frigate: expose go2rtc on a dedicated MetalLB LB IP (RTSP 8554 + WebRTC 8555)
All checks were successful
ci/woodpecker/push/default Pipeline was successful

HA live video from the cluster Frigate hangs/fails because the only path
to Frigate is the Traefik HTTP(S) ingress (frigate-lan -> 10.0.20.203),
which cannot carry RTSP or WebRTC. The container already listens on
8554+8555 but only RTSP had a Service (NodePort), and WebRTC (8555) was
never exposed. Convert frigate-rtsp to a LoadBalancer on a dedicated MetalLB
IP (.204, ETP=Local, pod pinned to the GPU node) carrying RTSP 8554 +
WebRTC 8555 (TCP+UDP), giving HA Sofia + LAN browsers a stable cross-VLAN
endpoint for native HLS/WebRTC live (parity with the Hikvision NVR).
Companion non-Terraform steps are in the PR body.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
ebarzin 2026-06-30 07:15:22 +00:00
parent 9ea9cae073
commit 469cdd7507


@ -275,26 +275,60 @@ resource "kubernetes_service" "frigate-rtsp" {
labels = {
"app" = "frigate"
}
annotations = {
# Dedicated MetalLB IP for go2rtc L4 traffic (RTSP restream + WebRTC).
# Pool 10.0.20.200-220; .200 shared, .201 Technitium, .202 KMS, .203
# Traefik -> .204 is the first free address (CONFIRM no conflict before
# merge). Gives HA Sofia (192.168.1.8) + LAN browsers a STABLE endpoint
# reachable cross-VLAN, instead of the Traefik HTTP(S) ingress which
# cannot carry RTSP/WebRTC. This is what unblocks native Frigate live in
# HA (today only go2rtc-MSE-over-Traefik works).
"metallb.io/loadBalancerIPs" = "10.0.20.204"
}
}
spec {
type = "NodePort" # Should always live on node1 where the gpu is
# Was NodePort. ETP=Local: the Frigate pod is pinned to the GPU node, so
# MetalLB advertises .204 only from that node -> no SNAT, real client IP
# preserved (same pattern as Traefik .203 / KMS .202).
type = "LoadBalancer"
external_traffic_policy = "Local"
selector = {
app = "frigate"
}
# item 2 - RTSP restream reachable from HA for native HLS. Companion (NOT
# Terraform): in HA -> Frigate integration set
# rtsp_url_template = rtsp://10.0.20.204:8554/{{ name }}
port {
name = "rtsp-tcp"
target_port = 8554
port = 8554
protocol = "TCP"
node_port = 30554
}
port {
name = "rtsp-udp"
target_port = 8554
port = 8554
protocol = "UDP"
node_port = 30554
}
# item 1 - go2rtc WebRTC. Container already listens on 8555 TCP+UDP but no
# Service exposed it, so WebRTC live in HA could never connect. Companion
# (NOT Terraform; lives in config.yml on the frigate-config PVC):
# go2rtc:
# webrtc:
# candidates:
# - 10.0.20.204:8555
port {
name = "webrtc-tcp"
target_port = 8555
port = 8555
protocol = "TCP"
}
port {
name = "webrtc-udp"
target_port = 8555
port = 8555
protocol = "UDP"
}
}
}
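Review bot: the two `node_port = 30554` lines on the rtsp-tcp and rtsp-udp ports survive the NodePort-to-LoadBalancer switch, so 30554 stays open on every node even though the commit message presents the MetalLB IP as the replacement path; with `external_traffic_policy = "Local"`, that NodePort silently drops traffic on any node that is not running the pinned Frigate pod. Either remove the two `node_port` lines (and, if the NodePort path is no longer wanted at all, set `allocate_load_balancer_node_ports = false` in the spec), or keep them and say in the comment that 30554 is retained on purpose. Three smaller points on the same hunk: (1) a LoadBalancer Service that mixes TCP and UDP ports (rtsp-tcp/rtsp-udp, webrtc-tcp/webrtc-udp) relies on the MixedProtocolLBService feature, GA in Kubernetes 1.26; on an older API server the change is rejected at apply time, so note the minimum version next to `type = "LoadBalancer"`. (2) The annotation comment still carries "CONFIRM no conflict before merge" for `10.0.20.204`; that check belongs to the MetalLB IPAddressPool definition rather than a comment that ships merged, so resolve it and drop the TODO wording. (3) Nothing in the spec limits who can reach RTSP 8554 / WebRTC 8555 on .204, while the comments state the address is deliberately reachable cross-VLAN from HA Sofia (192.168.1.8) and LAN browsers; if those are the only intended clients, add `load_balancer_source_ranges` with the HA host and LAN prefix (or document that the VLAN firewall enforces it), since go2rtc's restream endpoints are otherwise open to any host that can route to the IP. The "Was NodePort." sentence in the new comment restates what the diff already records and can go.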