Auto certs renew in turn server and another endpoints in helm livekit server #145

@WrldEngine

The example is:
https://github.com/livekit/livekit-helm/blob/master/server-sample.yaml

loadBalancer:
  # valid values: disable, alb, aws, gke, gke-managed-cert, gke-native-vpc, do
  # on AWS, we recommend using alb load balancer, which supports TLS termination
  # * in order to use alb, aws-ingress-controller must be installed
  #   https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
  # * for gke-managed-cert type follow https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs
  #   and set staticIpName to your reserved static IP, and certificateName to be
  #   name of the managed cert
  # * for do uncomment clusterIssuer with your cert manager issuer
  type: disable
  # staticIpName: <nameofIpAddressCreated>
  # certificateName: <nameOfCert>
  # clusterIssuer: letsencrypt-prod
  tls:
  #   - hosts:
  #     - livekit.myhost.com
  #   with alb, certificates needs to reside in ACM for self-discovery
  #   with do, use cert-manager and create certificate for turn. Load balancer is automatic
  #   with gke, specify one or more secrets to use for the certificate
  #   see: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl#specifying_certificates_for_your_ingress
  #     secretName: <mysecret>

I don't understand this part. What does it stand for? Can I enable it on bare-metal Kubernetes? And how?
Why not make a configuration for MetalLB?

  1. I configured it like this:
livekit:
  log_level: info
  rtc:
    use_external_ip: true
    port_range_start: 50000
    port_range_end: 60000
    tcp_port: 7881
  redis:
    {}
  # one or more API key/secret pairs
  # see https://docs.livekit.io/guides/getting-started/#generate-api-key-and-secret
  keys:
    apikey: "secret"
  turn:
    enabled: true
    domain: turn-local-ssb.mycustomdomain.com
    tls_port: 3478
    udp_port: 3478
    secretName: livekit-server-tls
    serviceType: "LoadBalancer"
    tlsSecret: livekit-server-tls

How can I bind TLS without manually providing cert files? I have cert-manager, which renews and manages certificates, and I want to use cert-manager instead of static configuration, which expires after a year anyway.

Livekit-server's config is confusing.
For example, why do we need ingresses separately from livekit-server? Or is it another ingress, not livekit-server's?
Why can't I write the ingress in the values.yaml of livekit-server, to enable wss and https as well?
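
An added example, not part of the original issue and not taken from the livekit-helm chart: a cert-manager `Certificate` that issues and renews the Secret named under `turn:` in the values above. It assumes a ClusterIssuer called `letsencrypt-prod` (the name in the commented `clusterIssuer` line) already exists and can complete challenges for the TURN domain; the resource name and namespace are hypothetical.

```yaml
# Added example: have cert-manager own the TURN TLS Secret instead of
# creating it by hand from static certificate files.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: livekit-turn-tls            # hypothetical resource name
  namespace: livekit                # assumption: namespace of the livekit-server release
spec:
  # Secret that cert-manager creates and keeps renewed; same name as the
  # Secret referenced in the turn: block of the values shown above.
  secretName: livekit-server-tls
  dnsNames:
    - turn-local-ssb.mycustomdomain.com
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod          # assumption: issuer exists and can solve challenges for this domain
  privateKey:
    rotationPolicy: Always          # new private key on every renewal
  duration: 2160h                   # 90-day certificate lifetime requested
  renewBefore: 720h                 # renew 30 days before expiry
```

cert-manager rewrites the Secret in place on renewal; whether the running TURN pods reload the new certificate without a restart is not covered by this page and should be checked after the first renewal.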
