From 1470cea86234a756504f8194f1a80da035540425 Mon Sep 17 00:00:00 2001
From: jenkins
Date: Thu, 21 May 2026 02:07:17 -0300
Subject: [PATCH] game-stream: deploy Wolf foundation
---
 .../game-stream/kustomization.yaml | 29 +++++
 .../applications/kustomization.yaml | 1 +
 infrastructure/core/coredns-custom.yaml | 2 +
 services/game-stream/certificate.yaml | 13 ++
 services/game-stream/ingress.yaml | 26 ++++
 services/game-stream/kustomization.yaml | 11 ++
 services/game-stream/namespace.yaml | 6 +
 services/game-stream/oauth2-proxy-wolf.yaml | 120 ++++++++++++++++++
 .../game-stream/vault-serviceaccount.yaml | 7 +
 services/game-stream/wolf-service.yaml | 16 +++
 services/game-stream/wolf-statefulset.yaml | 79 ++++++++++++
 services/maintenance/ariadne-deployment.yaml | 22 ++++
 services/maintenance/ariadne-rbac.yaml | 8 ++
 services/openclaw/ollama-deployment.yaml | 1 -
 .../vault/scripts/vault_k8s_auth_configure.sh | 2 +
 15 files changed, 342 insertions(+), 1 deletion(-)
 create mode 100644 clusters/atlas/flux-system/applications/game-stream/kustomization.yaml
 create mode 100644 services/game-stream/certificate.yaml
 create mode 100644 services/game-stream/ingress.yaml
 create mode 100644 services/game-stream/kustomization.yaml
 create mode 100644 services/game-stream/namespace.yaml
 create mode 100644 services/game-stream/oauth2-proxy-wolf.yaml
 create mode 100644 services/game-stream/vault-serviceaccount.yaml
 create mode 100644 services/game-stream/wolf-service.yaml
 create mode 100644 services/game-stream/wolf-statefulset.yaml
diff --git a/clusters/atlas/flux-system/applications/game-stream/kustomization.yaml b/clusters/atlas/flux-system/applications/game-stream/kustomization.yaml
new file mode 100644
index 00000000..af9b43c1
--- /dev/null
+++ b/clusters/atlas/flux-system/applications/game-stream/kustomization.yaml
@@ -0,0 +1,29 @@
+# clusters/atlas/flux-system/applications/game-stream/kustomization.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: game-stream
+ namespace: flux-system
+ annotations:
+ kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
+spec:
+ interval: 10m
+ path: ./services/game-stream
+ targetNamespace: game-stream
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ dependsOn:
+ - name: cert-manager
+ - name: keycloak
+ - name: traefik
+ - name: vault
+ healthChecks:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: oauth2-proxy-wolf
+ namespace: game-stream
+ wait: false
+ timeout: 10m
diff --git a/clusters/atlas/flux-system/applications/kustomization.yaml b/clusters/atlas/flux-system/applications/kustomization.yaml
index 441d50e7..32229f61 100644
--- a/clusters/atlas/flux-system/applications/kustomization.yaml
+++ b/clusters/atlas/flux-system/applications/kustomization.yaml
@@ -27,6 +27,7 @@ resources:
 - jenkins/kustomization.yaml
 - ai-llm/kustomization.yaml
 - openclaw/kustomization.yaml
+ - game-stream/kustomization.yaml
 - typhon/kustomization.yaml
 - nextcloud/kustomization.yaml
 - nextcloud-mail-sync/kustomization.yaml
diff --git a/infrastructure/core/coredns-custom.yaml b/infrastructure/core/coredns-custom.yaml
index 2cb87bdc..9e8e4386 100644
--- a/infrastructure/core/coredns-custom.yaml
+++ b/infrastructure/core/coredns-custom.yaml
@@ -29,6 +29,7 @@ data:
 192.168.22.9 matrix.live.bstein.dev
 192.168.22.9 metrics.bstein.dev
 192.168.22.9 monero.bstein.dev
+ 192.168.22.26 moonlight.bstein.dev
 10.43.6.87 money.bstein.dev
 192.168.22.9 notes.bstein.dev
 192.168.22.9 office.bstein.dev
@@ -41,6 +42,7 @@ data:
 192.168.22.9 secret.bstein.dev
 192.168.22.9 sso.bstein.dev
 192.168.22.9 stream.bstein.dev
+ 192.168.22.9 wolf.bstein.dev
 192.168.22.9 tasks.bstein.dev
 192.168.22.9 vault.bstein.dev
 fallthrough
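Review bot: The `healthChecks` list covers only the `oauth2-proxy-wolf` Deployment, so the `wolf` StatefulSet added by the same commit (privileged, pinned to a single node) can stay Pending or crash-looping without this Kustomization ever reporting unhealthy, and `wait: false` means nothing else in Flux catches it. If operators are expected to notice Wolf failures through Flux, add a second entry `- apiVersion: apps/v1`, `kind: StatefulSet`, `name: wolf`, `namespace: game-stream`. If the StatefulSet was left out deliberately because the GPU node may be powered off, a comment above `healthChecks:` saying so would spare the next reader the question.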
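Review bot: `wolf.bstein.dev` is inserted between `stream.bstein.dev` and `tasks.bstein.dev`, which breaks the alphabetical order the surrounding hosts entries keep; it belongs after `vault.bstein.dev`. `moonlight.bstein.dev` is also the only new entry that resolves to `192.168.22.26` rather than the shared ingress address `192.168.22.9`, and presumably that is the node running the hostNetwork Wolf pod (`titan-24` in the StatefulSet), but nothing in the block records it. If this hosts block accepts `#` comments, a trailing `# direct to the Wolf node, not via traefik/oauth2-proxy` on that line would make both the intent and the fact that this name bypasses the SSO proxy explicit.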
diff --git a/services/game-stream/certificate.yaml b/services/game-stream/certificate.yaml
new file mode 100644
index 00000000..745d2677
--- /dev/null
+++ b/services/game-stream/certificate.yaml
@@ -0,0 +1,13 @@
+# services/game-stream/certificate.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: wolf-tls
+ namespace: game-stream
+spec:
+ secretName: wolf-tls
+ issuerRef:
+ kind: ClusterIssuer
+ name: letsencrypt
+ dnsNames:
+ - wolf.bstein.dev
diff --git a/services/game-stream/ingress.yaml b/services/game-stream/ingress.yaml
new file mode 100644
index 00000000..7c3a9825
--- /dev/null
+++ b/services/game-stream/ingress.yaml
@@ -0,0 +1,26 @@
+# services/game-stream/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: wolf
+ namespace: game-stream
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+ ingressClassName: traefik
+ tls:
+ - hosts: ["wolf.bstein.dev"]
+ secretName: wolf-tls
+ rules:
+ - host: wolf.bstein.dev
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: oauth2-proxy-wolf
+ port:
+ number: 80
diff --git a/services/game-stream/kustomization.yaml b/services/game-stream/kustomization.yaml
new file mode 100644
index 00000000..cf3a378e
--- /dev/null
+++ b/services/game-stream/kustomization.yaml
@@ -0,0 +1,11 @@
+# services/game-stream/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - vault-serviceaccount.yaml
+ - wolf-service.yaml
+ - wolf-statefulset.yaml
+ - oauth2-proxy-wolf.yaml
+ - certificate.yaml
+ - ingress.yaml
diff --git a/services/game-stream/namespace.yaml b/services/game-stream/namespace.yaml
new file mode 100644
index 00000000..16679bb5
--- /dev/null
+++ b/services/game-stream/namespace.yaml
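Review bot: The Ingress carries `cert-manager.io/cluster-issuer: letsencrypt` while the same commit also creates an explicit `Certificate` for the same `secretName: wolf-tls`; with the annotation present, cert-manager's ingress-shim will want to manage a Certificate for that secret as well, leaving two sources of truth competing for one Secret. Keep one of them — the explicit Certificate is the clearer choice — and remove the `cert-manager.io/cluster-issuer` line from `metadata.annotations`. If the annotation is deliberately kept for some other tooling, a comment above it saying why would stop the next reader from deleting it.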
@@ -0,0 +1,6 @@
+# services/game-stream/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: game-stream
+
diff --git a/services/game-stream/oauth2-proxy-wolf.yaml b/services/game-stream/oauth2-proxy-wolf.yaml
new file mode 100644
index 00000000..278a63b3
--- /dev/null
+++ b/services/game-stream/oauth2-proxy-wolf.yaml
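Review bot: The `game-stream` Namespace declares no `pod-security.kubernetes.io/*` labels, yet the `wolf` StatefulSet added in this commit runs `privileged: true` on `hostNetwork` with hostPath mounts of `/dev` and the Docker socket, which violates the `baseline` Pod Security level. If Pod Security Admission enforces `baseline` or `restricted` cluster-wide, that pod is rejected at admission; if nothing is enforced, the exception is invisible to anyone auditing namespaces. Labelling the namespace explicitly — e.g. `pod-security.kubernetes.io/enforce: privileged` plus `pod-security.kubernetes.io/warn: baseline` (levels per cluster policy) — records that this namespace is intentionally exempt and keeps the rest of the cluster's policy untouched.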
@@ -0,0 +1,120 @@
+# services/game-stream/oauth2-proxy-wolf.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: oauth2-proxy-wolf
+ namespace: game-stream
+ labels:
+ app: oauth2-proxy-wolf
+spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 4180
+ selector:
+ app: oauth2-proxy-wolf
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: oauth2-proxy-wolf
+ namespace: game-stream
+ labels:
+ app: oauth2-proxy-wolf
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: oauth2-proxy-wolf
+ template:
+ metadata:
+ labels:
+ app: oauth2-proxy-wolf
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/role: "game-stream"
+ vault.hashicorp.com/agent-inject-secret-oidc-config: "kv/data/atlas/game-stream/wolf-oidc"
+ vault.hashicorp.com/agent-inject-template-oidc-config: |
+ {{- with secret "kv/data/atlas/game-stream/wolf-oidc" -}}
+ client_id = "{{ .Data.data.client_id }}"
+ client_secret = "{{ .Data.data.client_secret }}"
+ cookie_secret = "{{ .Data.data.cookie_secret }}"
+ {{- end -}}
+ spec:
+ serviceAccountName: game-stream-vault
+ nodeSelector:
+ node-role.kubernetes.io/worker: "true"
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values: ["amd64","arm64"]
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ preference:
+ matchExpressions:
+ - key: hardware
+ operator: In
+ values: ["rpi5"]
+ - weight: 80
+ preference:
+ matchExpressions:
+ - key: hardware
+ operator: In
+ values: ["rpi4"]
+ containers:
+ - name: oauth2-proxy
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+ imagePullPolicy: IfNotPresent
+ args:
+ - --provider=oidc
+ - --config=/vault/secrets/oidc-config
+ - --redirect-url=https://wolf.bstein.dev/oauth2/callback
+ - --oidc-issuer-url=https://sso.bstein.dev/realms/atlas
+ - --scope=openid profile email groups
+ - --email-domain=*
+ - --allowed-group=game-stream-users
+ - --allowed-group=/game-stream-users
+ - --allowed-group=admin
+ - --allowed-group=/admin
+ - --set-xauthrequest=true
+ - --pass-access-token=true
+ - --set-authorization-header=true
+ - --cookie-secure=true
+ - --cookie-samesite=lax
+ - --cookie-refresh=20m
+ - --cookie-expire=24h
+ - --insecure-oidc-allow-unverified-email=true
+ - --upstream=http://ariadne.maintenance.svc.cluster.local:8080
+ - --http-address=0.0.0.0:4180
+ - --skip-provider-button=true
+ - --approval-prompt=auto
+ - --skip-jwt-bearer-tokens=true
+ - --oidc-groups-claim=groups
+ - --cookie-domain=wolf.bstein.dev
+ ports:
+ - containerPort: 4180
+ name: http
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: 4180
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: 4180
+ initialDelaySeconds: 20
+ periodSeconds: 20
+ resources:
+ requests:
+ cpu: 25m
+ memory: 64Mi
+ limits:
+ cpu: 250m
+ memory: 256Mi
diff --git a/services/game-stream/vault-serviceaccount.yaml b/services/game-stream/vault-serviceaccount.yaml
new file mode 100644
index 00000000..d0540de6
--- /dev/null
+++ b/services/game-stream/vault-serviceaccount.yaml
@@ -0,0 +1,7 @@
+# services/game-stream/vault-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: game-stream-vault
+ namespace: game-stream
+
diff --git a/services/game-stream/wolf-service.yaml b/services/game-stream/wolf-service.yaml
new file mode 100644
index 00000000..123e48be
--- /dev/null
+++ b/services/game-stream/wolf-service.yaml
@@ -0,0 +1,16 @@
+# services/game-stream/wolf-service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: wolf
+ namespace: game-stream
+ labels:
+ app: wolf
+spec:
+ clusterIP: None
+ selector:
+ app: wolf
+ ports:
+ - name: placeholder
+ port: 47989
+ targetPort: 47989
diff --git a/services/game-stream/wolf-statefulset.yaml b/services/game-stream/wolf-statefulset.yaml
new file mode 100644
index 00000000..ec0f254e
--- /dev/null
+++ b/services/game-stream/wolf-statefulset.yaml
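Review bot: `--insecure-oidc-allow-unverified-email=true` switches off oauth2-proxy's check that the IdP marked the user's email as verified, and nothing in the manifest says why it is needed; because `--email-domain=*` leaves authorization entirely to the `--allowed-group` list, the email only feeds logs and the `X-Auth-Request-Email` header, so either drop the flag or justify it with a comment such as `# Keycloak realm does not set email_verified for <reason>; access is gated by groups, not email`. The upstream `http://ariadne.maintenance.svc.cluster.local:8080` receives `X-Auth-Request-*` headers (`--set-xauthrequest=true`) and the user's access token (`--pass-access-token=true`, `--set-authorization-header=true`); any workload able to reach that Service directly can send the same headers, so ariadne must either verify identity itself or a NetworkPolicy must confine its port 8080 to this proxy — neither is visible in this commit, so please confirm which one holds. `--skip-jwt-bearer-tokens=true` additionally lets any request carrying a valid token from the configured issuer bypass the cookie login, which widens the set of callers that reach ariadne through the proxy; a comment stating which client is expected to use bearer tokens would document that decision. The paired `--allowed-group=admin`/`--allowed-group=/admin` and `game-stream-users`/`/game-stream-users` entries suggest uncertainty over whether Keycloak emits group paths with a leading slash; noting which form the `groups` claim actually carries would let the redundant pair be removed later.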
@@ -0,0 +1,79 @@
+# services/game-stream/wolf-statefulset.yaml
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: wolf
+ namespace: game-stream
+ labels:
+ app: wolf
+spec:
+ serviceName: wolf
+ replicas: 1
+ selector:
+ matchLabels:
+ app: wolf
+ template:
+ metadata:
+ labels:
+ app: wolf
+ atlas.bstein.dev/game-mode: wolf
+ spec:
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ runtimeClassName: nvidia
+ nodeSelector:
+ kubernetes.io/hostname: titan-24
+ tolerations:
+ - key: nvidia.com/gpu
+ operator: Exists
+ effect: NoSchedule
+ containers:
+ - name: wolf
+ image: ghcr.io/games-on-whales/wolf:stable
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: WOLF_LOG_LEVEL
+ value: INFO
+ - name: WOLF_DOCKER_SOCKET
+ value: /var/run/docker.sock
+ - name: NVIDIA_DRIVER_CAPABILITIES
+ value: all
+ - name: NVIDIA_VISIBLE_DEVICES
+ value: all
+ securityContext:
+ privileged: true
+ resources:
+ requests:
+ cpu: "2"
+ memory: 4Gi
+ nvidia.com/gpu.shared: 1
+ limits:
+ cpu: "12"
+ memory: 32Gi
+ nvidia.com/gpu.shared: 1
+ volumeMounts:
+ - name: wolf-state
+ mountPath: /etc/wolf
+ - name: docker-socket
+ mountPath: /var/run/docker.sock
+ - name: dev
+ mountPath: /dev
+ - name: udev
+ mountPath: /run/udev
+ volumes:
+ - name: wolf-state
+ hostPath:
+ path: /etc/wolf
+ type: DirectoryOrCreate
+ - name: docker-socket
+ hostPath:
+ path: /var/run/docker.sock
+ type: Socket
+ - name: dev
+ hostPath:
+ path: /dev
+ type: Directory
+ - name: udev
+ hostPath:
+ path: /run/udev
+ type: Directory
diff --git a/services/maintenance/ariadne-deployment.yaml b/services/maintenance/ariadne-deployment.yaml
index 1a807d39..ab36e42c 100644
--- a/services/maintenance/ariadne-deployment.yaml
+++ b/services/maintenance/ariadne-deployment.yaml
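Review bot: The `wolf` container is `privileged: true`, on `hostNetwork`, and mounts `/var/run/docker.sock`, `/dev`, `/run/udev` and `/etc/wolf` from the host, which together amount to root-equivalent control of `titan-24`, and the manifest carries no comment recording that this is accepted or why. Note in particular that the Docker socket mount (paired with `WOLF_DOCKER_SOCKET`) means any containers Wolf starts through it are run by the host Docker daemon, outside the kubelet, Pod Security Admission, NetworkPolicy and the Kubernetes audit log, so visibility into them has to come from host-level tooling on that node. A header comment such as `# Wolf needs privileged + docker.sock + /dev to launch GPU game containers on titan-24; treat this pod as node-root-equivalent and keep this namespace free of other workloads.` would make the accepted risk explicit for the next reader. Separately, `NVIDIA_VISIBLE_DEVICES: all` alongside a `nvidia.com/gpu.shared: 1` request means the scheduler books one shared slot while the container sees every GPU; with `privileged: true` the device plugin's isolation is moot anyway, and a one-line comment saying so would stop anyone from reading the resource request as a boundary.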
@@ -31,6 +31,9 @@ spec:
 export ARIADNE_DATABASE_URL="{{ .Data.data.database_url }}"
 export JENKINS_API_USER="{{ .Data.data.jenkins_api_user }}"
 export JENKINS_API_TOKEN="{{ .Data.data.jenkins_api_token }}"
+ {{- if .Data.data.game_mode_hook_token }}
+ export GAME_MODE_HOOK_TOKEN="{{ .Data.data.game_mode_hook_token }}"
+ {{- end }}
 {{ end }}
 {{ with secret "kv/data/atlas/portal/atlas-portal-db" }}
 export PORTAL_DATABASE_URL="{{ .Data.data.PORTAL_DATABASE_URL }}"
@@ -277,6 +280,25 @@ spec:
 value: vault-admin
 - name: VAULT_K8S_ROLE_TTL
 value: 1h
+ - name: GAME_MODE_NODE_NAME
+ value: titan-24
+ - name: GAME_MODE_DISPLACE_WORKLOADS
+ value: >-
+ [{"kind":"Deployment","namespace":"openclaw","name":"openclaw-ollama","restoreReplicas":1}]
+ - name: WOLF_OIDC_CLIENT_ID
+ value: wolf
+ - name: WOLF_OIDC_BASE_URL
+ value: https://wolf.bstein.dev
+ - name: WOLF_OIDC_VAULT_PATH
+ value: game-stream/wolf-oidc
+ - name: ARIADNE_SCHEDULE_WOLF_OIDC
+ value: "17 */6 * * *"
+ - name: GAME_STREAM_USER_GROUP
+ value: game-stream-users
+ - name: GAME_STREAM_ADMIN_GROUP
+ value: admin
+ - name: GAME_STREAM_PROFILE_GROUP_PREFIX
+ value: game-stream-profile-
 - name: COMMS_NAMESPACE
 value: comms
 - name: COMMS_SYNAPSE_BASE
diff --git a/services/maintenance/ariadne-rbac.yaml b/services/maintenance/ariadne-rbac.yaml
index 5f184e52..73c5e3b5 100644
--- a/services/maintenance/ariadne-rbac.yaml
+++ b/services/maintenance/ariadne-rbac.yaml
@@ -32,6 +32,14 @@ rules:
 - list
 - watch
 - delete
+ - apiGroups: ["apps"]
+ resources:
+ - deployments/scale
+ - statefulsets/scale
+ verbs:
+ - get
+ - patch
+ - update
 - apiGroups: [""]
 resources:
 - persistentvolumeclaims
diff --git a/services/openclaw/ollama-deployment.yaml b/services/openclaw/ollama-deployment.yaml
index dc604d3e..422658fb 100644
--- a/services/openclaw/ollama-deployment.yaml
+++ b/services/openclaw/ollama-deployment.yaml
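Review bot: `GAME_MODE_HOOK_TOKEN` is exported only inside `{{- if .Data.data.game_mode_hook_token }}`, so a missing key in the Vault secret this block reads (its `with secret` line is above the hunk) silently produces no variable instead of a failed render; whether ariadne then disables the game-mode hook or serves it without a token is decided in the application, outside this diff. If the token is meant to be mandatory once game-stream is deployed, drop the conditional so a missing secret key fails at pod start rather than at first request. If it is genuinely optional, a comment on the `{{- if` line such as `# optional: when absent, ariadne must treat the game-mode hook as disabled (confirm in ariadne)` keeps that contract visible. The enclosing template block starts above this hunk.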
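Review bot: The new `apps` rule grants `get`/`patch`/`update` on `deployments/scale` and `statefulsets/scale` with no `resourceNames`, so ariadne may scale any Deployment or StatefulSet within the binding's scope, while the only target this commit declares is `openclaw/openclaw-ollama` (and presumably the `wolf` StatefulSet). Whether this is a Role or a ClusterRole is above the hunk; if it is a ClusterRole bound cluster-wide, that is a broad new capability for the `ariadne` ServiceAccount and an obvious lever should ariadne be compromised. Consider narrowing it with `resourceNames` to the workloads game mode actually displaces, or with per-namespace Roles in `openclaw` and `game-stream`, and in any case add a comment above the rule naming its intended scope, e.g. `# game mode: scale down GPU-competing workloads on titan-24, restore afterwards`.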
@@ -7,7 +7,6 @@ metadata:
 labels:
 app: openclaw-ollama
 spec:
- replicas: 1
 revisionHistoryLimit: 2
 strategy:
 type: Recreate
diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh
index e7a5129d..adb72748 100644
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
@@ -236,6 +236,8 @@ write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
 "crypto/* shared/harbor-pull" ""
 write_policy_and_role "health" "health" "health-vault-sync" \
 "health/*" ""
+write_policy_and_role "game-stream" "game-stream" "game-stream-vault" \
+ "game-stream/*" ""
 write_policy_and_role "openclaw" "openclaw" "agent-vault" \
 "openclaw/*" ""
 write_policy_and_role "maintenance" "maintenance" "ariadne,maintenance-vault-sync,metis" \
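Review bot: The new `game-stream` role binds ServiceAccount `game-stream-vault` in namespace `game-stream` to `game-stream/*` with whatever capability set `write_policy_and_role` assigns (the helper is defined above this hunk), which matches the oauth2-proxy annotations (`vault.hashicorp.com/role: "game-stream"`, path `kv/data/atlas/game-stream/wolf-oidc`). What this hunk does not show is who writes that secret: ariadne's new `WOLF_OIDC_VAULT_PATH=game-stream/wolf-oidc` and `ARIADNE_SCHEDULE_WOLF_OIDC` suggest the `maintenance` role rotates it, but the `maintenance` policy's path list is the line after this hunk ends. Please confirm it includes write access to `game-stream/wolf-oidc` (rather than the whole `game-stream/*` prefix, if the helper allows that granularity), and record the relationship with a comment above the new call, e.g. `# read side for oauth2-proxy; the secret is written by ariadne under the maintenance role`.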