- from vault and falco
- Remove cpu line from limits section (not just set to null)
- Prevents Helm charts from applying default CPU limit values
- Eliminates CPU throttling for infrastructure components
- from infrastructure components
- velero-ui: Remove 200m CPU limit
- metallb controller: Remove 100m CPU limit
- metallb speaker: Remove 100m CPU limit (300m total across 3 nodes)
- falco: Remove 1000m CPU limit (3000m total across 3 nodes)
Total CPU limits removed: ~3600m
This eliminates CPU throttling and reduces CPU limits overcommit from
131% to 0%.
- to prevent throttling
Removed CPU limits from all infrastructure components while keeping
memory limits for protection:
- cnpg: removed 500m CPU limit
- external-secrets: removed 200m, 100m CPU limits (operator, webhook,
certController)
- falco: removed 500m CPU limit (falcosidekick webui)
- vault: removed 500m CPU limit
- velero: removed 500m, 1000m CPU limits (server, node-agent)
Benefits:
- ✅ Prevents CPU throttling
- ✅ Better performance and lower latency
- ✅ More efficient resource utilization
- ✅ Simpler management (only requests to tune)
Memory limits are kept to prevent memory leaks and OOM issues.
- for worker-node-2
Reduced Falco DaemonSet CPU request to prevent node-agent
scheduling failures:
- Falco: 50m → 40m (actual usage ~39m)
This optimization frees up 10m CPU per node. On worker-node-2,
this contributes to the total 110m CPU savings needed for
Velero node-agent (30m request) to be scheduled successfully.
Worker-node-2 CPU allocation before: 840m/1000m (84%)
Worker-node-2 CPU allocation after: 730m/1000m (73%)
- from NGINX to HAProxy
- Changed all ingressClassName from nginx to haproxy
- Updated NGINX to ClusterIP mode (backup)
- Set HAProxy as default ingress controller
- Affected files:
- ingress-nginx/ingress.yaml (22 ingresses)
- vault/helm-values/vault.yaml (1 ingress)
- haproxy/argocd/haproxy.yaml (controller config)
- ingress-nginx/helm-values/ingress-nginx.yaml (backup mode)
This completes the migration to HAProxy as the primary ingress
controller.
- for vault-backend
- Create cluster-wide secret store for External Secrets Operator
- Configure Kubernetes auth with external-secrets service account
- Enable all namespaces to access Vault secrets via ClusterSecretStore
