# Secure Smart Intersection Deployment with Trusted Compute This comprehensive guide walks you through deploying a Smart Intersection application within a Trusted Compute (TC) environment. The Smart Intersection serves as a powerful reference implementation that demonstrates how to achieve secure video analytics for intelligent traffic management systems. Built on the robust DL Streamer Pipeline Server architecture, this solution employs pre-trained object detection models to analyze complex traffic patterns and generate actionable real-time insights. When deployed within a Trusted Compute environment, the entire video analytics pipeline benefits from hardware-backed isolation, creating a secure execution environment that safeguards sensitive traffic data and AI models from other workloads on the same device. ## System Prerequisites Ensure your deployment environment meets these essential requirements before proceeding: - **Trusted Compute Infrastructure**: A fully operational TC environment is required for secure deployment - Complete installation procedures are documented in the [TC Installation Guide](https://github.com/open-edge-platform/trusted-compute/blob/main/docs/trusted_compute_baremetal.md) - **Container Orchestration Platform**: K3s (lightweight Kubernetes distribution) for efficient workload management - **Package Management Tool**: Helm for streamlined Kubernetes application deployment and lifecycle management ## Implementation Guide ### Step 1: Infrastructure Foundation Setup **Deploy K3s Kubernetes Platform:** ```bash # Download and install K3s curl -sfL https://get.k3s.io | sh - # Verify the installation sudo systemctl status k3s # Check cluster readiness sudo k3s kubectl get nodes # Configure kubectl access mkdir -p ~/.kube sudo cp /etc/rancher/k3s/k3s.yaml ~/.kube/config sudo chown $USER:$USER ~/.kube/config chmod 600 ~/.kube/config # Set environment variable for kubectl export KUBECONFIG=/etc/rancher/k3s/k3s.yaml echo 'export KUBECONFIG=/etc/rancher/k3s/k3s.yaml' >> ~/.bashrc source ~/.bashrc ``` **Install Helm Package Manager:** ```bash # Download Helm installation script curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 chmod +x get_helm.sh # Install Helm ./get_helm.sh # Verify installation helm version ``` ### Step 2: Source Code Acquisition Retrieve the Smart Intersection application from the Edge AI Suites repository: ```bash # Clone the release branch git clone https://github.com/open-edge-platform/edge-ai-suites.git -b release-2026.0.0 # Navigate to the Smart Intersection directory cd edge-ai-suites/metro-ai-suite/metro-vision-ai-app-recipe/ ``` ### Step 3: Enable Trusted Compute Security Configure the deployment to leverage Kata Containers runtime for enhanced security isolation: ```bash # Navigate to DL Streamer Pipeline Server templates cd smart-intersection/chart/templates/dlstreamer-pipeline-server/ ``` **Option 1: Manual Runtime Configuration** Integrate the `runtimeClassName: kata-qemu` directive into your deployment template: ```yaml spec: replicas: 1 selector: matchLabels: app: {{ .Release.Name }}-dlstreamer-pipeline-server template: metadata: labels: app: {{ .Release.Name }}-dlstreamer-pipeline-server spec: runtimeClassName: kata-qemu securityContext: supplementalGroups: [109,110,992] volumes: ``` **Option 2: Automated Runtime Configuration** Apply the runtime configuration automatically using this command: ```bash sed -i '/template:/,/volumes:/ { /spec:/a\ runtimeClassName: kata-qemu }' deployment.yaml ``` **Network Configuration Setup:** Configure the WebRTC signaling server settings in `configmap.yaml`: **Option 1: Manual Network Configuration** ```yaml # Replace: WEBRTC_SIGNALING_SERVER: "ws://localhost:8443" # With (substitute your host IP): WEBRTC_SIGNALING_SERVER: "ws://:8443" ``` **Option 2: Automated Network Configuration** ```bash # Run the following command DEVICE_IP=$(hostname -I | awk '{print $1}') && sed -i "s|ws://localhost:8443|ws://$DEVICE_IP:8443|g" configmap.yaml ``` ### Step 4: Application Deployment Launch the Smart Intersection application using Helm with the configured Trusted Compute settings. For comprehensive deployment procedures and advanced configuration options, consult the official documentation: [Complete Helm Chart Deployment Guide](../get-started/deploy-with-helm.md#steps-to-deploy) ### Step 5: Deployment Verification and Monitoring **Confirm Secure Isolation:** Verify that the DL Streamer Pipeline Server is operating within a Trusted Compute virtual machine environment: ```bash ps aux | grep qemu ``` Successful Trusted Compute deployment will display a QEMU process containing: - Complete VM launch parameters and configuration - Allocated CPU cores and memory resources - Unique process identifier (PID) for monitoring **Performance Monitoring:** Monitor application health and performance metrics by examining DL Streamer logs: ```bash kubectl logs -n smart-intersection ``` ## Application Management ### Uninstalling the Smart Intersection Application Before deploying a new Smart Intersection instance, ensure any existing deployment is properly removed: ```bash # Uninstall the current application deployment helm uninstall smart-intersection -n smart-intersection # Remove the namespace and all associated resources kubectl delete namespace smart-intersection ``` ## Enhanced Security Architecture This Trusted Compute implementation delivers comprehensive security advantages through multiple layers of protection: - **Complete Workload Isolation**: Video analytics pipelines execute within dedicated, hardware-isolated virtual machines, preventing cross-contamination between workloads - **Memory Encryption**: Provides runtime protection for sensitive traffic video and detection models by safeguarding against cold boot attacks and physical threats to the memory subsystem - **Secure Boot Process**: Ensures only authenticated and verified code executes within the trusted environment - **Full Disk Encryption (FDE) Process**: Prevents unauthorized access to disk data, particularly in scenarios involving device theft, loss, or physical compromise This robust isolated execution environment ensures that all traffic analysis operations maintain the highest standards of security and data protection while delivering uncompromised functionality and performance. The hardware-backed security guarantees provide protection for traffic management systems.