Expand Up @@ -15,6 +15,13 @@ spec:
labels:
app: broker
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1883
runAsGroup: 1883
fsGroup: 1883
seccompProfile:
type: RuntimeDefault
containers:
- name: mqtt
image: {{ $.Values.mqtt_broker.image }}:{{ $.Values.mqtt_broker.imageTag }}
Expand All @@ -28,13 +35,30 @@ spec:
value: {{ $.Values.env.https_proxy }}
- name: no_proxy
value: "{{ $.Values.env.no_proxy }},{{ $.Values.env.HOST_IP }}"
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1883
runAsGroup: 1883
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
volumeMounts:
- name: mosquitto-config-volume
mountPath: /mosquitto/config
- name: mosquitto-data
mountPath: /mosquitto/data
- name: mosquitto-log
mountPath: /mosquitto/log
volumes:
- name: mosquitto-config-volume
configMap:
name: broker
- name: mosquitto-data
emptyDir: {}
- name: mosquitto-log
emptyDir: {}
---
apiVersion: v1
kind: Service
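Review bot: The new `mosquitto-data` volume is an `emptyDir`, so with `readOnlyRootFilesystem: true` the broker's only writable data location is discarded on every pod restart; if the `broker` ConfigMap's mosquitto.conf enables `persistence true`, retained messages and durable subscriptions are silently lost, which deserves either a PVC or an explicit comment. Suggest `# NOTE: data and log are emptyDir (ephemeral); retained messages do not survive pod restarts` above `volumes:`. `runAsNonRoot`/`runAsUser`/`runAsGroup` are set identically at pod level and again on the container — the container copy is redundant since pod-level values apply to every container, though harmless; `allowPrivilegeEscalation`, `capabilities` and `readOnlyRootFilesystem` are container-only and must stay. The Deployment spec opens before the first hunk.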
Expand Up @@ -37,6 +37,13 @@ spec:
labels:
app: coturn
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
{{- if and .Values.DOCKER_USERNAME .Values.DOCKER_PASSWORD }}
imagePullSecrets:
- name: registryauth
Expand All @@ -45,6 +52,15 @@ spec:
containers:
- name: coturn
image: {{ $.Values.coturn.image }}:{{ $.Values.coturn.imageTag }}
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
args: ["-v"] # Enable verbose logging
ports:
- containerPort: {{ $.Values.config.coturn.int.coturn_tcp_port }}
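Review bot: `readOnlyRootFilesystem: true` is added to the coturn container but, unlike the mqtt and mediamtx hunks in this change, no writable volume is mounted for it; turnserver normally writes a pid file and, with the `-v` flag kept on the next line, can also write a log file under its default paths, so the container may fail to start or lose logging once the root filesystem is read-only — worth confirming against the image's `--pidfile`/`--log-file` defaults before merge. If the image does write to disk, emptyDir mounts for those paths are the usual fix, sketched below (the pod-level `volumes:` entry would sit outside this hunk). The `ports:` list continues below the hunk, so it cannot be checked here whether any listener is below 1024, which after `drop: [ALL]` with `runAsUser: 1000` would additionally need `NET_BIND_SERVICE` added back.
```yaml
          securityContext:
            # … unchanged: allowPrivilegeEscalation, runAsNonRoot, runAsUser/Group, capabilities, readOnlyRootFilesystem …
          volumeMounts:
            - name: coturn-run   # pid file location — image-dependent, confirm
              mountPath: /var/run
            - name: coturn-log   # only if the image logs to a file rather than stdout — confirm
              mountPath: /var/log
# … pod-level, outside this hunk: matching emptyDir entries under volumes: …
```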
Expand Up @@ -46,12 +46,28 @@ spec:
labels:
app: mediamtx
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
{{- if and .Values.DOCKER_USERNAME .Values.DOCKER_PASSWORD }}
imagePullSecrets:
- name: registryauth
{{- end }}
containers:
- name: mediamtx
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
env:
- name: http_proxy
value: {{ $.Values.env.http_proxy }}
Expand Down Expand Up @@ -87,4 +103,14 @@ spec:
value: "10s"
image: {{ $.Values.mediamtx.image }}:{{ $.Values.mediamtx.imageTag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
volumeMounts:
- name: mediamtx-tmp
mountPath: /tmp
- name: mediamtx-recordings
mountPath: /recordings
volumes:
- name: mediamtx-tmp
emptyDir: {}
- name: mediamtx-recordings
emptyDir: {}
restartPolicy: Always
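Review bot: `mediamtx-recordings` is declared as `emptyDir: {}` with no `sizeLimit`, so recordings accumulate on the node's ephemeral storage with no bound until the kubelet evicts the pod, and they are deleted together with the pod; if recordings are meant to be kept a PVC is needed, and if they are disposable they should be capped, e.g. `emptyDir:` followed by `  sizeLimit: <RECORDINGS_LIMIT>` (value to be chosen per deployment). The same consideration applies to `mediamtx-tmp`, though /tmp is the smaller risk. The pod spec opens in the first hunk of this section, which is where the container securityContext is added.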
@@ -1,119 +1,132 @@
# Copyright (c) 2024 Intel Corporation.
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-conf
namespace: {{ .Values.namespace }}
data:
nginx.conf: |-
{{ (.Files.Get "config/nginx/nginx.conf") | indent 4 }}
generate_certs.sh: |
#!/bin/sh
set -e
SSL_DIR="/etc/nginx/ssl"
mkdir -p "$SSL_DIR"
if ! command -v openssl >/dev/null 2>&1; then
echo "Installing openssl..."
apk add --no-cache openssl
fi
if [ ! -f "$SSL_DIR/server.crt" ] || [ ! -f "$SSL_DIR/server.key" ]; then
echo "🔐 Generating self-signed SSL certificate..."
openssl req -x509 -nodes -days 365 \
-newkey rsa:2048 \
-keyout "$SSL_DIR/server.key" \
-out "$SSL_DIR/server.crt" \
-subj "/C=US/ST=CA/L=San Francisco/O=Intel/OU=Edge AI/CN=localhost"
fi
---
apiVersion: v1
kind: Service
metadata:
name: nginx-reverse-proxy
namespace: {{ .Values.namespace }}
spec:
type: NodePort
selector:
app: nginx-reverse-proxy
ports:
- name: http
port: {{ .Values.config.nginx.int.http_port }}
targetPort: {{ .Values.config.nginx.int.http_port }}
nodePort: {{ .Values.config.nginx.ext.http_port }}
- name: https
port: {{ .Values.config.nginx.int.https_port }}
targetPort: {{ .Values.config.nginx.int.https_port }}
nodePort: {{ .Values.config.nginx.ext.https_port }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment-node-red
namespace: {{ $.Values.namespace }}
labels:
app: nginx-reverse-proxy
name: deployment-nginx-reverse-proxy
namespace: {{ .Values.namespace }}
app: node-red
spec:
replicas: 1
selector:
matchLabels:
app: nginx-reverse-proxy
app: node-red
template:
metadata:
labels:
app: nginx-reverse-proxy
app: node-red
spec:
securityContext:
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
initContainers:
- name: generate-certs
image: alpine/openssl:3.5.4
command:
- name: intel-plugin-downloader
image: curlimages/curl:latest
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
command:
- /bin/sh
- /scripts/generate_certs.sh
- -c
- |
mkdir -p /tmp/data
mkdir -p /tmp/data/public/videos/
curl -L https://github.com/open-edge-platform/edge-ai-suites/archive/refs/tags/v1.0.0.zip -o /tmp/main.zip
unzip -q /tmp/main.zip -d /tmp && \
cp -r /tmp/edge-ai-suites-1.0.0/metro-ai-suite/loitering-detection/node-red/* /tmp/data/
rm -rf /tmp/main.zip /tmp/edge-ai-suites-1.0.0
mkdir -p /tmp/data/public/videos
curl -L https://github.com/intel/metro-ai-suite/raw/refs/heads/videos/videos/VIRAT_S_000101.mp4 -o /tmp/data/public/videos/VIRAT_S_000101.mp4
curl -L https://github.com/intel/metro-ai-suite/raw/refs/heads/videos/videos/VIRAT_S_000102.mp4 -o /tmp/data/public/videos/VIRAT_S_000102.mp4
curl -L https://github.com/intel/metro-ai-suite/raw/refs/heads/videos/videos/VIRAT_S_000103.mp4 -o /tmp/data/public/videos/VIRAT_S_000103.mp4
curl -L https://github.com/intel/metro-ai-suite/raw/refs/heads/videos/videos/VIRAT_S_000104.mp4 -o /tmp/data/public/videos/VIRAT_S_000104.mp4
rm /tmp/data/flows.json
cp -f /tmp/flows.json /tmp/data/flows.json
env:
- name: http_proxy
value: {{ $.Values.env.http_proxy }}
- name: https_proxy
value: {{ $.Values.env.https_proxy }}
- name: no_proxy
value: "{{ $.Values.env.no_proxy }},{{ $.Values.env.HOST_IP }}"
volumeMounts:
- name: nginx-ssl
mountPath: /etc/nginx/ssl
- name: nginx-scripts
mountPath: /scripts
- name: node-red-data
mountPath: /tmp/data
- name: node-red-flows-config
mountPath: /tmp/flows.json
subPath: flows.json
- name: tmp
mountPath: /tmp
containers:
- name: nginx-reverse-proxy
image: {{ .Values.nginx.image }}:{{ .Values.nginx.imageTag }}
imagePullPolicy: IfNotPresent
- name: node-red
image: {{ $.Values.node_red.image }}:{{ $.Values.node_red.imageTag }}
command: ["/bin/bash", "-c"]
args: ["/data/install_package.sh && /usr/src/node-red/entrypoint.sh"]
ports:
- containerPort: {{ .Values.config.nginx.int.http_port }}
- containerPort: {{ .Values.config.nginx.int.https_port }}
- containerPort: {{ $.Values.config.node_red.int.web_ui_port }}
name: http
env:
- name: http_proxy
value: {{ $.Values.env.http_proxy }}
- name: https_proxy
value: {{ $.Values.env.https_proxy }}
- name: no_proxy
value: "{{ $.Values.env.no_proxy }},{{ $.Values.env.HOST_IP }}"
- name: NO_PROXY
value: "{{ $.Values.env.no_proxy }},{{ $.Values.env.HOST_IP }}"
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
volumeMounts:
- name: nginx-conf
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
- name: nginx-ssl
mountPath: /etc/nginx/ssl
resources:
requests:
memory: "64Mi"
cpu: "100m"
limits:
memory: "128Mi"
cpu: "200m"
- name: node-red-data
mountPath: /data
- name: node-red-src
mountPath: /usr/src/node-red
- name: tmp
mountPath: /tmp
volumes:
- name: nginx-conf
configMap:
name: nginx-conf
items:
- key: nginx.conf
path: nginx.conf
- name: nginx-scripts
- name: node-red-data
emptyDir: {}
- name: node-red-flows-config
configMap:
name: nginx-conf
items:
- key: generate_certs.sh
path: generate_certs.sh
mode: 0755
- name: nginx-ssl
emptyDir: {}
name: node-red-flows-config
- name: node-red-src
emptyDir: {}
- name: tmp
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: node-red
namespace: {{ $.Values.namespace }}
labels:
app: node-red
spec:
type: ClusterIP
ports:
- port: {{ $.Values.config.node_red.int.web_ui_port }}
targetPort: {{ $.Values.config.node_red.int.web_ui_port }}
protocol: TCP
name: http
selector:
app: node-red
---
apiVersion: v1
kind: ConfigMap
metadata:
namespace: {{ .Values.namespace }}
name: node-red-flows-config
data:
flows.json: |-
{{ .Files.Get "config/node-red/flows.json" | indent 4 }}
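Review bot: The nginx container is given `readOnlyRootFilesystem: true` and `runAsUser: 1000` while only `/etc/nginx/nginx.conf` and `/etc/nginx/ssl` are mounted, so a stock nginx image — which creates `/var/cache/nginx/*` temp directories and `/var/run/nginx.pid` at startup — will fail with a read-only filesystem error unless the bundled nginx.conf relocates `pid` and the `*_temp_path` directives; please check the rendered config, and if `.Values.nginx.image` is the stock image, emptyDir mounts for those paths are the usual fix (sketched below). In the same hunk, the `apk add --no-cache openssl` fallback in `generate_certs.sh` cannot succeed under what appears to be the init container's non-root, read-only securityContext, and since `alpine/openssl:3.5.4` ships openssl the branch is dead — better removed or commented as unreachable. This section renders the old node-red manifest and the new nginx manifest interleaved with no side markers, so the above assumes the nginx lines are the new side; if the `intel-plugin-downloader` init container is also retained, note that it pulls `curlimages/curl:latest` and fetches and unzips a GitHub archive at runtime with no digest or checksum verification.
```yaml
          volumeMounts:
            - name: nginx-conf
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
            - name: nginx-ssl
              mountPath: /etc/nginx/ssl
            - name: nginx-cache   # only needed for the stock image — confirm against nginx.conf
              mountPath: /var/cache/nginx
            - name: nginx-run     # pid file; drop if nginx.conf sets pid to a writable path
              mountPath: /var/run
# … unchanged: resources …
      volumes:
        # … unchanged: nginx-conf, nginx-scripts, nginx-ssl …
        - name: nginx-cache
          emptyDir: {}
        - name: nginx-run
          emptyDir: {}
```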
Expand Up @@ -16,6 +16,9 @@ spec:
spec:
securityContext:
supplementalGroups: [109,110,992]
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
volumes:
- name: dev
hostPath:
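Review bot: `fsGroup: 1000` has no effect on the `dev` volume that starts on the last lines of the hunk — Kubernetes does not apply fsGroup ownership changes to `hostPath` volumes — so if this pod's only volumes are hostPath the added line is inert and device access still rests entirely on `supplementalGroups: [109,110,992]`; if other volumes follow below the hunk, a comment naming which one `fsGroup` is for would save the next reader the question. Unlike the mqtt, coturn and mediamtx hunks, no `runAsNonRoot`/`runAsUser` is added here; if the pod must keep its current user for the `/dev` hostPath, say so, e.g. `# NOTE: runAsNonRoot intentionally omitted — <reason>; device access is granted via supplementalGroups`. The three numeric GIDs are host-specific (presumably render/video-style device groups — confirm) and deserve a comment naming them, since they silently break on a host where the groups differ. The `hostPath:` definition and the rest of the pod spec continue below the hunk.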
Expand Up @@ -17,6 +17,10 @@ spec:
annotations:
checksum/secrets: {{ include (print $.Template.BasePath "/app-secrets.yaml") . | sha256sum }}
spec:
securityContext:
fsGroup: 472
seccompProfile:
type: RuntimeDefault
containers:
- name: grafana
image: "{{ .Values.grafana.repository }}:{{ .Values.grafana.tag }}"
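Review bot: Only `fsGroup: 472` and a seccomp profile are added here, with no `runAsNonRoot: true`/`runAsUser: 472` at pod level and no container `securityContext` visible in the hunk, so unlike the mqtt, coturn and mediamtx templates in this change the grafana pod is not prevented from running as root should the image's default user ever change; the influxdb hunk below has the same shape with `fsGroup: 1000`. Adding `runAsNonRoot: true` beside `fsGroup` in both (plus `runAsUser` where the image uid is known — 472 is grafana's conventional uid, which the chosen fsGroup already assumes) would bring them in line with the rest of the PR. If either pod intentionally starts as root (for example an entrypoint that chowns its data directory), a comment saying so is better than silence. The container's securityContext may be set further down, outside the hunk.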
Expand Up @@ -15,6 +15,10 @@ spec:
labels:
app: {{ .Release.Name }}-influxdb
spec:
securityContext:
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: influxdb
image: "{{ .Values.influxdb.repository }}:{{ .Values.influxdb.tag }}"