This document guides you through the installation of Jitsi into Kubernetes, when it is used together with the STUNner WebRTC media gateway.
In this demo you will learn to:
- integrate a typical WebRTC application server with STUNner,
- obtain a valid TLS certificate to secure the signaling plane,
- deploy the Jitsi server into Kubernetes, and
- configure STUNner to expose Jitsi to clients.
To run this example, you need:
- a Kubernetes cluster,
- a deployed STUNner (presumably the latest stable version),
- an Ingress controller to ingest traffic into the cluster,
- a Cert-manager to automate TLS certificate management.
Note
If you have your own TLS certificate, put it in a Secret resource and deploy it into the default namespace under the jitsi-secret name.
The recommended way to install Jitsi into Kubernetes is deploying the media servers into the host-network namespace of the Kubernetes nodes (hostNetwork: true), or using a NodePort service or a dedicated Ingress to ingest WebRTC media traffic into the network. However, these options allow only one JVB instance per Kubernetes node and the host-network deployment model also comes with a set of uncanny operational limitations and security concerns. Using STUNner, however, media servers can be deployed into ordinary Kubernetes pods and run over a private IP network, like any "normal" Kubernetes workload.
The figure below shows Jitsi deployed into regular Kubernetes pods behind STUNner without the host-networking hack. Here, Jitsi is deployed behind STUNner in the media-plane deployment model, so that STUNner acts as a "local" STUN/TURN server for Jitsi, saving the overhead of using public a 3rd party STUN/TURN server for NAT traversal.
In this tutorial we deploy a video room example using the Jitsi framework for media exchange, a Kubernetes Ingress gateway to secure signaling connections and handle TLS, and STUNner as a media gateway to expose the Jitsi JVB to clients.
Now comes the fun part. The simplest way to run this demo is to clone the STUNner git repository and deploy (after some minor modifications) the manifest packaged with STUNner.
To install the stable version of STUNner, please follow the instructions in this section.
Configure STUNner to act as a STUN/TURN server to clients, and route all received media to the Jitsi server pods.
git clone https://github.com/l7mp/stunner
cd stunner
kubectl apply -f docs/examples/jitsi/jitsi-call-stunner.yamlThe relevant parts here are the STUNner Gateway definition, which exposes the STUNner STUN/TURN server over UDP:3478 to the Internet, and the UDPRoute definition, which takes care of routing media to the pods running the Jitsi service. Also, with the GatewayConfig object we set the authType: longterm parameter because Prosody can't use Plaintext authentication only long term.
apiVersion: stunner.l7mp.io/v1
kind: GatewayConfig
metadata:
name: stunner-gatewayconfig
namespace: stunner
spec:
authType: ephemeral
sharedSecret: "my-shared-secret"
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: udp-gateway
namespace: stunner
spec:
gatewayClassName: stunner-gatewayclass
listeners:
- name: udp-listener
port: 3478
protocol: TURN-UDP
---
apiVersion: stunner.l7mp.io/v1
kind: UDPRoute
metadata:
name: jitsi-media-plane
namespace: stunner
spec:
parentRefs:
- name: udp-gateway
rules:
- backendRefs:
- name: jitsi-jvb
namespace: defaultOnce the Gateway resource is installed into Kubernetes, STUNner will create a Kubernetes LoadBalancer for the Gateway to expose the TURN server on UDP:3478 to clients. It can take up to a minute for Kubernetes to allocate a public external IP for the service.
Wait until Kubernetes assigns an external IP and store the external IP assigned by Kubernetes to STUNner in an environment variable for later use
until [ -n "$(kubectl get svc udp-gateway -n stunner -o jsonpath='{.status.loadBalancer.ingress[0].ip}')" ]; do sleep 1; done
export STUNNERIP=$(kubectl get svc udp-gateway -n stunner -o jsonpath='{.status.loadBalancer.ingress[0].ip}')The crucial step of integrating any WebRTC media server with STUNner is to ensure that the server instructs the clients to use STUNner as the STUN/TURN server. In order to achieve this, first we patch the public IP address of the STUNner STUN/TURN server we have learned above into our Jitsi deployment manifest:
sed -i "s/<stunner-public-ip>/$STUNNERIP/g" docs/examples/jitsi/jitsi-server.yamlThis will make sure that Jitsi is started with STUNner as the STUN/TURN server. Note that Jitsi itself will not use STUNner (that would amount to a less efficient symmetric ICE mode); with the above configuration we are just telling Jitsi to instruct its clients to use STUNner to reach the Jitsi JVB.
We also need the Ingress external IP address we have stored previously: this will make sure that the TLS certificate created by cert-manager will be bound to the proper nip.io domain and IP address.
sed -i "s/<public-ingress-ip>/$INGRESSIP/g" docs/examples/jitsi/jitsi-server.yamlTo use the web server, the corresponding Nginx resolver parameter must be the Kubernetes’ DNS address.
export KUBEDNS=$(kubectl get svc kube-dns -n kube-system -o jsonpath='{.spec.clusterIP}')
sed -i "s/<kube-dns>/$KUBEDNS/g" docs/examples/jitsi/jitsi-server.yamlFinally, fire up Jitsi.
kubectl apply -f docs/examples/jitsi/jitsi-server.yamlThe demo installation bundle includes a lot of resources to deploy Jitsi:
- Ingress resource to terminate the secure connections between your browser and the Kubernetes cluster.
- Jitsi web server serving the landing page
- Cluster issuer for TLS certificates
- Prosody XMPP server to manage the WebRTC session signaling within the cluster
- Jicofo load balancer and connection broker to setup rooms on JVB
- JVB videobridge
Wait until all pods become operational and jump right into testing!
After installing everything, execute the following command to retrieve the URL of your fresh Jitsi demo app:
echo $INGRESSIP.nip.ioCopy the URL into your browser, and now you should be greeted with the Jitsi webpage. In the landing page you should create a room first. After you created a room you can set your username and join the room. On another page you have to open this page again and you should see the previously created room in the list. You only have to connect this room with another user.
STUNner development is coordinated in Discord, feel free to join.