K3S-HOME/security
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
172 Commits 1 Branch 0 Tags
main
Commit Graph

172 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mayne0213
99ab720835 FIX(falco): explicitly set cpu limit to null 
- Helm chart has default CPU limit of 1000m
- Must explicitly set to null to remove it
 2026-01-12 02:42:36 +09:00
Mayne0213
ac4cd12c73 PERF(security): remove CPU limits for stability 
- Remove CPU limits from authelia, cert-manager, external-secrets, falco, vault
- Prevents CPU throttling issues
 2026-01-12 02:13:42 +09:00
Mayne0213
e5ca2a3f36 PERF(falco): remove CPU limit for stability 
- Remove CPU limit to prevent throttling
 2026-01-12 02:01:14 +09:00
Mayne0213
eba6d898ba PERF(falco): increase memory limit to upperBound 
- Memory limit 144Mi was causing segfault
- Increase to 177Mi (VPA upperBound)
 2026-01-12 01:51:49 +09:00
Mayne0213
ec09ea403f PERF(security): optimize resources via VPA 
- authelia: CPU 15m/15m, memory 100Mi/144Mi
- authelia-redis: CPU 22m/32m, memory 100Mi/100Mi
- cert-manager: CPU 15m/15m, memory 100Mi/100Mi
- cert-manager-cainjector: CPU 15m/15m, memory 126Mi/248Mi
- cert-manager-webhook: CPU 15m/15m, memory 100Mi/100Mi
- external-secrets: CPU 15m/15m, memory 100Mi/109Mi
- external-secrets-cert-controller: CPU 15m/15m, memory 144Mi/297Mi
- external-secrets-webhook: CPU 15m/15m, memory 100Mi/100Mi
- falco: CPU 34m/53m, memory 93Mi/144Mi
- falcosidekick: CPU 15m/15m, memory 100Mi/100Mi
- vault: CPU 34m/53m, memory 126Mi/163Mi
 2026-01-12 01:08:45 +09:00
Mayne0213
2cfcc586be refactor: update Vault secret paths to new categorized structure 
- authelia: postgresql → storage/postgresql, authelia → security/authelia
- external-secrets: zot → storage/zot (ClusterExternalSecret)
- vault: secret/data/vault/config → security/vault, authelia → security/authelia

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-11 22:36:33 +09:00
Mayne0213
5e717ff9b1 migrate: change repoURLs from GitHub to Gitea 
Update all ArgoCD Application references to use Gitea (github0213.com)
instead of GitHub for K3S-HOME/security repository.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-10 20:43:23 +09:00
Mayne0213
96c3c92069 REFACTOR(cert-manager): move from platform repo 
- Add cert-manager Application and helm values
- Add ClusterIssuer manifests
- Update kustomization references
 2026-01-10 19:57:58 +09:00
Mayne0213
d29651af7a REFACTOR(repo): remove control-plane scheduling 
- Remove nodeSelector for control-plane node
- Remove tolerations for control-plane taint
- Allow pods to schedule on any available node
 2026-01-10 18:35:15 +09:00
Mayne0213
8194fc6707 PERF(external-secrets): use 20% memory increase instead of VPA 
- Update operator memory 128Mi→154Mi (+20%)
- Update webhook memory 128Mi→154Mi (+20%)
- Update certController memory 256Mi→307Mi (+20%)
 2026-01-10 14:37:21 +09:00
Mayne0213
5acc1c7f9e PERF(security): adjust resources based on VPA 
- Update authelia memory 256Mi→194Mi
- Update authelia redis cpu 10m→23m, memory 64Mi→100Mi
- Update falco memory 263Mi→283Mi
- Update falcosidekick cpu 10m→15m, memory 128Mi→100Mi
- Update external-secrets operator cpu 5m→15m, memory 128Mi→100Mi
- Update external-secrets webhook cpu 2m→15m, memory 128Mi→100Mi
- Update external-secrets certController cpu 2m→15m, memory 256Mi→283Mi
- Update vault cpu 35m→49m, memory 263Mi→175Mi
 2026-01-10 14:32:33 +09:00
Mayne0213
c2d6958407 PERF(external-secrets): reduce replicas to 1 
- Reduce external-secrets replicas to 1
- Reduce cert-controller replicas to 1
- Reduce webhook replicas to 1
 2026-01-10 13:31:52 +09:00
Mayne0213
736205e464 PERF(falco): reduce sidekick replicas to 1 
- Reduce falcosidekick replicas from 2 to 1
- DaemonSet tolerations kept for all-node coverage
 2026-01-10 13:15:56 +09:00
Mayne0213
119e86d482 PERF(vault): add high-priority class 
- Add high-priority PriorityClass
- Keep tolerations for HA across all nodes (3 replicas)
 2026-01-10 13:14:08 +09:00
Mayne0213
ac6eaef446 CHORE(external-secrets): increase certController memory 
- Increase certController memory request and limit from 128Mi to 256Mi
- Maintain CPU request at 2m
 2026-01-10 02:09:28 +09:00
Mayne0213
c78dec54d7 FEAT(authelia): add Zot OIDC client 
- Add Zot client to OIDC providers
- Add ZOT_CLIENT_SECRET to ExternalSecret
- Add volume mount for Zot client secret
 2026-01-10 01:16:58 +09:00
Mayne0213
5f9573133e FIX(authelia): configure OIDC claims and scopes 
- Remove groups scope (not provided by Authelia)
- Add claims_policy for preferred_username
- Remove sub from claims_policy (standard claim)
 2026-01-10 01:16:58 +09:00
Mayne0213
fa4521e946 FIX(authelia): remove internal network bypass rule 
- All requests now require one_factor authentication
- Improve security posture
 2026-01-10 01:16:57 +09:00
Mayne0213
876708ccdf REFACTOR(authelia): simplify to single user 
- Change user from admin to bluemayne
- Remove other users from ClusterRoleBinding
 2026-01-10 01:16:57 +09:00
Mayne0213
8ccf5c5187 FIX(authelia): add users to OIDC ClusterRoleBinding 
- Add admin and bluemayne users
- Support multiple username formats for OIDC auth
 2026-01-10 01:16:57 +09:00
Mayne0213
507cb61ec4 FEAT(vault): add OIDC auth for Authelia SSO 
- Add ExternalSecret for VAULT_CLIENT_SECRET
- Configure default and admin roles for OIDC login
- Fix claim settings (use sub instead of preferred_username)
- Remove oidc-setup-job (already configured)
 2026-01-10 01:16:57 +09:00
Mayne0213
bb4af2638e FIX(authelia): correct network definition schema 
- Move networks from access_control to definitions.network
- Fix Helm chart schema validation error
- Maintain bypass policy for internal cluster traffic
 2026-01-10 01:16:57 +09:00
Mayne0213
16dd9d88aa FEAT(authelia): bypass auth for cluster internal traffic 
- Add internal network definition (10.42.0.0/16, 10.43.0.0/16)
- Allow blackbox-exporter probes without authentication
- Apply bypass policy for *.kro.kr from internal networks
 2026-01-10 01:16:57 +09:00
Mayne0213
c368d2e983 FIX(external-secrets): increase certController memory to 128Mi 
- cert-controller uses ~73Mi at runtime, 64Mi causes OOMKilled
 2026-01-10 01:16:57 +09:00
Mayne0213
871882927b FIX(external-secrets): increase memory limits for webhook and certController 
- Increase memory from 32Mi to 64Mi to prevent OOMKilled
- Remove duplicate webhook/certController sections (keep ones with affinity)
 2026-01-10 01:16:57 +09:00
Mayne0213
74d29aabfc CHORE(resources): set memory limits equal to memory requests 
- Align memory limits with memory requests for guaranteed QoS class
- falco: falcosidekick
- external-secrets: main, webhook, certController
- authelia: main, redis
 2026-01-10 01:16:56 +09:00
Mayne0213
4dc04bd904 FEAT(repo): add App of Apps self-reference 
- Add application.yaml for ArgoCD self-registration
- Update kustomization.yaml to include application.yaml
- Set prune: false to prevent cascade deletion
 2026-01-10 01:16:49 +09:00
Mayne0213
756ddade15 FEAT(authelia): enable HA with DaemonSet and Redis 
- Change pod.kind from Deployment to DaemonSet
- Add Redis for session storage
- Configure Redis image and subchart settings
- Add toleration for control-plane
 2026-01-10 01:16:49 +09:00
Mayne0213
061489756a CHORE(authelia): update admin password hash 
- Update password hash for admin user
- Ensure secure authentication
 2026-01-10 01:16:48 +09:00
Mayne0213
5ea9ad9dc1 CHORE(repo): remove application.yaml reference 
- Remove from kustomization.yaml
 2026-01-09 21:45:16 +09:00
Mayne0213
130da5c76d CHORE(repo): remove self-referencing application.yaml 
- Delete application.yaml (managed by platform)
 2026-01-09 21:45:16 +09:00
Mayne0213
369181717b REFACTOR(authelia): switch to Deployment mode 
- Change from DaemonSet to Deployment with 1 replica
- Remove Redis dependency (not needed for single replica)
 2026-01-09 21:45:16 +09:00
Mayne0213
45ab6592d6 FIX(authelia): disable Redis authentication 
- Remove password requirement for Redis
- Simplify internal cluster communication
 2026-01-09 21:45:16 +09:00
Mayne0213
e6f496c439 FEAT(authelia): add Redis for session storage 
- Enable Redis for HA session support
- Configure session.redis settings
 2026-01-09 21:45:16 +09:00
Mayne0213
739ac544c7 REFACTOR(repo): standardize taint to control-plane 
- Remove deprecated master taint from falco
- Update vault tolerations to control-plane
- Change effect from NoExecute to NoSchedule
 2026-01-09 21:45:16 +09:00
Mayne0213
8f449666b5 CHORE(authelia): Remove immich OIDC client 
- Remove IMMICH_CLIENT_SECRET from extraVolumes/extraVolumeMounts
- Remove immich OIDC client configuration
- Immich application removed

CHORE(authelia): Remove IMMICH_CLIENT_SECRET from ExternalSecret
 2026-01-09 21:45:16 +09:00
Mayne0213
870eea8664 CHORE(authelia): remove replica setting for DaemonSet 
- Remove pod.replicas from helm-values.yaml
- DaemonSet does not use replica configuration
- Each node runs one pod automatically
 2026-01-09 21:45:16 +09:00
Mayne0213
66d845140e FIX(authelia): move affinity to top level 
- Move affinity from pod.affinity to top-level affinity
- Fix Helm chart schema validation error
- Maintain soft anti-affinity configuration

FIX(security): remove unsupported affinity from authelia

- Remove affinity from authelia (chart schema limitation)
- Fix external-secrets duplicate webhook/certController sections
- Merge affinity into respective component sections
- Authelia chart does not support affinity in values.yaml
 2026-01-09 21:45:16 +09:00
Mayne0213
cbf00275e8 FEAT(security): enable HA with replica 2 and soft anti-affinity 
- Add replicaCount: 2 to authelia, external-secrets, falco
- Add soft pod anti-affinity for node distribution
- Configure affinity for all security components
 2026-01-08 13:07:56 +09:00
Mayne0213
56c7c0d29d CHORE(trivy): remove Trivy vulnerability scanner 
- Delete trivy directory and configuration files
- Remove trivy from kustomization.yaml
- Reduce cluster resource usage
 2026-01-08 01:28:01 +09:00
Mayne0213
c24313154d FIX(security): remove CPU limits from falco and trivy 
- falco: set cpu: null to disable chart default (1 core)
- trivy: set cpu: null for operator and scan jobs (500m default)
 2026-01-08 00:33:13 +09:00
Mayne0213
31007c5586 PERF(resources): remove CPU limits - keep memory limits only 
- CPU throttling prevents app startup, not crashes
- Memory OOM is the real cascading failure cause
- CPU request ensures fair scheduling
 2026-01-07 23:48:43 +09:00
Mayne0213
5e161fca8a FEAT(external-secrets): add ClusterExternalSecret for Zot 
- Add zot-registry-credentials ClusterExternalSecret
- Auto-create dockerconfigjson in labeled namespaces
- API version v1 (v1beta1 deprecated)
 2026-01-07 14:28:58 +09:00
Mayne0213
41e8771889 FIX(authelia): fix Headlamp OIDC token auth 
- Change token_endpoint_auth_method to client_secret_basic
- Headlamp uses client_secret_basic by default
- Authelia was configured with client_secret_post
- Fix token exchange failure causing login redirect loop
 2026-01-07 02:23:50 +09:00
Mayne0213
7cdc4f1e9e FIX(external-secrets): disable CRD installation via Helm 
- Set installCRDs: false to avoid annotation size limit
- CRDs already installed, manual upgrade when needed
 2026-01-07 01:24:07 +09:00
Mayne0213
661659acdb FIX(external-secrets): ignore CRD status in diff 
- Add /status to ignoreDifferences for CRDs
- Fix comparison error with terminatingReplicas field
 2026-01-07 01:20:02 +09:00
Mayne0213
3ea8b0d7c9 REVERT(external-secrets): remove ServerSideApply 
- ServerSideApply causes schema compatibility issues
- Removed annotations directly from CRDs instead
 2026-01-07 01:18:44 +09:00
Mayne0213
835395f7ec FIX(external-secrets): add ServerSideApply for CRD sync 
- Fix CRD annotation size limit exceeded error
- ServerSideApply avoids last-applied-configuration annotation
 2026-01-07 01:15:03 +09:00
Mayne0213
384d73d1fa REFACTOR(secrets): flatten Vault paths 
- Change secret paths from <category>/<app> to <app>
- databases/postgresql → postgresql
- cluster-infrastructure/authelia → authelia
 2026-01-06 16:53:10 +09:00
Mayne0213
677214b848 REFACTOR(repo): move vault/ to manifests/ 
- Move ExternalSecret file from vault/ to manifests/secret.yaml
- Update kustomization.yaml references
- Remove vault/ folder

Apps: authelia
 2026-01-06 16:43:38 +09:00