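---
# Camera tiler Deployment. The Pod runs under the `camtiler` ServiceAccount,
# whose Role (below) only permits listing Services in this namespace.
# NOTE(review): every image in this file is referenced by the `:latest` tag and
# re-pulled by keel (`policy: force`, `trigger: poll`); pinning by digest would
# make rollouts reproducible and auditable. Confirm whether that is wanted here.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: camtiler
  annotations:
    keel.sh/policy: force
    keel.sh/trigger: poll
spec:
  revisionHistoryLimit: 0
  replicas: 1
  selector:
    matchLabels:
      app: camtiler
  template:
    metadata:
      labels:
        app: camtiler
        component: camtiler
    spec:
      serviceAccountName: camtiler
      containers:
        - name: camtiler
          image: harbor.k-space.ee/k-space/camera-tiler:latest
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
---
# Log viewer frontend Deployment (2 replicas), exposed via the camtiler Ingress
# at path "/" behind the traefik-sso middleware.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: log-viewer-frontend
  annotations:
    keel.sh/policy: force
    keel.sh/trigger: poll
spec:
  revisionHistoryLimit: 0
  replicas: 2
  selector:
    matchLabels:
      app: log-viewer-frontend
  template:
    metadata:
      labels:
        app: log-viewer-frontend
    spec:
      containers:
        - name: log-viewer-frontend
          image: harbor.k-space.ee/k-space/log-viewer-frontend:latest
          # NOTE(review): this is the only container in the file without a
          # securityContext; the hardening below is commented out. Confirm
          # whether the image can run as non-root on a read-only root
          # filesystem and re-enable it if so.
          # securityContext:
          #   readOnlyRootFilesystem: true
          #   runAsNonRoot: true
          #   runAsUser: 1000
---
# Log viewer backend Deployment (3 replicas). Reads MongoDB and MinIO
# credentials from Secrets; exposed at "/events" via the camtiler Ingress.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: log-viewer-backend
  annotations:
    keel.sh/policy: force
    keel.sh/trigger: poll
spec:
  revisionHistoryLimit: 0
  replicas: 3
  selector:
    matchLabels:
      app: log-viewer-backend
  template:
    metadata:
      labels:
        app: log-viewer-backend
    spec:
      containers:
        # NOTE(review): the container name `log-backend-backend` looks like a
        # typo for `log-viewer-backend`; left unchanged to avoid an unintended
        # rollout, but worth confirming.
        - name: log-backend-backend
          image: harbor.k-space.ee/k-space/log-viewer:latest
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
          env:
            - name: MONGO_URI
              valueFrom:
                secretKeyRef:
                  name: mongodb-application-readwrite
                  key: connectionString.standard
            - name: MINIO_BUCKET
              value: application
            # NOTE(review): MINIO_HOSTNAME is the public Ingress host (defined
            # at the bottom of this file), while the log-viewer-backend
            # NetworkPolicy only allows egress to minio Pods on port 9000.
            # Confirm this path is actually permitted, or point the backend at
            # the in-cluster MinIO Service instead.
            - name: MINIO_HOSTNAME
              value: cams-s3.k-space.ee
            - name: MINIO_PORT
              value: "443"
            - name: MINIO_SCHEME
              value: "https"
            - name: MINIO_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: minio-secret
                  key: secretkey
            - name: MINIO_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: minio-secret
                  key: accesskey
---
apiVersion: v1
kind: Service
metadata:
  name: log-viewer-frontend
spec:
  type: ClusterIP
  selector:
    app: log-viewer-frontend
  ports:
    - protocol: TCP
      port: 3003
---
apiVersion: v1
kind: Service
metadata:
  name: log-viewer-backend
spec:
  type: ClusterIP
  selector:
    app: log-viewer-backend
  ports:
    - protocol: TCP
      port: 3002
---
apiVersion: v1
kind: Service
metadata:
  name: camtiler
  annotations:
    prometheus.io/scrape: 'true'
  labels:
    component: camtiler
spec:
  type: ClusterIP
  selector:
    app: camtiler
    component: camtiler
  ports:
    - protocol: TCP
      port: 5001
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: camtiler
---
# Least-privilege Role for camtiler: list Services only.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: camtiler
rules:
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - list
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: camtiler
subjects:
  - kind: ServiceAccount
    name: camtiler
    # ServiceAccount subjects live in the core group, hence the empty apiGroup.
    apiGroup: ""
roleRef:
  kind: Role
  name: camtiler
  # Fixed: roleRef.apiGroup must be rbac.authorization.k8s.io (the API server
  # rejects other values); previously "" here, unlike the camera-operator
  # RoleBinding below.
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: camtiler
  annotations:
    kubernetes.io/ingress.class: traefik
    # Following specifies the certificate issuer defined in
    # ../cert-manager/issuer.yml
    # This is where the HTTPS certificates for the
    # `tls:` section below are obtained from
    cert-manager.io/cluster-issuer: default
    # This tells Traefik this Ingress object is associated with the
    # https:// entrypoint
    # Global http:// to https:// redirect is enabled in
    # ../traefik/values.yml using `globalArguments`
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    # Following enables Authelia intercepting middleware
    # which makes sure user is authenticated and then
    # proceeds to inject Remote-User header for the application
    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
    traefik.ingress.kubernetes.io/router.tls: "true"
    # Following tells external-dns to add CNAME entry which makes
    # cams.k-space.ee point to same IP address as traefik.k-space.ee
    # The A record for traefik.k-space.ee is created via annotation
    # added in ../traefik/ingress.yml
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
  rules:
    - host: cams.k-space.ee
      http:
        paths:
          - pathType: Prefix
            path: "/tiled"
            backend:
              service:
                name: camtiler
                port:
                  number: 5001
          - pathType: Prefix
            path: "/events"
            backend:
              service:
                name: log-viewer-backend
                port:
                  number: 3002
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: log-viewer-frontend
                port:
                  number: 3003
  tls:
    - hosts:
        - cams.k-space.ee
      secretName: camtiler-tls
---
# Camera operator StatefulSet. Runs under the camera-operator ServiceAccount
# and learns its own namespace through the downward API.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: camera-operator
  annotations:
    keel.sh/policy: force
    keel.sh/trigger: poll
spec:
  revisionHistoryLimit: 0
  replicas: 1
  serviceName: camera-operator
  selector:
    matchLabels:
      app: camera-operator
  template:
    metadata:
      labels:
        app: camera-operator
    spec:
      # Fixed: use `serviceAccountName` (the deprecated `serviceAccount` alias
      # was used here), matching the camtiler Deployment above.
      serviceAccountName: camera-operator
      containers:
        - name: camera-operator
          image: harbor.k-space.ee/k-space/camera-operator:latest
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
          env:
            - name: MY_POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
---
# Role for the camera operator: manages Services and Deployments in this
# namespace and watches the `cams` custom resource (group k-space.ee).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: camera-operator
rules:
  # NOTE(review): `get` on every Secret in the namespace. If the operator only
  # needs specific Secrets, scope this rule with `resourceNames`.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - create
      - delete
      - list
      - update
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - create
      - delete
      - list
      - update
  - apiGroups:
      - k-space.ee
    resources:
      - cams
    verbs:
      - get
      - list
      - watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: camera-operator
subjects:
  - kind: ServiceAccount
    name: camera-operator
roleRef:
  kind: Role
  name: camera-operator
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: camera-operator
---
# NetworkPolicy for the motion-detect Pods (label component=camdetect). Those
# Pods are not defined in this file; presumably they are created by
# camera-operator, which can create Deployments (see its Role).
# NOTE(review): none of the policies in this file allow egress to DNS or to
# the Kubernetes API; this assumes another policy permits those. Confirm.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: camera-motion-detect
spec:
  podSelector:
    matchLabels:
      component: camdetect
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only the tiler and Prometheus (monitoring namespace) may reach these Pods.
    - from:
        - podSelector:
            matchLabels:
              component: camtiler
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
          podSelector:
            matchLabels:
              app: prometheus
  egress:
    - to:
        - ipBlock:
            # Permit access to cameras outside the cluster
            cidr: 100.102.0.0/16
    - to:
        - podSelector:
            matchLabels:
              app: mongodb-svc
      ports:
        - port: 27017
    - to:
        - podSelector:
            matchLabels:
              v1.min.io/tenant: minio
      ports:
        - port: 9000
---
# NetworkPolicy for the tiler. Egress is limited to the camdetect Pods on
# port 5000; ingress only from Prometheus and Traefik.
# NOTE(review): the tiler's Role lists Services through the Kubernetes API,
# which this egress rule set does not cover; confirm a cluster-wide policy
# allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: camera-tiler
spec:
  podSelector:
    matchLabels:
      component: camtiler
  policyTypes:
    - Ingress
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              component: camdetect
      ports:
        - port: 5000
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
          podSelector:
            matchLabels:
              app: prometheus
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
---
# NetworkPolicy for the log viewer backend: egress to MongoDB and MinIO,
# ingress only from Traefik.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: log-viewer-backend
spec:
  podSelector:
    matchLabels:
      app: log-viewer-backend
  policyTypes:
    - Ingress
    - Egress
  egress:
    # NOTE(review): unlike camera-motion-detect, this MongoDB rule carries no
    # port restriction; consider adding `ports: - port: 27017` for parity.
    - to:
        - podSelector:
            matchLabels:
              app: mongodb-svc
    - to:
        - podSelector:
            matchLabels:
              v1.min.io/tenant: minio
      ports:
        - port: 9000
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
---
# NetworkPolicy for the log viewer frontend. `Egress` is listed in policyTypes
# with no egress rules, so all outbound traffic from these Pods is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: log-viewer-frontend
spec:
  podSelector:
    matchLabels:
      app: log-viewer-frontend
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
---
# Public Ingress for the MinIO S3 endpoint used by the log viewer backend.
# NOTE(review): unlike the camtiler Ingress, no traefik-sso middleware is
# applied, so cams-s3.k-space.ee is reachable without Authelia and access
# control rests on MinIO credentials/bucket policy alone. Confirm intended.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minio
  annotations:
    kubernetes.io/ingress.class: traefik
    cert-manager.io/cluster-issuer: default
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
  rules:
    - host: cams-s3.k-space.ee
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: minio
                port:
                  number: 80
  tls:
    - hosts:
        - cams-s3.k-space.ee
      secretName: cams-s3-tls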