Update Helm release ollama to v1.23.0

Makefile

@@ -3,7 +3,7 @@ install-router:
 
 gen-talos-config:
 	mkdir -p talos/generated
-	talosctl gen config --with-secrets secrets.yaml --config-patch @talos/patches/controlplane.patch --config-patch @talos/patches/openebs.patch --config-patch @talos/patches/openbao.patch --config-patch @talos/patches/anapistula-delrosalae.patch --output-types controlplane -o talos/generated/anapistula-delrosalae.yaml homelab https://kube-api.homelab.lumpiasty.xyz:6443
+	talosctl gen config --with-secrets secrets.yaml --config-patch @talos/patches/controlplane.patch --config-patch @talos/patches/openebs.patch --config-patch @talos/patches/openbao.patch --config-patch @talos/patches/ollama.patch --config-patch @talos/patches/frigate.patch --config-patch @talos/patches/anapistula-delrosalae.patch --output-types controlplane -o talos/generated/anapistula-delrosalae.yaml homelab https://kube-api.homelab.lumpiasty.xyz:6443
 	talosctl gen config --with-secrets secrets.yaml --config-patch @talos/patches/controlplane.patch --output-types worker -o talos/generated/worker.yaml homelab https://kube-api.homelab.lumpiasty.xyz:6443
 	talosctl gen config --with-secrets secrets.yaml --output-types talosconfig -o talos/generated/talosconfig homelab https://kube-api.homelab.lumpiasty.xyz:6443
 	talosctl config endpoint kube-api.homelab.lumpiasty.xyz

apps/frigate/kustomization.yaml

@@ -2,4 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - namespace.yaml
+  - secret.yaml
   - release.yaml
+  - webrtc-svc.yaml

apps/frigate/release.yaml

@@ -27,22 +27,111 @@ spec:
     config: |
       mqtt:
         enabled: False
+
+      tls:
+        enabled: False
+
+      auth:
+        enabled: True
+        cookie_secure: True
+
+      record:
+        enabled: True
+        retain:
+          days: 90
+          mode: motion
+
       cameras:
-        dummy_camera:
-          enabled: False
+        dom:
+          enabled: True
           ffmpeg:
             inputs:
-              - path: rtsp://127.0.0.1:554/rtsp
+              - path: rtsp://127.0.0.1:8554/dom
                 roles:
+                  - audio
                   - detect
+                  - record
+            output_args:
+              record: preset-record-generic-audio-copy
+        garaz:
+          enabled: True
+          ffmpeg:
+            inputs:
+              - path: rtsp://127.0.0.1:8554/garaz
+                roles:
+                  - audio
+                  - detect
+                  - record
+            output_args:
+              record: preset-record-generic-audio-copy
+
+      ffmpeg:
+        hwaccel_args: preset-vaapi
+
+      detectors:
+        ov_0:
+          type: openvino
+          device: CPU
+      model:
+        width: 300
+        height: 300
+        input_tensor: nhwc
+        input_pixel_format: bgr
+        path: /openvino-model/ssdlite_mobilenet_v2.xml
+        labelmap_path: /openvino-model/coco_91cl_bkgr.txt
+
+      go2rtc:
+        streams:
+          dom:
+            - rtsp://{FRIGATE_RTSP_DOM_USER}:{FRIGATE_RTSP_DOM_PASSWORD_URLENCODED}@192.168.3.10:554/Streaming/Channels/101
+          garaz:
+            - rtsp://{FRIGATE_RTSP_GARAZ_USER}:{FRIGATE_RTSP_GARAZ_PASSWORD_URLENCODED}@192.168.3.11:554/Streaming/Channels/101
+        webrtc:
+          candidates:
+            - frigate-rtc.lumpiasty.xyz:8555
     persistence:
       media:
         enabled: true
-        size: 100Gi
+        size: 500Gi
         storageClass: mayastor-single-hdd
         skipuninstall: true
       config:
         enabled: true
-        size: 100Mi
+        size: 1Gi
         storageClass: mayastor-single-hdd
         skipuninstall: true
+    envFromSecrets:
+      - frigate-camera-rtsp
+
+    ingress:
+      enabled: true
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt
+        nginx.org/websocket-services: frigate
+      hosts:
+        - host: frigate.lumpiasty.xyz
+          paths:
+            - path: /
+              portName: http-auth
+      tls:
+        - hosts:
+            - frigate.lumpiasty.xyz
+          secretName: frigate-ingress
+
+    nodeSelector:
+      kubernetes.io/hostname: anapistula-delrosalae
+
+    # GPU access
+    extraVolumes:
+      - name: dri
+        hostPath:
+          path: /dev/dri/renderD128
+          type: CharDevice
+
+    extraVolumeMounts:
+      - name: dri
+        mountPath: /dev/dri/renderD128
+
+    securityContext:
+      # Not ideal
+      privileged: true

apps/frigate/secret.yaml

@@ -0,0 +1,43 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: camera
+  namespace: frigate
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: camera
+  namespace: frigate
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: frigate-camera
+    serviceAccount: camera
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: frigate-camera-rtsp
+  namespace: frigate
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: cameras
+
+  destination:
+    create: true
+    name: frigate-camera-rtsp
+    type: Opaque
+    transformation:
+      excludeRaw: true
+      templates:
+        FRIGATE_RTSP_DOM_PASSWORD_URLENCODED:
+          text: '{{ urlquery (get .Secrets "FRIGATE_RTSP_DOM_PASSWORD") }}'
+        FRIGATE_RTSP_GARAZ_PASSWORD_URLENCODED:
+          text: '{{ urlquery (get .Secrets "FRIGATE_RTSP_GARAZ_PASSWORD") }}'
+
+  vaultAuthRef: camera

apps/frigate/webrtc-svc.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: go2rtc
+  namespace: frigate
+spec:
+  type: LoadBalancer
+  selector:
+    app.kubernetes.io/instance: frigate
+    app.kubernetes.io/name: frigate
+  ipFamilyPolicy: RequireDualStack
+  ports:
+    - name: webrtc-tcp
+      protocol: TCP
+      port: 8555
+      targetPort: webrtc-tcp
+    - name: webrtc-udp
+      protocol: UDP
+      port: 8555
+      targetPort: webrtc-udp

apps/ollama/release.yaml

@@ -18,7 +18,7 @@ spec:
   chart:
     spec:
       chart: ollama
-      version: 1.22.0
+      version: 1.23.0
       sourceRef:
         kind: HelmRepository
         name: ollama-helm

infra/configs/single-hdd-sc.yaml

@@ -16,3 +16,5 @@ parameters:
   poolAffinityTopologyLabel: |
     type: hdd
 provisioner: io.openebs.csi-mayastor
+# Allow expansion of volumes
+allowVolumeExpansion: true

talos/patches/frigate.patch

@@ -0,0 +1,11 @@
+# CSI driver requirement
+cluster:
+  apiServer:
+    admissionControl:
+      - name: PodSecurity
+        configuration:
+          apiVersion: pod-security.admission.config.k8s.io/v1beta1
+          kind: PodSecurityConfiguration
+          exemptions:
+            namespaces:
+              - frigate

vault/kubernetes-roles/frigate-camera.yaml

@@ -0,0 +1,6 @@
+bound_service_account_names:
+  - camera
+bound_service_account_namespaces:
+  - frigate
+token_policies:
+  - frigate

vault/policy/frigate.hcl

@@ -0,0 +1,4 @@
+
+path "secret/data/cameras" {
+    capabilities = ["read"]
+}