- to use externalsecret for postgresq...
- Add ExternalSecret to pull vault config from Vault itself
- Add RBAC for vault token reviewer (kubernetes auth)
- Update helm-values to mount secret as config
- Connection string is now stored in Vault, not in git
- to Traefik ingress controller
- Update all ingress files to use ingressClassName: traefik
- Update cert-manager ClusterIssuer to use traefik class
- Remove haproxy.org annotations from ingress files
- Update vault helm-values to use traefik
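As an added example, not manifests from the repository, of the two changes the Traefik migration commit describes: an Ingress switched to `ingressClassName: traefik` with the old haproxy.org annotations dropped, and a cert-manager ClusterIssuer whose HTTP-01 solver creates its challenge Ingresses with the traefik class. Resource names, the hostname and the ACME contact address are assumptions.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod               # assumed issuer name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com           # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account   # ACME account key, kept in-cluster
    solvers:
      - http01:
          ingress:
            # Challenge Ingresses must be served by the controller that now
            # owns the class, otherwise ACME validation fails after the switch.
            class: traefik
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-app                    # assumed application name
  namespace: default
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # No haproxy.org/* annotations remain; Traefik would ignore them anyway.
spec:
  ingressClassName: traefik
  tls:
    - hosts: [app.example.com]
      secretName: example-app-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-app
                port:
                  number: 80
```

After applying, `kubectl get ingress -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.spec.ingressClassName}{"\n"}{end}'` lists every Ingress with its class, which is the quickest way to confirm nothing still points at the previous controller; the ClusterIssuer's solver class is the piece most often forgotten, because existing certificates keep working until their next renewal.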
- from pg to file st...
- Remove PostgreSQL backend dependency to avoid circular reference
- Vault no longer needs vault-pg-connection secret to start
- Use Longhorn PVC for data persistence
- from vault and falco
- Remove cpu line from limits section (not just set to null)
- Prevents Helm charts from applying default CPU limit values
- Eliminates CPU throttling for infrastructure components
- to prevent throttling
Removed CPU limits from all infrastructure components while keeping
memory limits for protection:
- cnpg: removed 500m CPU limit
- external-secrets: removed 200m, 100m CPU limits (operator, webhook,
certController)
- falco: removed 500m CPU limit (falcosidekick webui)
- vault: removed 500m CPU limit
- velero: removed 500m, 1000m CPU limits (server, node-agent)
Benefits:
- ✅ Prevents CPU throttling
- ✅ Better performance and lower latency
- ✅ More efficient resource utilization
- ✅ Simpler management (only requests to tune)
Memory limits are kept to prevent memory leaks and OOM issues.
- from NGINX to HAProxy
- Changed all ingressClassName from nginx to haproxy
- Updated NGINX to ClusterIP mode (backup)
- Set HAProxy as default ingress controller
- Affected files:
  - ingress-nginx/ingress.yaml (22 ingresses)
  - vault/helm-values/vault.yaml (1 ingress)
  - haproxy/argocd/haproxy.yaml (controller config)
  - ingress-nginx/helm-values/ingress-nginx.yaml (backup mode)
This completes the migration to HAProxy as the primary ingress
controller.
- for vault-backend
- Create cluster-wide secret store for External Secrets Operator
- Configure Kubernetes auth with external-secrets service account
- Enable all namespaces to access Vault secrets via ClusterSecretStore
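As an added example, not the repository's own manifests, of the pieces that the ExternalSecret commit above and this `vault-backend` commit describe: the RBAC that lets Vault act as a token reviewer, a cluster-wide `ClusterSecretStore` in which the External Secrets Operator authenticates to Vault with its own service account through the Kubernetes auth method, and an `ExternalSecret` that renders a Vault-stored connection string as the `vault-pg-connection` Secret. The in-cluster Vault address, the KV mount and path, the Vault role name and the `vault` and `external-secrets` namespaces are assumptions.

```yaml
# RBAC: Vault's service account needs to call the TokenReview API to validate
# the service account tokens presented to its kubernetes auth method.
# system:auth-delegator is the built-in ClusterRole that grants exactly that.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vault-token-reviewer          # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: vault                       # assumed: Vault's service account
    namespace: vault                  # assumed namespace
---
# Cluster-wide store used by ExternalSecrets in every namespace. ESO presents
# its own service account token; no static Vault token is stored in git.
# Vault side (assumed role name), for reference:
#   vault write auth/kubernetes/role/external-secrets \
#     bound_service_account_names=external-secrets \
#     bound_service_account_namespaces=external-secrets \
#     policies=external-secrets ttl=1h
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: http://vault.vault.svc:8200   # assumed in-cluster address
      path: secret                          # assumed KV v2 mount
      version: v2
      auth:
        kubernetes:
          mountPath: kubernetes
          role: external-secrets            # assumed Vault role
          serviceAccountRef:
            name: external-secrets
            namespace: external-secrets
---
# ExternalSecret in Vault's own namespace: the rendered Secret is what the
# helm-values mount as configuration, so the connection string never lives in git.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: vault-pg-connection
  namespace: vault
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: vault-pg-connection
    creationPolicy: Owner
  data:
    - secretKey: connection_url
      remoteRef:
        key: vault/postgresql               # assumed KV path
        property: connection_url
```

`kubectl get clustersecretstore vault-backend` should show `Ready` once the role binding and the Vault role line up; a store stuck in `InvalidProviderConfig` almost always means the TokenReview call or the Vault role's bound service account is wrong. The ExternalSecret above is also the circular dependency the later "from pg to file storage" commit removes: a secret that Vault's own storage backend needs at start-up cannot be fetched from a Vault that is not yet running, so bootstrap configuration belongs outside Vault while application secrets belong inside it.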