ITEP-72660: [Kubernetes] Build and Deploy Automation critically broken (#213)

This PR restores the previously broken Kubernetes deployment and
introduces proxy configuration support, enabling the platform to run
reliably behind corporate proxies.

### Summary of Changes

#### Dockerfile Updates
- Updated Dockerfile paths and improved dependency installation for
secrets and models images.

#### Jobs & Scripts:
- Improved error handling in Kubernetes job templates.
- Minor corrections to paths in init jobs

#### Proxy Support
- Added proxy configuration to Helm charts (values.yaml) and deployment
templates.
- All containers now have proxy environment variables set (HTTP_PROXY,
HTTPS_PROXY, NO_PROXY and lowercase variants) if enabled at the chart
level.
- Kubernetes Makefile detects and automatically passes proxy env vars to
Helm.

#### Deployment Options
- Added CHART_DEBUG environment variable for enabling Helm chart debug
mode.
- Documented new environment variable and deployment scenarios in
README.md files.

#### Helm Chart & App Version
- Bumped Helm chart version to 1.2.1 and appVersion to 1.4.0-alpha.

### Testing


https://github.com/intel-innersource/frameworks.ai.scenescape-ci-open-edge-platform/actions/runs/16568408291/job/46854011149
<img width="442" height="94" alt="image"
src="https://github.com/user-attachments/assets/a6b9e2fe-df78-4a3f-9a3f-70f1be8e8a74"
/>

Manually tested **happy path only** described in [the
docs](https://github.com/open-edge-platform/scenescape/tree/main/kubernetes).

```sh
$ SKIP_BRINGUP=1 REQUIRED_FPS=0 ./deploy.sh
$ make -C kubernetes
...
NAME: scenescape-release-1
LAST DEPLOYED: Fri Jul 25 15:55:59 2025
NAMESPACE: scenescape
STATUS: deployed
REVISION: 1
TEST SUITE: None
make: Leaving directory '/home/jdanieck/repos/scenescape/kubernetes'

jdanieck@jdanieck-dev:~/repos/scenescape$ kubectl get pods -n scenescape 
NAME                                                              READY   STATUS    RESTARTS   AGE
scenescape-release-1-atag-qcam1-atag-qcam1-de57f5c8-video-wl8xb   1/1     Running   0          78s
scenescape-release-1-atag-qcam2-atag-qcam2-d41a19c2-video-f4p7v   1/1     Running   0          78s
scenescape-release-1-broker-dep-599b987cf7-gdf6z                  1/1     Running   0          4m22s
scenescape-release-1-camcalibration-dep-8667f5f9dd-282dv          1/1     Running   0          4m22s
scenescape-release-1-camera1-camera1-858d3192-video-dep-659hgnq   1/1     Running   0          78s
scenescape-release-1-camera2-camera2-f4b78bdb-video-dep-57p7s2h   1/1     Running   0          78s
scenescape-release-1-kubeclient-dep-7f99f85b65-gffzd              1/1     Running   0          4m22s
scenescape-release-1-ntp-dep-7fc76bdb75-7hvrc                     1/1     Running   0          4m22s
scenescape-release-1-pgserver-dep-77b5ddd7f4-8r67w                1/1     Running   0          4m22s
scenescape-release-1-scene-dep-b59678668-fm8wp                    1/1     Running   0          4m22s
scenescape-release-1-vdms-dep-5cfbd88dfb-mww8p                    1/1     Running   0          4m22s
scenescape-release-1-web-dep-c7877f6f4-nvbmx                      1/1     Running   0          4m22s
```
<img width="1224" height="879" alt="image"
src="https://github.com/user-attachments/assets/ebc60b3c-c683-41ba-8c68-cc517551aab8"
/>

<img width="1179" height="717" alt="image"
src="https://github.com/user-attachments/assets/50af44fc-2364-44ac-8175-85c2e6dd9a0c"
/>

Author: jdanieck

Makefile

@@ -36,7 +36,7 @@ endif
 
 # Secrets building variables
 SECRETSDIR ?= $(PWD)/manager/secrets
-CERTDOMAIN := scenescape.intel.com
+CERTDOMAIN ?= scenescape.intel.com
 
 # Demo variables
 DLSTREAMER_SAMPLE_VIDEOS := $(addprefix sample_data/,apriltag-cam1.ts apriltag-cam2.ts apriltag-cam3.ts qcam1.ts qcam2.ts)

kubernetes/Makefile

@@ -27,6 +27,11 @@ REGISTRY=localhost:$(KINDREGPORT)
 
 RELEASE=scenescape-release-1
 FORCE_VAAPI?=0
+CHART_DEBUG?=0
+
+# Proxy settings: if http_proxy, https_proxy, or no_proxy environment variables are set,
+# they will be automatically passed to the Helm chart during installation
+# Chart debug: set CHART_DEBUG=1 to enable chartdebug=true in Helm deployment
 
 # ITEP constants
 # REGISTRY=registry.test-public-maestro.edgeorch.net/scenescape
@@ -200,7 +205,30 @@ list-registry:
 # helm template -s templates/ingress.yaml kubernetes/scenescape-chart/
 # helm install scenescape-release-1 kubernetes/scenescape-chart/ --dry-run --debug
 install:
-	helm install $(RELEASE) scenescape-chart/ -n $(NAMESPACE) --create-namespace $(VALIDATION_FLAG)
+	@VALUES_FILE=""; \
+	if [ -n "$(http_proxy)" ] || [ -n "$(https_proxy)" ]; then \
+		VALUES_FILE="/tmp/scenescape-proxy-values.yaml"; \
+		echo "proxy:" > $$VALUES_FILE; \
+		echo "  enabled: true" >> $$VALUES_FILE; \
+		if [ -n "$(http_proxy)" ]; then \
+			echo "  httpProxy: \"$(http_proxy)\"" >> $$VALUES_FILE; \
+		fi; \
+		if [ -n "$(https_proxy)" ]; then \
+			echo "  httpsProxy: \"$(https_proxy)\"" >> $$VALUES_FILE; \
+		fi; \
+		if [ -n "$(no_proxy)" ]; then \
+			echo "  noProxy: \"$(no_proxy)\"" >> $$VALUES_FILE; \
+		fi; \
+		VALUES_FILE="-f $$VALUES_FILE"; \
+	fi; \
+	DEBUG_ARGS=""; \
+	if [ "$(CHART_DEBUG)" = "1" ]; then \
+		DEBUG_ARGS="--set chartdebug=true"; \
+	fi; \
+	helm install $(RELEASE) scenescape-chart/ -n $(NAMESPACE) --create-namespace $(VALIDATION_FLAG) $$DEBUG_ARGS $$VALUES_FILE; \
+	if [ -f "/tmp/scenescape-proxy-values.yaml" ]; then \
+		rm -f /tmp/scenescape-proxy-values.yaml; \
+	fi
 
 uninstall:
 	helm uninstall $(RELEASE) -n $(NAMESPACE) || true

kubernetes/README.md

@@ -43,6 +43,54 @@ $ make -C kubernetes
    $ make -C kubernetes clean-all
    ```
 
+## Environment Variables
+
+### Proxy Configuration
+
+If you're deploying SceneScape in an environment that requires proxy access, set these environment variables before running make commands:
+
+```console
+export http_proxy=http://your-proxy-server:port
+export https_proxy=https://your-proxy-server:port
+export no_proxy=localhost,127.0.0.1,.local,.svc,.svc.cluster.local,10.96.0.0/12,10.244.0.0/16,172.17.0.0/16
+make -C kubernetes install
+```
+
+**What to put in `no_proxy` and why:**
+
+- `localhost,127.0.0.1`: Ensures local traffic is not sent through the proxy.
+- `.local`: Excludes local network hostnames.
+- `.svc,.svc.cluster.local`: Excludes all Kubernetes service DNS names, so internal service-to-service traffic stays inside the cluster.
+- `10.96.0.0/12`: Default Kubernetes service CIDR (adjust if your cluster uses a different range).
+- `10.244.0.0/16`: Default pod CIDR for many CNI plugins (adjust if your cluster uses a different range).
+- `172.17.0.0/16`: Typical Docker bridge network used by kind (Kubernetes IN Docker). Adjust if your Docker network uses a different subnet.
+
+These values ensure that all internal cluster communication, including between pods and services, is not routed through the proxy. This is critical for correct operation of Kubernetes workloads, especially in kind clusters or any environment where internal networking must remain direct. Adjust the CIDRs if your cluster uses custom networking.
+
+The proxy settings will be automatically detected and passed to all SceneScape containers as environment variables.
+
+### Chart Debug Mode
+
+To enable Helm chart debugging (useful for troubleshooting deployment issues):
+
+```console
+export CHART_DEBUG=1
+make -C kubernetes install
+```
+
+This enables the `chartdebug=true` setting in the Helm chart, which keeps debugging resources after installation.
+
+### Validation Mode
+
+To deploy SceneScape in validation/testing mode:
+
+```console
+export VALIDATION=1
+make -C kubernetes install
+```
+
+This enables additional testing components and configurations.
+
 ## Detailed steps and explanation
 
 Run from the project directory (e.g. ~/scenescape)

kubernetes/init-images/Dockerfile-models

@@ -5,7 +5,7 @@
 
 FROM busybox
 
-COPY models /root/models
+COPY model_installer/models /root/models
 
 COPY sample_data /root/sample_data
 COPY controller/config/tracker-config.json /root/controller/tracker-config.json

kubernetes/init-images/Dockerfile-secrets

@@ -5,16 +5,17 @@
 
 FROM ubuntu:22.04
 
-COPY Makefile /root/Makefile
+COPY Makefile common.mk version.txt /root/
 COPY manager/config/user_access_config.json /root/docker/user_access_config.json
-COPY tools/certificates/Makefile /root/tools/certificates/Makefile
-COPY tools/certificates/openssl.cnf /root/tools/certificates/openssl.cnf
-COPY version.txt /root/sscape/version.txt
+COPY manager/Makefile /root/manager/
+COPY tools/certificates/ /root/tools/certificates/
+COPY tools/authsecrets/Makefile /root/tools/authsecrets/
 
-RUN apt-get update && apt-get install -y curl make python3
-
-RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
-RUN chmod +x ./kubectl
-RUN mv ./kubectl /usr/local/bin/kubectl
+RUN apt-get update && apt-get install -y curl make python3 openssl \
+    && curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
+    && chmod +x ./kubectl \
+    && mv ./kubectl /usr/local/bin/kubectl \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
 
 CMD ["/bin/bash"]

kubernetes/scenescape-chart/Chart.yaml

@@ -5,5 +5,5 @@ apiVersion: v2
 name: scenescape-chart
 description: A Helm chart for SceneScape
 type: application
-version: 1.2.0
-appVersion: "1.3.0"
+version: 1.2.1
+appVersion: "1.4.0-alpha"

kubernetes/scenescape-chart/README.md

@@ -55,3 +55,21 @@ Time server which maintains the reference clock and keeps clients, such as Perce
 ### SQL database
 
 PostgreSQL database server which stores static information used by the web UI and the scene controller. No video or object location data is stored by Intel® SceneScape.
+
+## Configuration
+
+### Proxy Settings
+
+If you're deploying SceneScape in an environment that requires proxy access to external resources, use the following best-practice values for `noProxy`:
+
+```yaml
+proxy:
+  enabled: true
+  httpProxy: "http://your-proxy-server:port"
+  httpsProxy: "https://your-proxy-server:port"
+  noProxy: "localhost,127.0.0.1,.local,.svc,.svc.cluster.local,10.96.0.0/12,10.244.0.0/16,172.17.0.0/16"
+```
+
+For a detailed explanation of what to put in `no_proxy` and why, see the [Proxy Configuration section in the top-level README](../README.md#proxy-configuration).
+
+These settings will be applied to all SceneScape containers as environment variables, enabling them to access external resources through your corporate proxy.

kubernetes/scenescape-chart/templates/broker-dep.yaml

@@ -23,7 +23,21 @@ spec:
           name: {{ .Release.Name }}-broker
           env:
           - name: REST_SERVER
-            value: web.{{ .Release.Namespace }}
+            value: web.{{ .Release.Namespace }}.svc.cluster.local
+{{- if .Values.proxy.enabled }}
+          - name: HTTP_PROXY
+            value: {{ .Values.proxy.httpProxy }}
+          - name: HTTPS_PROXY
+            value: {{ .Values.proxy.httpsProxy }}
+          - name: NO_PROXY
+            value: {{ .Values.proxy.noProxy }}
+          - name: http_proxy
+            value: {{ .Values.proxy.httpProxy }}
+          - name: https_proxy
+            value: {{ .Values.proxy.httpsProxy }}
+          - name: no_proxy
+            value: {{ .Values.proxy.noProxy }}
+{{- end }}
           imagePullPolicy: Always
           readinessProbe:
             exec:

kubernetes/scenescape-chart/templates/camcalibration-dep.yaml

@@ -23,19 +23,33 @@ spec:
       initContainers:
         - name: wait-for-web-initcontainer
           image: busybox
-          command: ["/bin/sh", "-c", "until wget -q --spider http://web.{{ .Release.Namespace }}; do sleep 1; done"]
+          command: ["/bin/sh", "-c", "until wget -q --spider http://web.{{ .Release.Namespace }}.svc.cluster.local; do sleep 1; done"]
       containers:
         - args:
           - camcalibration
           - --broker
-          - broker.{{ .Release.Namespace }}
+          - broker.{{ .Release.Namespace }}.svc.cluster.local
           - --resturl
-          - https://web.{{ .Release.Namespace }}/api/v1
+          - https://web.{{ .Release.Namespace }}.svc.cluster.local/api/v1
           image: {{ .Values.repository }}/{{ .Values.camcalibration.image }}:{{ .Chart.AppVersion }}
           name: {{ .Release.Name }}-camcalibration
           env:
           - name: EGL_PLATFORM
             value: surfaceless
+{{- if .Values.proxy.enabled }}
+          - name: HTTP_PROXY
+            value: {{ .Values.proxy.httpProxy }}
+          - name: HTTPS_PROXY
+            value: {{ .Values.proxy.httpsProxy }}
+          - name: NO_PROXY
+            value: {{ .Values.proxy.noProxy }}
+          - name: http_proxy
+            value: {{ .Values.proxy.httpProxy }}
+          - name: https_proxy
+            value: {{ .Values.proxy.httpsProxy }}
+          - name: no_proxy
+            value: {{ .Values.proxy.noProxy }}
+{{- end }}
           imagePullPolicy: Always
           securityContext:
             privileged: true

kubernetes/scenescape-chart/templates/kubeclient-dep.yaml

@@ -21,20 +21,20 @@ spec:
       initContainers:
       - name: wait-for-broker-initcontainer
         image: busybox
-        command: ["/bin/sh", "-c", "until nc -vz broker.{{ .Release.Namespace }} 1883; do sleep 1; done"]
+        command: ["/bin/sh", "-c", "until nc -vz broker.{{ .Release.Namespace }}.svc.cluster.local 1883; do sleep 1; done"]
       - name: wait-for-web-initcontainer
         image: busybox
-        command: ["/bin/sh", "-c", "until wget -q --spider http://web.{{ .Release.Namespace }}; do sleep 1; done"]
+        command: ["/bin/sh", "-c", "until wget -q --spider http://web.{{ .Release.Namespace }}.svc.cluster.local; do sleep 1; done"]
       containers:
         - args:
           - ./manage.py
           - kubecommand
           - --broker
-          - broker.{{ .Release.Namespace }}
+          - broker.{{ .Release.Namespace }}.svc.cluster.local
           - --resturl
-          - https://web.{{ .Release.Namespace }}/api/v1
+          - https://web.{{ .Release.Namespace }}.svc.cluster.local/api/v1
           - --ntp
-          - ntpserv.{{ .Release.Namespace }}
+          - ntpserv.{{ .Release.Namespace }}.svc.cluster.local
           - --auth
           - /run/secrets/percebro.auth
           image: {{ .Values.repository }}/{{ .Values.kubeclient.image }}:{{ .Chart.AppVersion }}
@@ -56,6 +56,20 @@ spec:
             value: {{ $pullSecret.name | quote }}
           {{- end }}
           {{- end }}
+{{- if .Values.proxy.enabled }}
+          - name: HTTP_PROXY
+            value: {{ .Values.proxy.httpProxy }}
+          - name: HTTPS_PROXY
+            value: {{ .Values.proxy.httpsProxy }}
+          - name: NO_PROXY
+            value: {{ .Values.proxy.noProxy }}
+          - name: http_proxy
+            value: {{ .Values.proxy.httpProxy }}
+          - name: https_proxy
+            value: {{ .Values.proxy.httpsProxy }}
+          - name: no_proxy
+            value: {{ .Values.proxy.noProxy }}
+{{- end }}
           imagePullPolicy: Always
           readinessProbe:
             exec: