diff --git a/charts/lfx-v2-meeting-service/Chart.yaml b/charts/lfx-v2-meeting-service/Chart.yaml
index 73fd1a6..28edef2 100644
--- a/charts/lfx-v2-meeting-service/Chart.yaml
+++ b/charts/lfx-v2-meeting-service/Chart.yaml
@@ -2,8 +2,14 @@
 # SPDX-License-Identifier: MIT
 ---
 apiVersion: v2
-name: lfx-v2-meeting-service
-description: LFX Platform V2 Meeting Service chart
+name: lfx-one-meeting-service
+description: LFX one Meeting Service chart
 type: application
-version: 0.4.16
+version: 2.0.0
 appVersion: "latest"
+
+dependencies:
+ - name: lfx-service
+ version: 1.0.0
+ repository: file://../../../lfx-v2-helm/charts/lfx-service
+ # repository: oci://ghcr.io/linuxfoundation/lfx-service/chart
\ No newline at end of file
diff --git a/charts/lfx-v2-meeting-service/templates/deployment.yaml b/charts/lfx-v2-meeting-service/templates/deployment.yaml
deleted file mode 100644
index 00d6f5a..0000000
--- a/charts/lfx-v2-meeting-service/templates/deployment.yaml
+++ /dev/null
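Review bot: The new `dependencies` entry sets `repository: file://../../../lfx-v2-helm/charts/lfx-service`, a relative path that climbs out of this repository, so `helm dependency build` and any CI packaging only succeed when a sibling `lfx-v2-helm` checkout happens to exist, and the rendered manifests then follow whatever revision that checkout has rather than the pinned `1.0.0`. The OCI reference left as a comment on the following line is the reproducible form; the committed value should be `repository: oci://ghcr.io/linuxfoundation/lfx-service/chart`, with a local-path override kept out of Chart.yaml for development use. Presumably this dependency now renders the Deployment, Service, HTTPRoute, RuleSet and KeyValue objects whose templates this commit deletes; because `name` also changes to `lfx-one-meeting-service`, anything previously named from `.Chart.Name` will be recreated under a new name on upgrade, and the NATS KeyValue buckets whose template is removed will be deleted by Helm unless the live objects already carry `helm.sh/resource-policy: keep` — worth stating in the chart's upgrade notes. The file also now ends without a trailing newline.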
@@ -1,56 +0,0 @@ -# Copyright The Linux Foundation and each contributor to LFX. -# SPDX-License-Identifier: MIT ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Chart.Name }} - namespace: {{ .Release.Namespace }} -spec: - replicas: 1 - selector: - matchLabels: - app: {{ .Chart.Name }} - template: - metadata: - labels: - app: {{ .Chart.Name }} - spec: - serviceAccountName: {{ .Values.serviceAccount.name | default .Chart.Name }} - containers: - - name: app - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - securityContext: - allowPrivilegeEscalation: false - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - {{- range $name, $config := .Values.app.environment }} - - name: {{ $name }} - {{- if $config.value }} - value: {{ $config.value | quote }} - {{- else if $config.valueFrom }} - valueFrom: - {{- toYaml $config.valueFrom | nindent 14 }} - {{- end }} - {{- end }} - ports: - - containerPort: {{ .Values.service.port }} - name: web - livenessProbe: - httpGet: - path: /livez - port: web - failureThreshold: 3 - periodSeconds: 15 - readinessProbe: - httpGet: - path: /readyz - port: web - failureThreshold: 1 - periodSeconds: 10 - startupProbe: - httpGet: - path: /readyz - port: web - failureThreshold: 30 - periodSeconds: 1 diff --git a/charts/lfx-v2-meeting-service/templates/heimdall-middleware.yaml b/charts/lfx-v2-meeting-service/templates/heimdall-middleware.yaml deleted file mode 100644 index 2d7a28d..0000000 --- a/charts/lfx-v2-meeting-service/templates/heimdall-middleware.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -# Copyright The Linux Foundation and each contributor to LFX. -# SPDX-License-Identifier: MIT -{{ if .Values.heimdall.add_middleware }} ---- -# Heimdall middleware with body forwarding capability -# This is the default middleware that should be used in most cases, particularly -# when parentRef requiring authentication is in the request body. -# Note: For routes handling very large payloads (like file uploads), consider using -# the lighter-weight middleware below to reduce overhead. -apiVersion: traefik.io/v1alpha1 -kind: Middleware -metadata: - name: heimdall-forward-body - namespace: {{ .Release.Namespace }} -spec: - forwardAuth: - address: "{{ .Values.heimdall.url }}" - authResponseHeaders: - - Authorization - forwardBody: true ---- -# Alternative Heimdall middleware without body forwarding -# Use this middleware only for routes where body inspection isn't required for authentication -# and when dealing with large payloads where forwarding the entire body would be inefficient. -apiVersion: traefik.io/v1alpha1 -kind: Middleware -metadata: - name: heimdall - namespace: {{ .Release.Namespace }} -spec: - forwardAuth: - address: "{{ .Values.heimdall.url }}" - authResponseHeaders: - - Authorization -{{- end }} diff --git a/charts/lfx-v2-meeting-service/templates/httproute.yaml b/charts/lfx-v2-meeting-service/templates/httproute.yaml deleted file mode 100644 index e0d9c84..0000000 --- a/charts/lfx-v2-meeting-service/templates/httproute.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -# Copyright The Linux Foundation and each contributor to LFX. -# SPDX-License-Identifier: MIT ---- -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: lfx-v2-meeting-service - namespace: {{ .Values.lfx.namespace }} -spec: - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: {{ .Values.traefik.gateway.name }} - namespace: {{ .Values.traefik.gateway.namespace }} - hostnames: - - "lfx-api.{{ .Values.lfx.domain }}" - rules: - # Main application endpoints (with authentication) - - matches: - - path: - type: Exact - value: /meetings - - path: - type: PathPrefix - value: /meetings/ - - path: - type: Exact - value: /past_meetings - - path: - type: PathPrefix - value: /past_meetings/ - - path: - type: PathPrefix - value: /webhooks/ - - path: - type: PathPrefix - value: /_meetings/ - {{- if .Values.heimdall.enabled }} - filters: - - type: ExtensionRef - extensionRef: - group: traefik.io - kind: Middleware - name: heimdall-forward-body - {{- end }} - backendRefs: - - group: '' - kind: Service - name: lfx-v2-meeting-service - port: {{ .Values.service.port }} - weight: 1 diff --git a/charts/lfx-v2-meeting-service/templates/nats-kv-buckets.yaml b/charts/lfx-v2-meeting-service/templates/nats-kv-buckets.yaml deleted file mode 100644 index dc86002..0000000 --- a/charts/lfx-v2-meeting-service/templates/nats-kv-buckets.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ -# Copyright The Linux Foundation and each contributor to LFX. -# SPDX-License-Identifier: MIT ---- -{{- if .Values.nats.kv_bucket_meetings.creation }} -apiVersion: jetstream.nats.io/v1beta2 -kind: KeyValue -metadata: - name: {{ .Values.nats.kv_bucket_meetings.name }} - namespace: lfx - {{- if .Values.nats.kv_bucket_meetings.keep }} - annotations: - "helm.sh/resource-policy": keep - {{- end }} -spec: - bucket: {{ .Values.nats.kv_bucket_meetings.name }} - history: {{ .Values.nats.kv_bucket_meetings.history }} - storage: {{ .Values.nats.kv_bucket_meetings.storage }} - maxValueSize: {{ .Values.nats.kv_bucket_meetings.maxValueSize }} - maxBytes: {{ .Values.nats.kv_bucket_meetings.maxBytes }} - compression: {{ .Values.nats.kv_bucket_meetings.compression }} -{{- end }} ---- -{{- if .Values.nats.kv_bucket_meeting_settings.creation }} -apiVersion: jetstream.nats.io/v1beta2 -kind: KeyValue -metadata: - name: {{ .Values.nats.kv_bucket_meeting_settings.name }} - namespace: lfx - {{- if .Values.nats.kv_bucket_meeting_settings.keep }} - annotations: - "helm.sh/resource-policy": keep - {{- end }} -spec: - bucket: {{ .Values.nats.kv_bucket_meeting_settings.name }} - history: {{ .Values.nats.kv_bucket_meeting_settings.history }} - storage: {{ .Values.nats.kv_bucket_meeting_settings.storage }} - maxValueSize: {{ .Values.nats.kv_bucket_meeting_settings.maxValueSize }} - maxBytes: {{ .Values.nats.kv_bucket_meeting_settings.maxBytes }} - compression: {{ .Values.nats.kv_bucket_meeting_settings.compression }} -{{- end }} ---- -{{- if .Values.nats.kv_bucket_meeting_registrants.creation }} -apiVersion: jetstream.nats.io/v1beta2 -kind: KeyValue -metadata: - name: {{ .Values.nats.kv_bucket_meeting_registrants.name }} - namespace: lfx - {{- if .Values.nats.kv_bucket_meeting_registrants.keep }} - annotations: - "helm.sh/resource-policy": keep - {{- end }} -spec: - bucket: {{ .Values.nats.kv_bucket_meeting_registrants.name }} - history: {{ 
.Values.nats.kv_bucket_meeting_registrants.history }} - storage: {{ .Values.nats.kv_bucket_meeting_registrants.storage }} - maxValueSize: {{ .Values.nats.kv_bucket_meeting_registrants.maxValueSize }} - maxBytes: {{ .Values.nats.kv_bucket_meeting_registrants.maxBytes }} - compression: {{ .Values.nats.kv_bucket_meeting_registrants.compression }} -{{- end }} ---- -{{- if .Values.nats.kv_bucket_past_meetings.creation }} -apiVersion: jetstream.nats.io/v1beta2 -kind: KeyValue -metadata: - name: {{ .Values.nats.kv_bucket_past_meetings.name }} - namespace: lfx - {{- if .Values.nats.kv_bucket_past_meetings.keep }} - annotations: - "helm.sh/resource-policy": keep - {{- end }} -spec: - bucket: {{ .Values.nats.kv_bucket_past_meetings.name }} - history: {{ .Values.nats.kv_bucket_past_meetings.history }} - storage: {{ .Values.nats.kv_bucket_past_meetings.storage }} - maxValueSize: {{ .Values.nats.kv_bucket_past_meetings.maxValueSize }} - maxBytes: {{ .Values.nats.kv_bucket_past_meetings.maxBytes }} - compression: {{ .Values.nats.kv_bucket_past_meetings.compression }} -{{- end }} ---- -{{- if .Values.nats.kv_bucket_past_meeting_participants.creation }} -apiVersion: jetstream.nats.io/v1beta2 -kind: KeyValue -metadata: - name: {{ .Values.nats.kv_bucket_past_meeting_participants.name }} - namespace: lfx - {{- if .Values.nats.kv_bucket_past_meeting_participants.keep }} - annotations: - "helm.sh/resource-policy": keep - {{- end }} -spec: - bucket: {{ .Values.nats.kv_bucket_past_meeting_participants.name }} - history: {{ .Values.nats.kv_bucket_past_meeting_participants.history }} - storage: {{ .Values.nats.kv_bucket_past_meeting_participants.storage }} - maxValueSize: {{ .Values.nats.kv_bucket_past_meeting_participants.maxValueSize }} - maxBytes: {{ .Values.nats.kv_bucket_past_meeting_participants.maxBytes }} - compression: {{ .Values.nats.kv_bucket_past_meeting_participants.compression }} -{{- end }} ---- -{{- if .Values.nats.kv_bucket_past_meeting_recordings.creation }} -apiVersion: 
jetstream.nats.io/v1beta2 -kind: KeyValue -metadata: - name: {{ .Values.nats.kv_bucket_past_meeting_recordings.name }} - namespace: lfx - {{- if .Values.nats.kv_bucket_past_meeting_recordings.keep }} - annotations: - "helm.sh/resource-policy": keep - {{- end }} -spec: - bucket: {{ .Values.nats.kv_bucket_past_meeting_recordings.name }} - history: {{ .Values.nats.kv_bucket_past_meeting_recordings.history }} - storage: {{ .Values.nats.kv_bucket_past_meeting_recordings.storage }} - maxValueSize: {{ .Values.nats.kv_bucket_past_meeting_recordings.maxValueSize }} - maxBytes: {{ .Values.nats.kv_bucket_past_meeting_recordings.maxBytes }} - compression: {{ .Values.nats.kv_bucket_past_meeting_recordings.compression }} -{{- end }} ---- -{{- if .Values.nats.kv_bucket_past_meeting_summaries.creation }} -apiVersion: jetstream.nats.io/v1beta2 -kind: KeyValue -metadata: - name: {{ .Values.nats.kv_bucket_past_meeting_summaries.name }} - namespace: lfx - {{- if .Values.nats.kv_bucket_past_meeting_summaries.keep }} - annotations: - "helm.sh/resource-policy": keep - {{- end }} -spec: - bucket: {{ .Values.nats.kv_bucket_past_meeting_summaries.name }} - history: {{ .Values.nats.kv_bucket_past_meeting_summaries.history }} - storage: {{ .Values.nats.kv_bucket_past_meeting_summaries.storage }} - maxValueSize: {{ .Values.nats.kv_bucket_past_meeting_summaries.maxValueSize }} - maxBytes: {{ .Values.nats.kv_bucket_past_meeting_summaries.maxBytes }} - compression: {{ .Values.nats.kv_bucket_past_meeting_summaries.compression }} -{{- end }} diff --git a/charts/lfx-v2-meeting-service/templates/ruleset.yaml b/charts/lfx-v2-meeting-service/templates/ruleset.yaml deleted file mode 100644 index 3647044..0000000 --- a/charts/lfx-v2-meeting-service/templates/ruleset.yaml +++ /dev/null 
@@ -1,832 +0,0 @@ -# Copyright The Linux Foundation and each contributor to LFX. -# SPDX-License-Identifier: MIT ---- -apiVersion: heimdall.dadrus.github.com/v1alpha4 -kind: RuleSet -metadata: - name: {{ .Chart.Name }} - namespace: {{ .Release.Namespace }} -spec: - rules: - - id: "rule:lfx:lfx-v2-meeting-service:openapi:get" - match: - methods: - - GET - routes: - - path: /_meetings/openapi.json - - path: /_meetings/openapi.yaml - - path: /_meetings/openapi3.json - - path: /_meetings/openapi3.yaml - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - - authorizer: allow_all - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - id: "rule:lfx:lfx-v2-meeting-service:webhooks:zoom" - match: - methods: - - POST - routes: - - path: /webhooks/zoom - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - # Allow all requests on the zoom webhook endpoint because the endpoint does validation - # of the request to check that it is coming from Zoom. 
- - authorizer: allow_all - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - id: "rule:lfx:lfx-v2-meeting-service:meetings:create" - match: - methods: - - POST - routes: - - path: /meetings - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: json_content_type - - authorizer: openfga_check - config: - values: - relation: writer - object: "project:{{ "{{- .Request.Body.project_uid -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - - id: "rule:lfx:lfx-v2-meeting-service:meetings:meeting:get" - match: - methods: - - GET - routes: - - path: /meetings/:id - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: viewer - object: "meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - - id: "rule:lfx:lfx-v2-meeting-service:meetings:meeting:join_url" - match: - methods: - - GET - routes: - - path: /meetings/:id/join_url - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - 
- contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: viewer - object: "meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - - id: "rule:lfx:lfx-v2-meeting-service:meeting_settings:get" - match: - methods: - - GET - routes: - - path: /meetings/:id/settings - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: auditor - object: "meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - - id: "rule:lfx:lfx-v2-meeting-service:meetings:meeting:update" - match: - methods: - - PUT - routes: - - path: /meetings/:id - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: organizer - object: "meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end 
}} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - - id: "rule:lfx:lfx-v2-meeting-service:meeting_settings:update" - match: - methods: - - PUT - routes: - - path: /meetings/:id/settings - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: organizer - object: "meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - - id: "rule:lfx:lfx-v2-meeting-service:meetings:meeting:delete" - match: - methods: - - DELETE - routes: - - path: /meetings/:id - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: organizer - object: "meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - - id: "rule:lfx:lfx-v2-meeting-service:meeting_registrants:create" - match: - methods: - - POST - routes: - - path: /meetings/:id/registrants - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: 
oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: organizer - object: "meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - # TODO: remove this rule once we remove the list meeting registrants endpoint. - # It is not meant to be used by applications, it should only be used - # in local development, therefore the authorizer allows all requests. - - id: "rule:lfx:lfx-v2-meeting-service:meeting_registrants:list" - match: - methods: - - GET - routes: - - path: /meetings/:id/registrants - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: auditor - object: "meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - - id: "rule:lfx:lfx-v2-meeting-service:meeting_registrants:update" - match: - methods: - - PUT - routes: - - path: /meetings/:id/registrants/:registrant_id - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: organizer - object: 
"meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - - id: "rule:lfx:lfx-v2-meeting-service:meeting_registrants:get" - match: - methods: - - GET - routes: - - path: /meetings/:id/registrants/:registrant_id - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: auditor - object: "meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - - id: "rule:lfx:lfx-v2-meeting-service:meeting_registrants:delete" - match: - methods: - - DELETE - routes: - - path: /meetings/:id/registrants/:registrant_id - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: organizer - object: "meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - - id: 
"rule:lfx:lfx-v2-meeting-service:meeting_registrants:resend_invitation" - match: - methods: - - POST - routes: - - path: /meetings/:id/registrants/:registrant_id/resend - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: organizer - object: "meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - # =============== Past meetings ================== - - id: "rule:lfx:lfx-v2-meeting-service:past_meetings:create" - match: - methods: - - POST - routes: - - path: /past_meetings - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: json_content_type - - authorizer: openfga_check - config: - values: - relation: writer - object: "project:{{ "{{- .Request.Body.project_uid -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - # TODO: remove this rule once we remove the list past meetings endpoint. - # It is not meant to be used by applications, it should only be used - # in local development, therefore the authorizer allows all requests. 
- - id: "rule:lfx:lfx-v2-meeting-service:past_meetings:list" - match: - methods: - - GET - routes: - - path: /past_meetings - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{/* - This rule is on an endpoint that is just used for local development, - it will get removed once we remove the list meetings endpoint. - */}} - - authorizer: allow_all - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - - id: "rule:lfx:lfx-v2-meeting-service:past_meetings:past_meeting:get" - match: - methods: - - GET - routes: - - path: /past_meetings/:id - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: viewer - object: "past_meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - - id: "rule:lfx:lfx-v2-meeting-service:past_meetings:past_meeting:delete" - match: - methods: - - DELETE - routes: - - path: /past_meetings/:id - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: organizer - object: "past_meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - 
(Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - - id: "rule:lfx:lfx-v2-meeting-service:past_meeting_participants:create" - match: - methods: - - POST - routes: - - path: /past_meetings/:id/participants - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: organizer - object: "past_meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - # TODO: remove this rule once we remove the list past meeting participants endpoint. - # It is not meant to be used by applications, it should only be used - # in local development, therefore the authorizer allows all requests. 
- - id: "rule:lfx:lfx-v2-meeting-service:past_meeting_participants:list" - match: - methods: - - GET - routes: - - path: /past_meetings/:id/participants - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: auditor - object: "past_meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - - id: "rule:lfx:lfx-v2-meeting-service:past_meeting_participants:update" - match: - methods: - - PUT - routes: - - path: /past_meetings/:id/participants/:participant_id - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: organizer - object: "past_meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - - id: "rule:lfx:lfx-v2-meeting-service:past_meeting_participants:get" - match: - methods: - - GET - routes: - - path: /past_meetings/:id/participants/:participant_id - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - 
contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: auditor - object: "past_meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - - id: "rule:lfx:lfx-v2-meeting-service:past_meeting_participants:delete" - match: - methods: - - DELETE - routes: - - path: /past_meetings/:id/participants/:participant_id - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: organizer - object: "past_meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - # TODO: remove this rule once we remove the list past meeting summaries endpoint. - # It is not meant to be used by applications, it should only be used - # in local development, therefore the authorizer allows all requests. 
- - id: "rule:lfx:lfx-v2-meeting-service:past_meeting_summaries:list" - match: - methods: - - GET - routes: - - path: /past_meetings/:id/summaries - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: auditor - object: "past_meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - - id: "rule:lfx:lfx-v2-meeting-service:past_meeting_summaries:update" - match: - methods: - - PUT - routes: - - path: /past_meetings/:id/summaries/:summary_id - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - {{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: organizer - object: "past_meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} - - - id: "rule:lfx:lfx-v2-meeting-service:past_meeting_summaries:get" - match: - methods: - - GET - routes: - - path: /past_meetings/:id/summaries/:summary_id - allow_encoded_slashes: "off" - execute: - - authenticator: oidc - - authenticator: anonymous_authenticator - {{- if .Values.app.use_oidc_contextualizer }} - - contextualizer: oidc_contextualizer - 
{{- end }} - {{- if .Values.openfga.enabled }} - - authorizer: openfga_check - config: - values: - relation: auditor - object: "past_meeting:{{ "{{- .Request.URL.Captures.id -}}" }}" - {{- else }} - {{/* - When OpenFGA is disabled, allow all requests - (Only meant for *local development* because OpenFGA should be enabled when deployed) - */}} - - authorizer: allow_all - {{- end }} - - finalizer: create_jwt - config: - values: - aud: {{ .Values.app.audience }} diff --git a/charts/lfx-v2-meeting-service/templates/service.yaml b/charts/lfx-v2-meeting-service/templates/service.yaml deleted file mode 100644 index bba81e4..0000000 --- a/charts/lfx-v2-meeting-service/templates/service.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# Copyright The Linux Foundation and each contributor to LFX. -# SPDX-License-Identifier: MIT ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ .Chart.Name }} - namespace: {{ .Release.Namespace }} - -spec: - ports: - - name: web - port: {{ .Values.service.port }} - targetPort: web - - selector: - app: {{ .Chart.Name }} diff --git a/charts/lfx-v2-meeting-service/templates/serviceaccount.yaml b/charts/lfx-v2-meeting-service/templates/serviceaccount.yaml deleted file mode 100644 index 4abfb64..0000000 --- a/charts/lfx-v2-meeting-service/templates/serviceaccount.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# Copyright The Linux Foundation and each contributor to LFX. -# SPDX-License-Identifier: MIT -{{- if .Values.serviceAccount.create -}} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ .Values.serviceAccount.name | default .Chart.Name }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Chart.Name }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} -{{- end }} diff --git a/charts/lfx-v2-meeting-service/values.yaml b/charts/lfx-v2-meeting-service/values.yaml index a73d627..141a3c2 100644 
--- a/charts/lfx-v2-meeting-service/values.yaml
+++ b/charts/lfx-v2-meeting-service/values.yaml
@@ -1,271 +1,382 @@ # Copyright The Linux Foundation and each contributor to LFX. # SPDX-License-Identifier: MIT --- -# image is the configuration for the container images -image: - # repository is the container image repository - repository: ghcr.io/linuxfoundation/lfx-v2-meeting-service/meeting-api - # tag is the container image tag (overrides appVersion from Chart.yaml) - tag: "" - # pullPolicy is the image pull policy - pullPolicy: IfNotPresent - -# app is the configuration for the application -app: - # audience is the JWT audience required for this authentication with this app - audience: lfx-v2-meeting-service - # skipEtagValidation is a boolean to determine if the etag validation should be skipped - # (only use for local development) - skipEtagValidation: false - # use_oidc_contextualizer is a boolean to determine if the OIDC contextualizer should be used - use_oidc_contextualizer: true - - environment: - # NATS_URL is required - NATS_URL: - value: nats://lfx-platform-nats.lfx.svc.cluster.local:4222 - # LOG_LEVEL is optional - LOG_LEVEL: - value: info - # LOG_ADD_SOURCE is optional - LOG_ADD_SOURCE: - value: true - # JWKS_URL is required unless JWT_AUTH_DISABLED_MOCK_LOCAL_PRINCIPAL is set to a non-empty value - JWKS_URL: - value: http://lfx-platform-heimdall.lfx.svc.cluster.local:4457/.well-known/jwks - # JWT_AUDIENCE is required - JWT_AUDIENCE: - value: lfx-v2-meeting-service - # SKIP_ETAG_VALIDATION is optional - SKIP_ETAG_VALIDATION: - value: "false" - # JWT_AUTH_DISABLED_MOCK_LOCAL_PRINCIPAL is optional - JWT_AUTH_DISABLED_MOCK_LOCAL_PRINCIPAL: - value: '' - # EMAIL_ENABLED is optional - EMAIL_ENABLED: - value: "true" - # SMTP_HOST is optional - SMTP_HOST: - value: lfx-platform-mailpit-smtp.lfx.svc.cluster.local - # SMTP_PORT is optional - SMTP_PORT: - value: "25" - # SMTP_FROM is optional - SMTP_FROM: - value: noreply@lfx.linuxfoundation.org - # SMTP_USERNAME is optional - SMTP_USERNAME: - value: null - # SMTP_PASSWORD is optional - SMTP_PASSWORD: - 
value: null - # ZOOM_ACCOUNT_ID is optional - ZOOM_ACCOUNT_ID: - value: null - # ZOOM_CLIENT_ID is optional - ZOOM_CLIENT_ID: - value: null - # ZOOM_CLIENT_SECRET is optional - ZOOM_CLIENT_SECRET: - value: null - # ZOOM_WEBHOOK_SECRET_TOKEN is optional - ZOOM_WEBHOOK_SECRET_TOKEN: - value: null - # LFX_ENVIRONMENT is optional (dev, staging, prod) - defaults to prod if not set - LFX_ENVIRONMENT: - value: prod - -# traefik is the configuration for Traefik Gateway API routing -traefik: - # gateway specifies the platform Gateway to attach to - gateway: - name: lfx-platform-gateway - namespace: lfx - -# lfx is the configuration for LFX platform -lfx: - # domain is the base domain for routing - domain: k8s.orb.local - # namespace is the target namespace for deployment - namespace: lfx - -# service is the configuration for the Kubernetes service -service: - # port is the service port - port: 8080 - -# serviceAccount is the configuration for the Kubernetes service account -serviceAccount: - # create specifies whether a service account should be created - create: true - # name is the name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - # annotations to add to the service account - annotations: {} - # automountServiceAccountToken is a boolean to determine if the service account token should be automatically mounted - automountServiceAccountToken: true - -# nats is the configuration for the NATS server -nats: - - # kv_bucket_meetings is the configuration for the KV bucket for storing meeting base information - kv_bucket_meetings: - # creation is a boolean to determine if the KV bucket should be created via the helm chart. - # set it to false if you want to use an existing KV bucket. 
- creation: true - # keep is a boolean to determine if the KV bucket should be preserved during helm uninstall - # set it to false if you want the bucket to be deleted when the chart is uninstalled - keep: true - # name is the name of the KV bucket for storing meeting base information - name: meetings - # history is the number of history entries to keep for the KV bucket - history: 20 - # storage is the storage type for the KV bucket - storage: file - # maxValueSize is the maximum size of a value in the KV bucket - maxValueSize: 10485760 # 10MB - # maxBytes is the maximum number of bytes in the KV bucket - maxBytes: 1073741824 # 1GB - # compression is a boolean to determine if the KV bucket should be compressed - compression: true - - # kv_bucket_meeting_settings is the configuration for the KV bucket for storing meeting settings - kv_bucket_meeting_settings: - # creation is a boolean to determine if the KV bucket should be created via the helm chart. - # set it to false if you want to use an existing KV bucket. 
- creation: true - # keep is a boolean to determine if the KV bucket should be preserved during helm uninstall - # set it to false if you want the bucket to be deleted when the chart is uninstalled - keep: true - # name is the name of the KV bucket for storing meeting settings - name: meeting-settings - # history is the number of history entries to keep for the KV bucket - history: 20 - # storage is the storage type for the KV bucket - storage: file - # maxValueSize is the maximum size of a value in the KV bucket - maxValueSize: 10485760 # 10MB - # maxBytes is the maximum number of bytes in the KV bucket - maxBytes: 1073741824 # 1GB - # compression is a boolean to determine if the KV bucket should be compressed - compression: true - - # kv_bucket_meeting_registrants is the configuration for the KV bucket for storing meeting registrants - kv_bucket_meeting_registrants: - # creation is a boolean to determine if the KV bucket should be created via the helm chart. - # set it to false if you want to use an existing KV bucket. - creation: true - # keep is a boolean to determine if the KV bucket should be preserved during helm uninstall - # set it to false if you want the bucket to be deleted when the chart is uninstalled - keep: true - # name is the name of the KV bucket for storing meeting registrants - name: meeting-registrants - # history is the number of history entries to keep for the KV bucket - history: 20 - # storage is the storage type for the KV bucket - storage: file - # maxValueSize is the maximum size of a value in the KV bucket - maxValueSize: 10485760 # 10MB - # maxBytes is the maximum number of bytes in the KV bucket - maxBytes: 1073741824 # 1GB - # compression is a boolean to determine if the KV bucket should be compressed - compression: true - - # kv_bucket_past_meetings is the configuration for the KV bucket for storing past meetings - kv_bucket_past_meetings: - # creation is a boolean to determine if the KV bucket should be created via the helm chart. 
- # set it to false if you want to use an existing KV bucket. - creation: true - # keep is a boolean to determine if the KV bucket should be preserved during helm uninstall - # set it to false if you want the bucket to be deleted when the chart is uninstalled - keep: true - # name is the name of the KV bucket for storing past meetings - name: past-meetings - # history is the number of history entries to keep for the KV bucket - history: 20 - # storage is the storage type for the KV bucket - storage: file - # maxValueSize is the maximum size of a value in the KV bucket - maxValueSize: 10485760 # 10MB - # maxBytes is the maximum number of bytes in the KV bucket - maxBytes: 5368709120 # 5GB - # compression is a boolean to determine if the KV bucket should be compressed - compression: true - - # kv_bucket_past_meeting_participants is the configuration for the KV bucket for storing past meeting participants - kv_bucket_past_meeting_participants: - # creation is a boolean to determine if the KV bucket should be created via the helm chart. - # set it to false if you want to use an existing KV bucket. 
- creation: true - # keep is a boolean to determine if the KV bucket should be preserved during helm uninstall - # set it to false if you want the bucket to be deleted when the chart is uninstalled - keep: true - # name is the name of the KV bucket for storing past meeting participants - name: past-meeting-participants - # history is the number of history entries to keep for the KV bucket - history: 20 - # storage is the storage type for the KV bucket - storage: file - # maxValueSize is the maximum size of a value in the KV bucket - maxValueSize: 10485760 # 10MB - # maxBytes is the maximum number of bytes in the KV bucket - maxBytes: 5368709120 # 5GB - # compression is a boolean to determine if the KV bucket should be compressed - compression: true - - # kv_bucket_past_meeting_recordings is the configuration for the KV bucket for storing past meeting recordings - kv_bucket_past_meeting_recordings: - # creation is a boolean to determine if the KV bucket should be created via the helm chart. - # set it to false if you want to use an existing KV bucket. 
- creation: true - # keep is a boolean to determine if the KV bucket should be preserved during helm uninstall - # set it to false if you want the bucket to be deleted when the chart is uninstalled - keep: true - # name is the name of the KV bucket for storing past meeting recordings - name: past-meeting-recordings - # history is the number of history entries to keep for the KV bucket - history: 20 - # storage is the storage type for the KV bucket - storage: file - # maxValueSize is the maximum size of a value in the KV bucket - maxValueSize: 10485760 # 10MB - # maxBytes is the maximum number of bytes in the KV bucket - maxBytes: 10737418240 # 10GB - # compression is a boolean to determine if the KV bucket should be compressed - compression: true - - # kv_bucket_past_meeting_summaries is the configuration for the KV bucket for storing past meeting summaries - kv_bucket_past_meeting_summaries: - # creation is a boolean to determine if the KV bucket should be created via the helm chart. - # set it to false if you want to use an existing KV bucket. 
- creation: true - # keep is a boolean to determine if the KV bucket should be preserved during helm uninstall - # set it to false if you want the bucket to be deleted when the chart is uninstalled - keep: true - # name is the name of the KV bucket for storing past meeting summaries - name: past-meeting-summaries - # history is the number of history entries to keep for the KV bucket - history: 20 - # storage is the storage type for the KV bucket - storage: file - # maxValueSize is the maximum size of a value in the KV bucket - maxValueSize: 10485760 # 10MB - # maxBytes is the maximum number of bytes in the KV bucket - maxBytes: 1073741824 # 1GB - # compression is a boolean to determine if the KV bucket should be compressed - compression: true - -# openfga is the configuration for the OpenFGA server -openfga: - # enabled is a boolean to determine if the OpenFGA server should be enabled for authorization - # Note: If it is disabled, then the meeting service will allow all requests - # (Disabling OpenFGA should only be used for local development). 
- enabled: true - -# heimdall is the configuration for the heimdall middleware -heimdall: - enabled: true - url: http://lfx-platform-heimdall.lfx.svc.cluster.local:4456 - add_middleware: false +# Configuration for the base lfx-service chart +lfx-service: + # Global configuration + global: + domain: "" + namespace: "" + + # Image configuration + image: + repository: ghcr.io/linuxfoundation/lfx-one-meeting-service/meeting-api + tag: "1.0" + + # Deployment configuration + deployment: + # Environment variables using the new format + environment: + NATS_URL: + value: "nats://lfx-platform-nats.lfx.svc.cluster.local:4222" + LOG_LEVEL: + value: "info" + LOG_ADD_SOURCE: + value: "true" + JWKS_URL: + value: "http://lfx-platform-heimdall.lfx.svc.cluster.local:4457/.well-known/jwks" + JWT_AUDIENCE: + value: "lfx-v2-meeting-service" + SKIP_ETAG_VALIDATION: + value: "false" + JWT_AUTH_DISABLED_MOCK_LOCAL_PRINCIPAL: + value: "" + EMAIL_ENABLED: + value: "true" + SMTP_HOST: + value: "lfx-platform-mailpit-smtp.lfx.svc.cluster.local" + SMTP_PORT: + value: "25" + SMTP_FROM: + value: "noreply@lfx.linuxfoundation.org" + SMTP_USERNAME: + value: "" + SMTP_PASSWORD: + value: "" + ZOOM_ACCOUNT_ID: + value: "" + ZOOM_CLIENT_ID: + value: "" + ZOOM_CLIENT_SECRET: + value: "" + ZOOM_WEBHOOK_SECRET_TOKEN: + value: "" + LFX_ENVIRONMENT: + value: "" + + # HTTPRoute configuration + httpRoute: + enabled: true + gateway: + name: lfx-platform-gateway + namespace: lfx + + matches: + - path: + type: Exact + value: /meetings + - path: + type: PathPrefix + value: /meetings/ + - path: + type: Exact + value: /past_meetings + - path: + type: PathPrefix + value: /past_meetings/ + - path: + type: PathPrefix + value: /webhooks/ + - path: + type: PathPrefix + value: /_meetings/ + + filters: + - type: ExtensionRef + extensionRef: + group: traefik.io + kind: Middleware + name: heimdall-forward-body + + # Heimdall middleware + heimdall: + enabled: true + url: http://lfx-platform-heimdall.lfx.svc.cluster.local:4456 
+ createMiddleware: true + + # RuleSet for authentication + ruleSet: + enabled: true + audience: lfx-v2-meeting-service + + rules: + # OpenAPI endpoints + - id: "rule:lfx:lfx-v2-meeting-service:openapi:get" + match: + methods: ["GET"] + routes: + - "/_meetings/openapi.json" + - "/_meetings/openapi.yaml" + - "/_meetings/openapi3.json" + - "/_meetings/openapi3.yaml" + # No authorization required for OpenAPI docs + + # Zoom webhook endpoint + - id: "rule:lfx:lfx-v2-meeting-service:webhooks:zoom" + match: + methods: ["POST"] + routes: ["/webhooks/zoom"] + # No authorization - endpoint validates Zoom signature + + # Meeting operations + - id: "rule:lfx:lfx-v2-meeting-service:meetings:create" + match: + methods: ["POST"] + routes: ["/meetings"] + authorization: + requireJsonContent: true + relation: writer + object: "project:{{.Request.Body.project_uid}}" + + - id: "rule:lfx:lfx-v2-meeting-service:meetings:meeting:get" + match: + methods: ["GET"] + routes: ["/meetings/:id"] + authorization: + relation: viewer + object: "meeting:{{.Request.URL.Captures.id}}" + + - id: "rule:lfx:lfx-v2-meeting-service:meetings:meeting:join_url" + match: + methods: ["GET"] + routes: ["/meetings/:id/join_url"] + authorization: + relation: viewer + object: "meeting:{{.Request.URL.Captures.id}}" + + - id: "rule:lfx:lfx-v2-meeting-service:meeting_settings:get" + match: + methods: ["GET"] + routes: ["/meetings/:id/settings"] + authorization: + relation: organizer + object: "meeting:{{.Request.URL.Captures.id}}" + + - id: "rule:lfx:lfx-v2-meeting-service:meetings:meeting:update" + match: + methods: ["PUT"] + routes: ["/meetings/:id"] + authorization: + relation: organizer + object: "meeting:{{.Request.URL.Captures.id}}" + + - id: "rule:lfx:lfx-v2-meeting-service:meeting_settings:update" + match: + methods: ["PUT"] + routes: ["/meetings/:id/settings"] + authorization: + relation: organizer + object: "meeting:{{.Request.URL.Captures.id}}" + + - id: 
"rule:lfx:lfx-v2-meeting-service:meetings:meeting:delete" + match: + methods: ["DELETE"] + routes: ["/meetings/:id"] + authorization: + relation: organizer + object: "meeting:{{.Request.URL.Captures.id}}" + + # Meeting registrants + - id: "rule:lfx:lfx-v2-meeting-service:meeting_registrants:create" + match: + methods: ["POST"] + routes: ["/meetings/:id/registrants"] + authorization: + relation: organizer + object: "meeting:{{.Request.URL.Captures.id}}" + + - id: "rule:lfx:lfx-v2-meeting-service:meeting_registrants:list" + match: + methods: ["GET"] + routes: ["/meetings/:id/registrants"] + authorization: + relation: organizer + object: "meeting:{{.Request.URL.Captures.id}}" + + - id: "rule:lfx:lfx-v2-meeting-service:meeting_registrants:update" + match: + methods: ["PUT"] + routes: ["/meetings/:id/registrants/:registrant_id"] + authorization: + relation: organizer + object: "meeting:{{.Request.URL.Captures.id}}" + + - id: "rule:lfx:lfx-v2-meeting-service:meeting_registrants:get" + match: + methods: ["GET"] + routes: ["/meetings/:id/registrants/:registrant_id"] + authorization: + relation: organizer + object: "meeting:{{.Request.URL.Captures.id}}" + + - id: "rule:lfx:lfx-v2-meeting-service:meeting_registrants:delete" + match: + methods: ["DELETE"] + routes: ["/meetings/:id/registrants/:registrant_id"] + authorization: + relation: organizer + object: "meeting:{{.Request.URL.Captures.id}}" + + # Past meetings + - id: "rule:lfx:lfx-v2-meeting-service:past_meetings:create" + match: + methods: ["POST"] + routes: ["/past_meetings"] + authorization: + requireJsonContent: true + relation: writer + object: "project:{{.Request.Body.project_uid}}" + + - id: "rule:lfx:lfx-v2-meeting-service:past_meetings:list" + match: + methods: ["GET"] + routes: ["/past_meetings"] + # Allow all for development endpoint + + - id: "rule:lfx:lfx-v2-meeting-service:past_meetings:past_meeting:get" + match: + methods: ["GET"] + routes: ["/past_meetings/:id"] + authorization: + relation: viewer + 
object: "past_meeting:{{.Request.URL.Captures.id}}" + + - id: "rule:lfx:lfx-v2-meeting-service:past_meetings:past_meeting:delete" + match: + methods: ["DELETE"] + routes: ["/past_meetings/:id"] + authorization: + relation: organizer + object: "past_meeting:{{.Request.URL.Captures.id}}" + + # Past meeting participants + - id: "rule:lfx:lfx-v2-meeting-service:past_meeting_participants:create" + match: + methods: ["POST"] + routes: ["/past_meetings/:id/participants"] + authorization: + relation: organizer + object: "past_meeting:{{.Request.URL.Captures.id}}" + + - id: "rule:lfx:lfx-v2-meeting-service:past_meeting_participants:list" + match: + methods: ["GET"] + routes: ["/past_meetings/:id/participants"] + authorization: + relation: organizer + object: "past_meeting:{{.Request.URL.Captures.id}}" + + - id: "rule:lfx:lfx-v2-meeting-service:past_meeting_participants:update" + match: + methods: ["PUT"] + routes: ["/past_meetings/:id/participants/:participant_id"] + authorization: + relation: organizer + object: "past_meeting:{{.Request.URL.Captures.id}}" + + - id: "rule:lfx:lfx-v2-meeting-service:past_meeting_participants:get" + match: + methods: ["GET"] + routes: ["/past_meetings/:id/participants/:participant_id"] + authorization: + relation: organizer + object: "past_meeting:{{.Request.URL.Captures.id}}" + + - id: "rule:lfx:lfx-v2-meeting-service:past_meeting_participants:delete" + match: + methods: ["DELETE"] + routes: ["/past_meetings/:id/participants/:participant_id"] + authorization: + relation: organizer + object: "past_meeting:{{.Request.URL.Captures.id}}" + + # Past meeting summaries + - id: "rule:lfx:lfx-v2-meeting-service:past_meeting_summaries:list" + match: + methods: ["GET"] + routes: ["/past_meetings/:id/summaries"] + authorization: + relation: organizer + object: "past_meeting:{{.Request.URL.Captures.id}}" + + - id: "rule:lfx:lfx-v2-meeting-service:past_meeting_summaries:update" + match: + methods: ["PUT"] + routes: 
["/past_meetings/:id/summaries/:summary_id"] + authorization: + relation: organizer + object: "past_meeting:{{.Request.URL.Captures.id}}" + + - id: "rule:lfx:lfx-v2-meeting-service:past_meeting_summaries:get" + match: + methods: ["GET"] + routes: ["/past_meetings/:id/summaries/:summary_id"] + authorization: + relation: organizer + object: "past_meeting:{{.Request.URL.Captures.id}}" + + # NATS KV Buckets + nats: + kvBuckets: + - name: meetings + creation: true + keep: true + history: 20 + storage: file + maxValueSize: 10485760 # 10MB + maxBytes: 1073741824 # 1GB + compression: true + + - name: meeting-settings + creation: true + keep: true + history: 20 + storage: file + maxValueSize: 10485760 # 10MB + maxBytes: 1073741824 # 1GB + compression: true + + - name: meeting-registrants + creation: true + keep: true + history: 20 + storage: file + maxValueSize: 10485760 # 10MB + maxBytes: 1073741824 # 1GB + compression: true + + - name: past-meetings + creation: true + keep: true + history: 20 + storage: file + maxValueSize: 10485760 # 10MB + maxBytes: 5368709120 # 5GB + compression: true + + - name: past-meeting-participants + creation: true + keep: true + history: 20 + storage: file + maxValueSize: 10485760 # 10MB + maxBytes: 5368709120 # 5GB + compression: true + + - name: past-meeting-recordings + creation: true + keep: true + history: 20 + storage: file + maxValueSize: 10485760 # 10MB + maxBytes: 10737418240 # 10GB + compression: true + + - name: past-meeting-summaries + creation: true + keep: true + history: 20 + storage: file + maxValueSize: 10485760 # 10MB + maxBytes: 1073741824 # 1GB + compression: true \ No newline at end of file
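Review bot: The `past_meetings:list` rule (`GET /past_meetings`) ships in the default values with no `authorization:` block and the comment "Allow all for development endpoint", so unless the base chart's template rejects rules without an authorizer, a stock install exposes the past-meeting listing to any caller; the old template only fell back to `allow_all` when `openfga.enabled` was false, and that toggle no longer exists. Either drop that rule from the defaults and document it as a local-only override, or give it the same `relation`/`object` shape the other past-meeting rules use. The secret-bearing variables (`SMTP_PASSWORD`, `ZOOM_CLIENT_SECRET`, `ZOOM_WEBHOOK_SECRET_TOKEN`) are now `value: ""` placeholders; a comment such as `# populate via valueFrom.secretKeyRef in an override, never inline` above them would steer operators away from committing plaintext, assuming the new environment format still accepts `valueFrom` as the removed deployment template did. The `{{.Request.URL.Captures.id}}` and `{{.Request.Body.project_uid}}` strings are only safe if the base chart emits them with `quote`/`toYaml` rather than `tpl`, since the old ruleset had to escape them; a one-line comment stating that expectation would prevent a future maintainer from switching the template. The per-key documentation the old file carried for the bucket fields (`creation`, `keep`, `history`, `maxBytes`) and for `global.domain`/`global.namespace` was dropped and should be restored, including the note that `LFX_ENVIRONMENT` is read as `prod` when empty if that is still the application's behavior.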