From f4208f4ec2ca3ec8173d33f6894c1ece547840e0 Mon Sep 17 00:00:00 2001
From: Mathias Staab
Date: Mon, 10 Feb 2025 17:24:04 +0100
Subject: [PATCH 1/2] add helm config for the allowlist of binding requests ratelimiting
---
 charts/coturn/templates/configmap-allowlist.yaml | 16 ++++++++++++++++
 .../configmap-coturn-conf-template.yaml | 4 ++++
 charts/coturn/templates/statefulset.yaml | 14 ++++++++++++--
 charts/coturn/values.yaml | 12 ++++++++----
 4 files changed, 40 insertions(+), 6 deletions(-)
 create mode 100644 charts/coturn/templates/configmap-allowlist.yaml
diff --git a/charts/coturn/templates/configmap-allowlist.yaml b/charts/coturn/templates/configmap-allowlist.yaml
new file mode 100644
index 000000000..dbb4f9d40
--- /dev/null
+++ b/charts/coturn/templates/configmap-allowlist.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.ratelimit.allowlist }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coturn-allowlist
+ labels:
+ app: coturn
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+ allowlist.txt: |
+ {{- range .Values.ratelimit.allowlist }}
+ {{ . }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/coturn/templates/configmap-coturn-conf-template.yaml b/charts/coturn/templates/configmap-coturn-conf-template.yaml
index 260333202..06bad6c33 100644
--- a/charts/coturn/templates/configmap-coturn-conf-template.yaml
+++ b/charts/coturn/templates/configmap-coturn-conf-template.yaml
@@ -90,6 +90,10 @@ data:
 401-req-limit={{ .Values.ratelimit.requestLimit }}
 401-window={{ .Values.ratelimit.window }}
 {{- end }}
+ {{- if .Values.ratelimit.allowlist }}
+ ## rate-limiting allowlist location
+ 401-allowlist=/etc/coturn/allowlist.txt
+ {{- end }}
 {{- if .Values.federate.enabled }}
 ### federation setup
diff --git a/charts/coturn/templates/statefulset.yaml b/charts/coturn/templates/statefulset.yaml
index 4003d6e9e..d733a36d9 100644
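Review bot: The new template ends without a trailing newline (`\ No newline at end of file` after the final `{{- end }}`); add one so the file matches the other templates and passes yamllint's new-line-at-end-of-file check. A short header comment would also help readers of `allowlist.txt`, since every entry written there is exempted from the 401 rate limit: `# Entries are emitted verbatim, one per line; each one exempts that address from 401 rate limiting.` The ConfigMap name `coturn-allowlist` is fixed rather than derived from the release, which appears consistent with the fixed `coturn-dtls-certificate` name referenced in the StatefulSet hunk, so I assume one release per namespace is the chart's convention.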
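Review bot: The `401-allowlist` directive is emitted outside the block closed by the preceding `{{- end }}`, so it is written whenever `ratelimit.allowlist` is non-empty, independently of whether the `401-req-limit`/`401-window` lines are; the condition that opens that earlier block is outside the hunk, so I can't tell whether the two are meant to be coupled. If emitting the allowlist on its own is intended (coturn applying it against its built-in defaults), a comment should say so, e.g. `## applied even when the limit/window values above are not overridden`; otherwise nest it inside the same conditional so the two settings are configured together.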
--- a/charts/coturn/templates/statefulset.yaml
+++ b/charts/coturn/templates/statefulset.yaml
@@ -63,6 +63,11 @@ spec:
 secret:
 secretName: coturn-dtls-certificate
 {{- end }}
+ {{- if .Values.ratelimit.allowlist }}
+ - name: allowlist-volume
+ configMap:
+ name: coturn-allowlist
+ {{- end }}
 initContainers:
 - name: get-external-ip
 image: bitnami/kubectl:1.29.11
@@ -125,11 +130,16 @@ spec:
 mountPath: /secrets-tls/
 readOnly: true
 {{- end }}
- {{- if .Values.federate.dtls.enabled }}
+ {{- if .Values.federate.dtls.enabled }}
 - name: coturn-dtls-certificate
 mountPath: /coturn-dtls-certificate/
 readOnly: true
- {{- end }}
+ {{- end }}
+ {{- if .Values.ratelimit.allowlist }}
+ - name: allowlist-volume
+ mountPath: /etc/coturn/allowlist.txt
+ subPath: allowlist.txt
+ {{- end }}
 command:
 - /usr/bin/dumb-init
 - --
diff --git a/charts/coturn/values.yaml b/charts/coturn/values.yaml
index 913907c55..32d3f9ca1 100644
--- a/charts/coturn/values.yaml
+++ b/charts/coturn/values.yaml
@@ -93,10 +93,14 @@ federate:
 ratelimit:
 override: false
-# # Set the maximum number of 401 Unauthorized responses allowed per rate-limiting window. Defaults is 1000.
-# requestLimit: 1000
-# # Set the time window duration in seconds for rate limiting 401 Unauthorized responses. Defaults is 120.
-# window: 120
+ # # Set the maximum number of 401 Unauthorized responses allowed per rate-limiting window. Defaults is 1000.
+ # requestLimit: 1000
+ # # Set the time window duration in seconds for rate limiting 401 Unauthorized responses. Defaults is 120.
+ # window: 120
+ # # Define the IPs allowed to bypass the 401 rate-limiting
+ # allowlist:
+ # - "192.168.1.1"
+ # - "192.168.1.2"
 metrics:
 serviceMonitor:
From 8299a1befdac6df6585b16b6f3554682a3002f36 Mon Sep 17 00:00:00 2001
From: Mathias Staab
Date: Wed, 19 Feb 2025 08:38:52 +0100
Subject: [PATCH 2/2] bump chart and appversion to match config
---
 charts/coturn/Chart.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
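Review bot: The new `allowlist-volume` mount in the `@@ -125,11 +130,16 @@` hunk lacks `readOnly: true`, unlike the sibling `/secrets-tls/` and `/coturn-dtls-certificate/` mounts in the same hunk; the container only reads the file, so add `readOnly: true` after `subPath: allowlist.txt`. Because this is a `subPath` mount of a ConfigMap, Kubernetes does not propagate later ConfigMap updates into the running container, so edits to `ratelimit.allowlist` only take effect after the pod is recreated; unless the pod template already carries a checksum annotation for this ConfigMap (not visible here), a comment stating the restart requirement would save operators a surprise. The volume definition in the earlier `@@ -63,6 +63,11 @@` hunk references the same `coturn-allowlist` name and looks consistent with this mount. The enclosing container spec starts and ends outside both hunks.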
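Review bot: The new `allowlist` example in values.yaml does not state what entry format is accepted (single addresses only, or ranges as well), and since every listed entry is exempted from the 401 rate limit, operators need that to keep the exemption narrow; extend the comment to name the accepted format, or at least the coturn option it feeds (`401-allowlist`). While these comment lines are being re-indented, `Defaults is 1000` and `Defaults is 120` read better as `Default is 1000` and `Default is 120`. The whole block remains commented out, so `ratelimit.allowlist` is unset by default and the allowlist templates stay disabled unless a deployment provides it, which seems to be the intent.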
diff --git a/charts/coturn/Chart.yaml b/charts/coturn/Chart.yaml
index 6a8abef6c..a4baddb51 100644
--- a/charts/coturn/Chart.yaml
+++ b/charts/coturn/Chart.yaml
@@ -6,9 +6,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.42
+version: 0.0.43
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: 4.6.2-federation-wireapp.16
+appVersion: 4.6.2-federation-wireapp.31