.yaml | 6 +
kustomizations/matrix/coturn/service.yaml | 39 ++++++
5 files changed, 244 insertions(+)
create mode 100644 kustomizations/matrix/coturn/config-secrets.enc.yaml
create mode 100644 kustomizations/matrix/coturn/daemonset.yaml
create mode 100644 kustomizations/matrix/coturn/kustomization.yaml
create mode 100644 kustomizations/matrix/coturn/secret-generator.yaml
create mode 100644 kustomizations/matrix/coturn/service.yaml
diff --git a/kustomizations/matrix/coturn/config-secrets.enc.yaml b/kustomizations/matrix/coturn/config-secrets.enc.yaml
new file mode 100644
index 0000000..25750bf
--- /dev/null
+++ b/kustomizations/matrix/coturn/config-secrets.enc.yaml
@@ -0,0 +1,118 @@ +apiVersion: v1 +kind: Secret +metadata: + name: coturn +type: Opaque +stringData: + turnserver.conf: ENC[AES256_GCM,data:suQA1LL8JiKemZo1LojR4WYSk5ex5DIv4wyOGjS6gZKGCViqR2uvIBT1DVI/LfIjYjuBDM7NqDOSP/kQxChJDrUksaOCU4Q5uc/eE9zlyP7A/c4Cb8evPQ1JApK2GTzFwz8J5x6S4aa+JpoAB5aTvijfcW131pmQOtz6uanEhuU1As9c9g57nbGGR2lLRx7rYVMqGC2fxg30JJewSjIYWsOJoz6+Y/callulnQKznil7cMYwjiMK/QoVgdsvmW4fjcm8PbBKdBZbh7nDQBcvtrr8lqyMBNl/XOTtU4Ael28YWzDtdbWH1jdJMnMieWxpa2D2XnWNqd0XdYxPwS3HnVHVXSgwOYUQutMyWNBA1wnIaC1sg8Z5lzqE38DzXfA=,iv:8wwzXOMCH4zadAtifiFAbwFEQ7O5CO2ogvCiuEDV8gU=,tag:D04paJjlkzeXmuyLvk4f8w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-01-16T07:13:58Z" + mac: ENC[AES256_GCM,data:t8y4z+JQ2ua9KcykwoH2rHi1wsHC0Z1TkxkMZvUenQFxvwNTHC4NghwWGN2kcCDO9SjUb1J3BPobZd/EqSitQ7kTxyeBTa+qcylUIDvCmk9S1ZHVyJKhoQABbJX9raClYV3a3zrk5WNi4obXAHgXGpMdq1cVe53GR/X5z5ury7Q=,iv:x+WQ8t86EOrejNyv0grHSyd1bOpWcoZ/lqmFtFHHR0o=,tag:XuiuZUKe32MjNMg4nx9Kvg==,type:str] + pgp: + - created_at: "2024-01-11T20:55:07Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA82rPM2mSf/aARAAkFACzQmqyF9BqaD1qEjIO4e6owS/n4h3U6ee0Y7fhO8y + a5RJ4/HvMmfXcYeHm+CZjsFaui4YJkPS93clGTJzV4w15yXJUunIVjAmkvSrVh6P + GqRUtNpi1y+JCS3sjlAfvm3h9b08dNxFv7rTwZtDiP8zmcNuB0zbLBFR7G6ixetx + ZxL7piPYX75Rqoz8A/+V7VAtsoX8t3xv5xgjHzzfhiM3TeoQUgLnF8aN5huiSptf + dMmNMa0GGu5QaUjYJ3iHjv5eMtCJ79KwpuCfv5iX34Q++rTe5VUWoQabNAiE/Frt + Rc3JB8o8rfL6WME9qIIa5k654JlVDKqOvTH3mtHkOIWhD2+CEK89Siq3G35Kkct8 + Ym7UNa6gE8IdSGkCOH81G4ZheU6Z8OKF1Z7dO+o7IdgIURTwLEFeBIC2PtWOKOJP + PnzqZNk1w4n4XK6hQg4bmIj8VaZXXgHEXcO/jaGCoRyr36BHCE1Sj1ae5cMUgDje + p6WKVO6gXfRg7SRJqQNUh03Lz0YKIjsI/429UPyf9mtXbHfvVyrW3+wyByok86FG + cGL1Y/N7thxAxXqHy4OZFCE0NMP2bobMzzGJTtDY9oPsGwTb6xk1g0wE5zg6IoQa + 9hnObBJhdpvYcD6juz+V0wkeI30essnz7ZTtsLdfCox6mnP5BMTtzxmcRrCpNvHS + UQFIZa0XryYoXv3rcw6yUpkqv6aYzD3L4PnqYtGUEtbMoTb8NXa9Cp+1OeypqZ0g + 7uO5zCKJgL6sBaPnJL5/n+afafzYcIOsQc2O+q0s4O1d5Q== + =3E6w + -----END PGP MESSAGE----- + fp: 
6B61ECD76088748C70590D55E90A401336C8AAA9 + - created_at: "2024-01-11T20:55:07Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMAw95Vf08z8oUAQ//abo3n5r8YdQ6p+/X031/n8MCvWKw+ERGSvDuT2r7g8m8 + DqrBQmX578jHVmZkC2B6fYqEBuQAeyEJyQ56MLMuGMNSET8dgNS4Uj/gwvsuEDQf + NhU10WLkfQ3g2/o654BVzPC2b3UQTL4mmXqp0+ID79uynn0/WZ0TQQ8xj/uUaDS1 + h6/uC7mmDGTHaxF3gFuYkvWMghU0bqX5BfrAPdICAr8FIqxUGIvUD6KkBu9hWTYP + RLtfwpU/DAcT/7pNtic25WzzQt7W0mok3zUZZq5r2UqO35x2XOrgC5DQ69QYf7JZ + a9S236gEpAS0Kl1IWSvY2kDzj/J27T3nonY2kX3a+UqVWX15LEmVmNNUMwjz91/b + 0G+26vustzinHBs30EHGBqhyELjRW0RjcmlVGNXvZwhgGL5/LNIEcfBi19tIang1 + dRYE9TasSeRbyTU/A/CXFDeuGtC8K552SzXjv1zP6gkwZFb0/zd0/XHPSyGyOLbM + 1PC3JhkA8GEYQ7l9y5BdPXxZseuoSHDPHfMRIcnogx6w6rfBdd9+78M1WjnGzhYi + /utORBaiwU9Zk+Xm3B+WbkDl5+jio+UIp9nHoYAGfuJ9A6TZYBIavB6K171wALke + Kl6hoTxef/VGwdfXB9ikUy0bi0Km1vVpZGVzIjSFXiSlLkaamhxUFSgDPGZN21rS + UQHeXKkhgKXTEVvi+kypRbN2/174bElGTWz1C2TWPNJAcvvKmRw66t5g8pahnXbm + SYQoB5JaAl0URu6zHWBYhCjQjiyePhnxHV4tgGtEYAdY3g== + =xXRR + -----END PGP MESSAGE----- + fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72 + - created_at: "2024-01-11T20:55:07Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA0/D4ws+/KPtARAAsxa6N9jRT1AUqfWI7gIfJK6i6g0F5oxRYJ5A2mjhc89k + ZAN4/tO9GC+Fg8+lLhPHdiz6v2T1+92AFXET3jm+ax6rYei2woMHNXKzgqxjkQEQ + xQ/3LcQ3+FOTrvy7Gir9HQ/DoWSePBF7tx16unxH75hi6AgOiT0nFoEbXP3CJXie + lVOO5r5jKgBg9LENj/U+9LHjXB6W0PbVdhxdeStk2TTKcmuDnrGeqKZ3SyZ9V33p + DEfydW+T0ac156Eb2tdszzW5e87oPmW78wvLkotboZcPVWBadRtJkzVn3JXoMAda + gN+W2+I4/4iQN8ITBQ+2i5GsdbHtnrmPkzSbtSqhujwZ1k/a7uRmHy46ejDK9QnT + lQzm2OKyjTlCDhnxnKj0eTE4nN0CDyxGBNlNVG2piKd8i+HpqrjKJ9IUcMj7oO3U + 8rtQ2A0LHquNvu6ZatP6fUk3tKgLaEslV4ORXMlILdZXlYqgznmvWJaII3XVeu8l + G/tHPkOhrcQDIecBeYcTLZYXtPtmY1UNJZfbDazG/9J0rdq/r9NmnB7woy7FSYEp + yRNji1i/89nVLsu94ra1D6FHyxgIFTSLkD7s1iCMTsz0UdwfbxqdLIWumYrm04XF + wM2eTB8OAGe8mdfi1q4te0FEDMLTpdYBhYDDjHmBv4fXwKPcWkgixvNJtT6xPgLS + UQEvOn03hQ8MCQ5kh1R1FoTOw1UpgV0eqJSateC2wkBKbZ/4NWPbnZA7XAW6Jb98 + JidKJ8TiYiI33hxUhu4nUeZWjNcd7MgHyl1Do2r7SfyICw== + 
=TXST + -----END PGP MESSAGE----- + fp: 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA + - created_at: "2024-01-11T20:55:07Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA5Wf+FyJ+zFJAQ/+I9khYJfqjCHhrAaElVWKgn4c+7C+oilVNE0132pQZfLb + u17yv6AYY5zThK6Lg0GZMKaKFn+JuF9wonTyixJQccJ+w2MxsJQRNQZTV/t19HrQ + B+6YFLVPNyOglr7jf+o5BnOdIvpR0Cog5JDzn0j4iwpRWRSGW1sWXiABKWUIW0Ks + nR7Rm/k3Jm8zYO6LtoyYog5HGUEHRMuOY6Yoj/EEbfDLKFU5WZ+hfKnbGGM9KW31 + RkXoCtjm2AstZTia5+Y0E3wNb9bbvpbkewyQd5KqaHmHaX3MzuoYKNHGVEgPMfla + Y26aED5uSLETv+C1U/jYJyxyVJxNYb2JBrS8a7+p+mo00Cvbs/pbM/cr5Y/Ogu7Q + Ed0+Ixst3LzSTOcYAAiEC/LpWztaIp/4h/cAfE7eKnsoFUVcv2lLpLHyI7fS/sJH + Ywp8tlqlfx7DaCqYEVjPMSfI9qBbJomoQ77szHL+Gyi4ibyF0iRz0/NnF5lmu5H5 + sDAYiqnHEIpk1v+gWXoj/CQq7a5jJf044cYylcO+al27cugr+jr5TBQQVv+wDNJV + LqpAxmmz8yUJ6RlTSg5JwNlNCCOONv6f+lX0Cjk7V0kPcOMgbVn19Su7zIvhM7wd + m9mzuVWWx2SBGzORdK9W4tt7lybU7aCvusT1jP1nwXF/JCz9lyEbb1syaNIAiXHS + UQE2Va23CUVgB+cV/ImXBCEuAjZhiSMFVCtWOZrcqPS8EZX9s6WzscpsEmFnDE7t + GVR3u1IyjxTsuTxxYU0ldSjHqYFjQrgRD3ZBzwZcgeajqw== + =bF9b + -----END PGP MESSAGE----- + fp: F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D + - created_at: "2024-01-11T20:55:07Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA8KRInHl7Vz+ARAAoMRyGipvXTgUChfL1Lryej14FI9+8dvWQculBjPQzg6x + oxdPzz07ifIX8D64zfToE+qc439l/RYwiMx9XyGscEim0D1GIFPwxOm4DCXT+/5m + wlLkOBP7oMwirqSazS7dNF1hE83717QTi1GqC0UqhoMINtxrhQIv1Y6xxREqD1Wd + eW3M45p1i8iSZkzF7n0EhIK3J59Wl3vxt9FUX3YRWk1JH0oaqIc1VCH3TJc73DAx + 9e1jIVQSo4R8BfQc5Y64xRh0eq/87Ud2E2x9JbZmpnw4FN/OHg9QqRMaZ9r6EQ/l + VerhJFkfSj3UVAfODzViKXyNTKRak1GOcQBE5lfAXynAW1nfTTx0re0rl6/tvOwC + i02a/raksTI8afak1RMclNFqlihsegGU239ZGDRPb4apL32nYY0SMim58vET8rv5 + eTiQE1udg+1ttIRAGq/PxzHKlc6FUEdyJ6i2Da16c0K76FpF3Gnxxhw+Tleixx3h + 6+PbhC2qEgt7LS8TNg9J2WTDy4Hlw5YEmzOAM9NA6UYrH9BHsR87sbdriz6pAC55 + CnFkWptrME4CjUP72qIezRYt/4784ABTw6poQ51jP30641YhgPoYLrWS8hWQYaE3 + jcrum3JQnLTjsE88OclcreKNvNj+b1t0uxuHa/6UdMnyRCd8osJ22s6JJHLGgB/S + UQHvy+Rv0QJ65DjsJ4TfdRBLcKXaF7Ar5SaANqGi8EYwjVbhfImwx5VSEsvQclEU + 
7JihoETtCrRwJM1BkJz3nuBAaYDm1Y+lWHSyVZ6xi8G0eg==
+ =n6cE
+ -----END PGP MESSAGE-----
+ fp: C92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD
+ encrypted_regex: ^(data|stringData)$
+ version: 3.8.1
diff --git a/kustomizations/matrix/coturn/daemonset.yaml b/kustomizations/matrix/coturn/daemonset.yaml
new file mode 100644
index 0000000..815a22b
--- /dev/null
+++ b/kustomizations/matrix/coturn/daemonset.yaml
@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: coturn
+spec:
+ template:
+ spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ containers:
+ - name: "coturn"
+ image: coturn/coturn
+ args: ["-c", "/config/turnserver.conf"]
+ ports:
+ - name: turn-3478
+ containerPort: 3478
+ protocol: UDP
+ - name: turn-49152
+ containerPort: 49152
+ hostPort: 49152
+ protocol: UDP
+ - name: turn-49153
+ containerPort: 49153
+ hostPort: 49153
+ protocol: UDP
+ - name: turn-49154
+ containerPort: 49154
+ hostPort: 49154
+ protocol: UDP
+ - name: turn-49155
+ containerPort: 49155
+ hostPort: 49155
+ protocol: UDP
+ - name: turn-49156
+ containerPort: 49156
+ hostPort: 49156
+ protocol: UDP
+ - name: turn-49157
+ containerPort: 49157
+ hostPort: 49157
+ protocol: UDP
+ - name: turn-49158
+ containerPort: 49158
+ hostPort: 49158
+ protocol: UDP
+ volumeMounts:
+ - name: config
+ mountPath: /config/turnserver.conf
+ subPath: turnserver.conf
+ readOnly: true
+ - name: var-tmp
+ mountPath: /var/tmp
+ securityContext:
+ capabilities:
+ # https://github.com/coturn/coturn/issues/994
+ add:
+ - NET_BIND_SERVICE
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ volumes:
+ - name: config
+ secret:
+ secretName: coturn
+ - name: var-tmp
+ emptyDir: {}
diff --git a/kustomizations/matrix/coturn/kustomization.yaml b/kustomizations/matrix/coturn/kustomization.yaml
new file mode 100644
index 0000000..b743bfc
--- /dev/null
+++ b/kustomizations/matrix/coturn/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+labels:
+- includeSelectors: true
+ pairs:
+ app.kubernetes.io/name: coturn
+ app.kubernetes.io/part-of: matrix
+resources:
+- daemonset.yaml
+- service.yaml
+generators:
+- secret-generator.yaml
diff --git a/kustomizations/matrix/coturn/secret-generator.yaml b/kustomizations/matrix/coturn/secret-generator.yaml
new file mode 100644
index 0000000..77841c9
--- /dev/null
+++ b/kustomizations/matrix/coturn/secret-generator.yaml
@@ -0,0 +1,6 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ name: coturn-ksops-secrets
+files:
+ - config-secrets.enc.yaml
diff --git a/kustomizations/matrix/coturn/service.yaml b/kustomizations/matrix/coturn/service.yaml
new file mode 100644
index 0000000..ef9681f
--- /dev/null
+++ b/kustomizations/matrix/coturn/service.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: coturn
+spec:
+ type: ClusterIP
+ ports:
+ - targetPort: turn-3478
+ name: turn-3478
+ port: 3478
+ protocol: UDP
+ - targetPort: turn-49152
+ name: turn-49152
+ port: 49152
+ protocol: UDP
+ - targetPort: turn-49153
+ name: turn-49153
+ port: 49153
+ protocol: UDP
+ - targetPort: turn-49154
+ name: turn-49154
+ port: 49154
+ protocol: UDP
+ - targetPort: turn-49155
+ name: turn-49155
+ port: 49155
+ protocol: UDP
+ - targetPort: turn-49156
+ name: turn-49156
+ port: 49156
+ protocol: UDP
+ - targetPort: turn-49157
+ name: turn-49157
+ port: 49157
+ protocol: UDP
+ - targetPort: turn-49158
+ name: turn-49158
+ port: 49158
+ protocol: UDP
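Review bot: `image: coturn/coturn` in the daemonset container spec carries no tag or digest, so every node pull resolves to whatever `latest` is at that moment and an upstream breaking release or a registry/account compromise lands directly on every node; pin it, e.g. `image: coturn/coturn:<tag>@sha256:<digest>`, and let a bump bot move it. The pod `securityContext` drops all capabilities, sets `readOnlyRootFilesystem` and `allowPrivilegeEscalation: false`, but declares no seccomp profile; adding `seccompProfile:` / `type: RuntimeDefault` next to `fsGroup: 1000` is cheap and is what the Pod Security `restricted` profile requires. The relay `hostPort`s 49152–49158 give only seven UDP relay slots per node (one allocation per port), which a handful of calls or a single abusive client can exhaust, and whether that range matches `min-port`/`max-port` in the encrypted turnserver.conf cannot be verified here — confirm they agree or coturn will hand out relayed addresses that are unreachable. hostPort traffic is typically DNAT'd by the CNI portmap plugin and is not covered by NetworkPolicy on most CNIs, so the node firewall is the only control on those ports. Note also that a Secret mounted with `subPath` is not refreshed when the Secret changes, so rotating the shared secret in turnserver.conf requires a rollout restart; a comment to that effect on the `subPath: turnserver.conf` line would save the next operator a surprise.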
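Review bot: The Service in service.yaml publishes the relay ports 49152–49158 as ClusterIP ports alongside 3478, but those ports are already reachable through the per-node `hostPort`s in the DaemonSet, and the relayed addresses coturn hands to peers come from its `listening-ip`/`external-ip` configuration (not visible here) rather than from a ClusterIP, so the seven extra Service ports are unlikely to carry any relay traffic and only add in-cluster attack surface; consider trimming the Service to `turn-3478` unless something in the cluster depends on them. Every port is `protocol: UDP` — there is no TCP 3478 and no TLS 5349 — so clients behind UDP-blocking NATs or corporate firewalls, a common reason to deploy TURN for Matrix calls at all, cannot use this server; if turnserver.conf enables TCP/TLS listeners, add matching `protocol: TCP` entries here and corresponding container ports. The Service has no explicit `selector` and relies on the kustomization's `includeSelectors: true` label injection, which works but deserves a one-line comment such as `# selector is injected by kustomization.yaml labels (includeSelectors: true)` so a later refactor does not silently leave it with no endpoints.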