- from vault and falco
- Remove cpu line from limits section (not just set to null)
- Prevents Helm charts from applying default CPU limit values
- Eliminates CPU throttling for infrastructure components
- to prevent throttling
Removed CPU limits from all infrastructure components while keeping
memory limits for protection:
- cnpg: removed 500m CPU limit
- external-secrets: removed 200m, 100m CPU limits (operator, webhook,
certController)
- falco: removed 500m CPU limit (falcosidekick webui)
- vault: removed 500m CPU limit
- velero: removed 500m, 1000m CPU limits (server, node-agent)
Benefits:
- ✅ Prevents CPU throttling
- ✅ Better performance and lower latency
- ✅ More efficient resource utilization
- ✅ Simpler management (only requests to tune)
Memory limits are kept to prevent memory leaks and OOM issues.
- from NGINX to HAProxy
- Changed all ingressClassName from nginx to haproxy
- Updated NGINX to ClusterIP mode (backup)
- Set HAProxy as default ingress controller
- Affected files:
- ingress-nginx/ingress.yaml (22 ingresses)
- vault/helm-values/vault.yaml (1 ingress)
- haproxy/argocd/haproxy.yaml (controller config)
- ingress-nginx/helm-values/ingress-nginx.yaml (backup mode)
This completes the migration to HAProxy as the primary ingress
controller.
- for vault-backend
- Create cluster-wide secret store for External Secrets Operator
- Configure Kubernetes auth with external-secrets service account
- Enable all namespaces to access Vault secrets via ClusterSecretStore
