From 469cdd7507012ba3dd15422a92a9e619c17d04da Mon Sep 17 00:00:00 2001
From: ebarzin
Date: Tue, 30 Jun 2026 07:15:22 +0000
Subject: [PATCH] frigate: expose go2rtc on a dedicated MetalLB LB IP (RTSP 8554 + WebRTC 8555)

HA live video from the cluster Frigate hangs/fails because the only path to Frigate is the Traefik HTTP(S) ingress (frigate-lan -> 10.0.20.203), which cannot carry RTSP or WebRTC. The container already listens on 8554+8555 but only RTSP had a Service (NodePort), and WebRTC (8555) was never exposed.

Convert frigate-rtsp to a LoadBalancer on a dedicated MetalLB IP (.204, ETP=Local, pod pinned to the GPU node) carrying RTSP 8554 + WebRTC 8555 (TCP+UDP), giving HA Sofia + LAN browsers a stable cross-VLAN endpoint for native HLS/WebRTC live (parity with the Hikvision NVR).

Companion non-Terraform steps are in the PR body.

Co-Authored-By: Claude Opus 4.8
---
 stacks/frigate/main.tf | 40 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 37 insertions(+), 3 deletions(-)

diff --git a/stacks/frigate/main.tf b/stacks/frigate/main.tf
index aa4846e0..c3fd9167 100644
--- a/stacks/frigate/main.tf
+++ b/stacks/frigate/main.tf
@@ -275,26 +275,60 @@ resource "kubernetes_service" "frigate-rtsp" { labels = { "app" = "frigate" } + annotations = { + # Dedicated MetalLB IP for go2rtc L4 traffic (RTSP restream + WebRTC). + # Pool 10.0.20.200-220; .200 shared, .201 Technitium, .202 KMS, .203 + # Traefik -> .204 is the first free address (CONFIRM no conflict before + # merge). Gives HA Sofia (192.168.1.8) + LAN browsers a STABLE endpoint + # reachable cross-VLAN, instead of the Traefik HTTP(S) ingress which + # cannot carry RTSP/WebRTC. This is what unblocks native Frigate live in + # HA (today only go2rtc-MSE-over-Traefik works). + "metallb.io/loadBalancerIPs" = "10.0.20.204" + } } spec { - type = "NodePort" # Should always live on node1 where the gpu is + # Was NodePort. ETP=Local: the Frigate pod is pinned to the GPU node, so + # MetalLB advertises .204 only from that node -> no SNAT, real client IP + # preserved (same pattern as Traefik .203 / KMS .202). + type = "LoadBalancer" + external_traffic_policy = "Local" selector = { app = "frigate" } + # item 2 - RTSP restream reachable from HA for native HLS. Companion (NOT + # Terraform): in HA -> Frigate integration set + # rtsp_url_template = rtsp://10.0.20.204:8554/{{ name }} port { name = "rtsp-tcp" target_port = 8554 port = 8554 protocol = "TCP" - node_port = 30554 } port { name = "rtsp-udp" target_port = 8554 port = 8554 protocol = "UDP" - node_port = 30554 + } + # item 1 - go2rtc WebRTC. Container already listens on 8555 TCP+UDP but no + # Service exposed it, so WebRTC live in HA could never connect. Companion + # (NOT Terraform; lives in config.yml on the frigate-config PVC): + # go2rtc: + # webrtc: + # candidates: + # - 10.0.20.204:8555 + port { + name = "webrtc-tcp" + target_port = 8555 + port = 8555 + protocol = "TCP" + } + port { + name = "webrtc-udp" + target_port = 8555 + port = 8555 + protocol = "UDP" } } }
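Review bot: The new LoadBalancer Service on 10.0.20.204 accepts RTSP 8554 and WebRTC 8555 from any source, and the comments themselves say the point is cross-VLAN reachability; unless go2rtc's RTSP listener has credentials configured (not visible here), that is an unauthenticated restream of every camera reachable from any VLAN routed to 10.0.20.0/24. Since ETP=Local already preserves the real client IP, the Service can carry an allow-list in the same `spec` block, e.g. `load_balancer_source_ranges = ["192.168.1.8/32", "<LAN browser subnet>/24"]` (enforcement is by kube-proxy, so confirm it applies in this cluster's proxy mode). The `(CONFIRM no conflict before merge)` note in the annotation comment should be resolved before this lands rather than shipped as code: MetalLB only detects collisions with other Services in the pool, not with a host outside the cluster already using .204. Dropping `node_port = 30554` also retires the old `<node>:30554` endpoint, so any consumer still pointing at it (the HA integration before `rtsp_url_template` is updated) will break on apply; worth stating in the PR body's companion steps.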