Deploy to Kubernetes

LiveKit streamlines deployment to Kubernetes. We publish a Helm chart that help you set up a distributed deployment of LiveKit, along with a Service and Ingress to correctly route traffic. Our Helm chart supports Google GKE, Amazon EKS, and Digital Ocean DOKS out of the box, and can serve as a guide on your custom Kubernetes installations.

important:

LiveKit does not support deployment to serverless and/or private clusters. Private clusters have additional layers of NAT that make it unsuitable for WebRTC traffic.

Understanding the deployment

LiveKit pods requires direct access to the network with host networking. This means that the rtc.udp/tcp ports that are open on those nodes are directly handled by LiveKit server. With that direct requirement of specific ports, it means we'll be limited to one LiveKit pod per node. It's possible to run other workload on those nodes.

Termination of TLS/SSL is left as a responsibility of the Ingress. Our Helm chart will configure TLS termination for GKE and ALB load balancers. To use ALB on EKS, AWS Load Balancer Controller needs to be installed separately.

Kubernetes Deployment

Graceful restarts

During an upgrade deployment, older pods will need to be terminated. This could be extremely disruptive if there are active sessions running on those pods. LiveKit handles this by allowing that instance to drain prior to shutting down.

We also set terminationGracePeriodSeconds to 5 hours in the helm chart, ensuring Kubernetes gives sufficient time for the pod to gracefully shut down.

Using the Helm Chart

Pre-requisites

To deploy a multi-node cluster that autoscales, you'll need:

  • a Redis instance
  • SSL certificates for primary domain and TURN/TLS
  • a Kubernetes cluster on AWS, GCloud, or DO
  • Helm is installed on your machine.

Then add the LiveKit repo

$ helm repo add livekit https://helm.livekit.io

Depending on your cloud provider, the following pre-requisites may be required

On AWS, it's recommended to use ALB Ingress Controller as the main load balancer for LiveKit's signal connection. You can find installation instructions here.

With ALB, you could also used ACM to handle TLS termination for the primary domain. However, a SSL certificate is still needed in order to use the embedded TURN/TLS server.

Create a values.yaml for your deployment, using server-sample.yaml as a template.

Checkout Helm examples for AWS, Google Cloud, and Digital Ocean.

Importing SSL Certificates

In order to set up TURN/TLS and HTTPS on the load balancer, you may need to import your SSL certificate(s) into as a Kubernetes Secret. This can be done with:

kubectl create secret tls <NAME> --cert <CERT-FILE> --key <KEY-FILE> --namespace <NAMESPACE>

Note, please ensure that the secret is created in the same namespace as the deployment.

Install & Upgrade

helm install <INSTANCE_NAME> livekit/livekit-server --namespace <NAMESPACE> --values values.yaml

We'll publish new version of the chart with new server releases. To fetch these updates and upgrade your installation, perform

helm repo update
helm upgrade <INSTANCE_NAME> livekit/livekit-server --namespace <NAMESPACE> --values values.yaml

If any configuration has changed, you may need to trigger a restart of the deployment. Kubernetes triggers a restart only when the pod itself has changed, but does not when the changes took place in the ConfigMap.

Firewall

Ensure that your firewall is configured properly to allow traffic into LiveKit ports.