benbz (Member) commented Dec 8, 2025

Added in #635 with 0.3.0 of the MatrixRTC authoriser service. Controls whether LIVEKIT_FULL_ACCESS_HOMESERVERS is set to $.Values.serverName (true) or * (false).

Unsure if this can be toggled yet, so draft and cc @fkwp for advice
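
One way to gate a deployment on the setting described above, as an added example (not code from ess-helm or the authoriser service): it reads rendered Deployments as JSON, for instance from `kubectl get deployment -o json`, and reports any container whose LIVEKIT_FULL_ACCESS_HOMESERVERS is `*` or names a homeserver other than the expected server name. The function names, the sample manifest and the comma-separated parsing of the value are assumptions.

```python
import json

ENV_NAME = "LIVEKIT_FULL_ACCESS_HOMESERVERS"  # variable named in this PR


def audit_full_access(rendered_json, server_name):
    """Return (deployment, container, problem) tuples for rendered manifests.

    rendered_json is JSON text holding one object or a `kind: List`.
    """
    doc = json.loads(rendered_json)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    findings = []
    for obj in items:
        if obj.get("kind") != "Deployment":
            continue
        name = obj["metadata"]["name"]
        for c in obj["spec"]["template"]["spec"].get("containers", []):
            for env in c.get("env", []):
                if env.get("name") != ENV_NAME:
                    continue
                if "value" not in env:
                    findings.append((name, c["name"], "set via valueFrom, not auditable statically"))
                    continue
                # Assumption: the value is a comma-separated homeserver list.
                hosts = {h.strip() for h in env["value"].split(",") if h.strip()}
                if "*" in hosts:
                    findings.append((name, c["name"], "wildcard: all homeservers get full access"))
                elif hosts - {server_name}:
                    extra = ", ".join(sorted(hosts - {server_name}))
                    findings.append((name, c["name"], "extra homeservers: " + extra))
    return findings


def sample_manifest(value):
    # Constructed sample manifest, trimmed to the fields the audit reads.
    return json.dumps({
        "kind": "Deployment",
        "metadata": {"name": "release-name-matrix-rtc-authorisation-service"},
        "spec": {"template": {"spec": {"containers": [{
            "name": "matrix-rtc-authorisation-service",
            "env": [{"name": ENV_NAME, "value": value}],
        }]}}},
    })


if __name__ == "__main__":
    for value in ("*", "ess.localhost", "ess.localhost,other.example"):
        print(value, "->", audit_full_access(sample_manifest(value), "ess.localhost"))
```

An empty findings list means the rendered value matches the restricted setting for the given server name.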

github-actions bot commented Dec 8, 2025

dyff of changes in rendered templates of CI manifests

Full contents of manifests and dyffs are available in https://github.com/element-hq/ess-helm/actions/runs/20129756391/artifacts/4836039124

example-default-enabled-components-checkov-values.yaml
@@ Deployment/ess-ci/release-name-matrix-rtc-authorisation-service - spec.template.spec.containers.matrix-rtc-authorisation-service.env.LIVEKIT_FULL_ACCESS_HOMESERVERS.value @@
- *
+ ess.localhost
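
Review bot: in this hunk the default-enabled values flip LIVEKIT_FULL_ACCESS_HOMESERVERS from * to ess.localhost with no values change on the operator's side, so an upgrade silently narrows which homeservers get full access. This deserves an entry under breaking changes in the changelog, and the description of matrixRTC.restrictRoomCreationToLocalUsers should state that setting it to false restores *.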

example-default-enabled-components-values.yaml
@@ Deployment/ess-ci/release-name-matrix-rtc-authorisation-service - spec.template.spec.containers.matrix-rtc-authorisation-service.env.LIVEKIT_FULL_ACCESS_HOMESERVERS.value @@
- *
+ ess.localhost

pytest-matrix-rtc-synapse-wellknown-values.yaml
@@ Deployment/ess-ci/release-name-matrix-rtc-authorisation-service - spec.template.spec.containers.matrix-rtc-authorisation-service.env.LIVEKIT_FULL_ACCESS_HOMESERVERS.value @@
- *
+ ess.localhost

quick-setup-certificates-pg-external-values.yaml
@@ Deployment/ess-ci/release-name-matrix-rtc-authorisation-service - spec.template.spec.containers.matrix-rtc-authorisation-service.env.LIVEKIT_FULL_ACCESS_HOMESERVERS.value @@
- *
+ your.tld

quick-setup-certificates-pg-with-helm-values.yaml
@@ Deployment/ess-ci/release-name-matrix-rtc-authorisation-service - spec.template.spec.containers.matrix-rtc-authorisation-service.env.LIVEKIT_FULL_ACCESS_HOMESERVERS.value @@
- *
+ your.tld

quick-setup-external-cert-pg-external-values.yaml
@@ Deployment/ess-ci/release-name-matrix-rtc-authorisation-service - spec.template.spec.containers.matrix-rtc-authorisation-service.env.LIVEKIT_FULL_ACCESS_HOMESERVERS.value @@
- *
+ your.tld

quick-setup-external-cert-pg-with-helm-values.yaml
@@ Deployment/ess-ci/release-name-matrix-rtc-authorisation-service - spec.template.spec.containers.matrix-rtc-authorisation-service.env.LIVEKIT_FULL_ACCESS_HOMESERVERS.value @@
- *
+ your.tld

quick-setup-letsencrypt-pg-external-values.yaml
@@ Deployment/ess-ci/release-name-matrix-rtc-authorisation-service - spec.template.spec.containers.matrix-rtc-authorisation-service.env.LIVEKIT_FULL_ACCESS_HOMESERVERS.value @@
- *
+ your.tld

quick-setup-letsencrypt-pg-with-helm-values.yaml
@@ Deployment/ess-ci/release-name-matrix-rtc-authorisation-service - spec.template.spec.containers.matrix-rtc-authorisation-service.env.LIVEKIT_FULL_ACCESS_HOMESERVERS.value @@
- *
+ your.tld

quick-setup-wildcard-cert-pg-external-values.yaml
@@ Deployment/ess-ci/release-name-matrix-rtc-authorisation-service - spec.template.spec.containers.matrix-rtc-authorisation-service.env.LIVEKIT_FULL_ACCESS_HOMESERVERS.value @@
- *
+ your.tld

quick-setup-wildcard-cert-pg-with-helm-values.yaml
@@ Deployment/ess-ci/release-name-matrix-rtc-authorisation-service - spec.template.spec.containers.matrix-rtc-authorisation-service.env.LIVEKIT_FULL_ACCESS_HOMESERVERS.value @@
- *
+ your.tld

benbz force-pushed the bbz/default-restrict-matrixrtc branch from 562de93 to a72f38e on December 8, 2025 13:37
fkwp commented Dec 8, 2025

Does this change also configure the SFU to restrict room creation?

room:
  auto_create: false

benbz (Member, Author) commented Dec 8, 2025

> Does this change also configure the SFU to restrict room creation?
>
> room:
>   auto_create: false

That is hard-coded off regardless of the value of matrixRTC.restrictRoomCreationToLocalUsers.

fkwp commented Dec 8, 2025

> Added in #635 with 0.3.0 of the MatrixRTC authoriser service. Controls whether LIVEKIT_FULL_ACCESS_HOMESERVERS is set to $.Values.serverName (true) or * (false).
>
> Unsure if this can be toggled yet, so draft and cc @fkwp for advice

It would work. It's important that the lk-jwt-service can reach out to the SFU to create the room in advance. However, that's already the case as the config is currently defaulting to *

benbz (Member, Author) commented Dec 8, 2025

> > Added in #635 with 0.3.0 of the MatrixRTC authoriser service. Controls whether LIVEKIT_FULL_ACCESS_HOMESERVERS is set to $.Values.serverName (true) or * (false).
> > Unsure if this can be toggled yet, so draft and cc @fkwp for advice
>
> It would work. It's important that the lk-jwt-service can reach out to the SFU to create the room in advance. However, that's already the case as the config is currently defaulting to *

So as per the original comment until clients are upgraded to support the new mechanism, enough clients now support the new mechanism and enough time has passed since they gained support for it?

fkwp commented Dec 8, 2025

> > > Added in #635 with 0.3.0 of the MatrixRTC authoriser service. Controls whether LIVEKIT_FULL_ACCESS_HOMESERVERS is set to $.Values.serverName (true) or * (false).
> > > Unsure if this can be toggled yet, so draft and cc @fkwp for advice
> >
> > It would work. It's important that the lk-jwt-service can reach out to the SFU to create the room in advance. However, that's already the case as the config is currently defaulting to *
>
> So as per the original comment until clients are upgraded to support the new mechanism, enough clients now support the new mechanism and enough time has passed since they gained support for it?

I see, it should be fine.

benbz marked this pull request as ready for review on December 9, 2025 14:46
benbz requested a review from a team as a code owner on December 9, 2025 14:46
jaywink (Member) left a comment

Change ok. I am wondering however if this should be listed in the breaking changes section of the changelog? On the fence so not pushing for it.

benbz (Member, Author) commented Dec 11, 2025

> Change ok. I am wondering however if this should be listed in the breaking changes section of the changelog? On the fence so not pushing for it.

I don't think it is particularly important, but let's do it just in case

benbz force-pushed the bbz/default-restrict-matrixrtc branch from a72f38e to 98e80d2 on December 11, 2025 10:14
benbz force-pushed the bbz/default-restrict-matrixrtc branch from 98e80d2 to 04650ce on December 11, 2025 10:20
benbz merged commit 875143e into main on Dec 11, 2025
73 checks passed
benbz deleted the bbz/default-restrict-matrixrtc branch on December 11, 2025 10:34