feat: Mosquitto, db storage class, Homepage image bump, Proxmox proxy…

… sticky sessions (fix)
homecentr · Aug 9, 2023 · a2a7219 · a2a7219
1 parent 22f5a2b
commit a2a7219
Show file tree

Hide file tree

Showing 43 changed files with 776 additions and 29 deletions.
diff --git a/apps/_index/values.apps.yml b/apps/_index/values.apps.yml
@@ -42,6 +42,20 @@ applications:
  syncWave: -100
  deleteProtection: false
 
+- name: network-policies-nvidia
+ namespace: nvidia
+ path: apps/network-policies
+ type: helm
+ syncWave: -100
+ deleteProtection: false
+
+- name: network-policies-apps
+ namespace: apps
+ path: apps/network-policies
+ type: helm
+ syncWave: -100
+ deleteProtection: false
+
 - name: metallb-crd
  namespace: metallb-system
  type: raw
@@ -76,8 +90,17 @@ applications:
  namespace: kube-system
  deleteProtection: false
  valueFiles:
+ - values.yml
  - values.$env.yml
 
+- name: nvidia-device-plugin
+ type: helm
+ syncWave: -88
+ namespace: nvidia
+ deleteProtection: false
+ valueFiles:
+ - values.yml
+
 - name: cert-manager-crd
  type: raw
  syncWave: -80
@@ -140,8 +163,9 @@ applications:
  namespace: apps
  deleteProtection: false
  valueFiles:
- - values.$env.yml
+ - values.yml
  - values.config.yml
+ - values.$env.yml
 
 - name: kubernetes-dashboard
  type: helm
@@ -176,3 +200,21 @@ applications:
  valueFiles:
  - values.$env.yml
  - values.yml
+
+- name: mosquitto
+ type: helm
+ namespace: apps
+ deleteProtection: false
+ valueFiles:
+ - values.$env.yml
+ - values.yml
+
+# - name: frigate
+# type: helm
+# namespace: apps
+# deleteProtection: false
+# valueFiles:
+# - values.$env.yml
+# - values.yml
+# secretValueFiles:
+# - secrets.$env.yml
diff --git a/apps/cloudflared/templates/deployment.yml b/apps/cloudflared/templates/deployment.yml
@@ -20,6 +20,9 @@ spec:
  metadata:
  labels:
  {{- include "common.pod-labels" . | indent 8 }}
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/config-map.yml") $ | sha256sum }}
+ checksum/credentials: {{ include (print $.Template.BasePath "/secret-credentials.yml") $ | sha256sum }}
  spec:
  securityContext:
  runAsUser: 1000

diff --git a/apps/cloudflared/values.lab.yml b/apps/cloudflared/values.lab.yml
@@ -6,6 +6,7 @@ routes:
  - hostname: argocd-lab.homecentr.one
  - hostname: pve-lab.homecentr.one
  - hostname: cyberchef-lab.homecentr.one
+ - hostname: nvr-lab.homecentr.one
 
  external:
  - hostname: pve1-lab.homecentr.one

diff --git a/apps/cloudflared/values.prod.yml b/apps/cloudflared/values.prod.yml
@@ -6,6 +6,7 @@ routes:
  - hostname: argocd.homecentr.one
  - hostname: pve.homecentr.one
  - hostname: cyberchef.homecentr.one
+ - hostname: nvr.homecentr.one
 
  external:
  - hostname: pve1.homecentr.one

diff --git a/apps/cyberchef/templates/service.yml b/apps/cyberchef/templates/service.yml
@@ -1,10 +1,10 @@
 apiVersion: v1
 kind: Service
 metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ $.Release.Namespace }}
  labels:
  {{- include "common.resource-labels" . | indent 4 }}
- name: cyberchef
- namespace: {{ $.Release.Namespace }}
 spec:
  ports:
  - name: http

diff --git a/apps/frigate/Chart.yaml b/apps/frigate/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v2
+name: frigate
+version: 1.0.0
+
+dependencies:
+ - name: common
+ version: 1.0.0
+ repository: file:https://../common
+
+ # - name: frigate
+ # version: 7.0.1
+ # repository: https://blakeblackshear.github.io/blakeshome-charts/
+
diff --git a/apps/frigate/secrets.lab.yml b/apps/frigate/secrets.lab.yml
@@ -0,0 +1,34 @@
+rtspUser: ENC[AES256_GCM,data:MuXiCQWvkA==,iv:Qbtmu/BR/KFStbBSWQ7j5o7qdLw6wNp1Ey+C+QrR3sA=,tag:xhwW8wvtCF2go4qiD8DbYw==,type:str]
+rtspPassword: ENC[AES256_GCM,data:qGl0cuy3MBbxqypQkH5AazkS0mk=,iv:GV2FGyOAA0sU7qz/VghztQmopY/LMyzsCqcI9wHeraA=,tag:MGujkxGiQZaqgKvFULSfaQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZVnJyQmlHb3hGZnFUMG9p
+ b0FxbkFBMFVaQmR3eGNpUEw0TFJ6YTBHNGdvCjlXL0R1MzdFQklDaDYraGRPTUZT
+ N01FNVB1MnJpazd2ZzVDTktJSmIxRncKLS0tIHdyYkxSRjcrK3hGMTBvL2RBMVg1
+ eHpGcXZvempPTlNlY3hLeEk0NTFUcDAKKjrXZYChyNokGGfF1NqCjOib6X5tYCDk
+ 3Hgs0ERlurfrWfs6oydtk0Ih1xgdzc7spyJ9sy4fSsfsy1oxxyhScA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1thhmcq56csqrrd07eymtau54xl620yw6qkjykc8tvpyr975v03zqhq5uz4
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOL1ZFakVHcmk5VjhKWTMr
+ UFVtM1lDb2NaZnB1SmZISmd0QkRKODhiRFNZCkZHeGhSNVJseGNWY2lhd2lrODhs
+ ODFuSFFGQm9lVXNGN3p6ejZNNEpud2sKLS0tIFdvaXhRcnUzWDhOQlFTR0w3cFNl
+ UmczekVFUFFUcW1EdGgxS0hYZUU3UnMKnUFWnnLE6oj09eSfbwB4okfUX8a8Pacu
+ 79qITPaYn54x1NbrC56jI7nAQPsiBfvITxH+zrg+vWHILkjzX0wHiQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-07-25T19:28:10Z"
+ mac: ENC[AES256_GCM,data:hVlDc1AvhLUIyk3X9pF7OUQ4cXXL4xf2LMY7EAVQR0H2Iyih0O7j06ddUK4Z59e/wVpCYMAlvsOAogH5RUp4WrDON9PQYNjG4EZHVimy2Y+evo/JL1CW9Ll5ETlCUs+yKxcDHjVOP52FtlruMGfJeV/Ke9yq/TX5guE6Ey+qls0=,iv:VvEX3dXLH3bn4cNNR0jdVv9RGaTOrpeXWj+AENX4CMQ=,tag:PKXTSVIAx7i3qdKzpfLZXA==,type:str]
+ pgp:
+ - created_at: "2023-07-24T15:31:55Z"
+ enc: "-----BEGIN PGP MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ//fVGKdSGAfNw70aGtih14vO7Xydkthu13SlNsPxR2p8MK\r\nu1JwbkYQq1NWrZ5/R7/v9xzKTSq52mqZZwB8AlXuSJdIUfR/PY1MgA1GHQ1xlVDf\r\nAk05DLVVUiHh092UTtFWGL5hSP6N8NxM0vuIgNPKRZ94KTlBF+DQH5OFl0sWrVc8\r\nudTBd/H6+ZS4fa+GwBuNB5UJHxkFHTnocb7k8O25b9CyuvQVgAxteKVn7EbWHvkr\r\nEZSormt7r26y1rcsbqJdyqWjjsynz11Dvel4mxD4/f5swTIiSpbBMoea+0N14ytV\r\nrEXGUf/jwo+HcI2O7brkVQa0VpXsr+kKexHZuEWL7f5+xAfYNaf6ldmjm5WpRsNv\r\n0eq7gEYNRVk9s4q23nO+Mt8sDPhtDkRUT35+VYJq53E3Rpr0AOuTnH8lEOb6syRr\r\nQY9OWpLbYv9YLF4/hUuvvROhIDfONfN/rgrFuV6IdOCL93PObdIJszFwbVNewhDp\r\nnbixqVgybeyc4ZZpflBKpzKAe8I9TO115Iw47GDnWwPFN6jbC4lX7A5jZIJlSBia\r\n2TBJ6CtSZ15stvKpEOZ7KUzJKNxK2vnlh26tYzEjaQcv0STcgjqjthjDy3xgtZa0\r\n5Iwh8FpsLPIjh9mhWjZoy4r6CXewwHptN+Ipcpya4w+3+78fIGCeQsC0+DynMxbS\r\nXgG9L7whnfELpqIeKrc/vz94eQ3SaAn+sKWTFIOmgMuCYOTh0nWGp1lyss+idO++\r\ncpc+07UF3CnCRBXEOvenFRxWSG7j3NdXg5T/Yym74RzZp0l3TocuzVTsjHdJsqs=\r\n=rQE4\r\n-----END PGP MESSAGE-----\r\n"
+ fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/apps/frigate/templates/config-map.yml b/apps/frigate/templates/config-map.yml
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "common.resource-labels" . | indent 4 }}
+data:
+ frigate.yml: |
+ mqtt:
+ host: {{ .Values.mqtt.serviceName }}.{{ .Values.mqtt.namespace | default .Release.Namespace }}.svc.cluster.local
+
+ database:
+ path: /db/frigate.db
+
+ go2rtc:
+ streams:
+ {{- range .Values.cameras }}
+ {{ .name | quote }}:
+ - {{ .url | quote }}
+ {{- end }}
+
+ cameras:
+ {{- range .Values.cameras }}
+ {{ .name | quote }}:
+ enabled: True
+ ffmpeg:
+ inputs:
+ - path: rtsp:https://127.0.0.1:8554/{{ .name }}
+ input_args: preset-rtsp-restream
+ roles:
+ - record
+ # - detect
+ detect:
+ width: {{ .detectWidth }}
+ height: {{ .detectHeight }}
+ # motion:
+ # mask:
+ # - 0,461,3,0,1919,0,1919,843,1699,492,1344,458,1346,336,973,317,869,375,866,432
+ {{- end }}
diff --git a/apps/frigate/templates/deployment.yml b/apps/frigate/templates/deployment.yml
@@ -0,0 +1,179 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Release.Name }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "common.resource-labels" . | indent 4 }}
+spec:
+ replicas: 1
+ revisionHistoryLimit: 3
+ selector:
+ matchLabels:
+ {{- include "common.pod-labels" . | indent 6 }}
+ strategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ {{- include "common.pod-labels" . | indent 8 }}
+ spec:
+ # TODO: runtimeClassName: {{ .Values.gpu.nvidia.runtimeClassName }}
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: homecentr.one/tpu
+ operator: In
+ values:
+ - "true"
+ - key: homecentr.one/gpu
+ operator: In
+ values:
+ - "true"
+ securityContext:
+ # runAsNonRoot: false
+ # fsGroupChangePolicy: Always
+ # seccompProfile:
+ # type: RuntimeDefault
+ # seLinuxOptions:
+ # user: system_u
+ # role: system_r
+ # type: container_t
+ # level: s0:c829,c861
+ automountServiceAccountToken: false
+ containers:
+ - name: frigate
+ image: 'ghcr.io/blakeblackshear/frigate:{{ .Values.imageTag }}'
+ imagePullPolicy: null
+ ports:
+ - name: http
+ protocol: TCP
+ containerPort: 5000
+ - name: rtmp
+ protocol: TCP
+ containerPort: 1935
+ env:
+ - name: S6_READ_ONLY_ROOT
+ value: "1"
+ - name: MPLCONFIGDIR
+ value: /tmp/matplot
+ - name: NVIDIA_DRIVER_CAPABILITIES
+ value: "all"
+ - name: NVIDIA_VISIBLE_DEVICES
+ value: "all"
+ - name: FRIGATE_RTSP_USER
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Release.Name }}
+ key: rtspUser
+ - name: FRIGATE_RTSP_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Release.Name }}
+ key: rtspPassword
+ livenessProbe:
+ httpGet:
+ path: /api/version
+ port: http
+ failureThreshold: 3
+ periodSeconds: 10
+ timeoutSeconds: 1
+ initialDelaySeconds: 60
+ readinessProbe:
+ httpGet:
+ path: /api/version
+ port: http
+ failureThreshold: 3
+ periodSeconds: 10
+ timeoutSeconds: 1
+ initialDelaySeconds: 60
+ volumeMounts:
+ - name: coral-dev
+ mountPath: {{ .Values.coralHostPath }}
+ - name: database-pvc
+ mountPath: "/db"
+ - name: media-pvc
+ mountPath: "/media/frigate"
+ - name: dshm
+ mountPath: /dev/shm
+ - name: tmp
+ mountPath: /tmp
+ - name: run
+ mountPath: /run
+ - name: nginx-logs
+ mountPath: /usr/local/nginx/logs
+ - name: nginx-client-body-temp
+ mountPath: /usr/local/nginx/client_body_temp
+ - name: nginx-proxy-temp
+ mountPath: /usr/local/nginx/proxy_temp
+ - name: nginx-fastcgi-temp
+ mountPath: /usr/local/nginx/fastcgi_temp
+ - name: nginx-uwsgi-temp
+ mountPath: /usr/local/nginx/uwsgi_temp
+ - name: nginx-scgi-temp
+ mountPath: /usr/local/nginx/scgi_temp
+ - name: config
+ mountPath: "/config/config.yml"
+ subPath: frigate.yml
+ readOnly: true
+ securityContext:
+ privileged: true # To allow using Coral USB
+ runAsNonRoot: false
+ readOnlyRootFilesystem : true
+ procMount: Default
+ # allowPrivilegeEscalation: false
+ # capabilities:
+ # drop:
+ # - ALL
+ # seccompProfile:
+ # type: RuntimeDefault
+ # seLinuxOptions:
+ # user: system_u
+ # role: system_r
+ # type: container_t
+ # level: s0:c829,c861
+ resources: {{ .Values.resources | toYaml | nindent 14 }}
+ dnsPolicy: ClusterFirst
+ enableServiceLinks: true
+ volumes:
+ - name: coral-dev
+ hostPath:
+ path: {{ .Values.coralHostPath }}
+ - name: dshm
+ emptyDir:
+ medium: Memory
+ sizeLimit: {{ .Values.shmSize }}
+ - name: tmp
+ emptyDir:
+ medium: Memory
+ sizeLimit: {{ .Values.cacheSize }}
+ - name: run
+ emptyDir: {}
+ - name: nginx-logs
+ emptyDir: {}
+ - name: nginx-client-body-temp
+ emptyDir: {}
+ - name: nginx-proxy-temp
+ emptyDir: {}
+ - name: nginx-fastcgi-temp
+ emptyDir: {}
+ - name: nginx-uwsgi-temp
+ emptyDir: {}
+ - name: nginx-scgi-temp
+ emptyDir: {}
+ - name: database-pvc
+ persistentVolumeClaim:
+ claimName: {{ .Release.Name }}-database
+ - name: media-pvc
+ persistentVolumeClaim:
+ claimName: {{ .Release.Name }}-media
+ - name: config
+ configMap:
+ name: {{ .Release.Name }}
+ defaultMode: 0444
+ items:
+ - key: frigate.yml
+ path: frigate.yml