From 66d845140e7bbe4805a0d06ade37e6ef0c31accd Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Thu, 8 Jan 2026 13:09:02 +0900
Subject: [PATCH] FIX(authelia): move affinity to top level

- Move affinity from pod.affinity to top-level affinity
- Fix Helm chart schema validation error
- Maintain soft anti-affinity configuration

FIX(security): remove unsupported affinity from authelia

- Remove affinity from authelia (chart schema limitation)
- Fix external-secrets duplicate webhook/certController sections
- Merge affinity into respective component sections
- Authelia chart does not support affinity in values.yaml
---
 authelia/helm-values.yaml         | 16 ++++--------
 external-secrets/helm-values.yaml | 42 +++++++++++++++++++++++--------
 2 files changed, 36 insertions(+), 22 deletions(-)

diff --git a/authelia/helm-values.yaml b/authelia/helm-values.yaml
index 86905bb..080826f 100644
--- a/authelia/helm-values.yaml
+++ b/authelia/helm-values.yaml
@@ -169,14 +169,8 @@ secret:
 # No persistence needed - using PostgreSQL
-# Affinity - Soft Anti-Affinity to spread pods across nodes
-pod:
-  affinity:
-    podAntiAffinity:
-      preferredDuringSchedulingIgnoredDuringExecution:
-        - weight: 100
-          podAffinityTerm:
-            labelSelector:
-              matchLabels:
-                app.kubernetes.io/name: authelia
-            topologyKey: kubernetes.io/hostname
+# Note: Authelia Helm chart does not support affinity configuration
+# in values.yaml due to strict schema validation (beta chart).
+# Replica count is set to 2 for HA, but soft anti-affinity cannot
+# be configured via Helm values. Consider using post-render hooks
+# or manual patching if node distribution is critical.
diff --git a/external-secrets/helm-values.yaml b/external-secrets/helm-values.yaml
index 3ec7a85..f5894aa 100644
--- a/external-secrets/helm-values.yaml
+++ b/external-secrets/helm-values.yaml
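Review bot: The replacement comment states that the replica count is 2 for HA, which is not in this hunk and presumably lives elsewhere in authelia/helm-values.yaml; if so, two replicas with no anti-affinity can still be co-scheduled on one node, so the HA claim covers pod failure only, not node failure, and the comment should say so plainly. The limitation is also tied to whichever chart version rejected the `pod.affinity` block and will silently go stale on upgrade, so I would pin it, e.g. `# TODO: re-test affinity support after upgrading the chart (schema rejection observed with chart version <CHART_VERSION>)`. Note that the first subject line, "move affinity to top level", describes a change this hunk does not make: the block is deleted, not moved, which only the second message section reflects.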
@@ -45,18 +45,17 @@ logLevel: info
 # CRD는 이미 설치되어 있으며, 업그레이드 시 수동으로 적용 필요
 installCRDs: false
-# Affinity - Soft Anti-Affinity to spread pods across nodes
-affinity:
-  podAntiAffinity:
-    preferredDuringSchedulingIgnoredDuringExecution:
-      - weight: 100
-        podAffinityTerm:
-          labelSelector:
-            matchLabels:
-              app.kubernetes.io/name: external-secrets
-          topologyKey: kubernetes.io/hostname
-
+# Webhook 설정
 webhook:
+  replicaCount: 2
+  resources:
+    requests:
+      cpu: 2m # Reduced from 10m based on actual usage (1m)
+      memory: 32Mi
+    limits:
+      # cpu: removed to prevent throttling
+      memory: 128Mi
+  # Affinity - Soft Anti-Affinity to spread pods across nodes
   affinity:
     podAntiAffinity:
       preferredDuringSchedulingIgnoredDuringExecution:
@@ -67,7 +66,17 @@ webhook:
                 app.kubernetes.io/name: external-secrets-webhook
             topologyKey: kubernetes.io/hostname
+# CertController 설정
 certController:
+  replicaCount: 2
+  resources:
+    requests:
+      cpu: 2m # Reduced from 10m based on actual usage (1m)
+      memory: 32Mi
+    limits:
+      # cpu: removed to prevent throttling
+      memory: 128Mi
+  # Affinity - Soft Anti-Affinity to spread pods across nodes
   affinity:
     podAntiAffinity:
       preferredDuringSchedulingIgnoredDuringExecution:
@@ -77,3 +86,14 @@ certController:
               matchLabels:
                 app.kubernetes.io/name: external-secrets-cert-controller
             topologyKey: kubernetes.io/hostname
+
+# Affinity - Soft Anti-Affinity to spread pods across nodes
+affinity:
+  podAntiAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 100
+        podAffinityTerm:
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: external-secrets
+          topologyKey: kubernetes.io/hostname
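Review bot: The third hunk re-adds at end of file the same top-level `affinity` block the first hunk removes, so for the controller the net effect is relocation only, while the commit message says affinity was merged into component sections; a reader now sees three near-identical blocks with no indication which workload the top-level one targets. I would name it in the comment, e.g. `# Affinity for the controller Deployment - Soft Anti-Affinity to spread pods across nodes`, and, if the chart exposes a component section for the controller like those for webhook and certController, place it there for symmetry. The anti-affinity only takes effect if the `app.kubernetes.io/name` values (`external-secrets`, `external-secrets-webhook`, `external-secrets-cert-controller`) match the labels the chart actually renders, which cannot be confirmed from the hunk and is worth a one-line check against the rendered manifests. Each hunk cuts through the `webhook:`, `certController:` and top-level affinity mappings, so the remainder of each block is outside the view.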