Kubernetes deployment: guest domain not properly configured in jitsi-meet container configuration

Hi, I’m trying to deploy Jitsi meet on an IBM Cloud’s Kubernetes cluster, based on the instructions at:

https://github.com/jitsi/docker-jitsi-meet/tree/master/examples/kubernetes

but the unauthenticated guest domain doesn’t get applied correctly.

In detail, I’ve tried implementing the JWT authentication by adding (just as in the docker container deployment) to the deployment.yaml chart’s Prosody container ENV section:

        - name: XMPP_GUEST_DOMAIN
          value: guest.meet.jitsi
        - name: XMPP_MUC_DOMAIN
          value: muc.meet.jitsi
        - name: XMPP_INTERNAL_MUC_DOMAIN
          value: internal-muc.meet.jitsi
        - name: ENABLE_AUTH
          value: "1"
        - name: ENABLE_GUESTS
          value: "1"
        - name: AUTH_TYPE
          value: "jwt"
        - name: JWT_APP_ID
          valueFrom:
            secretKeyRef:
              name: jitsi-config
              key: JWT_APP_ID
        - name: JWT_APP_SECRET
          valueFrom:
            secretKeyRef:
              name: jitsi-config
              key: JWT_APP_SECRET

Moreover, I’ve added to every other container’s ENV section (jicofo, web, jvb):

        - name: XMPP_GUEST_DOMAIN
          value: guest.meet.jitsi

When I apply this chart, the JWT token authentication gets enabled on the prosody’s virtualhost config and in fact works, and in the prosody container domain.cfg.lua file the guest domain is present:

VirtualHost "meet.jitsi"

    authentication = "token"
    app_id = "JitsiVideoOpenSquare"
    app_secret = "*********"
    allow_empty_token = false

And:

VirtualHost "guest.meet.jitsi"
    authentication = "anonymous"
    c2s_require_encryption = false

The problem resides in the web container’s config.js file, which shows:

    hosts: {
        // XMPP domain.
        domain: 'jitsi-meet.example.com',

        // When using authentication, domain for guest users.
        // anonymousdomain: 'guest.example.com',

        // Domain for authenticated users. Defaults to <domain>.
        // authdomain: 'jitsi-meet.example.com',

        // Call control component (Jigasi).
        // call_control: 'callcontrol.jitsi-meet.example.com',

        // Focus component domain. Defaults to focus.<domain>.
        // focus: 'focus.jitsi-meet.example.com',

        // XMPP MUC domain. FIXME: use XEP-0030 to discover it.
        muc: 'conference.jitsi-meet.example.com'
    },

As you can see the guest domain part is not getting uncommented.
This leads to the problem that guests cannot join rooms already created by authenticated (via JWT) users.

I tried manually changing with sed in the running container

// anonymousdomain: 'guest.example.com',

to

anonymousdomain: 'guest.example.com',

But if I do so, guests trying to join are still not prompted with “the conference has not yet started”. It shows only the standard conference page, with cam and video disabled, so I guess it’s not working either.

What is missing to enable the guest domain and JWT authentication together, just as in the docker deployment which works perfectly?
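
A consistency check for the two files compared in the post above, as an added example (not part of the original post or of the Jitsi project's code): it reports whether config.js has an active anonymousdomain and whether that value names the same host as Prosody's anonymous VirtualHost. The function names and file paths are assumptions; the sample contents are constructed from the snippets quoted in the post.

```shell
#!/bin/sh
# Added example: compare the web client's guest domain with Prosody's.

# Print the active (uncommented) hosts.anonymousdomain value from config.js.
active_anonymousdomain() {
    sed -n "s/^[[:space:]]*anonymousdomain:[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Print the Prosody VirtualHost that uses anonymous authentication.
anonymous_virtualhost() {
    awk -F'"' '
        /^[ \t]*VirtualHost/ { host = $2 }
        /^[ \t]*authentication[ \t]*=[ \t]*"anonymous"/ { print host; exit }
    ' "$1"
}

# Return 0 when both sides agree, 1 when config.js has no active guest
# domain, 2 when Prosody has no anonymous VirtualHost, 3 on a name mismatch.
check_guest_domain() {
    web=$(active_anonymousdomain "$1")
    xmpp=$(anonymous_virtualhost "$2")
    [ -n "$web" ] || { echo "config.js: anonymousdomain is commented out or missing"; return 1; }
    [ -n "$xmpp" ] || { echo "prosody: no VirtualHost with anonymous authentication"; return 2; }
    [ "$web" = "$xmpp" ] || { echo "mismatch: config.js=$web prosody=$xmpp"; return 3; }
    echo "ok: guest domain $web"
}

# Demo on sample files constructed from the snippets quoted in the post.
tmp=$(mktemp -d)
cat > "$tmp/config.js" <<'EOF'
hosts: {
    domain: 'jitsi-meet.example.com',
    // anonymousdomain: 'guest.example.com',
    muc: 'conference.jitsi-meet.example.com'
},
EOF
cat > "$tmp/prosody.cfg.lua" <<'EOF'
VirtualHost "meet.jitsi"
    authentication = "token"
VirtualHost "guest.meet.jitsi"
    authentication = "anonymous"
EOF
check_guest_domain "$tmp/config.js" "$tmp/prosody.cfg.lua" || echo "exit code: $?"
```

Return code 3 covers the case where the line has been uncommented by hand but still carries the template value rather than the host Prosody actually serves.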

What version of the containers are you using? We are of such bug in the latest release.

Hi @saghul, I guess the deployment.yaml chart pulls the latest available images of the containers. From what I can see in the pod’s details:

Jicofo:
image: docker.io/jitsi/jicofo:latest
imageID: docker.io/jitsi/jicofo@sha256:b0d54c3570d1d651391f73185e511c3b2398aed2ed493945b25b7630a5ebf167

JVB:
image: docker.io/jitsi/jvb:latest
imageID: docker.io/jitsi/jvb@sha256:25d60c6e2c3bb84158e51c2bf3d101099e8bd6092cc77777166e83b1fd072da4

Prosody:
image: docker.io/jitsi/prosody:latest
imageID: docker.io/jitsi/prosody@sha256:5d330ea18c7f2374d5a9e4b8319b67cc4f17c20674c5b0edd70dbcce2f3d6b28

Meet Web:
image: docker.io/jitsi/web:latest
imageID: docker.io/jitsi/web@sha256:cd08661c5b28c47fa665ae47d397435d9d1a515f4b6d9b9f3645a82831a902d0

So it’s a common bug? Which release should I use?

Update:

I’ve tried modifying the yml chart to pull the stable-4857 version for each container (jicofo, jvb, etc.), so, for example, I wrote:

    spec:
      containers:
        - name: jicofo
          image: jitsi/jicofo:stable-4857
          imagePullPolicy: Always
          env:

But this did not solve the issue; guests are still prompted with basic auth when joining already created rooms.
I’ve chosen to try the 4857 version because I’ve already deployed it for my company on a dockerized (but not kubernetes) environment, and everything works fine: JWT authentication works and guests can only enter already created rooms.

What can I do to make JWT and guest access work properly on kubernetes?

Your env file looks ok, have you tried to wipe your config volume? In 4857 we don’t generate the config on every boot, just the first time.

@saghul I see no volumes attached to the jitsi pod… Could you tell me how to wipe the config volume?

I do have only a secret containing the various components’ passwords. And the only volume mounted is another secret one containing these keys (and their values):

  • ca.crt
  • namespace
  • token

At the moment, each time I re-deploy Jitsi, I do delete the deployment every time, and that, in cascade, deletes the pod. Is that not enough?

TBH I don’t know k8s well enough to tell you. Basically, you need to delete the CONFIG env variable.