K3S-HOME/security
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
93 Commits 1 Branch 0 Tags
04bc9724664abbe65da7a323c2ed372b3432e290
Commit Graph

93 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mayne0213
04bc972466 FEAT(authelia): add Immich as OIDC client in Authelia 
- Add Immich OIDC client configuration
- Enable OAuth authentication for Immich
 2026-01-05 00:40:26 +09:00
Mayne0213
ddc733d2d2 FEAT(authelia): add Vault as OIDC client in Authelia 
- Add Vault OIDC client configuration
- Add VAULT_CLIENT_SECRET to ExternalSecret
- Mount VAULT_CLIENT_SECRET in pod
 2026-01-05 00:40:26 +09:00
Mayne0213
159e135ee8 FEAT(authelia): add OIDC admin ClusterRoleBinding 
- Add ClusterRoleBinding for Authelia SSO
- Enable admin access via OIDC
 2026-01-05 00:40:26 +09:00
Mayne0213
0be0f4cb5a FEAT(authelia): add jwks config for authelia oidc 
- Mount jwks.pem from authelia-secrets
- Configure JWKS with RS256 algorithm
 2026-01-05 00:40:26 +09:00
Mayne0213
ef31735060 FIX(vault): fix OIDC HMAC secret key name 
- Change key name from secret to key
- Fix Vault secret reference
 2026-01-05 00:40:26 +09:00
Mayne0213
e4fb804b3d FEAT(headlamp): enable authelia oidc provider 
- with headlamp client
- Add OIDC identity provider configuration
- Add Headlamp as OIDC client
- Update ExternalSecret for OIDC secrets (HMAC, JWKS, Headlamp client
  secret)
 2026-01-04 23:41:39 +09:00
Mayne0213
4d4ecb13d6 FIX(falco): add NoExecute tolerations 
- and enable Redis persistence
- Add NoExecute tolerations for master/control-plane nodes to run Falco
  DaemonSet on all nodes
- Enable Redis storage to persist index data across pod restarts
 2026-01-04 23:41:39 +09:00
Mayne0213
d88cf75b95 FIX(authelia): fix Authelia secret key names 
- Update key names to match chart expectations
- Fix ExternalSecret configuration
 2026-01-04 23:41:39 +09:00
Mayne0213
de5183469e FEAT(authelia): add JWT_HMAC_KEY to ExternalSecret 
- Add JWT_HMAC_KEY for password reset functionality
- Update ExternalSecret configuration
 2026-01-04 23:41:39 +09:00
Mayne0213
a4d9adc273 FIX(authelia): fix OIDC client_secret with plaintext prefix 
- Use plaintext prefix for client secret
- Fix OIDC authentication
 2026-01-04 23:41:39 +09:00
Mayne0213
520261d36e FEAT(authelia): enable Authelia OIDC provider with MinIO client 
- Enable OIDC identity provider
- Add MinIO as OIDC client
- Configure secrets from Vault
 2026-01-04 23:41:39 +09:00
Mayne0213
7de57fc936 CHORE(authelia): disable falco-ui basic auth 
- Use Authelia SSO instead
- Remove basic auth configuration
 2026-01-04 23:41:39 +09:00
Mayne0213
7abf679d5e FEAT(goldilocks): add Authelia SSO 
- Add Authelia SSO to goldilocks, karma, trivy ingress
- Enable single sign-on authentication
 2026-01-04 23:41:39 +09:00
Mayne0213
2a4d84a0bc CHORE(deps): upgrade Falco to 0.40.0 
- Upgrade for kernel 6.14 support
- Apply dependency updates
 2026-01-04 23:41:39 +09:00
Mayne0213
5f197a607b FIX(falco): falco config errors 
- Remove unsupported outputs_queue_capacity option
- Fix Container Drift Detection rule (remove undefined rename macro)
 2026-01-04 23:41:39 +09:00
Mayne0213
765104bb4e REFACTOR(authelia): remove falco-ui-secret 
- Use Authelia SSO instead
- Remove basic auth secret
 2026-01-04 23:41:39 +09:00
Mayne0213
b523935f3b FIX(argocd): falco ArgoCD 
- to use multiple sources for ingress deployment
- Change from single source to multiple sources
- Add kustomize path to deploy ingress.yaml
- Add Authelia middleware to ingress
 2026-01-04 23:41:39 +09:00
Mayne0213
2ce3a296ae REFACTOR(authelia): remove OIDC config files 
- Remove OIDC configuration files
- Clean up unused configurations
 2026-01-04 23:41:39 +09:00
Mayne0213
cb4492f277 FEAT(authelia): add Authelia SSO to Vault and ArgoCD 
- Add Authelia SSO to vault and argocd ingress
- Enable single sign-on authentication
 2026-01-04 23:41:39 +09:00
Mayne0213
fe357836c3 FEAT(authelia): integrate Authelia secrets 
- Add ExternalSecret for Authelia
- Enable Vault integration for secrets
 2026-01-04 23:41:39 +09:00
Mayne0213
95c756bc7f FEAT(trivy): add trivy-ui Application with ingress 
- Add trivy-ui as separate ArgoCD Application with inline values
- Create ingress.yaml for trivy0213.kro.kr
- Update kustomization.yaml to include ingress
 2026-01-04 23:41:39 +09:00
Mayne0213
a3d971b986 FEAT(trivy): enable Trivy operator for security scanning 
- Uncomment trivy/argocd.yaml in kustomization.yaml
- Enable automated sync in trivy argocd.yaml
 2026-01-04 23:41:39 +09:00
Mayne0213
334c16f22a REFACTOR(postgresql): change Authelia PostgreSQL user 
- Change database user from app to bluemayne
- Update authentication configuration
 2026-01-04 23:41:39 +09:00
Mayne0213
5688b41026 PERF(vault): reduce Vault CPU request from 100m to 50m 
- Reduce based on actual usage (24-30m)
- Optimize resource allocation
 2026-01-04 23:41:39 +09:00
Mayne0213
2a0a239260 FEAT(vault): add master node toleration to Vault 
- Allows vault pods to run on master with NoExecute taint
 2026-01-04 23:41:39 +09:00
Mayne0213
114307fa4b CHORE(goldilocks): disable Goldilocks and Trivy 
- Comment out goldilocks/argocd.yaml from kustomization
- Comment out trivy/argocd.yaml from kustomization
- Disable autoSync in both applications
- Server overload mitigation
 2026-01-04 23:41:39 +09:00
Mayne0213
8da74949b8 FEAT(trivy): add trivy operator 
- for container vulnerability scanning
- Add Trivy Operator Helm chart (v0.31.0)
- Configure ServiceMonitor for Prometheus integration
- Enable vulnerability, config audit, and RBAC scanners
- Use Longhorn storage class for Trivy DB
- Exclude kube-system namespaces from scanning
 2026-01-04 23:41:39 +09:00
Mayne0213
dc31575f03 FIX(repo): set ha.config to empty to avoid duplicate listener 
- Set HA config to empty
- Prevent duplicate listener issue
 2026-01-04 23:41:39 +09:00
Mayne0213
207351a932 FEAT(postgresql): configure vault 
- to use externalsecret for postgresq...
- Add ExternalSecret to pull vault config from Vault itself
- Add RBAC for vault token reviewer (kubernetes auth)
- Update helm-values to mount secret as config
- Connection string is now stored in Vault, not in git
 2026-01-04 23:41:39 +09:00
Mayne0213
db24350909 REFACTOR(repo): rename users-database.yaml 
- to config.yaml
 2026-01-04 23:41:39 +09:00
Mayne0213
a22f4240b5 FIX(authelia): authelia secret keys 
- to dot notation
 2026-01-04 23:41:39 +09:00
Mayne0213
9081778d80 FIX(postgresql): postgresql password property key 2026-01-04 23:41:39 +09:00
Mayne0213
d049fd42f3 FIX(authelia): authelia secret key format 
- dot notation
 2026-01-04 23:41:39 +09:00
Mayne0213
f8d383f02e REFACTOR(postgresql): switch authelia 
- to pg storage, fix secr...
 2026-01-04 23:41:39 +09:00
Mayne0213
9af3f96546 CHORE(authelia): update Authelia admin password 
- hash
 2026-01-04 23:41:39 +09:00
Mayne0213
0ec31ac5a9 FEAT(authentik): add authelia sso 
- replacing authentik
 2026-01-04 23:41:39 +09:00
Mayne0213
87b16d13e3 FEAT(falco): configure falco redis 
- with 200mb maxmemory and lru eviction
 2026-01-04 23:41:39 +09:00
Mayne0213
27d1e5c4b1 FIX(falco): re-enable falco webui 
- with redis memory limit 128mi
 2026-01-04 23:41:39 +09:00
Mayne0213
26e40d234a CHORE(falco): disable sidekick web ui 
- to save 535mb redis memory
 2026-01-04 23:41:39 +09:00
Mayne0213
368f7b5f5a PERF(falco): reduce falcosidekick replicas to 1 
- Scale down to single replica
- Reduce resource usage
 2026-01-04 23:41:39 +09:00
Mayne0213
25379aebd0 PERF(authentik): increase replicas for HA 
- Traefik, CoreDNS, Authentik
- Traefik: 2 replicas
- CoreDNS: 2 replicas (new HelmChartConfig)
- Authentik: 2 replicas for server and worker
- Vault: Keep file storage (standalone)
 2026-01-04 23:41:39 +09:00
Mayne0213
d392bbc57a REFACTOR(argocd): remove serversideapply 
- from argocd applications
- Fixes OutOfSync issues caused by operator-added default values
- ServerSideApply causes stricter field management that conflicts with
  CRD defaults
 2026-01-04 23:41:39 +09:00
Mayne0213
f38cbedcba REFACTOR(traefik): switch from HAProxy 
- to Traefik ingress controller
- Update all ingress files to use ingressClassName: traefik
- Update cert-manager ClusterIssuer to use traefik class
- Remove haproxy.org annotations from ingress files
- Update vault helm-values to use traefik
 2026-01-04 23:41:39 +09:00
Mayne0213
1b139e53dc REFACTOR(postgresql): change vault storage 
- from pg to file st...
- Remove PostgreSQL backend dependency to avoid circular reference
- Vault no longer needs vault-pg-connection secret to start
- Use Longhorn PVC for data persistence
 2026-01-04 23:41:39 +09:00
Mayne0213
64aeb36e78 CHORE(external-secrets): update ESO API version from v1beta1 to v1 
- Update ExternalSecret API version
- Migrate to stable API
 2026-01-04 23:41:39 +09:00
Mayne0213
fe484fb4a1 FEAT(external-secrets): add ServerSideApply=true to ESO 
- Enable ServerSideApply for External Secrets Operator
- Fix CRD management
 2026-01-04 23:41:39 +09:00
Mayne0213
0a8c4bde16 REFACTOR(gitea): migrate repoURL from Gitea to GitHub 
- Update repository URL to GitHub
- Change source control provider
 2026-01-04 23:41:39 +09:00
Mayne0213
970b69cedc CHORE(deps): upgrade ESO to 1.2.0 for v1 API support 
- Upgrade External Secrets Operator
- Enable v1 API support
 2026-01-04 23:41:39 +09:00
Mayne0213
a2682e292b REFACTOR(goldilocks): use managedNamespaceMetadata for namespace labels 
- Remove namespace.yaml files
- Add managedNamespaceMetadata with Goldilocks label
- Set CreateNamespace=true in syncOptions
- Update kustomization.yaml to remove namespace.yaml references
 2026-01-04 23:41:39 +09:00
Mayne0213
1aca10fb2d FEAT(cert-manager): add cert-manager annotation to Vault ingress 
- Add TLS certificate annotation
- Enable automatic certificate management
 2026-01-04 23:41:39 +09:00