5e717ff9b1
migrate: change repoURLs from GitHub to Gitea
Update all ArgoCD Application references to use Gitea (github0213.com)
instead of GitHub for K3S-HOME/security repository.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-10 20:43:23 +09:00
d29651af7a
REFACTOR(repo): remove control-plane scheduling
- Remove nodeSelector for control-plane node
- Remove tolerations for control-plane taint
- Allow pods to schedule on any available node
2026-01-10 18:35:15 +09:00
5acc1c7f9e
PERF(security): adjust resources based on VPA
- Update authelia memory 256Mi→194Mi
- Update authelia redis cpu 10m→23m, memory 64Mi→100Mi
- Update falco memory 263Mi→283Mi
- Update falcosidekick cpu 10m→15m, memory 128Mi→100Mi
- Update external-secrets operator cpu 5m→15m, memory 128Mi→100Mi
- Update external-secrets webhook cpu 2m→15m, memory 128Mi→100Mi
- Update external-secrets certController cpu 2m→15m, memory 256Mi→283Mi
- Update vault cpu 35m→49m, memory 263Mi→175Mi
2026-01-10 14:32:33 +09:00
736205e464
PERF(falco): reduce sidekick replicas to 1
- Reduce falcosidekick replicas from 2 to 1
- DaemonSet tolerations kept for all-node coverage
2026-01-10 13:15:56 +09:00
74d29aabfc
CHORE(resources): set memory limits equal to memory requests
- Align memory limits with memory requests for guaranteed QoS class
- falco: falcosidekick
- external-secrets: main, webhook, certController
- authelia: main, redis
2026-01-10 01:16:56 +09:00
739ac544c7
REFACTOR(repo): standardize taint to control-plane
- Remove deprecated master taint from falco
- Update vault tolerations to control-plane
- Change effect from NoExecute to NoSchedule
2026-01-09 21:45:16 +09:00
cbf00275e8
FEAT(security): enable HA with replica 2 and soft anti-affinity
- Add replicaCount: 2 to authelia, external-secrets, falco
- Add soft pod anti-affinity for node distribution
- Configure affinity for all security components
2026-01-08 13:07:56 +09:00
c24313154d
FIX(security): remove CPU limits from falco and trivy
- falco: set cpu: null to disable chart default (1 core)
- trivy: set cpu: null for operator and scan jobs (500m default)
2026-01-08 00:33:13 +09:00
31007c5586
PERF(resources): remove CPU limits - keep memory limits only
- CPU throttling prevents app startup, not crashes
- Memory OOM is the real cascading failure cause
- CPU request ensures fair scheduling
2026-01-07 23:48:43 +09:00
321685822f
REFACTOR(repo): security repo structure
- Add application.yaml for ArgoCD app-of-apps
- Add kustomization.yaml with security components
- Add renovate.json for automated updates
- Update all component argocd.yaml repoURLs to security repo
Components: authelia, vault, external-secrets, falco, trivy
2026-01-05 00:40:26 +09:00
27ba06b750
REFACTOR(grafana): remove Falco and Traefik UI
- Use Grafana dashboards instead
- Delete falco-ui-secret ExternalSecret
- Delete traefik dashboard IngressRoute
2026-01-05 00:40:26 +09:00
c51cca27d8
CHORE(falco): disable sidekick-ui and Redis
- Use Grafana dashboard instead
- Set webui.enabled: false (disables UI and Redis)
- Remove ingress.yaml for falco-ui
- Saves ~384Mi memory (Redis 256Mi + UI 128Mi)
2026-01-05 00:40:26 +09:00
c66801a166
FEAT(falco): add loki output to falcosidekick
- Send Falco events directly to Loki
- Enables viewing detailed events in Grafana with all fields
- Same data as Falco UI but queryable in Grafana
2026-01-05 00:40:26 +09:00
76c5fd8343
FIX(falco): use SM create instead of enabled
- Falco chart uses 'serviceMonitor.create' not 'enabled'
- Add release: prometheus label for Prometheus discovery
2026-01-05 00:40:26 +09:00
d4b84305a2
FIX(redis): use customConfig for maxmemory
- extraArgs was not being applied to Redis container
- Use customConfig which is the correct way to set Redis directives
- maxmemory 800mb with allkeys-lru policy
2026-01-05 00:40:26 +09:00
94dcb7d585
FEAT(falco): add 6h TTL to sidekick-ui
- to prevent Redis OOM
- Events older than 6 hours are auto-deleted
- Prevents linear memory growth in Redis
2026-01-05 00:40:26 +09:00
9822441e38
REFACTOR(repo): migrate repoURL to K3S-HOME
- Update repository URL to K3S-HOME organization
- Change from personal to organization repo
2026-01-05 00:40:26 +09:00
1cd89f6bae
REFACTOR(falco): remove CPU limit
- Set cpu: null to override chart default (1 core)
- Prevents CPU throttling under high load
2026-01-05 00:40:26 +09:00
c67b720ee4
FIX(falco): falco oom issues
- increase memory limits
- Falco: add 512Mi memory limit
- Falcosidekick: increase memory limit 256Mi -> 512Mi
- Redis: increase memory limit 512Mi -> 1Gi (was 84 restarts)
- Redis: increase maxmemory 400mb -> 800mb
2026-01-05 00:40:26 +09:00
ede767498d
PERF(redis): increase Redis memory limit to 512Mi
- Increase memory limit to prevent OOM
- Optimize Redis configuration
2026-01-05 00:40:26 +09:00
1a551b47ca
PERF(falco): optimize falco rules
- and add sidekick memory limit
- Add macros to exclude trivy, postgres, minio, vault from rules
- Disable Container Drift Detection (too noisy)
- Remove /etc/passwd from sensitive file access (normal lookups)
- Add 256Mi memory limit to falcosidekick (was using 1.1GB)
2026-01-05 00:40:26 +09:00
4d4ecb13d6
FIX(falco): add NoExecute tolerations
- and enable Redis persistence
- Add NoExecute tolerations for master/control-plane nodes to run Falco DaemonSet on all nodes
- Enable Redis storage to persist index data across pod restarts
2026-01-04 23:41:39 +09:00
7de57fc936
CHORE(authelia): disable falco-ui basic auth
- Use Authelia SSO instead
- Remove basic auth configuration
2026-01-04 23:41:39 +09:00
2a4d84a0bc
CHORE(deps): upgrade Falco to 0.40.0
- Upgrade for kernel 6.14 support
- Apply dependency updates
2026-01-04 23:41:39 +09:00
5f197a607b
FIX(falco): falco config errors
- Remove unsupported outputs_queue_capacity option
- Fix Container Drift Detection rule (remove undefined rename macro)
2026-01-04 23:41:39 +09:00
765104bb4e
REFACTOR(authelia): remove falco-ui-secret
- Use Authelia SSO instead
- Remove basic auth secret
2026-01-04 23:41:39 +09:00
b523935f3b
FIX(argocd): falco ArgoCD
- to use multiple sources for ingress deployment
- Change from single source to multiple sources
- Add kustomize path to deploy ingress.yaml
- Add Authelia middleware to ingress
2026-01-04 23:41:39 +09:00
87b16d13e3
FEAT(falco): configure falco redis
- with 200mb maxmemory and lru eviction
2026-01-04 23:41:39 +09:00
27d1e5c4b1
FIX(falco): re-enable falco webui
- with redis memory limit 128mi
2026-01-04 23:41:39 +09:00
26e40d234a
CHORE(falco): disable sidekick web ui
- to save 535mb redis memory
2026-01-04 23:41:39 +09:00
368f7b5f5a
PERF(falco): reduce falcosidekick replicas to 1
- Scale down to single replica
- Reduce resource usage
2026-01-04 23:41:39 +09:00
d392bbc57a
REFACTOR(argocd): remove serversideapply
- from argocd applications
- Fixes OutOfSync issues caused by operator-added default values
- ServerSideApply causes stricter field management that conflicts with CRD defaults
2026-01-04 23:41:39 +09:00
f38cbedcba
REFACTOR(traefik): switch from HAProxy
- to Traefik ingress controller
- Update all ingress files to use ingressClassName: traefik
- Update cert-manager ClusterIssuer to use traefik class
- Remove haproxy.org annotations from ingress files
- Update vault helm-values to use traefik
2026-01-04 23:41:39 +09:00
64aeb36e78
CHORE(external-secrets): update ESO API version from v1beta1 to v1
- Update ExternalSecret API version
- Migrate to stable API
2026-01-04 23:41:39 +09:00
a2682e292b
REFACTOR(goldilocks): use managedNamespaceMetadata for namespace labels
- Remove namespace.yaml files
- Add managedNamespaceMetadata with Goldilocks label
- Set CreateNamespace=true in syncOptions
- Update kustomization.yaml to remove namespace.yaml references
2026-01-04 23:41:39 +09:00
7653a33ffa
CHORE(repo): clean kustomization files
- Remove unused entries from kustomization
- Clean up configuration
2026-01-04 23:41:39 +09:00
34a1c9f783
REFACTOR(repo): restructure infra folder structure
- Remove argocd/, helm-values/, ingress/ subdirectories
- Move files to parent directory with standardized names
- Add namespace.yaml to all apps with Goldilocks labels
- Preserve vault/ subdirectories (falco, velero)
- Update main kustomization.yaml to reference argocd.yaml files directly
- Comment out argocd.yaml in each app's kustomization.yaml to prevent circular reference
Applications restructured:
- cert-manager (2 ArgoCD apps)
- external-secrets
- reloader
- vault (2 ArgoCD apps)
- velero (2 ArgoCD apps)
- falco
- cnpg
- haproxy
- metallb
- vpa
- argocd
2026-01-04 23:41:39 +09:00
cedb4ec0d4
FIX(falco): falco sync loop by updating ignoreDiff
- Remove optional operator (?) from jqPathExpressions
- Add apiVersion and kind to ignored fields for volumeClaimTemplates
- Prevents continuous sync loop caused by Kubernetes removing these fields from StatefulSet
2026-01-04 23:41:39 +09:00
5c918b64fc
REFACTOR(falco): use falco-ui-secret
- for sidekick webui authenti...
2026-01-04 23:41:39 +09:00
4e0d10e581
FIX(falco): falco UI auth: use
- FALCOSIDEKICK_UI_USER format
2026-01-04 23:41:39 +09:00
90c7883c37
FEAT(velero): add velero and falco UI auth
- secrets from Vault
2026-01-04 23:41:39 +09:00
50ceb6d98d
FIX(argocd): falco cpu requests in argocd
- application
- Falco: 100m → 30m
- Falcosidekick Web UI: 50m → 30m
The previous commit only updated helm-values/falco.yaml which wasn't being used. The ArgoCD Application uses inline helm values.
2026-01-04 23:41:39 +09:00
4d2a0f5169
PERF(cnpg): reduce cpu requests
- to allow cnpg join pod scheduling
- Falco: 40m → 30m
- Falcosidekick Web UI: 50m → 30m
- Velero UI: 50m → 30m
This frees up ~40m CPU on worker nodes to allow CNPG join pods (which request 500m) to be scheduled successfully.
2026-01-04 23:41:39 +09:00
27d26cdfb3
CHORE(falco): ignore volumeClaimTemplates status
- in falco StatefulSet
2026-01-04 23:41:39 +09:00
8a398a3bdc
REFACTOR(falco): use cpu: null
- to delete Helm chart default CPU limit...
Following Helm best practice to override default values with null.
2026-01-04 23:41:39 +09:00
6e1304f703
FIX(falco): re-enable auto-sync
- for falco and use Helm chart defaults
Let Helm chart apply default CPU limits like other apps.
2026-01-04 23:41:39 +09:00
d6b9fe6a01
CHORE(falco): disable auto-sync for falco
- to allow manual CPU limit r...
Will manually patch DaemonSet to remove CPU limits after this is applied.
2026-01-04 23:41:39 +09:00
85ef6e8c9f
CHORE(falco): set Falco CPU limit to empty string
- Override Helm default CPU limit
- Prevent throttling
2026-01-04 23:41:39 +09:00
10211f35bc
REFACTOR(falco): remove invalid empty string CPU
- limit from falco
Kubernetes rejects cpu: "" as invalid quantity format. Will allow DaemonSet to be created with default CPU limit, then manually patch and disable auto-sync.
2026-01-04 23:41:39 +09:00
fa98684528
CHORE(falco): set Falco CPU limit to empty string
- Override Helm default CPU limit
- Prevent throttling
2026-01-04 23:41:39 +09:00