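---
# coturn TURN/STUN relay for the Matrix deployment.
# Three objects: the config template (ConfigMap), an in-cluster Service,
# and the Deployment that renders the template with the shared secret
# and runs turnserver on the host network.
apiVersion: v1
kind: ConfigMap
metadata:
  name: coturn-config
  namespace: matrix
data:
  # Template only: the literal "$TURN_SECRET" below is replaced by the
  # init container, so the shared secret never lives in this ConfigMap.
  #
  # NOTE(review): no peer restrictions are configured. Because the pod
  # runs with hostNetwork, an authenticated client can ask the relay to
  # reach any address the node can reach. Consider `no-multicast-peers`
  # and `denied-peer-ip=<range>` entries for the private/link-local
  # ranges of this network; the ranges depend on the environment and are
  # not visible from this file.
  turnserver.conf: |
    # TURN Server configuration
    realm=axion1337.chat

    # Listen ports
    listening-port=3478
    listening-ip=0.0.0.0
    alt-listening-port=5349
    alt-listening-ip=0.0.0.0

    # External IPs (for clients behind NAT)
    relay-ip=49.13.132.245
    external-ip=49.13.132.245

    # Relay port range
    # These are coturn's default bounds, written out so the UDP range
    # that has to be allowed on the host firewall is explicit.
    min-port=49152
    max-port=65535

    # Authentication
    use-auth-secret
    static-auth-secret=$TURN_SECRET

    # HTTPS/TLS
    cert=/etc/coturn/tls/tls.crt
    pkey=/etc/coturn/tls/tls.key

    # Performance tuning (0 = no bandwidth cap)
    max-bps=0
    bps-capacity=0

    # Logging
    log-file=stdout
    verbose
---
# In-cluster Service. With hostNetwork on the pod, external clients reach
# coturn on the node address directly; this Service only covers
# cluster-internal access.
apiVersion: v1
kind: Service
metadata:
  name: coturn
  namespace: matrix
spec:
  type: ClusterIP
  ports:
    - name: stun-udp
      port: 3478
      protocol: UDP
    - name: stun-tcp
      port: 3478
      protocol: TCP
    - name: turns-tcp
      port: 5349
      protocol: TCP
  selector:
    app: coturn
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coturn
  namespace: matrix
spec:
  replicas: 1
  selector:
    matchLabels:
      app: coturn
  template:
    metadata:
      labels:
        app: coturn
      annotations:
        prometheus.io/scrape: "false"
    spec:
      # hostNetwork shares the node's network namespace: every port
      # turnserver opens is opened on the node itself, and the relay sees
      # the node's interfaces and routes.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      initContainers:
        # Renders turnserver.conf from the ConfigMap template by
        # substituting the shared secret read from the mounted Secret.
        - name: init-config
          image: busybox:1.28
          command:
            - sh
            - -c
            - |
              # Abort on any failed command or unset variable so a
              # half-rendered config is never handed to coturn.
              set -eu
              TURN_SECRET=$(cat /etc/coturn-secret/TURN_SECRET)
              # Fail closed: an empty value would render
              # "static-auth-secret=" and start the relay with a blank
              # shared secret.
              if [ -z "$TURN_SECRET" ]; then
                echo "TURN_SECRET is empty; refusing to render turnserver.conf" >&2
                exit 1
              fi
              # NOTE(review): the secret is used as a sed replacement, so
              # a value containing "|", "&" or "\" is mangled or breaks
              # the command; keep the secret to characters outside that
              # set.
              sed "s|\$TURN_SECRET|$TURN_SECRET|g" /etc/coturn-template/turnserver.conf > /etc/coturn/turnserver.conf
              # NOTE(review): 644 leaves the rendered secret readable by
              # every user in any container that mounts this volume; it
              # is presumably needed because coturn runs as a different
              # user than this init container (confirm before
              # tightening).
              chmod 644 /etc/coturn/turnserver.conf
          resources:
            limits:
              cpu: 100m
              memory: 64Mi
            requests:
              cpu: 50m
              memory: 32Mi
          volumeMounts:
            - name: config-template
              mountPath: /etc/coturn-template
            - name: config
              mountPath: /etc/coturn
            - name: secret
              mountPath: /etc/coturn-secret
              readOnly: true
      containers:
        - name: coturn
          # NOTE(review): `latest` combined with IfNotPresent means the
          # version that runs is whatever the node happened to cache.
          # Pin to a release tag or an image digest.
          image: coturn/coturn:latest
          imagePullPolicy: IfNotPresent
          ports:
            - name: stun-udp
              containerPort: 3478
              protocol: UDP
            - name: stun-tcp
              containerPort: 3478
              protocol: TCP
            - name: turns-tcp
              containerPort: 5349
              protocol: TCP
          volumeMounts:
            - name: config
              mountPath: /etc/coturn
            - name: tls
              mountPath: /etc/coturn/tls
              readOnly: true
          resources:
            limits:
              cpu: 500m
              memory: 256Mi
            requests:
              cpu: 100m
              memory: 128Mi
          # Liveness: passes while a UDP socket on a port matching 3478
          # is listed as bound.
          livenessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - "netstat -uln | grep 3478 || exit 1"
            initialDelaySeconds: 30
            periodSeconds: 10
      volumes:
        # Scratch volume that carries the rendered config (including the
        # secret) from the init container to coturn.
        - name: config
          emptyDir: {}
        - name: config-template
          configMap:
            name: coturn-config
        - name: secret
          secret:
            secretName: coturn-secret
            # Octal literal: owner read-only. Kubernetes expects an
            # integer here, so it must stay unquoted.
            defaultMode: 0400
        - name: tls
          secret:
            secretName: turn-axion1337-chat-tls
      affinity:
        # NOTE(review): relay-ip/external-ip in the config name a single
        # address, yet this affinity is only a preference. If that
        # address belongs to the "matrix" node alone, a pod scheduled
        # elsewhere cannot bind it (confirm, and consider
        # requiredDuringSchedulingIgnoredDuringExecution).
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: kubernetes.io/hostname
                    operator: In
                    values:
                      - matrix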