From cbf00275e81d2e741ce5a994ad23959c6a8a73e3 Mon Sep 17 00:00:00 2001 From: Mayne0213 Date: Thu, 8 Jan 2026 13:07:56 +0900 Subject: [PATCH] FEAT(security): enable HA with replica 2 and soft anti-affinity - Add replicaCount: 2 to authelia, external-secrets, falco - Add soft pod anti-affinity for node distribution - Configure affinity for all security components --- authelia/helm-values.yaml | 14 +++++++++++- external-secrets/helm-values.yaml | 38 +++++++++++++++++++++++++++++++ falco/helm-values.yaml | 13 ++++++++++- 3 files changed, 63 insertions(+), 2 deletions(-) diff --git a/authelia/helm-values.yaml b/authelia/helm-values.yaml index 998dccd..86905bb 100644 --- a/authelia/helm-values.yaml +++ b/authelia/helm-values.yaml @@ -7,7 +7,7 @@ ingress: # Pod configuration pod: - replicas: 1 + replicas: 2 resources: requests: cpu: 15m @@ -168,3 +168,15 @@ secret: existingSecret: authelia-secrets # No persistence needed - using PostgreSQL + +# Affinity - Soft Anti-Affinity to spread pods across nodes +pod: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: authelia + topologyKey: kubernetes.io/hostname diff --git a/external-secrets/helm-values.yaml b/external-secrets/helm-values.yaml index 24a5c38..3ec7a85 100644 --- a/external-secrets/helm-values.yaml +++ b/external-secrets/helm-values.yaml @@ -1,6 +1,9 @@ # External Secrets Operator Helm Values # Chart: https://github.com/external-secrets/external-secrets +# Replica count +replicaCount: 2 + # 리소스 제한 resources: requests: @@ -12,6 +15,7 @@ resources: # Webhook 설정 webhook: + replicaCount: 2 resources: requests: cpu: 2m # Reduced from 10m based on actual usage (1m) @@ -22,6 +26,7 @@ webhook: # CertController 설정 certController: + replicaCount: 2 resources: requests: cpu: 2m # Reduced from 10m based on actual usage (1m) 
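Review bot: Raising `pod.replicas` from 1 to 2 in the first authelia hunk only gives real HA if both pods share session state; Authelia keeps sessions in memory unless a Redis session provider is configured, and that part of the values file is outside this hunk. Please confirm the chart's session/Redis settings are present, otherwise a login accepted by one replica is unknown to the other and users will be bounced to the login page depending on which pod the ingress picks. The `pod:` mapping this hunk edits continues past the hunk (resources and further settings), so the check has to be made against the whole file.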
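Review bot: The block appended at the end of authelia/helm-values.yaml opens a second top-level `pod:` mapping, duplicating the `pod:` key that already exists near line 7 of the file (the one the first hunk edits). Duplicate mapping keys are invalid YAML; most loaders (Helm's included, as far as I know) silently keep the last occurrence, so this would replace the whole earlier `pod:` block, `replicas: 2` and the resource requests included, with a mapping containing only `affinity`, while strict loaders reject the file outright. Move the `affinity:` subtree under the existing `pod:` mapping instead of re-opening the key. The last external-secrets hunk has the same defect: it re-opens `webhook:` and `certController:` at top level, which would discard the `resources` and `replicaCount: 2` set on those keys earlier in that file.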
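Review bot: The new top-level `replicaCount: 2` in external-secrets/helm-values.yaml means two controller pods reconcile the same ExternalSecret and SecretStore objects unless leader election is enabled; as far as I recall the upstream chart exposes this as a top-level `leaderElect` value defaulting to `false`, and nothing in this hunk sets it. Without it both replicas fetch from the provider and write the same target Secrets concurrently, which doubles provider API traffic and makes the audit trail for a given Secret update ambiguous. Suggest adding `leaderElect: true` next to `replicaCount: 2`, and confirming whether the cert controller (third hunk, `certController.replicaCount: 2`) needs an equivalent setting, since two cert-controller pods would both try to maintain the webhook CA/TLS secret.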
@@ -39,3 +44,36 @@ logLevel: info # CRD 자동 설치 비활성화 (annotation 크기 제한 문제 회피) # CRD는 이미 설치되어 있으며, 업그레이드 시 수동으로 적용 필요 installCRDs: false + +# Affinity - Soft Anti-Affinity to spread pods across nodes +affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: external-secrets + topologyKey: kubernetes.io/hostname + +webhook: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: external-secrets-webhook + topologyKey: kubernetes.io/hostname + +certController: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: external-secrets-cert-controller + topologyKey: kubernetes.io/hostname diff --git a/falco/helm-values.yaml b/falco/helm-values.yaml index de4a34d..5b52b6b 100644 --- a/falco/helm-values.yaml +++ b/falco/helm-values.yaml @@ -121,7 +121,7 @@ grafanaDashboard: falcosidekick: enabled: true fullfqdn: false - replicaCount: 1 + replicaCount: 2 resources: requests: @@ -154,6 +154,17 @@ falcosidekick: webui: enabled: false + # Affinity - Soft Anti-Affinity to spread pods across nodes + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: falcosidekick + topologyKey: kubernetes.io/hostname + # RBAC rbac: create: true
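Review bot: The anti-affinity term added under `falcosidekick` is `preferredDuringSchedulingIgnoredDuringExecution` only, so when the scheduler lacks capacity both sidekick replicas can still land on the same node and a single node drain evicts both. The commit title says it enables HA, but none of the three charts get a PodDisruptionBudget in this patch; consider adding one with `minAvailable: 1` wherever the chart exposes it. Also confirm that `app.kubernetes.io/name: falcosidekick` is the label the falcosidekick subchart actually stamps on its pods, because a selector that matches nothing turns the term into a silent no-op. The enclosing `falcosidekick:` mapping starts before this hunk.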