From fd8be9f23feaf7b7de1d78e8b8ee79ce4414fd55 Mon Sep 17 00:00:00 2001 From: cruizba Date: Sat, 14 Jun 2025 02:02:29 +0200 Subject: [PATCH] openvidu-deployment: - AWS HA - Add experimental TURN TLS --- .../pro/ha/aws/cf-openvidu-ha.yaml | 107 ++++++++++++++++-- 1 file changed, 96 insertions(+), 11 deletions(-) diff --git a/openvidu-deployment/pro/ha/aws/cf-openvidu-ha.yaml b/openvidu-deployment/pro/ha/aws/cf-openvidu-ha.yaml index 82ee0eea..3af7d6c9 100644 --- a/openvidu-deployment/pro/ha/aws/cf-openvidu-ha.yaml +++ b/openvidu-deployment/pro/ha/aws/cf-openvidu-ha.yaml @@ -416,9 +416,24 @@ Metadata: Conditions: TurnTLSIsEnabled: !Or [!Not [!Equals [!Ref TurnDomainName, ""]], !Not [!Equals [!Ref TurnCertificateARN, ""]]] - TurnTLSIsNotEnabled: !Or [!Equals [!Ref TurnDomainName, ""], !Equals [!Ref TurnCertificateARN, ""]] CreateRecordingsBucket: !Equals [!Ref S3AppDataBucketName, ""] CreateClusterDataBucket: !Equals [!Ref S3ClusterDataBucketName, ""] + # --- + # Experimental TURN TLS with main domain + ExperimentalTurnTLSWithMainDomain: + Fn::Not: + - Fn::Equals: + - !Ref AdditionalInstallFlags + - !Select [0, !Split ["--experimental-turn-tls-with-main-domain", !Ref AdditionalInstallFlags]] + NotExperimentalTurnTLSWithMainDomain: + Fn::Or: + - Fn::Equals: + - !Ref AdditionalInstallFlags + - !Select [0, !Split ["--experimental-turn-tls-with-main-domain", !Ref AdditionalInstallFlags]] + - Fn::Equals: + - !Ref AdditionalInstallFlags + - "" + # --- Resources: @@ -2113,16 +2128,6 @@ Resources: ToPort: 5349 SourceSecurityGroupId: !Ref OpenViduTurnTLSLoadBalancerSG - OpenViduLoadBalancerTurnTLSMasterNodeToMediaNodeIngressSG: - Type: AWS::EC2::SecurityGroupIngress - Condition: "TurnTLSIsNotEnabled" - Properties: - GroupId: !Ref OpenViduMediaNodeSG - IpProtocol: tcp - FromPort: 5349 - ToPort: 5349 - SourceSecurityGroupId: !Ref OpenViduMasterNodeSG - OpenViduLoadBalancerTurnTLSToMediaNodeHealthCheckSG: Type: AWS::EC2::SecurityGroupIngress Condition: TurnTLSIsEnabled 
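Review bot: `NotExperimentalTurnTLSWithMainDomain` re-implements the negation of `ExperimentalTurnTLSWithMainDomain` by hand (the same Split/Select comparison plus an extra empty-string case), so the two can drift apart and leave a stack with both or neither of the master listener/target group pairs; define it as `NotExperimentalTurnTLSWithMainDomain: !Not [!Condition ExperimentalTurnTLSWithMainDomain]`. The detection is a substring match on AdditionalInstallFlags, so any flag whose text contains `--experimental-turn-tls-with-main-domain` (a longer flag name, or the flag with a value appended) also enables the experimental path; that may be acceptable for an experimental switch but deserves a comment, e.g. `# substring match: any flag containing this text enables the experimental path`. Nothing makes this condition and `TurnTLSIsEnabled` mutually exclusive, so a stack given both TurnDomainName/TurnCertificateARN and the experimental flag creates the dedicated TURN TLS load balancer path as well as the main-domain 443 listener; if that combination is unsupported it should be rejected by a `Rules` entry on the parameters rather than left to deploy.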
@@ -2152,6 +2157,29 @@ Resources: ToPort: 8080 SourceSecurityGroupId: !Ref OpenViduMasterNodeSG + # --- + # Experimental TURN TLS with main domain + OpenViduTurnTLSMasterNodeToMediaNodeIngressSG: + Type: AWS::EC2::SecurityGroupIngress + Condition: ExperimentalTurnTLSWithMainDomain + Properties: + GroupId: !Ref OpenViduMediaNodeSG + IpProtocol: tcp + FromPort: 5349 + ToPort: 5349 + SourceSecurityGroupId: !Ref OpenViduMasterNodeSG + + OpenViduTurnTLSLoadBalancerToMediaNodeIngressSG: + Type: AWS::EC2::SecurityGroupIngress + Condition: ExperimentalTurnTLSWithMainDomain + Properties: + GroupId: !Ref OpenViduMasterNodeSG + IpProtocol: tcp + FromPort: 443 + ToPort: 443 + SourceSecurityGroupId: !Ref OpenViduLoadBalancerSG + # --- + OpenViduLoadBalancerSG: Type: AWS::EC2::SecurityGroup Properties: @@ -2242,6 +2270,7 @@ Resources: OpenViduMasterNodeListener: Type: 'AWS::ElasticLoadBalancingV2::Listener' + Condition: NotExperimentalTurnTLSWithMainDomain Properties: DefaultActions: - Type: forward @@ -2252,6 +2281,22 @@ Resources: Certificates: - CertificateArn: !Ref OpenViduCertificateARN + # --- + # Experimental TURN TLS with main domain + OpenViduMasterNodeWithTurnTLSListener: + Type: 'AWS::ElasticLoadBalancingV2::Listener' + Condition: ExperimentalTurnTLSWithMainDomain + Properties: + DefaultActions: + - Type: forward + TargetGroupArn: !Ref OpenViduMasterNodeWithTurnTLSTG + LoadBalancerArn: !Ref LoadBalancer + Port: 443 + Protocol: TLS + Certificates: + - CertificateArn: !Ref OpenViduCertificateARN + # --- + OpenViduRTMPMediaNodeListener: Type: 'AWS::ElasticLoadBalancingV2::Listener' Properties: @@ -2279,6 +2324,7 @@ Resources: OpenViduMasterNodeTG: Type: AWS::ElasticLoadBalancingV2::TargetGroup + Condition: NotExperimentalTurnTLSWithMainDomain Properties: Name: Fn::Join: 
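Review bot: `OpenViduTurnTLSLoadBalancerToMediaNodeIngressSG` is misnamed: its GroupId is `OpenViduMediaNodeSG`'s sibling `OpenViduMasterNodeSG`, so the rule it adds is load balancer → master node on tcp/443 and touches no media node; rename it `OpenViduTurnTLSLoadBalancerToMasterNodeIngressSG` so a later reader does not go looking for a media-node 443 rule that does not exist. The rule itself is scoped correctly (source restricted to the load balancer security group, single port), and the master → media 5349 rule now exists only under the experimental condition where the old `TurnTLSIsNotEnabled` rule was removed, which is a tightening, but the bare `# Experimental TURN TLS with main domain` marker should say what each rule is for, e.g. `# main-domain 443 traffic from the NLB reaches the master node in this mode` and `# master node relays TURN TLS (5349) to media nodes in this mode`. The security-group resources these rules attach to are defined outside the hunk.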
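Review bot: `OpenViduMasterNodeWithTurnTLSListener` terminates TLS at the NLB (`Protocol: TLS` with OpenViduCertificateARN) while the target group it forwards to, `OpenViduMasterNodeWithTurnTLSTG`, is declared in the following hunk with `Protocol: TCP` and `Port: 443`, so the master node receives the decrypted HTTPS and TURN stream on port 443 in cleartext inside the VPC. That is only correct if the service bound to 443 on the master node expects cleartext; if it serves TLS itself, the target group needs `Protocol: TLS`, and if cleartext is the design, a comment on the listener should say so, e.g. `# TLS is terminated at the NLB; the master node receives the decrypted 443 stream and demuxes HTTPS/TURN`. The listener also sets no `SslPolicy`, so the TURN path runs on the NLB default policy; if the existing `OpenViduMasterNodeListener` pins one, match it so both paths enforce the same minimum TLS version.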
@@ -2312,6 +2358,45 @@ Resources: - Key: Name Value: !Sub ${AWS::StackName} - OpenVidu HA - Master Target Group + # --- + # Experimental TURN TLS with main domain + OpenViduMasterNodeWithTurnTLSTG: + Type: AWS::ElasticLoadBalancingV2::TargetGroup + Condition: ExperimentalTurnTLSWithMainDomain + Properties: + Name: + Fn::Join: + # Generate a not too long and unique target id + # Getting a unique identifier from the stack id + - '' + - - OVTurnTLSMaster- + - !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]] + TargetType: instance + Targets: + - Id: !Ref OpenViduMasterNode1 + - Id: !Ref OpenViduMasterNode2 + - Id: !Ref OpenViduMasterNode3 + - Id: !Ref OpenViduMasterNode4 + VpcId: !Ref OpenViduVPC + Port: 443 + Protocol: TCP + Matcher: + HttpCode: '200' + HealthCheckIntervalSeconds: 10 + HealthCheckPath: /health/caddy + HealthCheckProtocol: HTTP + HealthCheckPort: '7880' + HealthCheckTimeoutSeconds: 5 + HealthyThresholdCount: 3 + UnhealthyThresholdCount: 4 + TargetGroupAttributes: + - Key: deregistration_delay.timeout_seconds + Value: 60 + Tags: + - Key: Name + Value: !Sub ${AWS::StackName} - OpenVidu HA - TURN TLS Master Target Group + # --- + OpenViduMediaNodeRTMPTG: Type: AWS::ElasticLoadBalancingV2::TargetGroup Properties:
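Review bot: The health check on `OpenViduMasterNodeWithTurnTLSTG` probes HTTP `/health/caddy` on port 7880 while the target group forwards to port 443, so a master node whose 443 endpoint is down or not yet listening stays in rotation as long as the 7880 endpoint answers, and the NLB keeps sending main-domain HTTPS and TURN TLS connections to it. If 7880 is the only endpoint that reflects readiness of the 443 service this is fine but should be documented, e.g. `# 7880 /health/caddy is expected to reflect readiness of the 443 multiplexer`; otherwise probe 443 directly (`HealthCheckPort: '443'`, `HealthCheckProtocol: TCP`). The NLB also needs ingress to 7880 on the master nodes for this check to pass; if `OpenViduMasterNodeTG` uses the same check that rule already exists, but that cannot be confirmed from this hunk.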