K3S-HOME/security
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
162 Commits 1 Branch 0 Tags
5acc1c7f9e89c66d7a793be642a44e4c32c2f820
Commit Graph

162 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mayne0213
d4b84305a2 FIX(redis): use customConfig for maxmemory 
- extraArgs was not being applied to Redis container
- Use customConfig which is the correct way to set Redis directives
- maxmemory 800mb with allkeys-lru policy
 2026-01-05 00:40:26 +09:00
Mayne0213
94dcb7d585 FEAT(falco): add 6h TTL to sidekick-ui 
- to prevent Redis OOM
- Events older than 6 hours are auto-deleted
- Prevents linear memory growth in Redis
 2026-01-05 00:40:26 +09:00
Mayne0213
9822441e38 REFACTOR(repo): migrate repoURL to K3S-HOME 
- Update repository URL to K3S-HOME organization
- Change from personal to organization repo
 2026-01-05 00:40:26 +09:00
Mayne0213
4e4be3109a FIX(external-secrets): fix ESO CRD OutOfSync 
- Add ignoreDifferences for CRD caBundle and spec/versions
- Add RespectIgnoreDifferences syncOption
- Prevents ArgoCD from detecting drift on CRD fields managed by webhook
 2026-01-05 00:40:26 +09:00
Mayne0213
168193845b FIX(authelia): fix TOTP config for chart 0.10.x 
- Change enabled to disable for TOTP configuration
- Fix chart compatibility
 2026-01-05 00:40:26 +09:00
renovate[bot]
a6342a2fdd CHORE(authelia): update authelia to 0.10.x 
- Upgrade Authelia chart version
- Apply dependency updates
 2026-01-05 00:40:26 +09:00
renovate[bot]
8fd3daa65f CHORE(external-secrets): update ESO to v1.2.1 
- Upgrade External Secrets Operator chart
- Apply dependency updates
 2026-01-05 00:40:26 +09:00
Mayne0213
fd31dc3c65 REFACTOR(authelia): remove redirect to Vault 
- Remove redirect configuration to Vault
- Clean up authentication flow
 2026-01-05 00:40:26 +09:00
Mayne0213
1cd89f6bae REFACTOR(falco): remove CPU limit 
- Set cpu: null to override chart default (1 core)
- Prevents CPU throttling under high load
 2026-01-05 00:40:26 +09:00
Mayne0213
bce1bdf12b FIX(trivy): fix Trivy resource limits 
- Operator: add 512Mi memory limit
- Scan jobs: increase memory limit 500M -> 768Mi
- Reduce concurrent scan jobs 3 -> 2
 2026-01-05 00:40:26 +09:00
Mayne0213
c67b720ee4 FIX(falco): falco oom issues 
- increase memory limits
- Falco: add 512Mi memory limit
- Falcosidekick: increase memory limit 256Mi -> 512Mi
- Redis: increase memory limit 512Mi -> 1Gi (was 84 restarts)
- Redis: increase maxmemory 400mb -> 800mb
 2026-01-05 00:40:26 +09:00
Mayne0213
a9a4ed1bf3 FIX(authelia): increase Authelia memory limit 
- to 256Mi
OOMKilled with 128Mi limit. Increased to 256Mi for stability.
 2026-01-05 00:40:26 +09:00
Mayne0213
589b98a875 REFACTOR(trivy): remove Trivy scan job CPU limit 
- Remove CPU limit to prevent throttling
- Optimize scan job performance
 2026-01-05 00:40:26 +09:00
Mayne0213
ede767498d PERF(redis): increase Redis memory limit to 512Mi 
- Increase memory limit to prevent OOM
- Optimize Redis configuration
 2026-01-05 00:40:26 +09:00
Mayne0213
a0e483a8c4 FEAT(trivy): add ignoreDiff for trivy-ui CPU limit 
- Add ignoreDifferences for CPU limit field
- Prevent ArgoCD sync drift
 2026-01-05 00:40:26 +09:00
Mayne0213
59b834c250 REFACTOR(resources): use tilde for null CPU 
- Use ~ (tilde) for null CPU limit values
- YAML best practice for null
 2026-01-05 00:40:26 +09:00
Mayne0213
e1ecf43096 REFACTOR(trivy): remove trivy-ui CPU limit 
- Remove CPU limit to prevent throttling
- Optimize resource configuration
 2026-01-05 00:40:26 +09:00
Mayne0213
1a551b47ca PERF(falco): optimize falco rules 
- and add sidekick memory limit
- Add macros to exclude trivy, postgres, minio, vault from rules
- Disable Container Drift Detection (too noisy)
- Remove /etc/passwd from sensitive file access (normal lookups)
- Add 256Mi memory limit to falcosidekick (was using 1.1GB)
 2026-01-05 00:40:26 +09:00
Mayne0213
8d46ae9e49 FEAT(immich): add email to admin user for OAuth 
- Add email field to admin user
- Required for Immich OAuth integration
 2026-01-05 00:40:26 +09:00
Mayne0213
04bc972466 FEAT(authelia): add Immich as OIDC client in Authelia 
- Add Immich OIDC client configuration
- Enable OAuth authentication for Immich
 2026-01-05 00:40:26 +09:00
Mayne0213
ddc733d2d2 FEAT(authelia): add Vault as OIDC client in Authelia 
- Add Vault OIDC client configuration
- Add VAULT_CLIENT_SECRET to ExternalSecret
- Mount VAULT_CLIENT_SECRET in pod
 2026-01-05 00:40:26 +09:00
Mayne0213
159e135ee8 FEAT(authelia): add OIDC admin ClusterRoleBinding 
- Add ClusterRoleBinding for Authelia SSO
- Enable admin access via OIDC
 2026-01-05 00:40:26 +09:00
Mayne0213
0be0f4cb5a FEAT(authelia): add jwks config for authelia oidc 
- Mount jwks.pem from authelia-secrets
- Configure JWKS with RS256 algorithm
 2026-01-05 00:40:26 +09:00
Mayne0213
ef31735060 FIX(vault): fix OIDC HMAC secret key name 
- Change key name from secret to key
- Fix Vault secret reference
 2026-01-05 00:40:26 +09:00
Mayne0213
e4fb804b3d FEAT(headlamp): enable authelia oidc provider 
- with headlamp client
- Add OIDC identity provider configuration
- Add Headlamp as OIDC client
- Update ExternalSecret for OIDC secrets (HMAC, JWKS, Headlamp client
  secret)
 2026-01-04 23:41:39 +09:00
Mayne0213
4d4ecb13d6 FIX(falco): add NoExecute tolerations 
- and enable Redis persistence
- Add NoExecute tolerations for master/control-plane nodes to run Falco
  DaemonSet on all nodes
- Enable Redis storage to persist index data across pod restarts
 2026-01-04 23:41:39 +09:00
Mayne0213
d88cf75b95 FIX(authelia): fix Authelia secret key names 
- Update key names to match chart expectations
- Fix ExternalSecret configuration
 2026-01-04 23:41:39 +09:00
Mayne0213
de5183469e FEAT(authelia): add JWT_HMAC_KEY to ExternalSecret 
- Add JWT_HMAC_KEY for password reset functionality
- Update ExternalSecret configuration
 2026-01-04 23:41:39 +09:00
Mayne0213
a4d9adc273 FIX(authelia): fix OIDC client_secret with plaintext prefix 
- Use plaintext prefix for client secret
- Fix OIDC authentication
 2026-01-04 23:41:39 +09:00
Mayne0213
520261d36e FEAT(authelia): enable Authelia OIDC provider with MinIO client 
- Enable OIDC identity provider
- Add MinIO as OIDC client
- Configure secrets from Vault
 2026-01-04 23:41:39 +09:00
Mayne0213
7de57fc936 CHORE(authelia): disable falco-ui basic auth 
- Use Authelia SSO instead
- Remove basic auth configuration
 2026-01-04 23:41:39 +09:00
Mayne0213
7abf679d5e FEAT(goldilocks): add Authelia SSO 
- Add Authelia SSO to goldilocks, karma, trivy ingress
- Enable single sign-on authentication
 2026-01-04 23:41:39 +09:00
Mayne0213
2a4d84a0bc CHORE(deps): upgrade Falco to 0.40.0 
- Upgrade for kernel 6.14 support
- Apply dependency updates
 2026-01-04 23:41:39 +09:00
Mayne0213
5f197a607b FIX(falco): falco config errors 
- Remove unsupported outputs_queue_capacity option
- Fix Container Drift Detection rule (remove undefined rename macro)
 2026-01-04 23:41:39 +09:00
Mayne0213
765104bb4e REFACTOR(authelia): remove falco-ui-secret 
- Use Authelia SSO instead
- Remove basic auth secret
 2026-01-04 23:41:39 +09:00
Mayne0213
b523935f3b FIX(argocd): falco ArgoCD 
- to use multiple sources for ingress deployment
- Change from single source to multiple sources
- Add kustomize path to deploy ingress.yaml
- Add Authelia middleware to ingress
 2026-01-04 23:41:39 +09:00
Mayne0213
2ce3a296ae REFACTOR(authelia): remove OIDC config files 
- Remove OIDC configuration files
- Clean up unused configurations
 2026-01-04 23:41:39 +09:00
Mayne0213
cb4492f277 FEAT(authelia): add Authelia SSO to Vault and ArgoCD 
- Add Authelia SSO to vault and argocd ingress
- Enable single sign-on authentication
 2026-01-04 23:41:39 +09:00
Mayne0213
fe357836c3 FEAT(authelia): integrate Authelia secrets 
- Add ExternalSecret for Authelia
- Enable Vault integration for secrets
 2026-01-04 23:41:39 +09:00
Mayne0213
95c756bc7f FEAT(trivy): add trivy-ui Application with ingress 
- Add trivy-ui as separate ArgoCD Application with inline values
- Create ingress.yaml for trivy0213.kro.kr
- Update kustomization.yaml to include ingress
 2026-01-04 23:41:39 +09:00
Mayne0213
a3d971b986 FEAT(trivy): enable Trivy operator for security scanning 
- Uncomment trivy/argocd.yaml in kustomization.yaml
- Enable automated sync in trivy argocd.yaml
 2026-01-04 23:41:39 +09:00
Mayne0213
334c16f22a REFACTOR(postgresql): change Authelia PostgreSQL user 
- Change database user from app to bluemayne
- Update authentication configuration
 2026-01-04 23:41:39 +09:00
Mayne0213
5688b41026 PERF(vault): reduce Vault CPU request from 100m to 50m 
- Reduce based on actual usage (24-30m)
- Optimize resource allocation
 2026-01-04 23:41:39 +09:00
Mayne0213
2a0a239260 FEAT(vault): add master node toleration to Vault 
- Allows vault pods to run on master with NoExecute taint
 2026-01-04 23:41:39 +09:00
Mayne0213
114307fa4b CHORE(goldilocks): disable Goldilocks and Trivy 
- Comment out goldilocks/argocd.yaml from kustomization
- Comment out trivy/argocd.yaml from kustomization
- Disable autoSync in both applications
- Server overload mitigation
 2026-01-04 23:41:39 +09:00
Mayne0213
8da74949b8 FEAT(trivy): add trivy operator 
- for container vulnerability scanning
- Add Trivy Operator Helm chart (v0.31.0)
- Configure ServiceMonitor for Prometheus integration
- Enable vulnerability, config audit, and RBAC scanners
- Use Longhorn storage class for Trivy DB
- Exclude kube-system namespaces from scanning
 2026-01-04 23:41:39 +09:00
Mayne0213
dc31575f03 FIX(repo): set ha.config to empty to avoid duplicate listener 
- Set HA config to empty
- Prevent duplicate listener issue
 2026-01-04 23:41:39 +09:00
Mayne0213
207351a932 FEAT(postgresql): configure vault 
- to use externalsecret for postgresq...
- Add ExternalSecret to pull vault config from Vault itself
- Add RBAC for vault token reviewer (kubernetes auth)
- Update helm-values to mount secret as config
- Connection string is now stored in Vault, not in git
 2026-01-04 23:41:39 +09:00
Mayne0213
db24350909 REFACTOR(repo): rename users-database.yaml 
- to config.yaml
 2026-01-04 23:41:39 +09:00
Mayne0213
a22f4240b5 FIX(authelia): authelia secret keys 
- to dot notation
 2026-01-04 23:41:39 +09:00