Skip to content

Frigate NVR on K3s (caneast-site1-node4)

Status: Tier 3 Operational Reference Last Updated: 2026-05-02 WI: WI-395

Overview

Frigate is a self-hosted network video recorder (NVR) deployed on the k3s cluster running on caneast-site1-node4. It ingests RTSP streams from camera nodes (e.g., caneast-site1-ot2-cam01), records them to persistent storage, and provides a web UI and REST API for event management and playback.

Frigate does NOT perform inference; it is a stateless relay and storage service only. Vision inference (VL model evaluation) happens on the source camera node or cloud backends.

Deployment Details

Helm Chart

Property Value
Chart blakeshome/frigate
Chart Version 7.8.0
Helm Release Name archon-frigate
Namespace archon-vision
Container Image ghcr.io/blakeblackshear/frigate:0.14.1

Install command (reference): 

helm repo add blakeshome https://blakeshome.com/charts
helm install archon-frigate blakeshome/frigate \
  --namespace archon-vision \
  --create-namespace \
  --values frigate-values.yaml

Namespace

Frigate runs in the archon-vision namespace. This namespace is dedicated to vision-related workloads and may house future ML inference pods (Phase 2+).

Verify: 

kubectl get pods -n archon-vision

Intel GPU Support

Intel UHD 630 on caneast-site1-node4

The caneast-site1-node4 CPU (Intel Core REDACTED) has an integrated UHD 630 iGPU. Frigate can use this GPU for OpenVino hardware-accelerated object detection (future feature; not yet enabled).

GPU Resource

The Intel GPU is exposed as a Kubernetes resource via the intel-device-plugins-for-kubernetes DaemonSet:

Resource name: gpu.intel.com/i915

Capacity (caneast-site1-node4): 1 (one iGPU per node)

Pod limits (Frigate): 

resources:
  limits:
    gpu.intel.com/i915: 1

Verification: 

kubectl describe node caneast-site1-node4 | grep -A 5 "gpu.intel.com"

Expected output: 

Allocatable:
  gpu.intel.com/i915: 1
Allocated resources:
  (... other resources ...)
  gpu.intel.com/i915: 1

Why Intel i915 Over CPU-Only

  • Intel UHD 630 offloads object detection and encoding tasks from CPU
  • Frigate's OpenVino detector runs much faster on GPU (5-10 FPS vs <1 FPS CPU)
  • Single iGPU sufficient for one NVR instance (Frigate); future multi-camera deployment may require additional GPUs

Storage

Persistent Volume Claim (PVC)

Frigate uses a PVC backed by local-path StorageClass on caneast-site1-node4:

Property Value
StorageClass local-path
Size 100 GB (adjustable in values.yaml)
Retention Per OBS-0001 (7 days rolling buffer by default)
Location caneast-site1-node4 local disk (/var/lib/rancher/k3s/storage/)

Frigate data directories: - /media/frigate/config - frozen configuration (read-only after init) - /media/frigate/clips - event-based clips (90s before/after event) - /media/frigate/recordings - continuous rolling buffer (24h default) - /media/frigate/cache - temp data (snapshot JPEG, thumbnails)

PVC Monitoring

Monitor PVC usage: 

kubectl get pvc -n archon-vision
kubectl exec -it deployment/archon-frigate -n archon-vision -- du -sh /media/frigate/*

If near capacity, either: 1. Reduce retention window in frigate config (YAML edit + pod restart) 2. Expand PVC size (requires StorageClass support; local-path does not support dynamic expansion)

MQTT Integration

Frigate publishes events to MQTT and consumes commands from MQTT. This enables coordination with the Archon Platform event backbone.

MQTT Credentials

**Secret:REDACTED frigate-mqtt-credentials (Kubernetes Secret in archon-vision namespace)

Sourced from: ESO ExternalSecret that pulls /k3s/FRIGATE_MQTT_PASSWORD from Infisical

ExternalSecret config: 

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: frigate-mqtt-credentials
  namespace: archon-vision
spec:
  secretStoreRef:
    name: infisical-archon-platform
    kind: ClusterSecretStore
  target:
    name: frigate-mqtt-credentials
    template:
      engineVersion: v2
      data:
        FRIGATE_MQTT_PASSWORD: REDACTED .password }}'
  data:
    - secretKey: password
      remoteRef:
        key: /k3s/FRIGATE_MQTT_PASSWORD

MQTT Configuration

In frigate config (values.yaml), MQTT is defined as:

mqtt:
  host: caneast-site1-mqtt1.peries.ca  # or REDACTED
  port: 1883
  topic_prefix: frigate
  user: frigate
  password: REDACTED
  retain_events: true

MQTT topics published by Frigate:

Topic Message Trigger
frigate/events Event JSON New event detected (object, motion, etc.)
frigate/stats JSON Every 30s (Frigate health, FPS, CPU)
frigate//detect JSON Per-camera object detections

Topics consumed by Frigate:

Topic Message Action
frigate/restart (ignored) Trigger Frigate restart

Ingress and TLS

Traefik IngressRoute

Frigate web UI is exposed via Traefik at: https://frigate.peries.ca

IngressRoute config (reference): 

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: frigate
  namespace: archon-vision
spec:
  entryPoints:
    - websecure
  hosts:
    - frigate.peries.ca
  tls:
    secretName: frigate-tls
  routes:
    - match: Host(`frigate.peries.ca`)
      kind: Rule
      services:
        - name: archon-frigate-frigate
          port: 5000

TLS Certificate

Certificate is issued by cert-manager using letsencrypt-prod ClusterIssuer.

Renew manually (if needed): 

kubectl delete secret frigate-tls -n archon-vision
# cert-manager will auto-recreate after ~1 min

Camera Configuration

cam01 RTSP Stream

Camera node: caneast-site1-ot2-cam01 (Pi 5, 192.168.2.x via Wi-Fi DHCP)

RTSP stream URL: rtsp://<cam01-ip>:[REDACTED]/cam01

Frigate config: 

cameras:
  cam01:
    ffmpeg:
      inputs:
        - path: rtsp://192.168.2.x:[REDACTED]/cam01
          roles:
            - detect
            - record
      global_args: "-c:v libx264 -preset ultrafast"
    detect:
      enabled: true
      width: 1920
      height: 1080
      fps: 5
      max_disappeared: 5
    record:
      enabled: true
      retain:
        default: 7

Note: cam01 IP is not static; ensure DHCP reservation is in place on the Wi-Fi AP.

Accessing Frigate

Web UI

Navigate to: https://frigate.peries.ca

Default credentials: Check Infisical at /k3s/FRIGATE_ADMIN_USER and /k3s/FRIGATE_ADMIN_PASSWORD (Not yet stored; manual login required; WI-TBD to migrate to Infisical)

Port-Forward (Direct K8s Access)

If Traefik is unavailable: 

kubectl port-forward -n archon-vision svc/archon-frigate-frigate 5000:[REDACTED]
# Then navigate to http://localhost:[REDACTED]

REST API

Frigate exposes a REST API on port 5000:

List all events: 

curl https://frigate.peries.ca/api/events

Get specific event clips: 

curl https://frigate.peries.ca/api/events/<event-id>/clips

Available endpoints: See https://docs.frigate.video/configuration/http_api/

Health Checks

Pod Health

kubectl get pods -n archon-vision
kubectl logs deployment/archon-frigate -n archon-vision -f

Frigate Health Endpoint

curl https://frigate.peries.ca/api/version

Expected response: 

{
  "version": "0.14.1",
  "nvidia_version": null,
  "coral_version": null
}

Troubleshooting

Symptom Diagnosis Fix
Frigate pod stuck in CrashLoopBackOff Config error or insufficient storage Check logs; verify PVC has space
RTSP stream not connecting Camera offline or network unreachable SSH to Pi 5 and check MediaMTX; verify IP routing
GPU not being used intel-device-plugins not running Check DaemonSet in default namespace; may require node reboot
MQTT events not appearing MQTT credentials wrong or broker down Verify FRIGATE_MQTT_PASSWORD in Infisical; check caneast-site1-mqtt1 service
403 Forbidden on frigate.peries.ca TLS cert expired or Traefik misconfigured Verify cert is in Kubernetes Secret; check Traefik logs
  • docs/architecture/cam01-capture-pipeline.md - cam01 event-driven inference pipeline
  • docs/adr/it/OBS/OBS-0001-observability-stack.md - Recording retention and archival policy
  • docs/adr/it/PLAT/PLAT-0006-traefik-ingressroutes-tls.md - Traefik TLS pattern
  • docs/platform/network/dns-architecture.md - Traefik DNS records (frigate.peries.ca)