From 873f89e2d95c58ef6831e25aee8e2f52a4ef7ae5 Mon Sep 17 00:00:00 2001
From: Piwccle
Date: Tue, 16 Sep 2025 13:09:16 +0200
Subject: [PATCH] Refactor initial admin user and password handling; update variable descriptions for clarity
---
 .../gcp/tf-gpc-openvidu-singlenode.tf | 53 +++++++-------
 .../community/singlenode/gcp/variables.tf | 72 +++++++++++++------
 2 files changed, 77 insertions(+), 48 deletions(-)
diff --git a/openvidu-deployment/community/singlenode/gcp/tf-gpc-openvidu-singlenode.tf b/openvidu-deployment/community/singlenode/gcp/tf-gpc-openvidu-singlenode.tf
index 54fc33de..4735775a 100644
--- a/openvidu-deployment/community/singlenode/gcp/tf-gpc-openvidu-singlenode.tf
+++ b/openvidu-deployment/community/singlenode/gcp/tf-gpc-openvidu-singlenode.tf
@@ -179,14 +179,24 @@ locals { RANDOM_DOMAIN_STRING=$(tr -dc 'a-z' < /dev/urandom | head -c 8) DOMAIN=openvidu-$RANDOM_DOMAIN_STRING-$(echo $EXTERNAL_IP | tr '.' '-').sslip.io TURN_DOMAIN_NAME_SSLIP_IO=turn-$RANDOM_DOMAIN_STRING-$(echo $EXTERNAL_IP | tr '.' '-').sslip.io - echo $RANDOM_DOMAIN_STRING > /usr/share/openvidu/random-domain-string - echo $EXTERNAL_IP > /usr/share/openvidu/old-host-name else DOMAIN="${var.domainName}" fi - DOMAIN="$(/usr/local/bin/store_secret.sh save DOMAIN_NAME "$DOMAIN")" + # Meet initial admin user and password + MEET_INITIAL_ADMIN_USER="$(/usr/local/bin/store_secret.sh save MEET_INITIAL_ADMIN_USER "admin")" + if [[ "${var.initialMeetAdminPassword}" != '' ]]; then + MEET_INITIAL_ADMIN_PASSWORD="$(/usr/local/bin/store_secret.sh save MEET_INITIAL_ADMIN_PASSWORD "${var.initialMeetAdminPassword}")" + else + MEET_INITIAL_ADMIN_PASSWORD="$(/usr/local/bin/store_secret.sh generate MEET_INITIAL_ADMIN_PASSWORD)" + fi + if [[ "${InitialMeetApiKey}" != '' ]]; then + MEET_INITIAL_API_KEY="$(/usr/local/bin/store_secret.sh save MEET_INITIAL_API_KEY "${InitialMeetApiKey}")" + else + MEET_INITIAL_API_KEY="$(/usr/local/bin/store_secret.sh save MEET_INITIAL_API_KEY "")" + fi + # Store usernames and generate random passwords REDIS_PASSWORD="$(/usr/local/bin/store_secret.sh generate REDIS_PASSWORD)" MONGO_ADMIN_USERNAME="$(/usr/local/bin/store_secret.sh save MONGO_ADMIN_USERNAME "mongoadmin")" 
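Review bot: `"${InitialMeetApiKey}"` in the new API-key branch does not match the reference used everywhere else in this patch (`${var.initialMeetApiKey}` in the later hunks, and the variable declared in variables.tf), so the template refers to a name that is never declared; both the condition and the save call should read `if [[ "${var.initialMeetApiKey}" != '' ]]; then` and `... save MEET_INITIAL_API_KEY "${var.initialMeetApiKey}"`. The hunk also removes `DOMAIN="$(/usr/local/bin/store_secret.sh save DOMAIN_NAME "$DOMAIN")"` with no replacement in view, while the -399 hunk below still reads the DOMAIN_NAME secret back with gcloud; unless that save has moved somewhere outside this diff, the restore path would read an empty secret, so this is worth confirming. The new branch also saves the admin password and API key by passing them as command-line arguments to store_secret.sh, which makes them briefly visible in the process table; this mirrors the pre-existing password handling rather than being new here, but it is the place to change if the helper ever accepts stdin. The enclosing heredoc script starts and ends outside the hunk.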
@@ -198,13 +208,6 @@ locals { DASHBOARD_ADMIN_PASSWORD="$(/usr/local/bin/store_secret.sh generate DASHBOARD_ADMIN_PASSWORD)" GRAFANA_ADMIN_USERNAME="$(/usr/local/bin/store_secret.sh save GRAFANA_ADMIN_USERNAME "grafanaadmin")" GRAFANA_ADMIN_PASSWORD="$(/usr/local/bin/store_secret.sh generate GRAFANA_ADMIN_PASSWORD)" - MEET_INITIAL_ADMIN_USER="$(/usr/local/bin/store_secret.sh save MEET_INITIAL_ADMIN_USER "admin")" - if [[ "${var.meetInitialAdminPassword}" == "" ]]; then - MEET_INITIAL_ADMIN_PASSWORD="$(/usr/local/bin/store_secret.sh generate MEET_INITIAL_ADMIN_PASSWORD)" - else - MEET_INITIAL_ADMIN_PASSWORD="$(/usr/local/bin/store_secret.sh save MEET_INITIAL_ADMIN_PASSWORD "${var.meetInitialAdminPassword}")" - fi - MEET_INITIAL_API_KEY="$(/usr/local/bin/store_secret.sh generate MEET_INITIAL_API_KEY)" ENABLED_MODULES="$(/usr/local/bin/store_secret.sh save ENABLED_MODULES "observability,openviduMeet")" LIVEKIT_API_KEY="$(/usr/local/bin/store_secret.sh generate LIVEKIT_API_KEY "API" 12)" LIVEKIT_API_SECRET="$(/usr/local/bin/store_secret.sh generate LIVEKIT_API_SECRET)" @@ -230,14 +233,13 @@ locals { "--dashboard-admin-password=$DASHBOARD_ADMIN_PASSWORD" "--grafana-admin-user=$GRAFANA_ADMIN_USERNAME" "--grafana-admin-password=$GRAFANA_ADMIN_PASSWORD" - "--meet-initial-admin-user=$MEET_INITIAL_ADMIN_USER" "--meet-initial-admin-password=$MEET_INITIAL_ADMIN_PASSWORD" "--meet-initial-api-key=$MEET_INITIAL_API_KEY" "--livekit-api-key=$LIVEKIT_API_KEY" "--livekit-api-secret=$LIVEKIT_API_SECRET" ) - # Include additional installer flags (trimmed) + # Include additional installer flags provided by the user if [[ "${var.additionalInstallFlags}" != "" ]]; then IFS=',' read -ra EXTRA_FLAGS <<< "${var.additionalInstallFlags}" for extra_flag in "$${EXTRA_FLAGS[@]}"; do 
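Review bot: `"--meet-initial-api-key=$MEET_INITIAL_API_KEY"` stays in the installer flag list unconditionally (second hunk, -230) even though the -179 hunk now saves that secret as an empty string when no key is configured, so the installer is then invoked with `--meet-initial-api-key=` and an empty value; every other use of the key in this patch is gated on `var.initialMeetApiKey`, and the flag list should be gated the same way, e.g. by appending after the array is closed with `if [[ "${var.initialMeetApiKey}" != '' ]]; then <flags_array>+=("--meet-initial-api-key=$MEET_INITIAL_API_KEY"); fi` (the array's real name is above the hunk; `<flags_array>` is a placeholder). Dropping `--meet-initial-admin-user` while still storing `MEET_INITIAL_ADMIN_USER` as `admin` and writing it into meet.env in later hunks assumes the installer's default user is `admin`; if that default ever changes, the stored secret and the real account would diverge, so a one-line comment stating the assumption would help the next reader. The flag array and the function around it begin outside the hunk.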
@@ -399,11 +401,6 @@ locals { # Replace DOMAIN_NAME export DOMAIN=$(gcloud secrets versions access latest --secret=DOMAIN_NAME) - if [[ $DOMAIN == *"sslip.io"* ]] || [[ -z $DOMAIN ]]; then - EXTERNAL_IP=$(get_meta() "instance/network-interfaces/0/access-configs/0/nat-ip") - RANDOM_DOMAIN_STRING=$(cat /usr/share/openvidu/random-domain-string) - DOMAIN=openvidu-$RANDOM_DOMAIN_STRING-$(echo $EXTERNAL_IP | tr '.' '-').sslip.io - fi if [[ -n "$DOMAIN" ]]; then sed -i "s/DOMAIN_NAME=.*/DOMAIN_NAME=$DOMAIN/" "$${CONFIG_DIR}/openvidu.env" else @@ -412,11 +409,6 @@ locals { # Replace LIVEKIT_TURN_DOMAIN_NAME export LIVEKIT_TURN_DOMAIN_NAME=$(gcloud secrets versions access latest --secret=LIVEKIT_TURN_DOMAIN_NAME) - if [[ $LIVEKIT_TURN_DOMAIN_NAME == *"sslip.io"* ]] || [[ -z $LIVEKIT_TURN_DOMAIN_NAME ]]; then - EXTERNAL_IP=$(get_meta() "instance/network-interfaces/0/access-configs/0/nat-ip") - RANDOM_DOMAIN_STRING=$(cat /usr/share/openvidu/random-domain-string) - LIVEKIT_TURN_DOMAIN_NAME=turn-$RANDOM_DOMAIN_STRING-$(echo $EXTERNAL_IP | tr '.' '-').sslip.io - fi if [[ -n "$LIVEKIT_TURN_DOMAIN_NAME" ]]; then sed -i "s/LIVEKIT_TURN_DOMAIN_NAME=.*/LIVEKIT_TURN_DOMAIN_NAME=$LIVEKIT_TURN_DOMAIN_NAME/" "$${CONFIG_DIR}/openvidu.env" fi @@ -436,7 +428,9 @@ locals { export LIVEKIT_API_SECRET=$(gcloud secrets versions access latest --secret=LIVEKIT_API_SECRET) export MEET_INITIAL_ADMIN_USER=$(gcloud secrets versions access latest --secret=MEET_INITIAL_ADMIN_USER) export MEET_INITIAL_ADMIN_PASSWORD=$(gcloud secrets versions access latest --secret=MEET_INITIAL_ADMIN_PASSWORD) - export MEET_INITIAL_API_KEY=$(gcloud secrets versions access latest --secret=MEET_INITIAL_API_KEY) + if [[ "${var.initialMeetApiKey}" != '' ]]; then + export MEET_INITIAL_API_KEY=$(gcloud secrets versions access latest --secret=MEET_INITIAL_API_KEY) + fi export ENABLED_MODULES=$(gcloud secrets versions access latest --secret=ENABLED_MODULES) 
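Review bot: The new `if [[ "${var.initialMeetApiKey}" != '' ]]` guard (third hunk, -436, and the same guard at -455, -503 and -524 in the following hunks) is evaluated when Terraform renders the template, not when the script runs, so the decision is frozen at deploy time: an API key configured later in Meet Console and present in meet.env would, as far as I can tell from these scripts, never be uploaded to Secret Manager by the -503/-524 path nor written back by the -436/-455 path. Gating on the runtime value is simpler and covers both cases: fetch the secret unconditionally as before and act only when it is non-empty, e.g. `if [[ -n "$MEET_INITIAL_API_KEY" ]]; then` in front of the sed and the gcloud upload. The deletions in the -399 and -412 hunks are consistent with the -179 hunk no longer writing /usr/share/openvidu/random-domain-string. The enclosing scripts start and end outside these hunks.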
@@ -455,7 +449,9 @@ locals { sed -i "s/LIVEKIT_API_SECRET=.*/LIVEKIT_API_SECRET=$LIVEKIT_API_SECRET/" "$${CONFIG_DIR}/openvidu.env" sed -i "s/MEET_INITIAL_ADMIN_USER=.*/MEET_INITIAL_ADMIN_USER=$MEET_INITIAL_ADMIN_USER/" "$${CONFIG_DIR}/meet.env" sed -i "s/MEET_INITIAL_ADMIN_PASSWORD=.*/MEET_INITIAL_ADMIN_PASSWORD=$MEET_INITIAL_ADMIN_PASSWORD/" "$${CONFIG_DIR}/meet.env" - sed -i "s/MEET_INITIAL_API_KEY=.*/MEET_INITIAL_API_KEY=$MEET_INITIAL_API_KEY/" "$${CONFIG_DIR}/meet.env" + if [[ "${var.initialMeetApiKey}" != '' ]]; then + sed -i "s/MEET_INITIAL_API_KEY=.*/MEET_INITIAL_API_KEY=$MEET_INITIAL_API_KEY/" "$${CONFIG_DIR}/meet.env" + fi sed -i "s/ENABLED_MODULES=.*/ENABLED_MODULES=$ENABLED_MODULES/" "$${CONFIG_DIR}/openvidu.env" @@ -503,7 +499,9 @@ locals { LIVEKIT_API_SECRET="$(/usr/local/bin/get_value_from_config.sh LIVEKIT_API_SECRET "$${CONFIG_DIR}/openvidu.env")" MEET_INITIAL_ADMIN_USER="$(/usr/local/bin/get_value_from_config.sh MEET_INITIAL_ADMIN_USER "$${CONFIG_DIR}/meet.env")" MEET_INITIAL_ADMIN_PASSWORD="$(/usr/local/bin/get_value_from_config.sh MEET_INITIAL_ADMIN_PASSWORD "$${CONFIG_DIR}/meet.env")" - MEET_INITIAL_API_KEY="$(/usr/local/bin/get_value_from_config.sh MEET_INITIAL_API_KEY "$${CONFIG_DIR}/meet.env")" + if [[ "${var.initialMeetApiKey}" != '' ]]; then + MEET_INITIAL_API_KEY="$(/usr/local/bin/get_value_from_config.sh MEET_INITIAL_API_KEY "$${CONFIG_DIR}/meet.env")" + fi ENABLED_MODULES="$(/usr/local/bin/get_value_from_config.sh ENABLED_MODULES "$${CONFIG_DIR}/openvidu.env")" 
@@ -524,7 +522,9 @@ locals { echo -n "$LIVEKIT_API_SECRET" | gcloud secrets versions add LIVEKIT_API_SECRET --data-file=- echo -n "$MEET_INITIAL_ADMIN_USER" | gcloud secrets versions add MEET_INITIAL_ADMIN_USER --data-file=- echo -n "$MEET_INITIAL_ADMIN_PASSWORD" | gcloud secrets versions add MEET_INITIAL_ADMIN_PASSWORD --data-file=- - echo -n "$MEET_INITIAL_API_KEY" | gcloud secrets versions add MEET_INITIAL_API_KEY --data-file=- + if [[ "${var.initialMeetApiKey}" != '' ]]; then + echo -n "$MEET_INITIAL_API_KEY" | gcloud secrets versions add MEET_INITIAL_API_KEY --data-file=- + fi echo -n "$ENABLED_MODULES" | gcloud secrets versions add ENABLED_MODULES --data-file=- EOF @@ -681,7 +681,6 @@ locals { CONFIG_S3_EOF chmod +x /usr/local/bin/config_s3.sh - apt-get update && apt-get install -y # Install google cli diff --git a/openvidu-deployment/community/singlenode/gcp/variables.tf b/openvidu-deployment/community/singlenode/gcp/variables.tf index 13864f11..030485f0 100644 --- a/openvidu-deployment/community/singlenode/gcp/variables.tf +++ b/openvidu-deployment/community/singlenode/gcp/variables.tf 
@@ -2,29 +2,29 @@ # Variables used by the configuration variable "projectId" { - description = "GCP project id" + description = "GCP project id where the resourw es will be created." type = string } variable "region" { - description = "GCP region" + description = "GCP region where resources will be created." type = string default = "europe-west1" } variable "zone" { - description = "GCP zone" + description = "GCP zone that some resources will use." type = string default = "europe-west1-b" } variable "stackName" { - description = "Stack name for OpenVidu deployment" + description = "Stack name for OpenVidu deployment." type = string } variable "certificateType" { - description = "[selfsigned] Not recommended for production use. If you don't have a FQDN, (DomainName parameter) you can use this option to generate a self-signed certificate. [owncert] Valid for productions environments. If you have a FQDN, (DomainName parameter) and an Elastic IP, you can use this option to use your own certificate. [letsencrypt] Valid for production environments. If you have a FQDN, (DomainName parameter) and an Elastic IP, you can use this option to generate a Let's Encrypt certificate." + description = "[selfsigned] Not recommended for production use. Just for testing purposes or development environments. You don't need a FQDN to use this option. [owncert] Valid for production environments. Use your own certificate. You need a FQDN to use this option. [letsencrypt] Valid for production environments. Can be used with or without a FQDN (if no FQDN is provided, a random sslip.io domain will be used)." type = string default = "letsencrypt" validation { 
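Review bot: The new `projectId` description contains a typo, `resourw es`; it should read `description = "GCP project id where the resources will be created."`. The rest of the hunk is wording only and matches the new sslip.io behaviour in the installer script.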
@@ -34,67 +34,97 @@ variable "certificateType" { } variable "publicIpAddress" { - description = "Previously created Public IP address for the OpenVidu Deployment. Blank will generate a public IP" + description = "Previously created Public IP address for the OpenVidu Deployment. Blank will generate a public IP." type = string default = "" + validation { + condition = can(regex("^$|^([01]?\\d{1,2}|2[0-4]\\d|25[0-5])\\.([01]?\\d{1,2}|2[0-4]\\d|25[0-5])\\.([01]?\\d{1,2}|2[0-4]\\d|25[0-5])\\.([01]?\\d{1,2}|2[0-4]\\d|25[0-5])$", var.publicIpAddress)) + error_message = "The Public Elastic IP does not have a valid IPv4 format" + } } variable "domainName" { - description = "Optional domain name for the deployment" + description = "Domain name for the OpenVidu Deployment." type = string default = "" + validation { + condition = can(regex("^$|^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\\.)+[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$", var.domainName)) + error_message = "The domain name does not have a valid domain name format" + } } variable "ownPublicCertificate" { - description = "If owncert: URL to fullchain.pem" + description = "If certificate type is 'owncert', this parameter will be used to specify the public certificate" type = string default = "" } variable "ownPrivateCertificate" { - description = "If owncert: URL to privkey.pem" + description = "If certificate type is 'owncert', this parameter will be used to specify the private certificate" type = string default = "" } +variable "initialMeetAdminPassword" { + description = "Initial password for the 'admin' user in OpenVidu Meet. If not provided, a random password will be generated." + type = string + default = "" + validation { + condition = can(regex("^[A-Za-z0-9_-]*$", var.initialMeetAdminPassword)) + error_message = "Must contain only alphanumeric characters (A-Z, a-z, 0-9). Leave empty to generate a random password." + } +} + +variable "initialMeetApiKey" { + description = "Initial API key for OpenVidu Meet. 
If not provided, no API key will be set and the user can set it later from Meet Console." + type = string + default = "" + validation { + condition = can(regex("^[A-Za-z0-9_-]*$", var.initialMeetApiKey)) + error_message = "Must contain only alphanumeric characters (A-Z, a-z, 0-9). Leave empty to not set an initial API key." + } +} + variable "additionalInstallFlags" { - description = "Comma-separated additional flags passed to the OpenVidu installer" + description = "Additional optional flags to pass to the OpenVidu installer (comma-separated, e.g.,'--flag1=value, --flag2')." type = string default = "" + validation { + condition = can(regex("^[A-Za-z0-9, =_.\\-]*$", var.additionalInstallFlags)) + error_message = "Must be a comma-separated list of flags (for example, --flag=value, --bool-flag)." + } } variable "turnDomainName" { - description = "Optional TURN server TLS domain" + description = "(Optional) Domain name for the TURN server with TLS. Only needed if your users are behind restrictive firewalls" type = string default = "" } variable "turnOwnPublicCertificate" { - description = "Optional TURN public cert URL for owncert" + description = "(Optional) This setting is applicable if the certificate type is set to 'owncert' and the TurnDomainName is specified." type = string default = "" } variable "turnOwnPrivateCertificate" { - description = "Optional TURN private key URL for owncert" + description = "(Optional) This setting is applicable if the certificate type is set to 'owncert' and the TurnDomainName is specified." 
type = string default = "" } variable "instanceType" { - description = "GCE machine type" + description = "Specifies the GCE machine type for your OpenVidu instance" type = string default = "e2-standard-8" + validation { + condition = can(regex("^(e2-(micro|small|medium|standard-[2-9]|standard-1[0-6]|highmem-[2-9]|highmem-1[0-6]|highcpu-[2-9]|highcpu-1[0-6])|n1-(standard-[1-9]|standard-[1-9][0-9]|highmem-[2-9]|highmem-[1-9][0-9]|highcpu-[1-9]|highcpu-[1-9][0-9])|n2-(standard-[2-9]|standard-[1-9][0-9]|standard-1[0-2][0-8]|highmem-[2-9]|highmem-[1-9][0-9]|highmem-1[0-2][0-8]|highcpu-[1-9][0-9]|highcpu-1[0-2][0-8])|n2d-(standard-[2-9]|standard-[1-9][0-9]|standard-2[0-2][0-4]|highmem-[2-9]|highmem-[1-9][0-9]|highmem-9[0-6]|highcpu-[1-9][0-9]|highcpu-2[0-2][0-4])|c2-(standard-[4-9]|standard-[1-5][0-9]|standard-60)|c2d-(standard-[2-9]|standard-[1-9][0-9]|standard-1[0-1][0-2]|highmem-[2-9]|highmem-[1-9][0-9]|highmem-1[0-1][0-2]|highcpu-[1-9][0-9]|highcpu-1[0-1][0-2])|m1-(ultramem-[4-9][0-9]|ultramem-160)|m2-(ultramem-208|ultramem-416|megamem-416)|m3-(ultramem-32|ultramem-64|ultramem-128|megamem-64|megamem-128)|a2-(standard-[1-9]|standard-[1-9][0-9]|standard-96|highmem-1g|ultramem-1g|megamem-1g)|a3-(standard-[1-9]|standard-[1-9][0-9]|standard-80|highmem-1g|megamem-1g)|g2-(standard-[4-9]|standard-[1-9][0-9]|standard-96)|t2d-(standard-[1-9]|standard-[1-9][0-9]|standard-60)|t2a-(standard-[1-9]|standard-[1-9][0-9]|standard-48)|h3-(standard-88)|f1-(micro)|t4g-(micro|small|medium|standard-[1-9]|standard-[1-9][0-9]))$", var.instanceType)) + error_message = "The instance type is not valid" + } } variable "bucketName" { - description = "If empty, a GCS bucket will be created for app data and recordings" - type = string - default = "" -} - -variable "meetInitialAdminPassword" { - description = "Initial admin password for OpenVidu Meet" + description = "Name of the S3 bucket to store data and recordings. If empty, a bucket will be created" type = string default = "" }
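Review bot: `initialMeetAdminPassword` and `initialMeetApiKey` are credentials but are declared without `sensitive = true`, so their values appear in plan/apply output and in any diff of the rendered startup script; adding `sensitive = true` to both blocks is the minimal fix, bearing in mind that the values still land in state and, if the rendered script is passed as instance metadata, remain readable from the metadata server on the VM. The validation error messages on both variables say "only alphanumeric characters (A-Z, a-z, 0-9)" while the regex `^[A-Za-z0-9_-]*$` also accepts `_` and `-`, and nothing enforces a minimum password length; tightening to something like `^$|^[A-Za-z0-9_-]{12,}$` (the length is an example) with a matching message closes both gaps. These allowlists are also what keeps the values safe inside the later `sed -i "s/MEET_INITIAL_API_KEY=.*/MEET_INITIAL_API_KEY=$MEET_INITIAL_API_KEY/"` replacements, and the `additionalInstallFlags` allowlist is what stops shell metacharacters being rendered into the quoted here-string in the installer script, so a short comment on each validation saying it is relied on for that would discourage anyone from loosening it. The new `bucketName` description says `S3 bucket`; this is the GCP stack and the previous text correctly said GCS.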