From 3948a5072c102235b1ecd9418f9bdc7e5e4f556b Mon Sep 17 00:00:00 2001 From: Sowmya Ramanchandran Date: Thu, 20 Nov 2025 13:33:35 +0530 Subject: [PATCH 1/6] fix trivy for nginx-reverce-proxy --- .../templates/nginx/nginx-reverse-proxy.yaml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/nginx/nginx-reverse-proxy.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/nginx/nginx-reverse-proxy.yaml index 1e2729199..987ad7e98 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/nginx/nginx-reverse-proxy.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/nginx/nginx-reverse-proxy.yaml @@ -192,12 +192,28 @@ spec: labels: app: nginx-reverse-proxy spec: + securityContext: + runAsNonRoot: true + runAsUser: 101 + runAsGroup: 101 + fsGroup: 101 + seccompProfile: + type: RuntimeDefault containers: - name: nginx image: nginx:alpine ports: - containerPort: 80 - containerPort: 443 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 101 + runAsGroup: 101 + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true env: - name: http_proxy value: {{ .Values.http_proxy }} @@ -212,6 +228,12 @@ spec: - name: nginx-tls mountPath: /etc/nginx/ssl readOnly: true + - name: nginx-cache + mountPath: /var/cache/nginx + - name: nginx-run + mountPath: /var/run + - name: nginx-tmp + mountPath: /tmp volumes: - name: nginx-config configMap: @@ -219,6 +241,12 @@ spec: - name: nginx-tls secret: secretName: nginx-reverse-proxy-tls + - name: nginx-cache + emptyDir: {} + - name: nginx-run + emptyDir: {} + - name: nginx-tmp + emptyDir: {} --- apiVersion: v1 From 924d998dbea5430898d52078d0bbf22e0290dabf Mon Sep 17 00:00:00 2001 
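Review bot: The `nginx` container in the first hunk keeps `containerPort: 80` and `443` while the new container securityContext sets `runAsUser: 101` with `drop: - ALL`, so nginx can bind those ports only on runtimes that lower `net.ipv4.ip_unprivileged_port_start` for the pod; elsewhere the master process fails with a bind permission error and the pod crash-loops. Either move the listeners to unprivileged ports in the nginx config or add at pod level `sysctls:` / `- name: net.ipv4.ip_unprivileged_port_start` / `value: "0"`, which Kubernetes treats as a safe sysctl. The `/var/cache/nginx`, `/var/run` and `/tmp` emptyDirs cover the usual write paths, but worth a one-line comment next to them saying why they exist (`# writable paths required by readOnlyRootFilesystem`). PATCH 5/6 reverts this file, so the point applies when the hardening is reintroduced.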
From: Sowmya Ramanchandran Date: Thu, 20 Nov 2025 17:35:45 +0530 Subject: [PATCH 2/6] fix trivy config error for smart intersession. --- .../helm-chart/templates/broker.yaml | 24 ++++++++++++ .../deployment.yaml | 3 ++ .../chart/templates/grafana/deployment.yaml | 4 ++ .../chart/templates/influxdb/deployment.yaml | 4 ++ .../chart/templates/nodered/deployment.yaml | 6 ++- .../chart/templates/ntpserver/deployment.yaml | 4 ++ .../chart/templates/pgserver/deployment.yaml | 4 ++ .../chart/templates/scene/deployment.yaml | 4 ++ .../chart/templates/web/deployment.yaml | 4 ++ .../templates/nginx-reverse-proxy.yaml | 39 +++++++++++++++++++ 10 files changed, 95 insertions(+), 1 deletion(-) diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/broker.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/broker.yaml index 26db11b4b..0048dddaa 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/broker.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/broker.yaml @@ -15,6 +15,13 @@ spec: labels: app: broker spec: + securityContext: + runAsNonRoot: true + runAsUser: 1883 + runAsGroup: 1883 + fsGroup: 1883 + seccompProfile: + type: RuntimeDefault containers: - name: mqtt image: {{ $.Values.mqtt_broker.image }}:{{ $.Values.mqtt_broker.imageTag }} 
@@ -28,13 +35,30 @@ spec: value: {{ $.Values.env.https_proxy }} - name: no_proxy value: "{{ $.Values.env.no_proxy }},{{ $.Values.env.HOST_IP }}" + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1883 + runAsGroup: 1883 + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true volumeMounts: - name: mosquitto-config-volume mountPath: /mosquitto/config + - name: mosquitto-data + mountPath: /mosquitto/data + - name: mosquitto-log + mountPath: /mosquitto/log volumes: - name: mosquitto-config-volume configMap: name: broker + - name: mosquitto-data + emptyDir: {} + - name: mosquitto-log + emptyDir: {} --- apiVersion: v1 kind: Service diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/dlstreamer-pipeline-server/deployment.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/dlstreamer-pipeline-server/deployment.yaml index c896e9a29..edbfdf459 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/dlstreamer-pipeline-server/deployment.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/dlstreamer-pipeline-server/deployment.yaml @@ -16,6 +16,9 @@ spec: spec: securityContext: supplementalGroups: [109,110,992] + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault volumes: - name: dev hostPath: diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/grafana/deployment.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/grafana/deployment.yaml index f2f3a5506..9e8b29aab 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/grafana/deployment.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/grafana/deployment.yaml 
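Review bot: `readOnlyRootFilesystem: true` on the `mqtt` container is paired with new emptyDir mounts at `/mosquitto/data` and `/mosquitto/log`, which means anything the broker persists or logs there now disappears with the pod and never reaches the node's log collection; if the `broker` ConfigMap's mosquitto.conf enables `persistence` or uses a file `log_dest`, that is a behaviour change the hunk should state, e.g. `# emptyDir: retained messages and file logs do not survive a pod restart; prefer log_dest stdout`. I cannot see the ConfigMap from this hunk, so confirm against it. The pod-level part of this securityContext is in the previous hunk.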
@@ -17,6 +17,10 @@ spec: annotations: checksum/secrets: {{ include (print $.Template.BasePath "/app-secrets.yaml") . | sha256sum }} spec: + securityContext: + fsGroup: 472 + seccompProfile: + type: RuntimeDefault containers: - name: grafana image: "{{ .Values.grafana.repository }}:{{ .Values.grafana.tag }}" diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/influxdb/deployment.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/influxdb/deployment.yaml index b452dc8ae..655ca73b1 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/influxdb/deployment.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/influxdb/deployment.yaml @@ -15,6 +15,10 @@ spec: labels: app: {{ .Release.Name }}-influxdb spec: + securityContext: + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault containers: - name: influxdb image: "{{ .Values.influxdb.repository }}:{{ .Values.influxdb.tag }}" diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/nodered/deployment.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/nodered/deployment.yaml index d79cc567a..6887c06e1 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/nodered/deployment.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/nodered/deployment.yaml @@ -14,8 +14,12 @@ spec: labels: app: {{ .Release.Name }}-nodered annotations: - checksum/secrets: {{ include (print $.Template.BasePath "/app-secrets.yaml") . | sha256sum }} + checksum/secrets: {{ include (print $.Template.BasePath \"/app-secrets.yaml\") . | sha256sum }} spec: + securityContext: + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault volumes: - name: nodered-config configMap: 
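Review bot: In the nodered deployment hunk the `checksum/secrets` annotation is rewritten to `{{ include (print $.Template.BasePath \"/app-secrets.yaml\") . | sha256sum }}`, and a backslash-escaped quote inside a Go template action is not valid syntax, so `helm template` should fail to parse this file. The edit is unrelated to the securityContext the commit adds and looks like an editor artefact; the line should stay `checksum/secrets: {{ include (print $.Template.BasePath "/app-secrets.yaml") . | sha256sum }}`. PATCH 5/6 later restores the original form, but it is better dropped from this commit than carried and reverted.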
diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/ntpserver/deployment.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/ntpserver/deployment.yaml index 885027a6a..3b4130f51 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/ntpserver/deployment.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/ntpserver/deployment.yaml @@ -14,6 +14,10 @@ spec: labels: app: {{ .Release.Name }}-ntpserver spec: + securityContext: + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault shareProcessNamespace: true containers: - envFrom: diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/pgserver/deployment.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/pgserver/deployment.yaml index fddb08e51..08a283918 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/pgserver/deployment.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/pgserver/deployment.yaml @@ -17,6 +17,10 @@ spec: annotations: checksum/secrets: {{ include (print $.Template.BasePath "/app-secrets.yaml") . | sha256sum }} spec: + securityContext: + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault initContainers: - name: init-smart-intersection-ri image: "{{ .Values.images.alpine.repository }}:{{ .Values.images.alpine.tag }}" diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/scene/deployment.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/scene/deployment.yaml index 38b9cc961..50fb1baac 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/scene/deployment.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/scene/deployment.yaml 
@@ -17,6 +17,10 @@ spec: annotations: checksum/secrets: {{ include (print $.Template.BasePath "/app-secrets.yaml") . | sha256sum }} spec: + securityContext: + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault initContainers: - name: wait-for-db-ready image: "{{ .Values.images.curl.repository }}:{{ .Values.images.curl.tag }}" diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/web/deployment.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/web/deployment.yaml index 78d4e4645..98afb695f 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/web/deployment.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/web/deployment.yaml @@ -17,6 +17,10 @@ spec: annotations: checksum/secrets: {{ include (print $.Template.BasePath "/app-secrets.yaml") . | sha256sum }} spec: + securityContext: + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault # initContainers: # - name: init-smart-intersection-ri-web # image: busybox diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/nginx-reverse-proxy.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/nginx-reverse-proxy.yaml index 486bf6fd3..8cfce8e99 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/nginx-reverse-proxy.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/nginx-reverse-proxy.yaml 
@@ -61,17 +61,35 @@ spec: labels: app: nginx-reverse-proxy spec: + securityContext: + runAsNonRoot: true + runAsUser: 101 + runAsGroup: 101 + fsGroup: 101 + seccompProfile: + type: RuntimeDefault initContainers: - name: generate-certs image: alpine/openssl:3.5.4 command: - /bin/sh - /scripts/generate_certs.sh + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 101 + runAsGroup: 101 + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true volumeMounts: - name: nginx-ssl mountPath: /etc/nginx/ssl - name: nginx-scripts mountPath: /scripts + - name: tmp + mountPath: /tmp containers: - name: nginx-reverse-proxy image: {{ .Values.nginx.image }}:{{ .Values.nginx.imageTag }} @@ -79,6 +97,15 @@ spec: ports: - containerPort: {{ .Values.config.nginx.int.http_port }} - containerPort: {{ .Values.config.nginx.int.https_port }} + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 101 + runAsGroup: 101 + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true env: - name: http_proxy value: {{ $.Values.env.http_proxy }} @@ -94,6 +121,12 @@ spec: subPath: nginx.conf - name: nginx-ssl mountPath: /etc/nginx/ssl + - name: nginx-cache + mountPath: /var/cache/nginx + - name: nginx-run + mountPath: /var/run + - name: tmp + mountPath: /tmp resources: requests: memory: "64Mi" @@ -116,4 +149,10 @@ spec: path: generate_certs.sh mode: 0755 - name: nginx-ssl + emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-run + emptyDir: {} + - name: tmp emptyDir: {} \ No newline at end of file From dd88577943d4a7bacbc5f3358b5fe69227e83077 Mon Sep 17 00:00:00 2001 From: Sowmya Ramanchandran Date: Thu, 20 Nov 2025 18:21:01 +0530 Subject: [PATCH 3/6] fix for loitering. --- .../helm-chart/templates/coturn.yaml | 16 ++ .../helm-chart/templates/mediamtx.yaml | 26 +++ .../templates/nginx-reverse-proxy.yaml | 197 ++++++++++-------- 3 files changed, 147 insertions(+), 92 deletions(-) 
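Review bot: The `generate-certs` init container now runs as uid 101 with `readOnlyRootFilesystem: true` and no capabilities, yet the `generate_certs.sh` it executes still carries an `apk add --no-cache openssl` fallback that cannot succeed under those constraints (the pre-image is the same blob `486bf6fd3` as the loitering chart whose script is visible in the PATCH 3/6 removal), so that branch should be deleted from the ConfigMap or replaced by a fail-fast `command -v openssl >/dev/null || { echo "openssl missing" >&2; exit 1; }`. The `nginx-reverse-proxy` container in the second hunk binds `config.nginx.int.http_port`/`https_port` as uid 101 with `drop: - ALL`; if those values are below 1024 the bind is refused on runtimes that keep the default `net.ipv4.ip_unprivileged_port_start`, so either document the expected range in values.yaml or add the pod-level sysctl. The key and certificate land in the `nginx-ssl` emptyDir, which `fsGroup: 101` makes writable for the init container, so that part is consistent.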
diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/coturn.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/coturn.yaml index 33e6e6053..e7f5e3b84 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/coturn.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/coturn.yaml @@ -37,6 +37,13 @@ spec: labels: app: coturn spec: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault {{- if and .Values.DOCKER_USERNAME .Values.DOCKER_PASSWORD }} imagePullSecrets: - name: registryauth @@ -45,6 +52,15 @@ spec: containers: - name: coturn image: {{ $.Values.coturn.image }}:{{ $.Values.coturn.imageTag }} + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true args: ["-v"] # Enable verbose logging ports: - containerPort: {{ $.Values.config.coturn.int.coturn_tcp_port }} diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/mediamtx.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/mediamtx.yaml index ffdddadf7..0849b2369 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/mediamtx.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/mediamtx.yaml 
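Review bot: The `coturn` container gets `readOnlyRootFilesystem: true` in the second hunk but this commit adds no writable volume for it, unlike the smart-parking coturn in PATCH 4/6 which mounts emptyDirs at `/tmp` and `/var/tmp`; coturn by default keeps log files and its SQLite user database on the filesystem, so unless the container's arguments already redirect them the process may fail to start. Add the same `volumeMounts`/`volumes` pair here (`- name: tmp` / `mountPath: /tmp`, plus `/var/tmp`) or confirm the configured log and db targets. The visible `args: ["-v"]` enables verbose logging, which makes a writable log destination more, not less, likely to be needed.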
@@ -46,12 +46,28 @@ spec: labels: app: mediamtx spec: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault {{- if and .Values.DOCKER_USERNAME .Values.DOCKER_PASSWORD }} imagePullSecrets: - name: registryauth {{- end }} containers: - name: mediamtx + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true env: - name: http_proxy value: {{ $.Values.env.http_proxy }} @@ -87,4 +103,14 @@ spec: value: "10s" image: {{ $.Values.mediamtx.image }}:{{ $.Values.mediamtx.imageTag }} imagePullPolicy: {{ .Values.imagePullPolicy }} + volumeMounts: + - name: mediamtx-tmp + mountPath: /tmp + - name: mediamtx-recordings + mountPath: /recordings + volumes: + - name: mediamtx-tmp + emptyDir: {} + - name: mediamtx-recordings + emptyDir: {} restartPolicy: Always diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/nginx-reverse-proxy.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/nginx-reverse-proxy.yaml index 486bf6fd3..7957c9676 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/nginx-reverse-proxy.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/nginx-reverse-proxy.yaml 
@@ -1,84 +1,76 @@ -# Copyright (c) 2024 Intel Corporation. -apiVersion: v1 -kind: ConfigMap -metadata: - name: nginx-conf - namespace: {{ .Values.namespace }} -data: - nginx.conf: |- -{{ (.Files.Get "config/nginx/nginx.conf") | indent 4 }} - generate_certs.sh: | - #!/bin/sh - set -e - SSL_DIR="/etc/nginx/ssl" - mkdir -p "$SSL_DIR" - if ! command -v openssl >/dev/null 2>&1; then - echo "Installing openssl..." - apk add --no-cache openssl - fi - if [ ! -f "$SSL_DIR/server.crt" ] || [ ! -f "$SSL_DIR/server.key" ]; then - echo "🔐 Generating self-signed SSL certificate..." - openssl req -x509 -nodes -days 365 \ - -newkey rsa:2048 \ - -keyout "$SSL_DIR/server.key" \ - -out "$SSL_DIR/server.crt" \ - -subj "/C=US/ST=CA/L=San Francisco/O=Intel/OU=Edge AI/CN=localhost" - fi ---- -apiVersion: v1 -kind: Service -metadata: - name: nginx-reverse-proxy - namespace: {{ .Values.namespace }} -spec: - type: NodePort - selector: - app: nginx-reverse-proxy - ports: - - name: http - port: {{ .Values.config.nginx.int.http_port }} - targetPort: {{ .Values.config.nginx.int.http_port }} - nodePort: {{ .Values.config.nginx.ext.http_port }} - - name: https - port: {{ .Values.config.nginx.int.https_port }} - targetPort: {{ .Values.config.nginx.int.https_port }} - nodePort: {{ .Values.config.nginx.ext.https_port }} ---- apiVersion: apps/v1 kind: Deployment metadata: + name: deployment-node-red + namespace: {{ $.Values.namespace }} labels: - app: nginx-reverse-proxy - name: deployment-nginx-reverse-proxy - namespace: {{ .Values.namespace }} + app: node-red spec: replicas: 1 selector: matchLabels: - app: nginx-reverse-proxy + app: node-red template: metadata: labels: - app: nginx-reverse-proxy + app: node-red spec: + securityContext: + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault initContainers: - - name: generate-certs - image: alpine/openssl:3.5.4 - command: + - name: intel-plugin-downloader + image: curlimages/curl:latest + securityContext: + allowPrivilegeEscalation: false + 
runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + command: - /bin/sh - - /scripts/generate_certs.sh + - -c + - | + mkdir -p /tmp/data + mkdir -p /tmp/data/public/videos/ + curl -L https://github.com/open-edge-platform/edge-ai-suites/archive/refs/tags/v1.0.0.zip -o /tmp/main.zip + unzip -q /tmp/main.zip -d /tmp && \ + cp -r /tmp/edge-ai-suites-1.0.0/metro-ai-suite/loitering-detection/node-red/* /tmp/data/ + rm -rf /tmp/main.zip /tmp/edge-ai-suites-1.0.0 + mkdir -p /tmp/data/public/videos + curl -L https://github.com/intel/metro-ai-suite/raw/refs/heads/videos/videos/VIRAT_S_000101.mp4 -o /tmp/data/public/videos/VIRAT_S_000101.mp4 + curl -L https://github.com/intel/metro-ai-suite/raw/refs/heads/videos/videos/VIRAT_S_000102.mp4 -o /tmp/data/public/videos/VIRAT_S_000102.mp4 + curl -L https://github.com/intel/metro-ai-suite/raw/refs/heads/videos/videos/VIRAT_S_000103.mp4 -o /tmp/data/public/videos/VIRAT_S_000103.mp4 + curl -L https://github.com/intel/metro-ai-suite/raw/refs/heads/videos/videos/VIRAT_S_000104.mp4 -o /tmp/data/public/videos/VIRAT_S_000104.mp4 + rm /tmp/data/flows.json + cp -f /tmp/flows.json /tmp/data/flows.json + env: + - name: http_proxy + value: {{ $.Values.env.http_proxy }} + - name: https_proxy + value: {{ $.Values.env.https_proxy }} + - name: no_proxy + value: "{{ $.Values.env.no_proxy }},{{ $.Values.env.HOST_IP }}" volumeMounts: - - name: nginx-ssl - mountPath: /etc/nginx/ssl - - name: nginx-scripts - mountPath: /scripts + - name: node-red-data + mountPath: /tmp/data + - name: node-red-flows-config + mountPath: /tmp/flows.json + subPath: flows.json + - name: tmp + mountPath: /tmp containers: - - name: nginx-reverse-proxy - image: {{ .Values.nginx.image }}:{{ .Values.nginx.imageTag }} - imagePullPolicy: IfNotPresent + - name: node-red + image: {{ $.Values.node_red.image }}:{{ $.Values.node_red.imageTag }} + command: ["/bin/bash", "-c"] + args: ["/data/install_package.sh && 
/usr/src/node-red/entrypoint.sh"] ports: - - containerPort: {{ .Values.config.nginx.int.http_port }} - - containerPort: {{ .Values.config.nginx.int.https_port }} + - containerPort: {{ $.Values.config.node_red.int.web_ui_port }} + name: http env: - name: http_proxy value: {{ $.Values.env.http_proxy }} 
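Review bot: After this hunk the loitering chart has no nginx reverse proxy at all: the `nginx-conf` ConfigMap, the NodePort Service and the proxy Deployment are removed and a node-red Deployment is written into `nginx-reverse-proxy.yaml` instead, which the subject "fix for loitering" does not explain and which drops the chart's HTTP/HTTPS entry point. If the chart also has a `node-red.yaml` like the smart-parking chart in PATCH 4/6, `deployment-node-red`, the `node-red` Service and the `node-red-flows-config` ConfigMap are then rendered twice; this looks like the hardening was pasted into the wrong file, and the nginx resources should be restored with the securityContext applied to them. Independently, the new init container pulls `curlimages/curl:latest` and fetches an archive and four videos with `curl -L` and no integrity check; pinning the image by digest and verifying a recorded sha256 before `unzip` would keep the deployment from silently changing with upstream.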
@@ -86,34 +78,55 @@ spec: value: {{ $.Values.env.https_proxy }} - name: no_proxy value: "{{ $.Values.env.no_proxy }},{{ $.Values.env.HOST_IP }}" - - name: NO_PROXY - value: "{{ $.Values.env.no_proxy }},{{ $.Values.env.HOST_IP }}" + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true volumeMounts: - - name: nginx-conf - mountPath: /etc/nginx/nginx.conf - subPath: nginx.conf - - name: nginx-ssl - mountPath: /etc/nginx/ssl - resources: - requests: - memory: "64Mi" - cpu: "100m" - limits: - memory: "128Mi" - cpu: "200m" + - name: node-red-data + mountPath: /data + - name: node-red-src + mountPath: /usr/src/node-red + - name: tmp + mountPath: /tmp volumes: - - name: nginx-conf - configMap: - name: nginx-conf - items: - - key: nginx.conf - path: nginx.conf - - name: nginx-scripts + - name: node-red-data + emptyDir: {} + - name: node-red-flows-config configMap: - name: nginx-conf - items: - - key: generate_certs.sh - path: generate_certs.sh - mode: 0755 - - name: nginx-ssl - emptyDir: {} \ No newline at end of file + name: node-red-flows-config + - name: node-red-src + emptyDir: {} + - name: tmp + emptyDir: {} +--- +apiVersion: v1 +kind: Service +metadata: + name: node-red + namespace: {{ $.Values.namespace }} + labels: + app: node-red +spec: + type: ClusterIP + ports: + - port: {{ $.Values.config.node_red.int.web_ui_port }} + targetPort: {{ $.Values.config.node_red.int.web_ui_port }} + protocol: TCP + name: http + selector: + app: node-red +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: {{ .Values.namespace }} + name: node-red-flows-config +data: + flows.json: |- +{{ .Files.Get "config/node-red/flows.json" | indent 4 }} From f210bf97ca2b7e3a2102f48168af13776c3b42fd Mon Sep 17 00:00:00 2001 
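Review bot: Mounting the empty `node-red-src` emptyDir at `/usr/src/node-red` hides the image's node-red installation, including the `/usr/src/node-red/entrypoint.sh` that the container's `args` in the previous hunk invoke, and nothing in this commit populates that volume, so the container should exit immediately with a missing-entrypoint error. If the goal is a writable home for npm under `readOnlyRootFilesystem: true`, mount the emptyDir on the specific writable subpath instead (for example `mountPath: /usr/src/node-red/.npm`) and drop the `- name: node-red-src` / `mountPath: /usr/src/node-red` pair. The same mount is added to the smart-parking `node-red.yaml` in PATCH 4/6 and needs the same fix. The Deployment this hunk belongs to starts in the previous hunk.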
From: Sowmya Ramanchandran Date: Thu, 20 Nov 2025 20:06:43 +0530 Subject: [PATCH 4/6] fix for smart parking. --- .../helm-chart/templates/broker.yaml | 22 ++++++++++++ .../helm-chart/templates/coturn.yaml | 24 +++++++++++++ .../helm-chart/templates/mediamtx.yaml | 24 +++++++++++++ .../templates/nginx-reverse-proxy.yaml | 6 ++-- .../helm-chart/templates/node-red.yaml | 34 +++++++++++++++++-- 5 files changed, 105 insertions(+), 5 deletions(-) diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/broker.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/broker.yaml index 26db11b4b..598262fc4 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/broker.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/broker.yaml @@ -15,9 +15,23 @@ spec: labels: app: broker spec: + securityContext: + runAsNonRoot: true + runAsUser: 1883 + runAsGroup: 1883 + fsGroup: 1883 + seccompProfile: + type: RuntimeDefault containers: - name: mqtt image: {{ $.Values.mqtt_broker.image }}:{{ $.Values.mqtt_broker.imageTag }} + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true ports: - containerPort: {{ $.Values.config.mqtt_broker.int.mqtt_port }} name: mqtt @@ -31,10 +45,18 @@ spec: volumeMounts: - name: mosquitto-config-volume mountPath: /mosquitto/config + - name: mosquitto-data + mountPath: /mosquitto/data + - name: mosquitto-log + mountPath: /mosquitto/log volumes: - name: mosquitto-config-volume configMap: name: broker + - name: mosquitto-data + emptyDir: {} + - name: mosquitto-log + emptyDir: {} --- apiVersion: v1 kind: Service diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/coturn.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/coturn.yaml index 33e6e6053..aa469544c 100644 
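Review bot: The `mqtt` container's new securityContext in the broker hunk omits `runAsUser`/`runAsGroup` and relies on the pod-level `1883`, whereas the loitering broker in PATCH 2/6 sets them at both levels; both files start from the same blob (`index 26db11b4b..`), so one convention should be chosen. Adding `runAsUser: 1883` and `runAsGroup: 1883` under the container securityContext here keeps the two charts diffable against each other and makes the policy visible to scanners that inspect container-level fields. The same omission appears in the smart-parking coturn and mediamtx hunks that follow.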
--- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/coturn.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/coturn.yaml @@ -37,6 +37,13 @@ spec: labels: app: coturn spec: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault {{- if and .Values.DOCKER_USERNAME .Values.DOCKER_PASSWORD }} imagePullSecrets: - name: registryauth @@ -45,6 +52,13 @@ spec: containers: - name: coturn image: {{ $.Values.coturn.image }}:{{ $.Values.coturn.imageTag }} + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true args: ["-v"] # Enable verbose logging ports: - containerPort: {{ $.Values.config.coturn.int.coturn_tcp_port }} @@ -59,4 +73,14 @@ spec: value: {{ $.Values.env.https_proxy }} - name: no_proxy value: "{{ $.Values.env.no_proxy }},{{ $.Values.env.HOST_IP }}" + volumeMounts: + - name: tmp + mountPath: /tmp + - name: var-tmp + mountPath: /var/tmp + volumes: + - name: tmp + emptyDir: {} + - name: var-tmp + emptyDir: {} restartPolicy: Always diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/mediamtx.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/mediamtx.yaml index ffdddadf7..bdc3cbcbb 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/mediamtx.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/mediamtx.yaml 
@@ -46,12 +46,26 @@ spec: labels: app: mediamtx spec: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault {{- if and .Values.DOCKER_USERNAME .Values.DOCKER_PASSWORD }} imagePullSecrets: - name: registryauth {{- end }} containers: - name: mediamtx + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true env: - name: http_proxy value: {{ $.Values.env.http_proxy }} @@ -87,4 +101,14 @@ spec: value: "10s" image: {{ $.Values.mediamtx.image }}:{{ $.Values.mediamtx.imageTag }} imagePullPolicy: {{ .Values.imagePullPolicy }} + volumeMounts: + - name: mediamtx-tmp + mountPath: /tmp + - name: mediamtx-recordings + mountPath: /recordings + volumes: + - name: mediamtx-tmp + emptyDir: {} + - name: mediamtx-recordings + emptyDir: {} restartPolicy: Always diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/nginx-reverse-proxy.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/nginx-reverse-proxy.yaml index 8cfce8e99..e1aaca034 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/nginx-reverse-proxy.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/nginx-reverse-proxy.yaml @@ -94,9 +94,6 @@ spec: - name: nginx-reverse-proxy image: {{ .Values.nginx.image }}:{{ .Values.nginx.imageTag }} imagePullPolicy: IfNotPresent - ports: - - containerPort: {{ .Values.config.nginx.int.http_port }} - - containerPort: {{ .Values.config.nginx.int.https_port }} securityContext: allowPrivilegeEscalation: false runAsNonRoot: true @@ -106,6 +103,9 @@ spec: drop: - ALL readOnlyRootFilesystem: true + ports: + - containerPort: {{ .Values.config.nginx.int.http_port }} + - containerPort: {{ .Values.config.nginx.int.https_port }} env: - name: http_proxy value: {{ $.Values.env.http_proxy }} 
diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/node-red.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/node-red.yaml index 24e7aae47..d034fa095 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/node-red.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-parking/helm-chart/templates/node-red.yaml @@ -15,9 +15,22 @@ spec: labels: app: node-red spec: + securityContext: + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault initContainers: - name: intel-plugin-downloader image: curlimages/curl:latest + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true command: - /bin/sh - -c @@ -48,6 +61,8 @@ spec: - name: node-red-flows-config mountPath: /tmp/flows.json subPath: flows.json + - name: tmp + mountPath: /tmp containers: - name: node-red image: {{ $.Values.node_red.image }}:{{ $.Values.node_red.imageTag }} @@ -64,16 +79,31 @@ spec: - name: no_proxy value: "{{ $.Values.env.no_proxy }},{{ $.Values.env.HOST_IP }}" securityContext: - runAsUser: 0 # root user + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true volumeMounts: - name: node-red-data mountPath: /data + - name: node-red-src + mountPath: /usr/src/node-red + - name: tmp + mountPath: /tmp volumes: - name: node-red-data emptyDir: {} - name: node-red-flows-config configMap: - name: node-red-flows-config + name: node-red-flows-config + - name: node-red-src + emptyDir: {} + - name: tmp + emptyDir: {} --- apiVersion: v1 kind: Service From 9a2139e3b0c89662061934dc1d26cb40254dc0d0 Mon Sep 17 00:00:00 2001 
From: Sowmya Ramanchandran Date: Mon, 24 Nov 2025 18:03:42 +0530 Subject: [PATCH 5/6] reverting SI changes. --- .../deployment.yaml | 3 -- .../chart/templates/grafana/deployment.yaml | 4 --- .../chart/templates/influxdb/deployment.yaml | 4 --- .../templates/nginx/nginx-reverse-proxy.yaml | 28 ------------------- .../chart/templates/nodered/deployment.yaml | 6 +--- .../chart/templates/ntpserver/deployment.yaml | 4 --- .../chart/templates/pgserver/deployment.yaml | 4 --- .../chart/templates/scene/deployment.yaml | 4 --- .../chart/templates/web/deployment.yaml | 4 --- 9 files changed, 1 insertion(+), 60 deletions(-) diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/dlstreamer-pipeline-server/deployment.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/dlstreamer-pipeline-server/deployment.yaml index edbfdf459..c896e9a29 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/dlstreamer-pipeline-server/deployment.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/dlstreamer-pipeline-server/deployment.yaml @@ -16,9 +16,6 @@ spec: spec: securityContext: supplementalGroups: [109,110,992] - fsGroup: 1000 - seccompProfile: - type: RuntimeDefault volumes: - name: dev hostPath: diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/grafana/deployment.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/grafana/deployment.yaml index 9e8b29aab..f2f3a5506 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/grafana/deployment.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/grafana/deployment.yaml 
@@ -17,10 +17,6 @@ spec: annotations: checksum/secrets: {{ include (print $.Template.BasePath "/app-secrets.yaml") . | sha256sum }} spec: - securityContext: - fsGroup: 472 - seccompProfile: - type: RuntimeDefault containers: - name: grafana image: "{{ .Values.grafana.repository }}:{{ .Values.grafana.tag }}" diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/influxdb/deployment.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/influxdb/deployment.yaml index 655ca73b1..b452dc8ae 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/influxdb/deployment.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/influxdb/deployment.yaml @@ -15,10 +15,6 @@ spec: labels: app: {{ .Release.Name }}-influxdb spec: - securityContext: - fsGroup: 1000 - seccompProfile: - type: RuntimeDefault containers: - name: influxdb image: "{{ .Values.influxdb.repository }}:{{ .Values.influxdb.tag }}" diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/nginx/nginx-reverse-proxy.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/nginx/nginx-reverse-proxy.yaml index 987ad7e98..1e2729199 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/nginx/nginx-reverse-proxy.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/nginx/nginx-reverse-proxy.yaml 
@@ -192,28 +192,12 @@ spec: labels: app: nginx-reverse-proxy spec: - securityContext: - runAsNonRoot: true - runAsUser: 101 - runAsGroup: 101 - fsGroup: 101 - seccompProfile: - type: RuntimeDefault containers: - name: nginx image: nginx:alpine ports: - containerPort: 80 - containerPort: 443 - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 101 - runAsGroup: 101 - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true env: - name: http_proxy value: {{ .Values.http_proxy }} @@ -228,12 +212,6 @@ spec: - name: nginx-tls mountPath: /etc/nginx/ssl readOnly: true - - name: nginx-cache - mountPath: /var/cache/nginx - - name: nginx-run - mountPath: /var/run - - name: nginx-tmp - mountPath: /tmp volumes: - name: nginx-config configMap: @@ -241,12 +219,6 @@ spec: - name: nginx-tls secret: secretName: nginx-reverse-proxy-tls - - name: nginx-cache - emptyDir: {} - - name: nginx-run - emptyDir: {} - - name: nginx-tmp - emptyDir: {} --- apiVersion: v1 diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/nodered/deployment.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/nodered/deployment.yaml index 6887c06e1..d79cc567a 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/nodered/deployment.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/nodered/deployment.yaml @@ -14,12 +14,8 @@ spec: labels: app: {{ .Release.Name }}-nodered annotations: - checksum/secrets: {{ include (print $.Template.BasePath \"/app-secrets.yaml\") . | sha256sum }} + checksum/secrets: {{ include (print $.Template.BasePath "/app-secrets.yaml") . | sha256sum }} spec: - securityContext: - fsGroup: 1000 - seccompProfile: - type: RuntimeDefault volumes: - name: nodered-config configMap: 
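Review bot: The `checksum/secrets` annotation fix is correct (the `\"` escapes are not valid Go-template syntax and would most likely have broken rendering), but the same hunk also drops the pod `securityContext` carrying `seccompProfile: type: RuntimeDefault` and `fsGroup: 1000`, and the commit message gives no reason for that part. The two changes are independent: if the revert is only meant to unbreak the template, keep `securityContext:` / `seccompProfile:` / `type: RuntimeDefault` on the nodered pod spec so the workload retains the runtime's default syscall filter, which is what the earlier Trivy fix in this series was adding. If the profile had to go because it broke the container at runtime, that is worth stating in the commit message so it is not re-added blindly later; I cannot tell from the diff which it is. The container list of this pod spec lies outside the hunk.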
diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/ntpserver/deployment.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/ntpserver/deployment.yaml index 3b4130f51..885027a6a 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/ntpserver/deployment.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/ntpserver/deployment.yaml @@ -14,10 +14,6 @@ spec: labels: app: {{ .Release.Name }}-ntpserver spec: - securityContext: - fsGroup: 1000 - seccompProfile: - type: RuntimeDefault shareProcessNamespace: true containers: - envFrom: diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/pgserver/deployment.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/pgserver/deployment.yaml index 08a283918..fddb08e51 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/pgserver/deployment.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/pgserver/deployment.yaml @@ -17,10 +17,6 @@ spec: annotations: checksum/secrets: {{ include (print $.Template.BasePath "/app-secrets.yaml") . | sha256sum }} spec: - securityContext: - fsGroup: 1000 - seccompProfile: - type: RuntimeDefault initContainers: - name: init-smart-intersection-ri image: "{{ .Values.images.alpine.repository }}:{{ .Values.images.alpine.tag }}" diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/scene/deployment.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/scene/deployment.yaml index 50fb1baac..38b9cc961 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/scene/deployment.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/scene/deployment.yaml 
@@ -17,10 +17,6 @@ spec: annotations: checksum/secrets: {{ include (print $.Template.BasePath "/app-secrets.yaml") . | sha256sum }} spec: - securityContext: - fsGroup: 1000 - seccompProfile: - type: RuntimeDefault initContainers: - name: wait-for-db-ready image: "{{ .Values.images.curl.repository }}:{{ .Values.images.curl.tag }}" diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/web/deployment.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/web/deployment.yaml index 98afb695f..78d4e4645 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/web/deployment.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/smart-intersection/chart/templates/web/deployment.yaml @@ -17,10 +17,6 @@ spec: annotations: checksum/secrets: {{ include (print $.Template.BasePath "/app-secrets.yaml") . | sha256sum }} spec: - securityContext: - fsGroup: 1000 - seccompProfile: - type: RuntimeDefault # initContainers: # - name: init-smart-intersection-ri-web # image: busybox From 2e10fcf3f2d8e3dbc3855d827078ef4df803602d Mon Sep 17 00:00:00 2001 From: Sowmya Ramanchandran Date: Tue, 25 Nov 2025 20:44:13 +0530 Subject: [PATCH 6/6] reverting loitering nginx changes. --- .../templates/nginx-reverse-proxy.yaml | 197 ++++++++---------- 1 file changed, 92 insertions(+), 105 deletions(-) diff --git a/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/nginx-reverse-proxy.yaml b/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/nginx-reverse-proxy.yaml index 7957c9676..486bf6fd3 100644 --- a/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/nginx-reverse-proxy.yaml +++ b/metro-ai-suite/metro-vision-ai-app-recipe/loitering-detection/helm-chart/templates/nginx-reverse-proxy.yaml 
@@ -1,76 +1,84 @@ +# Copyright (c) 2024 Intel Corporation. +apiVersion: v1 +kind: ConfigMap +metadata: + name: nginx-conf + namespace: {{ .Values.namespace }} +data: + nginx.conf: |- +{{ (.Files.Get "config/nginx/nginx.conf") | indent 4 }} + generate_certs.sh: | + #!/bin/sh + set -e + SSL_DIR="/etc/nginx/ssl" + mkdir -p "$SSL_DIR" + if ! command -v openssl >/dev/null 2>&1; then + echo "Installing openssl..." + apk add --no-cache openssl + fi + if [ ! -f "$SSL_DIR/server.crt" ] || [ ! -f "$SSL_DIR/server.key" ]; then + echo "🔐 Generating self-signed SSL certificate..." + openssl req -x509 -nodes -days 365 \ + -newkey rsa:2048 \ + -keyout "$SSL_DIR/server.key" \ + -out "$SSL_DIR/server.crt" \ + -subj "/C=US/ST=CA/L=San Francisco/O=Intel/OU=Edge AI/CN=localhost" + fi +--- +apiVersion: v1 +kind: Service +metadata: + name: nginx-reverse-proxy + namespace: {{ .Values.namespace }} +spec: + type: NodePort + selector: + app: nginx-reverse-proxy + ports: + - name: http + port: {{ .Values.config.nginx.int.http_port }} + targetPort: {{ .Values.config.nginx.int.http_port }} + nodePort: {{ .Values.config.nginx.ext.http_port }} + - name: https + port: {{ .Values.config.nginx.int.https_port }} + targetPort: {{ .Values.config.nginx.int.https_port }} + nodePort: {{ .Values.config.nginx.ext.https_port }} +--- apiVersion: apps/v1 kind: Deployment metadata: - name: deployment-node-red - namespace: {{ $.Values.namespace }} labels: - app: node-red + app: nginx-reverse-proxy + name: deployment-nginx-reverse-proxy + namespace: {{ .Values.namespace }} spec: replicas: 1 selector: matchLabels: - app: node-red + app: nginx-reverse-proxy template: metadata: labels: - app: node-red + app: nginx-reverse-proxy spec: - securityContext: - fsGroup: 1000 - seccompProfile: - type: RuntimeDefault initContainers: - - name: intel-plugin-downloader - image: curlimages/curl:latest - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 - capabilities: - 
drop: - - ALL - readOnlyRootFilesystem: true - command: + - name: generate-certs + image: alpine/openssl:3.5.4 + command: - /bin/sh - - -c - - | - mkdir -p /tmp/data - mkdir -p /tmp/data/public/videos/ - curl -L https://github.com/open-edge-platform/edge-ai-suites/archive/refs/tags/v1.0.0.zip -o /tmp/main.zip - unzip -q /tmp/main.zip -d /tmp && \ - cp -r /tmp/edge-ai-suites-1.0.0/metro-ai-suite/loitering-detection/node-red/* /tmp/data/ - rm -rf /tmp/main.zip /tmp/edge-ai-suites-1.0.0 - mkdir -p /tmp/data/public/videos - curl -L https://github.com/intel/metro-ai-suite/raw/refs/heads/videos/videos/VIRAT_S_000101.mp4 -o /tmp/data/public/videos/VIRAT_S_000101.mp4 - curl -L https://github.com/intel/metro-ai-suite/raw/refs/heads/videos/videos/VIRAT_S_000102.mp4 -o /tmp/data/public/videos/VIRAT_S_000102.mp4 - curl -L https://github.com/intel/metro-ai-suite/raw/refs/heads/videos/videos/VIRAT_S_000103.mp4 -o /tmp/data/public/videos/VIRAT_S_000103.mp4 - curl -L https://github.com/intel/metro-ai-suite/raw/refs/heads/videos/videos/VIRAT_S_000104.mp4 -o /tmp/data/public/videos/VIRAT_S_000104.mp4 - rm /tmp/data/flows.json - cp -f /tmp/flows.json /tmp/data/flows.json - env: - - name: http_proxy - value: {{ $.Values.env.http_proxy }} - - name: https_proxy - value: {{ $.Values.env.https_proxy }} - - name: no_proxy - value: "{{ $.Values.env.no_proxy }},{{ $.Values.env.HOST_IP }}" + - /scripts/generate_certs.sh volumeMounts: - - name: node-red-data - mountPath: /tmp/data - - name: node-red-flows-config - mountPath: /tmp/flows.json - subPath: flows.json - - name: tmp - mountPath: /tmp + - name: nginx-ssl + mountPath: /etc/nginx/ssl + - name: nginx-scripts + mountPath: /scripts containers: - - name: node-red - image: {{ $.Values.node_red.image }}:{{ $.Values.node_red.imageTag }} - command: ["/bin/bash", "-c"] - args: ["/data/install_package.sh && /usr/src/node-red/entrypoint.sh"] + - name: nginx-reverse-proxy + image: {{ .Values.nginx.image }}:{{ .Values.nginx.imageTag }} + 
imagePullPolicy: IfNotPresent ports: - - containerPort: {{ $.Values.config.node_red.int.web_ui_port }} - name: http + - containerPort: {{ .Values.config.nginx.int.http_port }} + - containerPort: {{ .Values.config.nginx.int.https_port }} env: - name: http_proxy value: {{ $.Values.env.http_proxy }} 
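Review bot: The restored nginx Deployment has no `securityContext` on the pod or on either container, even though the Service in the same hunk is `NodePort`-exposed and the stated purpose of this series is clearing Trivy config findings; none of the hardening applied to the smart-intersection proxy earlier in the series appears here. The uid and capability choices depend on things not visible in the hunk (whether `.Values.nginx.image` is the stock root-running nginx, and whether the templated `int.http_port`/`int.https_port` are below 1024), so the fence below only adds the image-independent pieces, `seccompProfile: RuntimeDefault` at pod level and `allowPrivilegeEscalation: false` on both containers; `runAsNonRoot`, `capabilities.drop: [ALL]` and `readOnlyRootFilesystem` would additionally need an unprivileged image variant plus emptyDir mounts for nginx's cache and pid directories. Separately, the `apk add --no-cache openssl` fallback in `generate_certs.sh` should be dead code on `alpine/openssl:3.5.4`, and if it ever ran it would need network access and root at pod start with no proxy env set on the init container, so a hard failure (`echo "openssl missing" >&2; exit 1`) is safer than a silent package install. The generated certificate also carries only `CN=localhost` and no subjectAltName, which current browsers and curl reject; adding `-addext "subjectAltName=DNS:localhost"` to the `openssl req` invocation avoids that.

```yaml
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        - name: generate-certs
          image: alpine/openssl:3.5.4
          securityContext:
            allowPrivilegeEscalation: false
          # … unchanged: command and volumeMounts …
      containers:
        - name: nginx-reverse-proxy
          image: {{ .Values.nginx.image }}:{{ .Values.nginx.imageTag }}
          securityContext:
            allowPrivilegeEscalation: false
          # … unchanged: imagePullPolicy, ports, env …
```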
@@ -78,55 +86,34 @@ spec: value: {{ $.Values.env.https_proxy }} - name: no_proxy value: "{{ $.Values.env.no_proxy }},{{ $.Values.env.HOST_IP }}" - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 1000 - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true + - name: NO_PROXY + value: "{{ $.Values.env.no_proxy }},{{ $.Values.env.HOST_IP }}" volumeMounts: - - name: node-red-data - mountPath: /data - - name: node-red-src - mountPath: /usr/src/node-red - - name: tmp - mountPath: /tmp + - name: nginx-conf + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + - name: nginx-ssl + mountPath: /etc/nginx/ssl + resources: + requests: + memory: "64Mi" + cpu: "100m" + limits: + memory: "128Mi" + cpu: "200m" volumes: - - name: node-red-data - emptyDir: {} - - name: node-red-flows-config + - name: nginx-conf configMap: - name: node-red-flows-config - - name: node-red-src - emptyDir: {} - - name: tmp - emptyDir: {} ---- -apiVersion: v1 -kind: Service -metadata: - name: node-red - namespace: {{ $.Values.namespace }} - labels: - app: node-red -spec: - type: ClusterIP - ports: - - port: {{ $.Values.config.node_red.int.web_ui_port }} - targetPort: {{ $.Values.config.node_red.int.web_ui_port }} - protocol: TCP - name: http - selector: - app: node-red ---- -apiVersion: v1 -kind: ConfigMap -metadata: - namespace: {{ .Values.namespace }} - name: node-red-flows-config -data: - flows.json: |- -{{ .Files.Get "config/node-red/flows.json" | indent 4 }} + name: nginx-conf + items: + - key: nginx.conf + path: nginx.conf + - name: nginx-scripts + configMap: + name: nginx-conf + items: + - key: generate_certs.sh + path: generate_certs.sh + mode: 0755 + - name: nginx-ssl + emptyDir: {} \ No newline at end of file
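Review bot: The `nginx-ssl` volumeMount on the `nginx-reverse-proxy` container is writable, although nginx only needs to read the key and certificate that the `generate-certs` init container wrote there; add `readOnly: true` under `mountPath: /etc/nginx/ssl` so a compromised proxy process cannot replace the served key or certificate. Since that emptyDir holds a private key, `emptyDir: { medium: Memory }` for `nginx-ssl` would also keep it off the node's disk, at the cost of losing it on pod restart, which the init container already regenerates. The file is also committed without a trailing newline (`\ No newline at end of file`); add one. The `nginx-scripts` ConfigMap volume with `mode: 0755` is fine as written since the script is only read by the init container, whose definition lies outside this hunk.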