diff --git a/egress-sample.yaml b/egress-sample.yaml
index 72df4f8..39d85da 100644
--- a/egress-sample.yaml
+++ b/egress-sample.yaml
@@ -4,9 +4,6 @@ replicaCount: 1
 terminationGracePeriodSeconds: 3600
 egress:
- api_key: "server-api-key"
- api_secret: "server-api-secret"
- ws_url: "ws://livekit-host:"
 log_level: info
 health_port: 8080
 prometheus_port: 9090
@@ -16,26 +13,32 @@ egress:
 address:
 # db: 0
 # username:
- # password:
 # use_tls: false
+ # Non-sensitive S3 config (bucket, region) can stay here
 s3:
- access_key: "access_key"
- secret: "secret"
 region: "us-west-2"
 # endpoint:
 bucket: "my-egress"
- # azure:
- # account_name:
- # account_key:
- # container_name:
- # gcp:
- # credentials_json:
- # bucket:
 # cpu_cost:
 # room_composite_cpu_cost: 3
 # track_composite_cpu_cost: 2
 # track_cpu_cost: 1
+ # Sensitive values — stored in a Kubernetes Secret, not in ConfigMap
+ secrets:
+ api_key: "server-api-key"
+ api_secret: "server-api-secret"
+ ws_url: "ws://livekit-host:"
+ redis:
+ password: ""
+ s3:
+ access_key: "access_key"
+ secret: "secret"
+ # azure:
+ # account_key: ""
+ # gcp:
+ # credentials_json: ""
+
 # autoscaling requires resources to be defined
 autoscaling:
 # set to true to enable autoscaling. when set, ignores replicaCount
@@ -90,3 +93,7 @@ securityContext: {}
 tolerations: []
 affinity: {}
+
+# Use a pre-existing secret for the full egress config (e.g. from External Secrets Operator or Vault)
+# existingSecret: "my-egress-secret"
+
diff --git a/egress/templates/configmap.yaml b/egress/templates/configmap.yaml
index 409929d..f4e8852 100644
--- a/egress/templates/configmap.yaml
+++ b/egress/templates/configmap.yaml
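Review bot: The non-sensitive `azure.account_name`, `azure.container_name` and `gcp.bucket` sample keys are deleted in the second hunk but not re-added anywhere — only `account_key` and `credentials_json` reappear under `secrets` — so the sample no longer shows where those settings belong. Keep the commented `# azure:` / `#   account_name:` / `#   container_name:` and `# gcp:` / `#   bucket:` stanzas in the non-secret part of `egress`, next to the retained `s3` block, so the sample mirrors the split that the added `# Non-sensitive S3 config (bucket, region) can stay here` comment describes. A reader copying this sample today has no hint that the azure and gcp storage targets still need those values.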
@@ -1,7 +1,13 @@
+{{- if not .Values.existingSecret }}
+{{- $config := deepCopy .Values.egress }}
+{{- $_ := unset $config "secrets" }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
 name: {{ include "egress.fullname" . }}
+ labels:
+ {{- include "egress.labels" . | nindent 4 }}
 data:
 config.yaml: |
-{{ toYaml .Values.egress | indent 4 }}
+{{ toYaml $config | indent 4 }}
+{{- end }}
diff --git a/egress/templates/deployment.yaml b/egress/templates/deployment.yaml
index 4a8808a..4385999 100644
--- a/egress/templates/deployment.yaml
+++ b/egress/templates/deployment.yaml
@@ -17,7 +17,10 @@ spec:
 annotations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.existingSecret }}
+ checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
 checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ {{- end }}
 labels:
 {{- include "egress.selectorLabels" . | nindent 8 }}
 spec:
@@ -34,8 +37,8 @@ spec:
 env:
 - name: EGRESS_CONFIG_BODY
 valueFrom:
- configMapKeyRef:
- name: {{ include "egress.fullname" . }}
+ secretKeyRef:
+ name: {{ .Values.existingSecret | default (include "egress.fullname" .) }}
 key: config.yaml
 ports:
 {{- if .Values.egress.health_port }}
diff --git a/egress/templates/secret.yaml b/egress/templates/secret.yaml
new file mode 100644
index 0000000..0513ae3
--- /dev/null
+++ b/egress/templates/secret.yaml
@@ -0,0 +1,15 @@
+{{- if not .Values.existingSecret }}
+{{- $config := deepCopy .Values.egress }}
+{{- $secrets := $config.secrets | default dict }}
+{{- $_ := unset $config "secrets" }}
+{{- $merged := mustMergeOverwrite $config $secrets }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "egress.fullname" . }}
+ labels:
+ {{- include "egress.labels" . | nindent 4 }}
+type: Opaque
+data:
+ config.yaml: {{ toYaml $merged | b64enc }}
+{{- end }}
diff --git a/egress/values.yaml b/egress/values.yaml
index 1343c35..c0f5089 100644
--- a/egress/values.yaml
+++ b/egress/values.yaml
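Review bot: The ConfigMap this hunk still renders has no workload consumer after this commit — the deployment hunk further down switches `EGRESS_CONFIG_BODY` to a `secretKeyRef`, and the only remaining reference is the `checksum/config` annotation — yet it keeps receiving everything in `.Values.egress` except the `secrets` map. A values file that still carries credentials in the old top-level layout (`egress.api_key`, `egress.api_secret`, `egress.s3.access_key`, exactly as `egress-sample.yaml` did before this change) therefore lands in plain text in a ConfigMap nothing reads, and the `never in the ConfigMap` comment added to `values.yaml` is untrue for such users. Either remove the ConfigMap template together with the `checksum/config` annotation that hashes it, or, if it is kept for compatibility, strip the known sensitive keys from `$config` as well, e.g. `{{- $_ := unset $config "api_key" }}` / `{{- $_ := unset $config "api_secret" }}`. `ingress/templates/configmap.yaml` has the same issue.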
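Review bot: When `existingSecret` is set, the `{{- if not .Values.existingSecret }}` guard in the deployment's annotations hunk drops both checksum annotations, so a rotation of the externally managed Secret never triggers a rollout — an env var populated via `secretKeyRef` is only read at container start — and the diff does not state this anywhere. Suggest a comment on that line such as `# no checksum with an external secret: rotating it requires a rollout triggered outside this chart`, plus the same sentence in the `existingSecret` description in `values.yaml`. Note also that `checksum/secret` is a SHA-256 of the rendered Secret manifest (the base64 of the plaintext config), readable by anyone who can read the pod spec; that is the common Helm pattern, but it is one more place a digest derived from the credentials lives. The ingress deployment hunk mirrors this.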
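Review bot: The `key: config.yaml` line now also governs a user-supplied `existingSecret`, so the external Secret must expose the complete rendered egress config — not just the credentials — under exactly that key, and nothing in the diff documents that contract; the `values.yaml` comment only says the deployment "reads from this secret directly". Add it to the `existingSecret` description in `values.yaml`, e.g. `# The secret must hold the full egress config YAML under the key "config.yaml".`, or expose the key name as a chart value defaulting to `config.yaml` so the reference is not hard-coded. The same applies to the ingress deployment and `ingress/values.yaml` hunks.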
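Review bot: The merge precedence on the `mustMergeOverwrite $config $secrets` line in the new secret.yaml deserves a comment: sprig's merge-overwrite writes into its first argument, so it is the `deepCopy` three lines above that keeps `.Values.egress` untouched, and any key present in both places (`s3.region` next to `secrets.s3.*`, `redis.address` next to `secrets.redis.password`) resolves with `secrets` winning. Suggest a short header comment above the first `{{-` line stating that this Secret carries the full config — the non-secret keys with `secrets` merged on top — while the ConfigMap variant omits only the `secrets` map. I cannot confirm from the page how an empty-string value under `secrets` (the samples use `password: ""`) is treated by the merge — mergo-style merges often skip empty source values — so a value meant to blank out a non-secret key may be silently ignored; worth a render test before relying on it. `ingress/templates/secret.yaml` is identical.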
@@ -12,6 +12,21 @@ egress:
 log_level: info
 health_port: 8080
 prometheus_port: 9090
+ # Sensitive values go under 'secrets' — these are stored in a Kubernetes Secret,
+ # never in the ConfigMap. The Secret merges these into the full config at deploy time.
+ secrets: {}
+ # api_key: ""
+ # api_secret: ""
+ # ws_url: ""
+ # redis:
+ # password: ""
+ # s3:
+ # access_key: ""
+ # secret: ""
+ # gcp:
+ # credentials_json: ""
+ # azure:
+ # account_key: ""
 terminationGracePeriodSeconds: 3600
@@ -40,4 +55,9 @@ securityContext: {}
 tolerations: []
+# Use a pre-existing secret for the full egress config (e.g. from External Secrets Operator or Vault).
+# When set, neither the chart's Secret nor ConfigMap will contain config — the deployment reads
+# from this secret directly.
+existingSecret: ""
+
 affinity: {}
diff --git a/examples/egress.yaml b/examples/egress.yaml
index 5845ba6..c44a6d5 100644
--- a/examples/egress.yaml
+++ b/examples/egress.yaml
@@ -1,16 +1,20 @@
 replicaCount: 2
 egress:
- ws_url:
- api_key:
- api_secret:
 log_level: info
 health_port: 8080
 prometheus_port: 9090
 redis:
 address:
 s3:
- access_key:
- secret:
 region: "us-west-2"
 bucket: "my-egress"
+
+ # Sensitive values — stored in a Kubernetes Secret, never in ConfigMap
+ secrets:
+ api_key:
+ api_secret:
+ ws_url:
+ s3:
+ access_key:
+ secret:
diff --git a/ingress-sample.yaml b/ingress-sample.yaml
index 28af89d..36cb807 100644
--- a/ingress-sample.yaml
+++ b/ingress-sample.yaml
@@ -4,9 +4,6 @@ replicaCount: 1
 terminationGracePeriodSeconds: 10800
 ingress:
- api_key: "server-api-key"
- api_secret: "server-api-secret"
- ws_url: "ws://livekit-host:"
 logging:
 level: info
 health_port: 7888
@@ -22,7 +19,6 @@ ingress:
 address:
 # db: 0
 # username:
- # password:
 # use_tls: false
 cpu_cost:
@@ -33,6 +29,14 @@ ingress:
 # See kubernetes serviceTypes on official documentation: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
 serviceType: "LoadBalancer"
+ # Sensitive values — stored in a Kubernetes Secret, not in ConfigMap
+ secrets:
+ api_key: "server-api-key"
+ api_secret: "server-api-secret"
+ ws_url: "ws://livekit-host:"
+ redis:
+ password: ""
+
 # autoscaling requires resources to be defined
 autoscaling:
 # set to true to enable autoscaling. when set, ignores replicaCount
@@ -88,3 +92,7 @@ securityContext:
 tolerations: []
 affinity: {}
+
+# Use a pre-existing secret for the full ingress config (e.g. from External Secrets Operator or Vault)
+# existingSecret: "my-ingress-secret"
+
diff --git a/ingress/templates/configmap.yaml b/ingress/templates/configmap.yaml
index 0ab2a6f..e0c5de7 100644
--- a/ingress/templates/configmap.yaml
+++ b/ingress/templates/configmap.yaml
@@ -1,7 +1,13 @@
+{{- if not .Values.existingSecret }}
+{{- $config := deepCopy .Values.ingress }}
+{{- $_ := unset $config "secrets" }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
 name: {{ include "ingress.fullname" . }}
+ labels:
+ {{- include "ingress.labels" . | nindent 4 }}
 data:
 config.yaml: |
-{{ toYaml .Values.ingress | indent 4 }}
+{{ toYaml $config | indent 4 }}
+{{- end }}
diff --git a/ingress/templates/deployment.yaml b/ingress/templates/deployment.yaml
index c2d2307..563b050 100644
--- a/ingress/templates/deployment.yaml
+++ b/ingress/templates/deployment.yaml
@@ -17,7 +17,10 @@ spec:
 annotations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not .Values.existingSecret }}
+ checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
 checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ {{- end }}
 labels:
 {{- include "ingress.selectorLabels" . | nindent 8 }}
 spec:
@@ -38,8 +41,8 @@ spec:
 env:
 - name: INGRESS_CONFIG_BODY
 valueFrom:
- configMapKeyRef:
- name: {{ include "ingress.fullname" . }}
+ secretKeyRef:
+ name: {{ .Values.existingSecret | default (include "ingress.fullname" .) }}
 key: config.yaml
 ports:
 {{- if .Values.ingress.health_port }}
diff --git a/ingress/templates/secret.yaml b/ingress/templates/secret.yaml
new file mode 100644
index 0000000..a0904c6
--- /dev/null
+++ b/ingress/templates/secret.yaml
@@ -0,0 +1,15 @@
+{{- if not .Values.existingSecret }}
+{{- $config := deepCopy .Values.ingress }}
+{{- $secrets := $config.secrets | default dict }}
+{{- $_ := unset $config "secrets" }}
+{{- $merged := mustMergeOverwrite $config $secrets }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "ingress.fullname" . }}
+ labels:
+ {{- include "ingress.labels" . | nindent 4 }}
+type: Opaque
+data:
+ config.yaml: {{ toYaml $merged | b64enc }}
+{{- end }}
diff --git a/ingress/values.yaml b/ingress/values.yaml
index 00d8b06..4208ebd 100644
--- a/ingress/values.yaml
+++ b/ingress/values.yaml
@@ -26,6 +26,15 @@ ingress:
 whip_cpu_cost: 2
 whip_bypass_transcoding_cpu_cost: 0.1
+ # Sensitive values go under 'secrets' — these are stored in a Kubernetes Secret,
+ # never in the ConfigMap. The Secret merges these into the full config at deploy time.
+ secrets: {}
+ # api_key: ""
+ # api_secret: ""
+ # ws_url: ""
+ # redis:
+ # password: ""
+
 loadBalancer:
 servicePort: 7888
 annotations: {}
@@ -60,3 +69,8 @@ securityContext: {}
 tolerations: []
 affinity: {}
+
+# Use a pre-existing secret for the full ingress config (e.g. from External Secrets Operator or Vault).
+# When set, neither the chart's Secret nor ConfigMap will contain config — the deployment reads
+# from this secret directly.
+existingSecret: ""
diff --git a/livekit-server/values.yaml b/livekit-server/values.yaml
index bcf6d51..e427b61 100644
--- a/livekit-server/values.yaml
+++ b/livekit-server/values.yaml
@@ -49,7 +49,7 @@ livekit:
 # Set this option to true if you want to store your API keys in a secret instead of the config file
 storeKeysInSecret:
- enabled: false
+ enabled: true
 # Use a pre existing secret, useful to combine with external secret managers
 # as GCP External Secrets or Hashicorp Vault
 existingSecret: ""
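Review bot: Flipping `enabled` to `true` changes the default for every existing release on its next upgrade — API keys move out of the config file into a Secret — and the comment directly above still reads as if `true` were the opt-in, so it is now stale. Suggest rewording it to `# API keys are stored in a Secret by default; set to false to keep them in the config file` and calling the default change out in the chart's release notes. Whether an upgrade from the old default carries the keys over cleanly I cannot tell from this hunk — the livekit-server secret template is not part of the diff — so an upgrade test from a release with `enabled: false` is worth running.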