add support for custom port

4 years ago · 3cc947cc05
parent 6be264d31e
commit 3cc947cc05
7 changed files with 167 additions and 45 deletions
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@ -6,14 +6,27 @@ jobs:
  e2e-test:
    runs-on: ubuntu-latest
    steps:
+      - name: Print the GitHub context
+        env:
+          GITHUB_CONTEXT: ${{ toJson(github) }}
+        run: echo "$GITHUB_CONTEXT"
+
      - name: Checkout
        uses: actions/checkout@v3
-      
-      - name: Run It
+
+      - name: Remove built-in kubectl
        run: |
          sudo rm $(which kubectl)
-          sudo RUN_IN_CI=1 TLS_CERT=test/localhost.crt TLS_KEY=test/localhost.key ./deploy_jitsi.sh localhost test@localhost.local
      
+      - name: Install
+        run: |
+          sudo \
+            DEPLOY_GIT_REPO=${{github.event.pull_request.head.repo.clone_url}} \
+            DEPLOY_GIT_VERSION=${{github.head_ref}} \
+            TLS_CERT=test/localhost.crt \
+            TLS_KEY=test/localhost.key \
+            ./deploy_jitsi.sh localhost
+
      - name: Wait for pods
        run: |
          sudo kubectl -n prod wait pods -l app.kubernetes.io/name=prosody --for condition=Ready --timeout=90s
@ -22,9 +35,71 @@ jobs:
          sudo kubectl -n prod wait pods -l app.kubernetes.io/component=etherpad --for condition=Ready --timeout=180s
          sudo kubectl -n prod wait pods -l app.kubernetes.io/component=jvb --for condition=Ready --timeout=300s

-      - name: Check homepage
+      - name: Check
        run: |
          curl -vIL --cacert test/rootca.crt https://localhost
+          curl \
+            --include \
+            --no-buffer \
+            --header "Connection: Upgrade" \
+            --header "Upgrade: websocket" \
+            --header "Host: localhost:443" \
+            --header "Origin: https://localhost:443" \
+            --cacert test/rootca.crt \
+            https://localhost/xmpp-websocket?room=test |
+          grep 'It works! Now point your WebSocket client to this URL to connect to Prosody.'
+
+      - name: Tear down
+        run: sudo /usr/local/bin/k3s-uninstall.sh
+
+  e2e-test-custom-port:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Print the GitHub context
+        env:
+          GITHUB_CONTEXT: ${{ toJson(github) }}
+        run: echo "$GITHUB_CONTEXT"
+
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Remove built-in kubectl
+        run: |
+          sudo rm $(which kubectl)
+      
+      - name: Install with custom port
+        run: |
+          sudo \
+            DEPLOY_GIT_REPO=${{github.event.pull_request.head.repo.clone_url}} \
+            DEPLOY_GIT_VERSION=${{github.head_ref}} \
+            PORT=7443 \
+            TLS_CERT=test/localhost.crt \
+            TLS_KEY=test/localhost.key \
+            ./deploy_jitsi.sh localhost
+      
+      - name: Wait for pods
+        run: |
+          sudo kubectl -n prod wait pods -l app.kubernetes.io/name=prosody --for condition=Ready --timeout=90s
+          sudo kubectl -n prod wait pods -l app.kubernetes.io/component=web --for condition=Ready --timeout=90s
+          sudo kubectl -n prod wait pods -l app.kubernetes.io/component=jicofo --for condition=Ready --timeout=180s
+          sudo kubectl -n prod wait pods -l app.kubernetes.io/component=etherpad --for condition=Ready --timeout=180s
+          sudo kubectl -n prod wait pods -l app.kubernetes.io/component=jvb --for condition=Ready --timeout=300s
+
+      - name: Check
+        run: |
+          curl -vIL --cacert test/rootca.crt https://localhost:7443
+          curl \
+            --include \
+            --no-buffer \
+            --header "Connection: Upgrade" \
+            --header "Upgrade: websocket" \
+            --header "Host: localhost:7443" \
+            --header "Origin: https://localhost:7443" \
+            --cacert test/rootca.crt \
+            https://localhost:7443/xmpp-websocket?room=test |
+          grep 'It works! Now point your WebSocket client to this URL to connect to Prosody.'
+          curl http://localhost 2>&1 | grep "Connection refused"
+          curl https://localhost 2>&1 | grep "Connection refused"

      - name: Tear down
        run: sudo /usr/local/bin/k3s-uninstall.sh
@ -42,7 +117,7 @@ jobs:
        with:
          version: v3.9.0

-      - uses: actions/setup-python@v3
+      - uses: actions/setup-python@v4
        with:
          python-version: '3.x'

@ -65,7 +140,7 @@ jobs:
      - name: Create k3s cluster
        uses: debianmaster/actions-k3s@master
        with:
-          version: 'v1.24.1+k3s1'
+          version: 'v1.24.1-k3s1'
        if: steps.list-changed.outputs.changed == 'true'

      - name: Wait for traefik
--- a/argocd/ingressroute-server.yaml.sh
+++ b/argocd/ingressroute-server.yaml.sh
@ -1,9 +1,13 @@
 if [ -n "${FQDN}" ]; then
  HOST_RULE="Host(\`${FQDN}\`)"
-  TLS_CERT_RESOLVER="certResolver: ${CERT_RESOLVER}"
 else
  HOST_RULE="Host(\`${PUBLIC_IP}\`)"
-  TLS_MAP="{}"
+fi
+
+if [ ${PUBLIC_PORT} -eq 443 ]; then
+  ENTRYPOINT=websecure
+else
+  ENTRYPOINT=jitsi-meet
 fi

 cat <<EOF
@ -14,7 +18,7 @@ metadata:
  namespace: argocd
 spec:
  entryPoints:
-    - websecure
+    - ${ENTRYPOINT}
  routes:
    - kind: Rule
      match: ${HOST_RULE} && PathPrefix(\`/argocd\`)
@ -27,6 +31,14 @@ spec:
        - name: argocd-server
          port: 80
          scheme: h2c
-  tls: ${TLS_MAP}
-    ${TLS_CERT_RESOLVER}
 EOF
+if [ -n "${CERT_RESOLVER}" ]; then
+  cat <<EOF
+  tls:
+    certResolver: ${CERT_RESOLVER}
+EOF
+else
+  cat <<EOF
+  tls: {}
+EOF
+fi
--- a/deploy_jitsi.sh
+++ b/deploy_jitsi.sh
@ -6,8 +6,8 @@ function err {
 }

 # check usage
-if [ $# -ne 2 ]; then
-  err "usage: $0 <fully-qualified-host-name> <acme_email_address>"
+if [ $# -ne 1 ] && [ $# -ne 2 ]; then
+  err "usage: $0 <fully-qualified-host-name> [<acme_email_address>]"
 fi

 # check sudo
@ -22,6 +22,20 @@ apt update && apt -y install grep bind9-dnsutils iproute2 curl wget git
 export FQDN=$1
 export ACME_EMAIL=$2

+if [ -n "${TLS_CERT}" ] && [ -n "${TLS_KEY}" ]; then
+  CERT_RESOLVER=""
+else
+  if [ -z "${ACME_EMAIL}" ]; then
+    err "<acme_email_address> is required if no TLS cert is provided in TLS_CERT and TLS_KEY envvars"
+  fi
+  if [ -n "${STAGING_CERT}" ]; then
+    CERT_RESOLVER="le-staging"
+  else
+    CERT_RESOLVER="le-prod"
+  fi
+fi
+export CERT_RESOLVER
+
 if [[ "${FQDN}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  export PUBLIC_IP=${FQDN}
  export FQDN=""
@ -42,6 +56,14 @@ if [ ${FQDN} != "localhost" ] && ! (curl -s https://ipinfo.io/ip | grep -q ${PUB
  err "the host doesn't have such public ip: ${PUBLIC_IP}, but these: \n$(curl -s https://ipinfo.io/ip)"
 fi

+if [ -z "${PORT}" ]; then
+  export PUBLIC_PORT=443
+  export PUBLIC_URL="https://${FQDN:-${PUBLIC_IP}}"
+else
+  export PUBLIC_PORT=${PORT}
+  export PUBLIC_URL="https://${FQDN:-${PUBLIC_IP}}:${PUBLIC_PORT}"
+fi
+
 if [ -n "${TEST_INSTALL}" ]; then
  export HELM_NAME=jitsitest
  export NAMESPACE=test
@ -61,11 +83,7 @@ DEPLOY_GIT_REPO=${DEPLOY_GIT_REPO:-"https://github.com/shanghailug/jitsi-deploy.

 # workspace
 WS_DIR=${HOME}/deploy/$(date +"%Y%m%d_%H%M%S")
-if [ -n "${RUN_IN_CI}" ]; then
-  SRC_DIR=${PWD}
-else
-  SRC_DIR=${WS_DIR}/jitsi-deploy
-fi
+SRC_DIR=${WS_DIR}/jitsi-deploy
 mkdir -p ${WS_DIR}

 function get_helm {
@ -78,13 +96,11 @@ function get_helm {
 }

 function get_src {
-  if [ -z "${RUN_IN_CI}" ]; then
-    cd ${WS_DIR}/
-    git clone ${DEPLOY_GIT_REPO}
-    cd $SRC_DIR/
-    if [ -n "${DEPLOY_GIT_VERSION}" ]; then
-      git checkout ${DEPLOY_GIT_VERSION}
-    fi
+  cd ${WS_DIR}/
+  git clone ${DEPLOY_GIT_REPO}
+  cd $SRC_DIR/
+  if [ -n "${DEPLOY_GIT_VERSION}" ]; then
+    git checkout ${DEPLOY_GIT_VERSION}
  fi
 }

@ -169,18 +185,13 @@ function do_chart {
    EXCLUDE_JVB_VALUES_FILE="-f values-jvb-off.yaml"
  fi

-  if [ -n "${STAGING_CERT}" ]; then
-    CERT_RESOLVER="le-staging"
-  else
-    CERT_RESOLVER="le-prod"
-  fi
-
  helm -n ${NAMESPACE} upgrade -i --create-namespace ${HELM_NAME} . \
    -f values.yaml \
    $EXCLUDE_JVB_VALUES_FILE \
    --set certResolver=${CERT_RESOLVER} \
    --set fqdn="${FQDN}" \
-    --set jitsi-meet.publicURL=https://${FQDN:-${PUBLIC_IP}} \
+    --set port=${PUBLIC_PORT} \
+    --set jitsi-meet.publicURL="${PUBLIC_URL}" \
    --set jitsi-meet.jvb.publicIP=${PUBLIC_IP} \
    --set jitsi-meet.jvb.UDPPort=${JVB_PORT}
 }
@ -196,12 +207,6 @@ function do_app {
    EXCLUDE_JVB_VALUES_FILE="--values values-jvb-off.yaml"
  fi

-  if [ -n "${STAGING_CERT}" ]; then
-    CERT_RESOLVER="le-staging"
-  else
-    CERT_RESOLVER="le-prod"
-  fi
-
  argocd login --core
  ORIG_NAMESPACE=$(kubectl config view --minify -o jsonpath='{..namespace}')
  kubectl config set-context --current --namespace=argocd
@ -218,7 +223,8 @@ function do_app {
    ${EXCLUDE_JVB_VALUES_FILE} \
    --helm-set certResolver=${CERT_RESOLVER} \
    --helm-set fqdn="${FQDN}" \
-    --helm-set jitsi-meet.publicURL=https://${FQDN:-${PUBLIC_IP}} \
+    --helm-set port=${PUBLIC_PORT} \
+    --helm-set jitsi-meet.publicURL="${PUBLIC_URL}" \
    --helm-set jitsi-meet.jvb.publicIP=${PUBLIC_IP} \
    --helm-set jitsi-meet.jvb.UDPPort=${JVB_PORT}

--- a/jitsi/Chart.yaml
+++ b/jitsi/Chart.yaml
@ -1,7 +1,7 @@
 ---
 apiVersion: v2
 name: jitsi-deploy
-version: 0.1.5
+version: 0.1.6
 dependencies:
  - name: jitsi-meet
    version: "1.2.2+etherpad.1"
--- a/jitsi/templates/ingressroute-web.yaml
+++ b/jitsi/templates/ingressroute-web.yaml
@ -6,20 +6,25 @@ metadata:
  name: jitsi-websecure
 spec:
  entryPoints:
+    {{- if eq (int .Values.port) 443 }}
    - websecure
+    {{- else }}
+    - jitsi-meet
+    {{- end }}
  routes:
    - kind: Rule
      match: Host(`{{ $hostname }}`) && PathPrefix(`/`)
      services:
        - name: {{ .Release.Name }}-jitsi-meet-web
          port: 80
-  {{- if .Values.fqdn }}
+  {{- if .Values.certResolver }}
  tls:
    certResolver: {{ .Values.certResolver }}
  {{- else }}
  tls: {}
  {{- end }}

+{{- if eq (int .Values.port) 443 }}
 ---
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
@ -36,3 +41,4 @@ spec:
      services:
        - name: {{ .Release.Name }}-jitsi-meet-web
          port: 80
+{{- end }}
--- a/jitsi/values.yaml
+++ b/jitsi/values.yaml
@ -3,6 +3,8 @@ certResolver: le-staging

 fqdn: ""

+port: 443
+
 etherpad:
  scheduled: false
  schedules:
--- a/traefik-config.yaml.sh
+++ b/traefik-config.yaml.sh
@ -8,6 +8,9 @@ spec:
  valuesContent: |-
    additionalArguments:
      - "--log.level=DEBUG"
+EOF
+if [ -n "${CERT_RESOLVER}" ]; then
+  cat <<EOF
      - "--certificatesresolvers.le-prod.acme.email=${ACME_EMAIL}"
      - "--certificatesresolvers.le-prod.acme.storage=/data/acme-prod.json"
      - "--certificatesresolvers.le-prod.acme.tlschallenge=true"
@ -16,13 +19,30 @@ spec:
      - "--certificatesresolvers.le-staging.acme.storage=/data/acme-staging.json"
      - "--certificatesresolvers.le-staging.acme.tlschallenge=true"
      - "--certificatesresolvers.le-staging.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
+EOF
+fi
+cat <<EOF
    # dashboard:
    #   enabled: true
    ports:
-      # traefik:
-      #   expose: true
-      # web:
-      #   redirectTo: websecure
+      traefik:
+        expose: false
+EOF
+if [ ${PUBLIC_PORT} -ne 443 ]; then
+  cat <<EOF
+      web:
+        expose: false
+      websecure:
+        expose: false
+      jitsi-meet:
+        port: ${PUBLIC_PORT}
+        expose: true
+        exposedPort: ${PUBLIC_PORT}
+        protocol: TCP
+EOF
+fi
+if [ -n "${EXCLUDE_JVB}" ]; then
+  cat <<EOF
      xmpp-prod:
        port: 5222
        expose: true
@ -34,3 +54,4 @@ spec:
        exposedPort: 5223
        protocol: TCP
 EOF
+fi