feat(lab-06): Jitsi Production Deployment -- resource limits, restart=always, persistent volumes, JWT metrics

RedjiJB · RedjiJB · commit cdb187cbcbc8 · 2026-03-01T11:15:10.000-05:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -214,4 +214,32 @@ jobs:
         run: docker compose -f docker/docker-compose.integration.yml logs
       - name: Cleanup
         if: always()
-        run: docker compose -f docker/docker-compose.integration.yml down -v
+        run: docker compose -f docker/docker-compose.integration.yml down -v
+
+  lab-06-smoke:
+    name: Lab 06 -- Jitsi Production Deployment (resource limits + JWT + metrics)
+    runs-on: ubuntu-latest
+    needs: validate
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install tools
+        run: sudo apt-get install -y curl
+      - name: Validate production compose
+        run: docker compose -f docker/docker-compose.production.yml config -q && echo "Production compose valid"
+      - name: Start production stack
+        run: docker compose -f docker/docker-compose.production.yml up -d
+      - name: Wait for Keycloak
+        run: timeout 240 bash -c 'until curl -sf http://localhost:8207/health/ready | grep -q UP; do sleep 5; done'
+      - name: Wait for Prosody
+        run: timeout 180 bash -c 'until docker inspect jitsi-prod-prosody --format "{{.State.Health.Status}}" | grep -q healthy; do sleep 5; done'
+      - name: Wait for Jitsi web
+        run: timeout 300 bash -c 'until curl -sf http://localhost:8250/; do sleep 10; done'
+      - name: Run Lab 08-06 test script
+        run: bash tests/labs/test-lab-08-06.sh --no-cleanup
+      - name: Collect logs on failure
+        if: failure()
+        run: docker compose -f docker/docker-compose.production.yml logs
+      - name: Cleanup
+        if: always()
+        run: docker compose -f docker/docker-compose.production.yml down -v
diff --git a/docker/docker-compose.production.yml b/docker/docker-compose.production.yml
@@ -1,53 +1,242 @@
-# Lab 06 — Production: jitsi HA-ready with monitoring and external volumes
----
+x-logging: &default-logging
+  driver: json-file
+  options:
+    max-size: "10m"
+    max-file: "5"
+
+x-jitsi-prod-jwt: &jitsi-prod-jwt
+  JWT_AUTH_TYPE: token
+  JWT_TOKEN_AUTH_MODULE: token
+  JWT_APP_ID: jitsi-meet
+  JWT_APP_SECRET: JitsiProd06!
+  JWT_ACCEPTED_ISSUERS: jitsi-meet
+  JWT_ACCEPTED_AUDIENCES: jitsi-meet
+
 services:
-  jitsi:
-    image: jitsi/web:stable
-    container_name: it-stack-jitsi
+  jitsi-prod-traefik:
+    image: traefik:v3.0
+    container_name: jitsi-prod-traefik
     restart: always
+    command:
+      - --api.insecure=true
+      - --providers.docker=true
+      - --providers.docker.exposedByDefault=false
+      - --entrypoints.web.address=:80
     ports:
-      - "443:$firstPort"
-    environment:
-      - IT_STACK_ENV=production
-      - KEYCLOAK_URL=
-      - DB_HOST=
-      - REDIS_HOST=
-      - GRAYLOG_HOST=
+      - "8280:80"
+      - "8209:8080"
     volumes:
-      - jitsi_data:/var/lib/jitsi
-      - /etc/ssl/certs:/etc/ssl/certs:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - jitsi-prod-net
     deploy:
-      replicas: 1
       resources:
         limits:
-          cpus: "4.0"
-          memory: G
-        reservations:
+          memory: 256m
+          cpus: "0.5"
+    logging: *default-logging
+    healthcheck:
+      test: ["CMD", "traefik", "healthcheck"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  jitsi-prod-keycloak:
+    image: quay.io/keycloak/keycloak:24.0
+    container_name: jitsi-prod-keycloak
+    restart: always
+    command: start-dev
+    environment:
+      KC_HEALTH_ENABLED: "true"
+      KC_METRICS_ENABLED: "true"
+      KEYCLOAK_ADMIN: admin
+      KEYCLOAK_ADMIN_PASSWORD: Prod06Admin!
+    ports:
+      - "8207:8080"
+    networks:
+      - jitsi-prod-net
+    deploy:
+      resources:
+        limits:
+          memory: 1g
           cpus: "1.0"
-          memory: 1G
-      restart_policy:
-        condition: any
-        delay: 5s
-    logging:
-      driver: gelf
-      options:
-        gelf-address: "udp://${GRAYLOG_HOST}:12201"
-        tag: "it-stack-jitsi"
+    logging: *default-logging
     healthcheck:
-      test: ["CMD-SHELL", "curl -sf http://localhost/health || exit 1"]
-      interval: 30s
+      test: ["CMD-SHELL", "curl -sf http://localhost:8080/health/ready | grep -q UP || exit 1"]
+      interval: 20s
       timeout: 10s
-      retries: 3
-      start_period: 120s
+      retries: 10
+      start_period: 60s
+
+  jitsi-prod-coturn:
+    image: coturn/coturn:latest
+    container_name: jitsi-prod-coturn
+    restart: always
+    command: >
+      --user=jitsi:JitsiProd06!
+      --realm=lab.local
+      --fingerprint
+      --no-multicast-peers
+      --no-cli
+    ports:
+      - "3479:3478/udp"
+      - "3479:3478/tcp"
     networks:
-      - it-stack-net
+      - jitsi-prod-net
+    deploy:
+      resources:
+        limits:
+          memory: 256m
+          cpus: "0.5"
+    logging: *default-logging
 
-networks:
-  it-stack-net:
-    external: true
-    name: it-stack-production
+  jitsi-prod-prosody:
+    image: jitsi/prosody:stable-9286
+    container_name: jitsi-prod-prosody
+    restart: always
+    environment:
+      <<: *jitsi-prod-jwt
+      XMPP_DOMAIN: meet.lab.local
+      XMPP_AUTH_DOMAIN: auth.meet.lab.local
+      XMPP_MUC_DOMAIN: muc.meet.lab.local
+      XMPP_INTERNAL_MUC_DOMAIN: internal-muc.meet.lab.local
+      JICOFO_AUTH_PASSWORD: JitsiProd06!
+      JVB_AUTH_PASSWORD: JitsiProd06!
+      JIGASI_XMPP_PASSWORD: JitsiProd06!
+      JIBRI_RECORDER_PASSWORD: JitsiProd06!
+      JIBRI_XMPP_PASSWORD: JitsiProd06!
+      TZ: UTC
+    volumes:
+      - jitsi-prod-prosody:/config
+    networks:
+      - jitsi-prod-net
+    deploy:
+      resources:
+        limits:
+          memory: 512m
+          cpus: "0.5"
+    logging: *default-logging
+    healthcheck:
+      test: ["CMD", "prosodyctl", "status"]
+      interval: 15s
+      timeout: 10s
+      retries: 5
+      start_period: 30s
+
+  jitsi-prod-jicofo:
+    image: jitsi/jicofo:stable-9286
+    container_name: jitsi-prod-jicofo
+    restart: always
+    depends_on:
+      jitsi-prod-prosody:
+        condition: service_healthy
+    environment:
+      XMPP_DOMAIN: meet.lab.local
+      XMPP_AUTH_DOMAIN: auth.meet.lab.local
+      XMPP_INTERNAL_MUC_DOMAIN: internal-muc.meet.lab.local
+      XMPP_SERVER: jitsi-prod-prosody
+      JICOFO_AUTH_USER: focus
+      JICOFO_AUTH_PASSWORD: JitsiProd06!
+      JICOFO_ENABLE_HEALTH_CHECKS: "true"
+      TZ: UTC
+    volumes:
+      - jitsi-prod-jicofo:/config
+    networks:
+      - jitsi-prod-net
+    deploy:
+      resources:
+        limits:
+          memory: 512m
+          cpus: "0.5"
+    logging: *default-logging
+
+  jitsi-prod-jvb:
+    image: jitsi/jvb:stable-9286
+    container_name: jitsi-prod-jvb
+    restart: always
+    depends_on:
+      jitsi-prod-prosody:
+        condition: service_healthy
+    environment:
+      XMPP_DOMAIN: meet.lab.local
+      XMPP_AUTH_DOMAIN: auth.meet.lab.local
+      XMPP_INTERNAL_MUC_DOMAIN: internal-muc.meet.lab.local
+      XMPP_SERVER: jitsi-prod-prosody
+      JVB_AUTH_USER: jvb
+      JVB_AUTH_PASSWORD: JitsiProd06!
+      JVB_BREWERY_MUC: jvbbrewery
+      JVB_PORT: "10000"
+      JVB_TCP_HARVESTER_DISABLED: "true"
+      DOCKER_HOST_ADDRESS: 127.0.0.1
+      TZ: UTC
+    ports:
+      - "10002:10000/udp"
+    volumes:
+      - jitsi-prod-jvb:/config
+    networks:
+      - jitsi-prod-net
+    deploy:
+      resources:
+        limits:
+          memory: 1g
+          cpus: "1.0"
+    logging: *default-logging
+
+  jitsi-prod-web:
+    image: jitsi/web:stable-9286
+    container_name: jitsi-prod-web
+    restart: always
+    depends_on:
+      jitsi-prod-prosody:
+        condition: service_healthy
+      jitsi-prod-jicofo:
+        condition: service_started
+      jitsi-prod-jvb:
+        condition: service_started
+    environment:
+      <<: *jitsi-prod-jwt
+      XMPP_DOMAIN: meet.lab.local
+      XMPP_AUTH_DOMAIN: auth.meet.lab.local
+      XMPP_MUC_DOMAIN: muc.meet.lab.local
+      XMPP_INTERNAL_MUC_DOMAIN: internal-muc.meet.lab.local
+      XMPP_BOSH_URL_BASE: http://jitsi-prod-prosody:5280
+      JVB_TCP_HARVESTER_DISABLED: "true"
+      ENABLE_REQUIRE_DISPLAY_NAME: "true"
+      ENABLE_GUESTS: "false"
+      TZ: UTC
+    ports:
+      - "8250:80"
+    volumes:
+      - jitsi-prod-web:/config
+      - jitsi-prod-transcripts:/usr/share/jitsi-meet/transcripts
+    networks:
+      - jitsi-prod-net
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.jitsi-prod.rule=Host(`meet.lab.local`)
+      - traefik.http.routers.jitsi-prod.entrypoints=web
+      - traefik.http.services.jitsi-prod.loadbalancer.server.port=80
+    deploy:
+      resources:
+        limits:
+          memory: 2g
+          cpus: "2.0"
+        reservations:
+          memory: 512m
+    logging: *default-logging
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:80/"]
+      interval: 20s
+      timeout: 10s
+      retries: 10
+      start_period: 60s
 
 volumes:
-  jitsi_data:
-    external: true
-    name: it-stack-jitsi-data
+  jitsi-prod-prosody:
+  jitsi-prod-jicofo:
+  jitsi-prod-jvb:
+  jitsi-prod-web:
+  jitsi-prod-transcripts:
+
+networks:
+  jitsi-prod-net:
diff --git a/tests/labs/test-lab-08-06.sh b/tests/labs/test-lab-08-06.sh
