Merge pull request #31 from wireapp/ratelimit-allowlist-helm

mastaab · web-flow · commit c4799505e975 · 2025-02-19T15:32:23.000+01:00
add helm config for the allowlist of binding requests rate-limiting
diff --git a/charts/coturn/Chart.yaml b/charts/coturn/Chart.yaml
@@ -6,9 +6,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.42
+version: 0.0.43
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.6.2-federation-wireapp.16
+appVersion: 4.6.2-federation-wireapp.31
diff --git a/charts/coturn/templates/configmap-allowlist.yaml b/charts/coturn/templates/configmap-allowlist.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.ratelimit.allowlist }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: coturn-allowlist
+  labels:
+    app: coturn
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+data:
+  allowlist.txt: |
+    {{- range .Values.ratelimit.allowlist }}
+    {{ . }}
+    {{- end }}
+{{- end }}
diff --git a/charts/coturn/templates/configmap-coturn-conf-template.yaml b/charts/coturn/templates/configmap-coturn-conf-template.yaml
@@ -90,6 +90,10 @@ data:
     401-req-limit={{ .Values.ratelimit.requestLimit }}
     401-window={{ .Values.ratelimit.window }}
     {{- end }}
+    {{- if .Values.ratelimit.allowlist }}
+    ## rate-limiting allowlist location
+    401-allowlist=/etc/coturn/allowlist.txt
+    {{- end }}
 
     {{- if .Values.federate.enabled }}
     ### federation setup
diff --git a/charts/coturn/templates/statefulset.yaml b/charts/coturn/templates/statefulset.yaml
@@ -63,6 +63,11 @@ spec:
           secret:
             secretName: coturn-dtls-certificate
         {{- end }}
+        {{- if .Values.ratelimit.allowlist }}
+        - name: allowlist-volume
+          configMap:
+            name: coturn-allowlist
+        {{- end }}
       initContainers:
         - name: get-external-ip
           image: bitnami/kubectl:1.29.11
@@ -125,11 +130,16 @@ spec:
               mountPath: /secrets-tls/
               readOnly: true
           {{- end }}
-           {{- if .Values.federate.dtls.enabled }}
+          {{- if .Values.federate.dtls.enabled }}
             - name: coturn-dtls-certificate
               mountPath: /coturn-dtls-certificate/
               readOnly: true
-           {{- end }}
+          {{- end }}
+          {{- if .Values.ratelimit.allowlist }}
+            - name: allowlist-volume
+              mountPath: /etc/coturn/allowlist.txt
+              subPath: allowlist.txt
+          {{- end }}
           command:
             - /usr/bin/dumb-init
             - --
diff --git a/charts/coturn/values.yaml b/charts/coturn/values.yaml
@@ -93,10 +93,14 @@ federate:
 
 ratelimit:
   override: false
-#   # Set the maximum number of 401 Unauthorized responses allowed per rate-limiting window. Defaults is 1000.
-#   requestLimit: 1000
-#   # Set the time window duration in seconds for rate limiting 401 Unauthorized responses. Defaults is 120.
-#   window: 120
+  # # Set the maximum number of 401 Unauthorized responses allowed per rate-limiting window. Defaults is 1000.
+  # requestLimit: 1000
+  # # Set the time window duration in seconds for rate limiting 401 Unauthorized responses. Defaults is 120.
+  # window: 120
+  # # Define the IPs allowed to bypass the 401 rate-limiting
+  # allowlist: 
+  #   - "192.168.1.1"
+  #   - "192.168.1.2"
 
 metrics:
   serviceMonitor:
