K3S-HOME/security
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
159 Commits 1 Branch 0 Tags
119e86d4821e42f73cc6f580169793de180adbfd
Commit Graph

14 Commits

Author SHA1 Message Date
Mayne0213
119e86d482 PERF(vault): add high-priority class 
- Add high-priority PriorityClass
- Keep tolerations for HA across all nodes (3 replicas)
 2026-01-10 13:14:08 +09:00
Mayne0213
739ac544c7 REFACTOR(repo): standardize taint to control-plane 
- Remove deprecated master taint from falco
- Update vault tolerations to control-plane
- Change effect from NoExecute to NoSchedule
 2026-01-09 21:45:16 +09:00
Mayne0213
31007c5586 PERF(resources): remove CPU limits - keep memory limits only 
- CPU throttling prevents app startup, not crashes
- Memory OOM is the real cascading failure cause
- CPU request ensures fair scheduling
 2026-01-07 23:48:43 +09:00
Mayne0213
fd31dc3c65 REFACTOR(authelia): remove redirect to Vault 
- Remove redirect configuration to Vault
- Clean up authentication flow
 2026-01-05 00:40:26 +09:00
Mayne0213
cb4492f277 FEAT(authelia): add Authelia SSO to Vault and ArgoCD 
- Add Authelia SSO to vault and argocd ingress
- Enable single sign-on authentication
 2026-01-04 23:41:39 +09:00
Mayne0213
5688b41026 PERF(vault): reduce Vault CPU request from 100m to 50m 
- Reduce based on actual usage (24-30m)
- Optimize resource allocation
 2026-01-04 23:41:39 +09:00
Mayne0213
2a0a239260 FEAT(vault): add master node toleration to Vault 
- Allows vault pods to run on master with NoExecute taint
 2026-01-04 23:41:39 +09:00
Mayne0213
dc31575f03 FIX(repo): set ha.config to empty to avoid duplicate listener 
- Set HA config to empty
- Prevent duplicate listener issue
 2026-01-04 23:41:39 +09:00
Mayne0213
207351a932 FEAT(postgresql): configure vault 
- to use externalsecret for postgresq...
- Add ExternalSecret to pull vault config from Vault itself
- Add RBAC for vault token reviewer (kubernetes auth)
- Update helm-values to mount secret as config
- Connection string is now stored in Vault, not in git
 2026-01-04 23:41:39 +09:00
Mayne0213
25379aebd0 PERF(authentik): increase replicas for HA 
- Traefik, CoreDNS, Authentik
- Traefik: 2 replicas
- CoreDNS: 2 replicas (new HelmChartConfig)
- Authentik: 2 replicas for server and worker
- Vault: Keep file storage (standalone)
 2026-01-04 23:41:39 +09:00
Mayne0213
f38cbedcba REFACTOR(traefik): switch from HAProxy 
- to Traefik ingress controller
- Update all ingress files to use ingressClassName: traefik
- Update cert-manager ClusterIssuer to use traefik class
- Remove haproxy.org annotations from ingress files
- Update vault helm-values to use traefik
 2026-01-04 23:41:39 +09:00
Mayne0213
1b139e53dc REFACTOR(postgresql): change vault storage 
- from pg to file st...
- Remove PostgreSQL backend dependency to avoid circular reference
- Vault no longer needs vault-pg-connection secret to start
- Use Longhorn PVC for data persistence
 2026-01-04 23:41:39 +09:00
Mayne0213
1aca10fb2d FEAT(cert-manager): add cert-manager annotation to Vault ingress 
- Add TLS certificate annotation
- Enable automatic certificate management
 2026-01-04 23:41:39 +09:00
Mayne0213
34a1c9f783 REFACTOR(repo): restructure infra folder structure 
- Remove argocd/, helm-values/, ingress/ subdirectories
- Move files to parent directory with standardized names
- Add namespace.yaml to all apps with Goldilocks labels
- Preserve vault/ subdirectories (falco, velero)
- Update main kustomization.yaml to reference argocd.yaml files directly
- Comment out argocd.yaml in each app's kustomization.yaml to prevent
  circular reference

Applications restructured:
- cert-manager (2 ArgoCD apps)
- external-secrets
- reloader
- vault (2 ArgoCD apps)
- velero (2 ArgoCD apps)
- falco
- cnpg
- haproxy
- metallb
- vpa
- argocd
 2026-01-04 23:41:39 +09:00