K3S-HOME/security
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
172 Commits 1 Branch 0 Tags
main
Commit Graph

18 Commits

Author SHA1 Message Date
Mayne0213
ac4cd12c73 PERF(security): remove CPU limits for stability 
- Remove CPU limits from authelia, cert-manager, external-secrets, falco, vault
- Prevents CPU throttling issues
 2026-01-12 02:13:42 +09:00
Mayne0213
ec09ea403f PERF(security): optimize resources via VPA 
- authelia: CPU 15m/15m, memory 100Mi/144Mi
- authelia-redis: CPU 22m/32m, memory 100Mi/100Mi
- cert-manager: CPU 15m/15m, memory 100Mi/100Mi
- cert-manager-cainjector: CPU 15m/15m, memory 126Mi/248Mi
- cert-manager-webhook: CPU 15m/15m, memory 100Mi/100Mi
- external-secrets: CPU 15m/15m, memory 100Mi/109Mi
- external-secrets-cert-controller: CPU 15m/15m, memory 144Mi/297Mi
- external-secrets-webhook: CPU 15m/15m, memory 100Mi/100Mi
- falco: CPU 34m/53m, memory 93Mi/144Mi
- falcosidekick: CPU 15m/15m, memory 100Mi/100Mi
- vault: CPU 34m/53m, memory 126Mi/163Mi
 2026-01-12 01:08:45 +09:00
Mayne0213
d29651af7a REFACTOR(repo): remove control-plane scheduling 
- Remove nodeSelector for control-plane node
- Remove tolerations for control-plane taint
- Allow pods to schedule on any available node
 2026-01-10 18:35:15 +09:00
Mayne0213
5acc1c7f9e PERF(security): adjust resources based on VPA 
- Update authelia memory 256Mi→194Mi
- Update authelia redis cpu 10m→23m, memory 64Mi→100Mi
- Update falco memory 263Mi→283Mi
- Update falcosidekick cpu 10m→15m, memory 128Mi→100Mi
- Update external-secrets operator cpu 5m→15m, memory 128Mi→100Mi
- Update external-secrets webhook cpu 2m→15m, memory 128Mi→100Mi
- Update external-secrets certController cpu 2m→15m, memory 256Mi→283Mi
- Update vault cpu 35m→49m, memory 263Mi→175Mi
 2026-01-10 14:32:33 +09:00
Mayne0213
119e86d482 PERF(vault): add high-priority class 
- Add high-priority PriorityClass
- Keep tolerations for HA across all nodes (3 replicas)
 2026-01-10 13:14:08 +09:00
Mayne0213
739ac544c7 REFACTOR(repo): standardize taint to control-plane 
- Remove deprecated master taint from falco
- Update vault tolerations to control-plane
- Change effect from NoExecute to NoSchedule
 2026-01-09 21:45:16 +09:00
Mayne0213
31007c5586 PERF(resources): remove CPU limits - keep memory limits only 
- CPU throttling prevents app startup, not crashes
- Memory OOM is the real cascading failure cause
- CPU request ensures fair scheduling
 2026-01-07 23:48:43 +09:00
Mayne0213
fd31dc3c65 REFACTOR(authelia): remove redirect to Vault 
- Remove redirect configuration to Vault
- Clean up authentication flow
 2026-01-05 00:40:26 +09:00
Mayne0213
cb4492f277 FEAT(authelia): add Authelia SSO to Vault and ArgoCD 
- Add Authelia SSO to vault and argocd ingress
- Enable single sign-on authentication
 2026-01-04 23:41:39 +09:00
Mayne0213
5688b41026 PERF(vault): reduce Vault CPU request from 100m to 50m 
- Reduce based on actual usage (24-30m)
- Optimize resource allocation
 2026-01-04 23:41:39 +09:00
Mayne0213
2a0a239260 FEAT(vault): add master node toleration to Vault 
- Allows vault pods to run on master with NoExecute taint
 2026-01-04 23:41:39 +09:00
Mayne0213
dc31575f03 FIX(repo): set ha.config to empty to avoid duplicate listener 
- Set HA config to empty
- Prevent duplicate listener issue
 2026-01-04 23:41:39 +09:00
Mayne0213
207351a932 FEAT(postgresql): configure vault 
- to use externalsecret for postgresq...
- Add ExternalSecret to pull vault config from Vault itself
- Add RBAC for vault token reviewer (kubernetes auth)
- Update helm-values to mount secret as config
- Connection string is now stored in Vault, not in git
 2026-01-04 23:41:39 +09:00
Mayne0213
25379aebd0 PERF(authentik): increase replicas for HA 
- Traefik, CoreDNS, Authentik
- Traefik: 2 replicas
- CoreDNS: 2 replicas (new HelmChartConfig)
- Authentik: 2 replicas for server and worker
- Vault: Keep file storage (standalone)
 2026-01-04 23:41:39 +09:00
Mayne0213
f38cbedcba REFACTOR(traefik): switch from HAProxy 
- to Traefik ingress controller
- Update all ingress files to use ingressClassName: traefik
- Update cert-manager ClusterIssuer to use traefik class
- Remove haproxy.org annotations from ingress files
- Update vault helm-values to use traefik
 2026-01-04 23:41:39 +09:00
Mayne0213
1b139e53dc REFACTOR(postgresql): change vault storage 
- from pg to file st...
- Remove PostgreSQL backend dependency to avoid circular reference
- Vault no longer needs vault-pg-connection secret to start
- Use Longhorn PVC for data persistence
 2026-01-04 23:41:39 +09:00
Mayne0213
1aca10fb2d FEAT(cert-manager): add cert-manager annotation to Vault ingress 
- Add TLS certificate annotation
- Enable automatic certificate management
 2026-01-04 23:41:39 +09:00
Mayne0213
34a1c9f783 REFACTOR(repo): restructure infra folder structure 
- Remove argocd/, helm-values/, ingress/ subdirectories
- Move files to parent directory with standardized names
- Add namespace.yaml to all apps with Goldilocks labels
- Preserve vault/ subdirectories (falco, velero)
- Update main kustomization.yaml to reference argocd.yaml files directly
- Comment out argocd.yaml in each app's kustomization.yaml to prevent
  circular reference

Applications restructured:
- cert-manager (2 ArgoCD apps)
- external-secrets
- reloader
- vault (2 ArgoCD apps)
- velero (2 ArgoCD apps)
- falco
- cnpg
- haproxy
- metallb
- vpa
- argocd
 2026-01-04 23:41:39 +09:00