FIX(authelia): move affinity to top level

- Move affinity from pod.affinity to top-level affinity
- Fix Helm chart schema validation error
- Maintain soft anti-affinity configuration

FIX(security): remove unsupported affinity from authelia

- Remove affinity from authelia (chart schema limitation)
- Fix external-secrets duplicate webhook/certController sections
- Merge affinity into respective component sections
- Authelia chart does not support affinity in values.yaml

authelia/helm-values.yaml

@@ -169,14 +169,8 @@ secret:
 
 # No persistence needed - using PostgreSQL
 
-# Affinity - Soft Anti-Affinity to spread pods across nodes
+# Note: Authelia Helm chart does not support affinity configuration
-pod:
+# in values.yaml due to strict schema validation (beta chart).
-  affinity:
+# Replica count is set to 2 for HA, but soft anti-affinity cannot
-    podAntiAffinity:
+# be configured via Helm values. Consider using post-render hooks
-      preferredDuringSchedulingIgnoredDuringExecution:
+# or manual patching if node distribution is critical.
-        - weight: 100
-          podAffinityTerm:
-            labelSelector:
-              matchLabels:
-                app.kubernetes.io/name: authelia
-            topologyKey: kubernetes.io/hostname

external-secrets/helm-values.yaml

@@ -45,18 +45,17 @@ logLevel: info
 # CRD는 이미 설치되어 있으며, 업그레이드 시 수동으로 적용 필요
 installCRDs: false
 
-# Affinity - Soft Anti-Affinity to spread pods across nodes
+# Webhook 설정
-affinity:
-  podAntiAffinity:
-    preferredDuringSchedulingIgnoredDuringExecution:
-      - weight: 100
-        podAffinityTerm:
-          labelSelector:
-            matchLabels:
-              app.kubernetes.io/name: external-secrets
-          topologyKey: kubernetes.io/hostname
-
 webhook:
+  replicaCount: 2
+  resources:
+    requests:
+      cpu: 2m  # Reduced from 10m based on actual usage (1m)
+      memory: 32Mi
+    limits:
+      # cpu: removed to prevent throttling
+      memory: 128Mi
+  # Affinity - Soft Anti-Affinity to spread pods across nodes
   affinity:
     podAntiAffinity:
       preferredDuringSchedulingIgnoredDuringExecution:
@@ -67,7 +66,17 @@ webhook:
                 app.kubernetes.io/name: external-secrets-webhook
             topologyKey: kubernetes.io/hostname
 
+# CertController 설정
 certController:
+  replicaCount: 2
+  resources:
+    requests:
+      cpu: 2m  # Reduced from 10m based on actual usage (1m)
+      memory: 32Mi
+    limits:
+      # cpu: removed to prevent throttling
+      memory: 128Mi
+  # Affinity - Soft Anti-Affinity to spread pods across nodes
   affinity:
     podAntiAffinity:
       preferredDuringSchedulingIgnoredDuringExecution:
@@ -77,3 +86,14 @@ certController:
               matchLabels:
                 app.kubernetes.io/name: external-secrets-cert-controller
             topologyKey: kubernetes.io/hostname
+
+# Affinity - Soft Anti-Affinity to spread pods across nodes
+affinity:
+  podAntiAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 100
+        podAffinityTerm:
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: external-secrets
+          topologyKey: kubernetes.io/hostname