Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / 36964dca3b75e054d24b91dbaec76b0611147e3c / . / app / matrix / lib / coturn.libsonnet
blob: f1b127b7faaedbfe74cada2f5612045c2c2e0ed2 [file] [log] [blame]
Piotr Dobrowolski690ed452022-05-07 11:27:24 +0200[diff] [blame]1local kube = import "../../../kube/kube.libsonnet";
2
3{
4 local app = self,
5 local cfg = app.cfg,
6 cfg:: {
7 image: error "cfg.image must be set",
8 realm: error "cfg.realm must be set",
9 authSecret: error "cfg.authSecret must be set",
10 storageClassName: error "cfg.storageClassName must be set",
11
12 portStart: 49152,
13 portEnd: 49172,
14 loadBalancerIP: null,
15 },
16
17 ns:: error "ns needs to be provided",
18
19 configMap: app.ns.Contain(kube.ConfigMap("coturn")) {
20 data: {
21 "coturn.conf": |||
22 # VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
23 no-tcp-relay
24
25 no-tls
26 no-dtls
27
28 # don't let the relay ever try to connect to private IP address ranges within your network (if any)
29 # given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
30 denied-peer-ip=10.0.0.0-10.255.255.255
31 denied-peer-ip=192.168.0.0-192.168.255.255
32 denied-peer-ip=172.16.0.0-172.31.255.255
33
34 # recommended additional local peers to block, to mitigate external access to internal services.
35 # https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
36 no-multicast-peers
37 denied-peer-ip=0.0.0.0-0.255.255.255
38 denied-peer-ip=100.64.0.0-100.127.255.255
39 denied-peer-ip=127.0.0.0-127.255.255.255
40 denied-peer-ip=169.254.0.0-169.254.255.255
41 denied-peer-ip=192.0.0.0-192.0.0.255
42 denied-peer-ip=192.0.2.0-192.0.2.255
43 denied-peer-ip=192.88.99.0-192.88.99.255
44 denied-peer-ip=198.18.0.0-198.19.255.255
45 denied-peer-ip=198.51.100.0-198.51.100.255
46 denied-peer-ip=203.0.113.0-203.0.113.255
47 denied-peer-ip=240.0.0.0-255.255.255.255
48
49 # special case the turn server itself so that client->TURN->TURN->client flows work
50 # this should be one of the turn server's listening IPs
51 # FIXME allowed-peer-ip=10.0.0.1
52
53 # consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
54 user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
55 total-quota=1200
56
57 use-auth-secret
58 |||,
59 },
60 },
61
62 dataVolume: app.ns.Contain(kube.PersistentVolumeClaim("coturn-data")) {
radex36964dc2023-11-24 11:19:46 +0100[diff] [blame^]63 storage:: "10Gi",
64 storageClass:: cfg.storageClassName,
Piotr Dobrowolski690ed452022-05-07 11:27:24 +0200[diff] [blame]65 },
66
67 deployment: app.ns.Contain(kube.Deployment("coturn")) {
68 spec+: {
69 replicas: 1,
70 template+: {
71 spec+: {
72 volumes_: {
73 config: kube.ConfigMapVolume(app.configMap),
74 data: kube.PersistentVolumeClaimVolume(app.dataVolume),
75 },
76 containers_: {
77 coturn: kube.Container("coturn") {
78 image: cfg.image,
79 ports_: {
80 turn: { containerPort: 3478 },
81 } + {
82 ["fwd-%d" % [n]]: { containerPort: n }
83 for n in std.range(cfg.portStart, cfg.portEnd)
84 },
85
86 command: [
87 # This disgusting hack comes from the fact that
88 # official coturn containers have turnserver
89 # binary set up with CAP_NET_BIND_SERVICE=+ep,
90 # while there's really no use that in our case.
91 #
92 # Due to our PSP we can't exec said binary, nor
93 # can we chmod/chown/setcap on it, as we are
94 # running as an unprivileged user.
95 #
96 # Copying it over is the easiest method of
97 # stripping said spurious cap.
98 "/bin/sh", "-c",
99 "cp /usr/bin/turnserver /tmp/turnserver && \\
100 exec /tmp/turnserver \\
101 -c /config/coturn.conf \\
102 --log-binding \\
103 --realm=$(COTURN_REALM) \\
104 --static-auth-secret=$(COTRN_STATIC_AUTH_SECRET) \\
105 --min-port $(COTURN_MIN_PORT) \\
106 --max-port $(COTURN_MAX_PORT) \\
107 " + if cfg.loadBalancerIP != null then "-X $(COTURN_EXTERNAL_IP)" else "",
108 ],
109 volumeMounts_: {
110 config: { mountPath: "/config" },
111 data: { mountPath: "/var/lib/coturn" },
112 },
113 env_: {
114 COTURN_REALM: cfg.realm,
115 COTURN_STATIC_AUTH_SECRET: cfg.authSecret,
116 COTURN_EXTERNAL_IP: cfg.loadBalancerIP,
117 COTURN_MIN_PORT: cfg.portStart,
118 COTURN_MAX_PORT: cfg.portEnd,
119 },
120 },
121 },
122 securityContext: {
123 runAsUser: 1000,
124 runAsGroup: 1000,
125 fsGroup: 2000,
126 },
127 },
128 },
129 },
130 },
131
132 svcTCP: app.ns.Contain(kube.Service("coturn-tcp")) {
radex8b8f3872023-11-24 11:09:46 +0100[diff] [blame]133 target:: app.deployment,
Piotr Dobrowolski690ed452022-05-07 11:27:24 +0200[diff] [blame]134 metadata+: {
135 annotations+: {
136 "metallb.universe.tf/allow-shared-ip": "coturn",
137 },
138 },
139 spec+: {
140 type: "LoadBalancer",
141 loadBalancerIP: cfg.loadBalancerIP,
142 externalTrafficPolicy: "Local",
143 ports: [
144 { name: "turn", port: 3478, protocol: "TCP" },
145 ] + [
146 { name: "fwd-%d" % [n], port: n, protocol: "TCP" }
147 for n in std.range(cfg.portStart, cfg.portEnd)
148 ],
149 },
150 },
151
152 svcUDP: app.ns.Contain(kube.Service("coturn-udp")) {
radex8b8f3872023-11-24 11:09:46 +0100[diff] [blame]153 target:: app.deployment,
Piotr Dobrowolski690ed452022-05-07 11:27:24 +0200[diff] [blame]154 metadata+: {
155 annotations+: {
156 "metallb.universe.tf/allow-shared-ip": "coturn",
157 },
158 },
159 spec+: {
160 type: "LoadBalancer",
161 loadBalancerIP: cfg.loadBalancerIP,
162 externalTrafficPolicy: "Local",
163 ports: [
164 { name: "turn", port: 3478, protocol: "UDP" },
165 ] + [
166 { name: "fwd-%d" % [n], port: n, protocol: "UDP" }
167 for n in std.range(cfg.portStart, cfg.portEnd)
168 ],
169 },
170 },
171}