add coturn.auth.staticAuthSecret and coturn.auth.secretKeys.staticAuthSecret (#195)

* allow static-auth-secret as per #177

* bump chart version

* clean up the readme

* undo secret thing here

* helm-docs: automated action

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: jessebot

charts/coturn/Chart.yaml

@@ -4,7 +4,7 @@ type: application
 description: A Helm chart to deploy coturn
 home: "https://github.com/small-hack/coturn-chart"
 
-version: 9.3.0
+version: 9.4.0
 
 # renovate: image=coturn/coturn
 appVersion: 4.8.0

charts/coturn/README.md

@@ -1,6 +1,6 @@
 # coturn
 
-![Version: 9.3.0](https://img.shields.io/badge/Version-9.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.8.0](https://img.shields.io/badge/AppVersion-4.8.0-informational?style=flat-square)
+![Version: 9.4.0](https://img.shields.io/badge/Version-9.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 4.8.0](https://img.shields.io/badge/AppVersion-4.8.0-informational?style=flat-square)
 
 A Helm chart to deploy coturn
 
@@ -38,7 +38,9 @@ A Helm chart to deploy coturn
 | coturn.auth.existingSecret | string | `""` | existing secret with keys username/password for coturn |
 | coturn.auth.password | string | `""` | password for the main user of the turn server |
 | coturn.auth.secretKeys.password | string | `"password"` | key in existing secret for turn server user's password |
+| coturn.auth.secretKeys.staticAuthSecret | string | `""` | key in existing secret for coturn static-auth-secret |
 | coturn.auth.secretKeys.username | string | `"username"` | key in existing secret for turn server user |
+| coturn.auth.staticAuthSecret | string | `""` | 'Static' authentication secret value (a string) for TURN REST API only. If not set, then the turn server will try to use the 'dynamic' value in the turn_secret table in the user database (if present). The database-stored  value can be changed on-the-fly by a separate program, so this is why that mode is considered 'dynamic'. |
 | coturn.auth.username | string | `"coturn"` | username for the main user of the turn server |
 | coturn.extraEnvVars | list | `[]` | Extra environment variables to pass to the Coturn container example:   - name: STATIC_AUTH_SECRET_VAL_OPT     value: supersecretpassword123abcyes |
 | coturn.extraTurnserverConfiguration | string | `"verbose\n"` | extra configuration for turnserver.conf |

charts/coturn/templates/auth-secret.yaml

@@ -12,4 +12,7 @@ data:
   {{- else }}
   password: {{ .Values.coturn.auth.password | b64enc | quote }}
   {{- end }}
+  {{- with .Values.coturn.auth.staticAuthSecret }}
+  staticAuthSecret: {{ . }}
+  {{- end }}
 {{- end }}

charts/coturn/templates/deployment.yaml

@@ -129,6 +129,13 @@ spec:
                 secretKeyRef:
                   name: {{ include "coturn.auth.secretName" . }}
                   key: {{ .Values.coturn.auth.secretKeys.password }}
+            {{- if or .Values.coturn.auth.staticAuthSecret .Values.coturn.auth.secretKeys.staticAuthSecret }}
+            - name: STATIC_AUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "coturn.auth.secretName" . }}
+                  key: {{ .Values.coturn.auth.secretKeys.staticAuthSecret | default "staticAuthSecret" }}
+            {{- end }}
             {{- if or .Values.externalDatabase.enabled .Values.postgresql.enabled .Values.mysql.enabled }}
             - name: DATABASE_HOSTNAME
             {{- if and .Values.externalDatabase.enabled .Values.externalDatabase.secretKeys.hostname }}
@@ -189,6 +196,10 @@ spec:
               export CONNECTION_STRING="host=$DATABASE_HOSTNAME dbname=$DATABASE user=$DATABASE_USER password=$DATABASE_PASS port=3306 connect_timeout=10 read_timeout=10" && \
               yq eval -i '.mysql-userdb = env(CONNECTION_STRING)' /data/turnserver.yaml && \
               {{- end }}
+              {{- if or .Values.coturn.auth.staticAuthSecret .Values.coturn.auth.secretKeys.staticAuthSecret }}
+              yq eval -i '.static-auth-secret = env(STATIC_AUTH_SECRET)' /data/turnserver.yaml && \
+              sed -i '1i use-auth-secret' /data/turnserver.yaml && \
+              {{- end }}
               sed -i 's/: /=/' /data/turnserver.yaml && \
               cat /extra/turnserver.conf >> /data/turnserver.yaml && \
               echo '' >> /data/turnserver.yaml && \

charts/coturn/values.yaml

@@ -159,13 +159,21 @@ coturn:
     username: "coturn"
     # -- password for the main user of the turn server
     password: ""
+    # -- 'Static' authentication secret value (a string) for TURN REST API only.
+    # If not set, then the turn server
+    # will try to use the 'dynamic' value in the turn_secret table
+    # in the user database (if present). The database-stored  value can be changed on-the-fly
+    # by a separate program, so this is why that mode is considered 'dynamic'.
+    staticAuthSecret: ""
     # -- existing secret with keys username/password for coturn
     existingSecret: ""
     secretKeys:
       # -- key in existing secret for turn server user
       username: username
       # -- key in existing secret for turn server user's password
       password: password
+      # -- key in existing secret for coturn static-auth-secret
+      staticAuthSecret: ""
 
   # -- coturn's listening IP address
   listeningIP: "0.0.0.0"