Initial commit

camtiler/.gitignore

@@ -0,0 +1 @@
+deployments/

camtiler/README.md

@@ -0,0 +1,29 @@
+To apply changes:
+
+```
+kubectl apply -n camtiler -f application.yml -f mongoexpress.yml -f mongodb-support.yml -f networkpolicy-base.yml -f minio-support.yml
+```
+
+To deploy changes:
+
+```
+kubectl -n camtiler rollout restart deployment.apps/camtiler
+```
+
+To initialize secrets:
+
+```
+kubectl create secret generic -n camtiler mongodb-application-readwrite-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
+kubectl create secret generic -n camtiler mongodb-application-readonly-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
+kubectl create secret generic -n camtiler minio-secret \
+    --from-literal=accesskey=application \
+    --from-literal=secretkey=$(cat /dev/urandom | base64 | head -c 30)
+kubectl create secret generic -n camtiler minio-env-configuration \
+    --from-literal="MINIO_BROWSER=off" \
+    --from-literal="MINIO_ROOT_USER=root" \
+    --from-literal="MINIO_ROOT_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)" \
+    --from-literal="MINIO_STORAGE_CLASS_STANDARD=EC:4"
+kubectl -n camtiler create secret generic camera-secrets \
+    --from-literal=username=... \
+    --from-literal=password=...
+```

camtiler/application.yml

@@ -0,0 +1,474 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: camtiler
+  annotations:
+    keel.sh/policy: force
+    keel.sh/trigger: poll
+spec:
+  revisionHistoryLimit: 0
+  replicas: 1
+  selector:
+    matchLabels:
+      app: camtiler
+  template:
+    metadata:
+      labels:
+        app: camtiler
+        component: camtiler
+    spec:
+      serviceAccountName: camtiler
+      containers:
+        - name: camtiler
+          image: harbor.k-space.ee/k-space/camera-tiler:latest
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: log-viewer-frontend
+  annotations:
+    keel.sh/policy: force
+    keel.sh/trigger: poll
+spec:
+  revisionHistoryLimit: 0
+  replicas: 2
+  selector:
+    matchLabels:
+      app: log-viewer-frontend
+  template:
+    metadata:
+      labels:
+        app: log-viewer-frontend
+    spec:
+      containers:
+        - name: log-viewer-frontend
+          image: harbor.k-space.ee/k-space/log-viewer-frontend:latest
+#          securityContext:
+#            readOnlyRootFilesystem: true
+#            runAsNonRoot: true
+#            runAsUser: 1000
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: log-viewer-backend
+  annotations:
+    keel.sh/policy: force
+    keel.sh/trigger: poll
+spec:
+  revisionHistoryLimit: 0
+  replicas: 3
+  selector:
+    matchLabels:
+      app: log-viewer-backend
+  template:
+    metadata:
+      labels:
+        app: log-viewer-backend
+    spec:
+      containers:
+        - name: log-backend-backend
+          image: harbor.k-space.ee/k-space/log-viewer:latest
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+          env:
+            - name: MONGO_URI
+              valueFrom:
+                secretKeyRef:
+                  name: mongodb-application-readwrite
+                  key: connectionString.standard
+            - name: MINIO_BUCKET
+              value: application
+            - name: MINIO_HOSTNAME
+              value: cams-s3.k-space.ee
+            - name: MINIO_PORT
+              value: "443"
+            - name: MINIO_SCHEME
+              value: "https"
+            - name: MINIO_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: minio-secret
+                  key: secretkey
+            - name: MINIO_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: minio-secret
+                  key: accesskey
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: log-viewer-frontend
+spec:
+  type: ClusterIP
+  selector:
+    app: log-viewer-frontend
+  ports:
+  - protocol: TCP
+    port: 3003
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: log-viewer-backend
+spec:
+  type: ClusterIP
+  selector:
+    app: log-viewer-backend
+  ports:
+  - protocol: TCP
+    port: 3002
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: camtiler
+  annotations:
+    prometheus.io/scrape: 'true'
+  labels:
+    component: camtiler
+spec:
+  type: ClusterIP
+  selector:
+    app: camtiler
+    component: camtiler
+  ports:
+  - protocol: TCP
+    port: 5001
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: camtiler
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: camtiler
+rules:
+- apiGroups: [""]
+  resources: ["services"]
+  verbs: ["list"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: camtiler
+subjects:
+- kind: ServiceAccount
+  name: camtiler
+  apiGroup: ""
+roleRef:
+  kind: Role
+  name: camtiler
+  apiGroup: ""
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: camtiler
+  annotations:
+    kubernetes.io/ingress.class: traefik
+
+    # Following specifies the certificate issuer defined in
+    # ../cert-manager/issuer.yml
+    # This is where the HTTPS certificates for the
+    # `tls:` section below are obtained from
+    cert-manager.io/cluster-issuer: default
+
+    # This tells Traefik this Ingress object is associated with the
+    # https:// entrypoint
+    # Global http:// to https:// redirect is enabled in
+    # ../traefik/values.yml using `globalArguments`
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+
+    # Following enables Authelia intercepting middleware
+    # which makes sure user is authenticated and then
+    # proceeds to inject Remote-User header for the application
+    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
+
+    traefik.ingress.kubernetes.io/router.tls: "true"
+
+    # Following tells external-dns to add CNAME entry which makes
+    # cams.k-space.ee point to same IP address as traefik.k-space.ee
+    # The A record for traefik.k-space.ee is created via annotation
+    # added in ../traefik/ingress.yml
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+spec:
+  rules:
+  - host: cams.k-space.ee
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/tiled"
+        backend:
+          service:
+            name: camtiler
+            port:
+              number: 5001
+      - pathType: Prefix
+        path: "/events"
+        backend:
+          service:
+            name: log-viewer-backend
+            port:
+              number: 3002
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: log-viewer-frontend
+            port:
+              number: 3003
+  tls:
+  - hosts:
+    - cams.k-space.ee
+    secretName: camtiler-tls
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: camera-operator
+  annotations:
+    keel.sh/policy: force
+    keel.sh/trigger: poll
+spec:
+  revisionHistoryLimit: 0
+  replicas: 1
+  serviceName: camera-operator
+  selector:
+    matchLabels:
+      app: camera-operator
+  template:
+    metadata:
+      labels:
+        app: camera-operator
+    spec:
+      serviceAccount: camera-operator
+      containers:
+        - name: camera-operator
+          image: harbor.k-space.ee/k-space/camera-operator:latest
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+          env:
+            - name: MY_POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: camera-operator
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+  - delete
+  - list
+  - update
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - create
+  - delete
+  - list
+  - update
+- apiGroups:
+  - k-space.ee
+  resources:
+  - cams
+  verbs:
+  - get
+  - list
+  - watch
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: camera-operator
+subjects:
+- kind: ServiceAccount
+  name: camera-operator
+roleRef:
+  kind: Role
+  name: camera-operator
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: camera-operator
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: camera-motion-detect
+spec:
+  podSelector:
+    matchLabels:
+      component: camdetect
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          component: camtiler
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: monitoring
+      podSelector:
+        matchLabels:
+          app: prometheus
+  egress:
+    - to:
+        - ipBlock:
+            # Permit access to cameras outside the cluster
+            cidr: 100.102.0.0/16
+    - to:
+      - podSelector:
+          matchLabels:
+            app: mongodb-svc
+      ports:
+      - port: 27017
+    - to:
+      - podSelector:
+          matchLabels:
+            v1.min.io/tenant: minio
+      ports:
+      - port: 9000
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: camera-tiler
+spec:
+  podSelector:
+    matchLabels:
+      component: camtiler
+  policyTypes:
+  - Ingress
+  - Egress
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          component: camdetect
+    ports:
+    - port: 5000
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: monitoring
+      podSelector:
+        matchLabels:
+          app: prometheus
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: traefik
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: traefik
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: log-viewer-backend
+spec:
+  podSelector:
+    matchLabels:
+      app: log-viewer-backend
+  policyTypes:
+  - Ingress
+  - Egress
+  egress:
+    - to:
+      - podSelector:
+          matchLabels:
+            app: mongodb-svc
+    - to:
+      - podSelector:
+          matchLabels:
+            v1.min.io/tenant: minio
+      ports:
+      - port: 9000
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: traefik
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: traefik
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: log-viewer-frontend
+spec:
+  podSelector:
+    matchLabels:
+      app: log-viewer-frontend
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: traefik
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: traefik
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: minio
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    cert-manager.io/cluster-issuer: default
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+spec:
+  rules:
+  - host: cams-s3.k-space.ee
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: minio
+            port:
+              number: 80
+  tls:
+  - hosts:
+    - cams-s3.k-space.ee
+    secretName: cams-s3-tls

camtiler/minio-support.yml

@@ -0,0 +1 @@
+../shared/minio-support.yml

camtiler/mongodb-support.yml

@@ -0,0 +1 @@
+../mongodb-operator/mongodb-support.yml

camtiler/mongoexpress.yml

@@ -0,0 +1 @@
+../shared/mongoexpress.yml

camtiler/networkpolicy-base.yml

@@ -0,0 +1 @@
+../shared/networkpolicy-base.yml

camtiler/persistence.yml

@@ -0,0 +1,126 @@
+---
+apiVersion: mongodbcommunity.mongodb.com/v1
+kind: MongoDBCommunity
+metadata:
+  name: mongodb
+spec:
+  members: 3
+  type: ReplicaSet
+  version: "5.0.9"
+  security:
+    authentication:
+      modes: ["SCRAM"]
+  users:
+    - name: readwrite
+      db: application
+      passwordSecretRef:
+        name: mongodb-application-readwrite-password
+      roles:
+        - name: readWrite
+          db: application
+      scramCredentialsSecretName: mongodb-application-readwrite
+    - name: readonly
+      db: application
+      passwordSecretRef:
+        name: mongodb-application-readonly-password
+      roles:
+        - name: readOnly
+          db: application
+      scramCredentialsSecretName: mongodb-application-readonly
+  statefulSet:
+    spec:
+      template:
+        spec:
+          affinity:
+            podAntiAffinity:
+              requiredDuringSchedulingIgnoredDuringExecution:
+                - labelSelector:
+                    matchExpressions:
+                      - key: app
+                        operator: In
+                        values:
+                          - mongodb-svc
+                  topologyKey: kubernetes.io/hostname
+          nodeSelector:
+            dedicated: storage
+          tolerations:
+            - key: dedicated
+              operator: Equal
+              value: storage
+              effect: NoSchedule
+      volumeClaimTemplates:
+        - metadata:
+            name: logs-volume
+          spec:
+            storageClassName: local-path
+            accessModes:
+            - ReadWriteOnce
+            resources:
+              requests:
+                storage: 512Mi
+        - metadata:
+            name: data-volume
+          spec:
+            storageClassName: local-path
+            accessModes:
+            - ReadWriteOnce
+            resources:
+              requests:
+                storage: 2Gi
+---
+apiVersion: minio.min.io/v2
+kind: Tenant
+metadata:
+  name: minio
+  annotations:
+    prometheus.io/path: /minio/prometheus/metrics
+    prometheus.io/port: "9000"
+    prometheus.io/scrape: "true"
+spec:
+  credsSecret:
+    name: minio-secret
+  buckets:
+    - name: application
+  requestAutoCert: false
+  users:
+    - name: minio-user-0
+  pools:
+    - name: pool-0
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: v1.min.io/tenant
+                    operator: In
+                    values:
+                      - minio
+                  - key: v1.min.io/pool
+                    operator: In
+                    values:
+                      - pool-0
+              topologyKey: kubernetes.io/hostname
+      resources:
+        requests:
+          cpu: '1'
+          memory: 512Mi
+      servers: 4
+      volumesPerServer: 1
+      volumeClaimTemplate:
+        metadata:
+          name: data
+        spec:
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              storage: '30Gi'
+          storageClassName: local-path
+        status: {}
+      nodeSelector:
+        dedicated: storage
+      tolerations:
+        - key: dedicated
+          operator: Equal
+          value: storage
+          effect: NoSchedule