chrome-service: in-cluster headed Chromium pool for f1-stream verifier

The f1-stream verifier's in-process headless Chromium kept tripping hmembeds' disable-devtool.js Performance detector (CDP latency on console.log vs console.table) and getting redirected to google.com. This adds a single-replica chrome-service stack running Playwright launch-server under Xvfb so callers can connect via WS+token to a shared headed browser. f1-stream's _ensure_browser now prefers chromium.connect(CHROME_WS_URL/CHROME_WS_TOKEN) and adds a vendored stealth init script (webdriver/plugins/languages/Permissions/WebGL spoofs + querySelector hijack to disarm disable-devtool-auto) on every new context. Falls back to in-process headless if the env vars aren't set. Encrypted PVC for profile + npm cache, NetworkPolicy to TCP/3000 gated by client-namespace label, 6h tar.gz backup CronJob to NFS, Authentik-gated nginx sidecar at chrome.viktorbarzin.me for human liveness checks. Image pinned to playwright:v1.48.0-noble in lockstep with the Python client's playwright==1.48.0. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 10:43:40 +00:00 · 2026-05-07 10:43:40 +00:00 · f18cd1d314
commit f18cd1d314
parent 41655096c7
9 changed files with 901 additions and 14 deletions
--- a/stacks/f1-stream/main.tf
+++ b/stacks/f1-stream/main.tf
@ -11,7 +11,8 @@ resource "kubernetes_namespace" "f1-stream" {
    name = "f1-stream"
    labels = {
      "istio-injection" : "disabled"
-      tier = local.tiers.aux
+      tier                                    = local.tiers.aux
+      "chrome-service.viktorbarzin.me/client" = "true"
    }
  }
  lifecycle {
@ -47,6 +48,35 @@ resource "kubernetes_manifest" "external_secret" {
  depends_on = [kubernetes_namespace.f1-stream]
 }

+# Pull the chrome-service bearer token into this namespace as a separate
+# Secret so the verifier can reach the in-cluster Playwright pool.
+resource "kubernetes_manifest" "chrome_service_client_secret" {
+  manifest = {
+    apiVersion = "external-secrets.io/v1beta1"
+    kind       = "ExternalSecret"
+    metadata = {
+      name      = "chrome-service-client-secrets"
+      namespace = "f1-stream"
+    }
+    spec = {
+      refreshInterval = "15m"
+      secretStoreRef = {
+        name = "vault-kv"
+        kind = "ClusterSecretStore"
+      }
+      target = {
+        name = "chrome-service-client-secrets"
+      }
+      dataFrom = [{
+        extract = {
+          key = "chrome-service"
+        }
+      }]
+    }
+  }
+  depends_on = [kubernetes_namespace.f1-stream]
+}
+
 resource "kubernetes_persistent_volume_claim" "data_proxmox" {
  wait_until_bound = false
  metadata {
@ -127,6 +157,29 @@ resource "kubernetes_deployment" "f1-stream" {
            name  = "DISCORD_CHANNELS"
            value = var.discord_f1_channel_ids
          }
+          # Verifier connects to in-cluster headed Chromium pool — see
+          # stacks/chrome-service/. Falls back to in-process headless if unset.
+          env {
+            name  = "CHROME_WS_URL"
+            value = "ws://chrome-service.chrome-service.svc.cluster.local:3000"
+          }
+          env {
+            name = "CHROME_WS_TOKEN"
+            value_from {
+              secret_key_ref {
+                name = "chrome-service-client-secrets"
+                key  = "api_bearer_token"
+              }
+            }
+          }
+          # The embed proxy (this pod's /embed?url=…) must be reachable from
+          # the remote chrome-service pod. Default 127.0.0.1 only works for
+          # in-process Chromium — for the remote browser we point it at our
+          # own ClusterIP service.
+          env {
+            name  = "PLAYBACK_VERIFY_PROXY_BASE"
+            value = "http://f1.f1-stream.svc.cluster.local"
+          }
          volume_mount {
            name       = "data"
            mount_path = "/data"