d29651af7a
REFACTOR(repo): remove control-plane scheduling
...
- Remove nodeSelector for control-plane node
- Remove tolerations for control-plane taint
- Allow pods to schedule on any available node
2026-01-10 18:35:15 +09:00
5acc1c7f9e
PERF(security): adjust resources based on VPA
...
- Update authelia memory 256Mi→194Mi
- Update authelia redis cpu 10m→23m, memory 64Mi→100Mi
- Update falco memory 263Mi→283Mi
- Update falcosidekick cpu 10m→15m, memory 128Mi→100Mi
- Update external-secrets operator cpu 5m→15m, memory 128Mi→100Mi
- Update external-secrets webhook cpu 2m→15m, memory 128Mi→100Mi
- Update external-secrets certController cpu 2m→15m, memory 256Mi→283Mi
- Update vault cpu 35m→49m, memory 263Mi→175Mi
2026-01-10 14:32:33 +09:00
c78dec54d7
FEAT(authelia): add Zot OIDC client
...
- Add Zot client to OIDC providers
- Add ZOT_CLIENT_SECRET to ExternalSecret
- Add volume mount for Zot client secret
2026-01-10 01:16:58 +09:00
5f9573133e
FIX(authelia): configure OIDC claims and scopes
...
- Remove groups scope (not provided by Authelia)
- Add claims_policy for preferred_username
- Remove sub from claims_policy (standard claim)
2026-01-10 01:16:58 +09:00
fa4521e946
FIX(authelia): remove internal network bypass rule
...
- All requests now require one_factor authentication
- Improve security posture
2026-01-10 01:16:57 +09:00
bb4af2638e
FIX(authelia): correct network definition schema
...
- Move networks from access_control to definitions.network
- Fix Helm chart schema validation error
- Maintain bypass policy for internal cluster traffic
2026-01-10 01:16:57 +09:00
16dd9d88aa
FEAT(authelia): bypass auth for cluster internal traffic
...
- Add internal network definition (10.42.0.0/16, 10.43.0.0/16)
- Allow blackbox-exporter probes without authentication
- Apply bypass policy for *.kro.kr from internal networks
2026-01-10 01:16:57 +09:00
74d29aabfc
CHORE(resources): set memory limits equal to memory requests
...
- Align memory limits with memory requests for guaranteed QoS class
- falco: falcosidekick
- external-secrets: main, webhook, certController
- authelia: main, redis
2026-01-10 01:16:56 +09:00
756ddade15
FEAT(authelia): enable HA with DaemonSet and Redis
...
- Change pod.kind from Deployment to DaemonSet
- Add Redis for session storage
- Configure Redis image and subchart settings
- Add toleration for control-plane
2026-01-10 01:16:49 +09:00
369181717b
REFACTOR(authelia): switch to Deployment mode
...
- Change from DaemonSet to Deployment with 1 replica
- Remove Redis dependency (not needed for single replica)
2026-01-09 21:45:16 +09:00
45ab6592d6
FIX(authelia): disable Redis authentication
...
- Remove password requirement for Redis
- Simplify internal cluster communication
2026-01-09 21:45:16 +09:00
e6f496c439
FEAT(authelia): add Redis for session storage
...
- Enable Redis for HA session support
- Configure session.redis settings
2026-01-09 21:45:16 +09:00
8f449666b5
CHORE(authelia): Remove immich OIDC client
...
- Remove IMMICH_CLIENT_SECRET from extraVolumes/extraVolumeMounts
- Remove immich OIDC client configuration
- Immich application removed
CHORE(authelia): Remove IMMICH_CLIENT_SECRET from ExternalSecret
2026-01-09 21:45:16 +09:00
870eea8664
CHORE(authelia): remove replica setting for DaemonSet
...
- Remove pod.replicas from helm-values.yaml
- DaemonSet does not use replica configuration
- Each node runs one pod automatically
2026-01-09 21:45:16 +09:00
66d845140e
FIX(authelia): move affinity to top level
...
- Move affinity from pod.affinity to top-level affinity
- Fix Helm chart schema validation error
- Maintain soft anti-affinity configuration
FIX(security): remove unsupported affinity from authelia
- Remove affinity from authelia (chart schema limitation)
- Fix external-secrets duplicate webhook/certController sections
- Merge affinity into respective component sections
- Authelia chart does not support affinity in values.yaml
2026-01-09 21:45:16 +09:00
cbf00275e8
FEAT(security): enable HA with replica 2 and soft anti-affinity
...
- Add replicaCount: 2 to authelia, external-secrets, falco
- Add soft pod anti-affinity for node distribution
- Configure affinity for all security components
2026-01-08 13:07:56 +09:00
31007c5586
PERF(resources): remove CPU limits - keep memory limits only
...
- CPU throttling prevents app startup, not crashes
- Memory OOM is the real cascading failure cause
- CPU request ensures fair scheduling
2026-01-07 23:48:43 +09:00
41e8771889
FIX(authelia): fix Headlamp OIDC token auth
...
- Change token_endpoint_auth_method to client_secret_basic
- Headlamp uses client_secret_basic by default
- Authelia was configured with client_secret_post
- Fix token exchange failure causing login redirect loop
2026-01-07 02:23:50 +09:00
3c51bb3b5e
FIX(authelia): keep ingress in manifests
...
- Keep ingress in manifests/ due to chart schema complexity
- Authelia chart has complex ingress schema
2026-01-06 15:27:17 +09:00
52bc1b9d57
FIX(authelia): use rulesOverride for config
...
- Use rulesOverride for access control configuration
- Fix invalid Helm values properties
2026-01-06 15:26:24 +09:00
875dbbc42c
REFACTOR(authelia): integrate ingress in values
...
- Move config.yaml, middleware.yaml, rbac.yaml to manifests/
- Add ingress configuration to helm-values.yaml
- Remove separate ingress.yaml
2026-01-06 15:12:22 +09:00
168193845b
FIX(authelia): fix TOTP config for chart 0.10.x
...
- Change enabled to disable for TOTP configuration
- Fix chart compatibility
2026-01-05 00:40:26 +09:00
a9a4ed1bf3
FIX(authelia): increase Authelia memory limit
...
- to 256Mi
OOMKilled with 128Mi limit. Increased to 256Mi for stability.
2026-01-05 00:40:26 +09:00
04bc972466
FEAT(authelia): add Immich as OIDC client in Authelia
...
- Add Immich OIDC client configuration
- Enable OAuth authentication for Immich
2026-01-05 00:40:26 +09:00
ddc733d2d2
FEAT(authelia): add Vault as OIDC client in Authelia
...
- Add Vault OIDC client configuration
- Add VAULT_CLIENT_SECRET to ExternalSecret
- Mount VAULT_CLIENT_SECRET in pod
2026-01-05 00:40:26 +09:00
0be0f4cb5a
FEAT(authelia): add jwks config for authelia oidc
...
- Mount jwks.pem from authelia-secrets
- Configure JWKS with RS256 algorithm
2026-01-05 00:40:26 +09:00
ef31735060
FIX(vault): fix OIDC HMAC secret key name
...
- Change key name from secret to key
- Fix Vault secret reference
2026-01-05 00:40:26 +09:00
e4fb804b3d
FEAT(headlamp): enable authelia oidc provider
...
- with headlamp client
- Add OIDC identity provider configuration
- Add Headlamp as OIDC client
- Update ExternalSecret for OIDC secrets (HMAC, JWKS, Headlamp client
secret)
2026-01-04 23:41:39 +09:00
d88cf75b95
FIX(authelia): fix Authelia secret key names
...
- Update key names to match chart expectations
- Fix ExternalSecret configuration
2026-01-04 23:41:39 +09:00
a4d9adc273
FIX(authelia): fix OIDC client_secret with plaintext prefix
...
- Use plaintext prefix for client secret
- Fix OIDC authentication
2026-01-04 23:41:39 +09:00
520261d36e
FEAT(authelia): enable Authelia OIDC provider with MinIO client
...
- Enable OIDC identity provider
- Add MinIO as OIDC client
- Configure secrets from Vault
2026-01-04 23:41:39 +09:00
334c16f22a
REFACTOR(postgresql): change Authelia PostgreSQL user
...
- Change database user from app to bluemayne
- Update authentication configuration
2026-01-04 23:41:39 +09:00
db24350909
REFACTOR(repo): rename users-database.yaml
...
- to config.yaml
2026-01-04 23:41:39 +09:00
a22f4240b5
FIX(authelia): authelia secret keys
...
- to dot notation
2026-01-04 23:41:39 +09:00
f8d383f02e
REFACTOR(postgresql): switch authelia
...
- to pg storage, fix secr...
2026-01-04 23:41:39 +09:00
0ec31ac5a9
FEAT(authentik): add authelia sso
...
- replacing authentik
2026-01-04 23:41:39 +09:00
