Merge pull request #635 from element-hq/gaelg/upgrade-lk-jwt

matrix-authorisation-service: upgrade lk-jwt-service

Author: gaelgatelement

charts/matrix-stack/configs/matrix-rtc/sfu/config-overrides.yaml.tpl

@@ -55,4 +55,7 @@ key_file: /secrets/{{ (printf "/secrets/%s"
 key_file: /conf/keys.yaml
 {{- end }}
 
+room:
+  auto_create: false
+
 {{ end }}

charts/matrix-stack/source/matrix-rtc.json

@@ -6,6 +6,9 @@
     "enabled": {
       "type": "boolean"
     },
+    "restrictRoomCreationToLocalUsers": {
+      "type": "boolean"
+    },
     "livekitAuth": {
       "type": "object",
       "oneOf": [

charts/matrix-stack/source/matrix-rtc.yaml.j2

@@ -7,6 +7,11 @@ SPDX-License-Identifier: AGPL-3.0-only
 {% import 'sub_schema_values.yaml.j2' as sub_schema_values -%}
 enabled: true
 
+# Allows restricting room creation to local users only
+# Remote federated users can still join the room
+# Defaults to false for now until clients are upgraded to support the new mechanism
+restrictRoomCreationToLocalUsers: false
+
 # LiveKit Authentication Configuration
 # This section allows you to configure authentication for the LiveKit SFU.
 # You can either use an existing keys.yaml file or provide a key and secret.
@@ -19,7 +24,7 @@ enabled: true
 
 replicas: 1
 {{- sub_schema_values.ingress() }}
-{{- sub_schema_values.image(registry='ghcr.io', repository='element-hq/lk-jwt-service', tag='0.2.3') }}
+{{- sub_schema_values.image(registry='ghcr.io', repository='element-hq/lk-jwt-service', tag='0.3.0') }}
 {{- sub_schema_values.labels() }}
 {{- sub_schema_values.workloadAnnotations() }}
 {{- sub_schema_values.containersSecurityContext() }}

charts/matrix-stack/templates/matrix-rtc/_helpers.tpl

@@ -69,6 +69,12 @@ env:
 {{- if .sfu.enabled }}
 - name: "LIVEKIT_URL"
   value: {{ printf "wss://%s" (tpl .ingress.host $root) }}
+{{- end }}
+- name: "LIVEKIT_FULL_ACCESS_HOMESERVERS"
+{{- if $root.Values.serverName }}
+  value: {{ (.restrictRoomCreationToLocalUsers | ternary (tpl $root.Values.serverName $root) "*") | quote }}
+{{- else }}
+  value: "*"
 {{- end -}}
 {{- end -}}
 {{- end -}}

charts/matrix-stack/values.schema.json

@@ -816,6 +816,9 @@
         "enabled": {
           "type": "boolean"
         },
+        "restrictRoomCreationToLocalUsers": {
+          "type": "boolean"
+        },
         "livekitAuth": {
           "type": "object",
           "oneOf": [

charts/matrix-stack/values.yaml

@@ -367,6 +367,11 @@ deploymentMarkers:
 matrixRTC:
   enabled: true
 
+  # Allows restricting room creation to local users only
+  # Remote federated users can still join the room
+  # Defaults to false for now until clients are upgraded to support the new mechanism
+  restrictRoomCreationToLocalUsers: false
+
   # LiveKit Authentication Configuration
   # This section allows you to configure authentication for the LiveKit SFU.
   # You can either use an existing keys.yaml file or provide a key and secret.
@@ -430,7 +435,7 @@ matrixRTC:
 
     ## The tag of the container image to use.
     ## One of tag or digest must be provided.
-    tag: "0.2.3"
+    tag: "0.3.0"
 
     ## Container digest to use. Used to pull the image instead of the image tag if set
     ## The tag will still be set as the app.kubernetes.io/version label

newsfragments/635.changed.md

@@ -0,0 +1,8 @@
+Upgrade `lk-jwt-service` to 0.3.0.
+
+Highlights:
+* Support restricting matrix room creation to local homeserver only.
+  Configure this through `matrixRTC.restrictRoomCreationToLocalUsers`. Default to false for now until clients support this new feature.
+
+Full Changelog:
+* [0.3.0](https://github.com/element-hq/lk-jwt-service/releases/tag/v0.3.0)

tests/integration/fixtures/helm.py

@@ -163,6 +163,7 @@ async def matrix_stack(
             "ip": ingress,
             "hostnames": [
                 generated_data.server_name,
+                f"mrtc.{generated_data.server_name}",
                 f"synapse.{generated_data.server_name}",
             ],
         }