K3S-HOME/security
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
172 Commits 1 Branch 0 Tags
99ab720835d105eb56e01ebbb650888fe542fb46
Commit Graph

14 Commits

Author SHA1 Message Date
Mayne0213
ac4cd12c73 PERF(security): remove CPU limits for stability 
- Remove CPU limits from authelia, cert-manager, external-secrets, falco, vault
- Prevents CPU throttling issues
 2026-01-12 02:13:42 +09:00
Mayne0213
ec09ea403f PERF(security): optimize resources via VPA 
- authelia: CPU 15m/15m, memory 100Mi/144Mi
- authelia-redis: CPU 22m/32m, memory 100Mi/100Mi
- cert-manager: CPU 15m/15m, memory 100Mi/100Mi
- cert-manager-cainjector: CPU 15m/15m, memory 126Mi/248Mi
- cert-manager-webhook: CPU 15m/15m, memory 100Mi/100Mi
- external-secrets: CPU 15m/15m, memory 100Mi/109Mi
- external-secrets-cert-controller: CPU 15m/15m, memory 144Mi/297Mi
- external-secrets-webhook: CPU 15m/15m, memory 100Mi/100Mi
- falco: CPU 34m/53m, memory 93Mi/144Mi
- falcosidekick: CPU 15m/15m, memory 100Mi/100Mi
- vault: CPU 34m/53m, memory 126Mi/163Mi
 2026-01-12 01:08:45 +09:00
Mayne0213
8194fc6707 PERF(external-secrets): use 20% memory increase instead of VPA 
- Update operator memory 128Mi→154Mi (+20%)
- Update webhook memory 128Mi→154Mi (+20%)
- Update certController memory 256Mi→307Mi (+20%)
 2026-01-10 14:37:21 +09:00
Mayne0213
5acc1c7f9e PERF(security): adjust resources based on VPA 
- Update authelia memory 256Mi→194Mi
- Update authelia redis cpu 10m→23m, memory 64Mi→100Mi
- Update falco memory 263Mi→283Mi
- Update falcosidekick cpu 10m→15m, memory 128Mi→100Mi
- Update external-secrets operator cpu 5m→15m, memory 128Mi→100Mi
- Update external-secrets webhook cpu 2m→15m, memory 128Mi→100Mi
- Update external-secrets certController cpu 2m→15m, memory 256Mi→283Mi
- Update vault cpu 35m→49m, memory 263Mi→175Mi
 2026-01-10 14:32:33 +09:00
Mayne0213
c2d6958407 PERF(external-secrets): reduce replicas to 1 
- Reduce external-secrets replicas to 1
- Reduce cert-controller replicas to 1
- Reduce webhook replicas to 1
 2026-01-10 13:31:52 +09:00
Mayne0213
ac6eaef446 CHORE(external-secrets): increase certController memory 
- Increase certController memory request and limit from 128Mi to 256Mi
- Maintain CPU request at 2m
 2026-01-10 02:09:28 +09:00
Mayne0213
5f9573133e FIX(authelia): configure OIDC claims and scopes 
- Remove groups scope (not provided by Authelia)
- Add claims_policy for preferred_username
- Remove sub from claims_policy (standard claim)
 2026-01-10 01:16:58 +09:00
Mayne0213
c368d2e983 FIX(external-secrets): increase certController memory to 128Mi 
- cert-controller uses ~73Mi at runtime, 64Mi causes OOMKilled
 2026-01-10 01:16:57 +09:00
Mayne0213
871882927b FIX(external-secrets): increase memory limits for webhook and certController 
- Increase memory from 32Mi to 64Mi to prevent OOMKilled
- Remove duplicate webhook/certController sections (keep ones with affinity)
 2026-01-10 01:16:57 +09:00
Mayne0213
74d29aabfc CHORE(resources): set memory limits equal to memory requests 
- Align memory limits with memory requests for guaranteed QoS class
- falco: falcosidekick
- external-secrets: main, webhook, certController
- authelia: main, redis
 2026-01-10 01:16:56 +09:00
Mayne0213
66d845140e FIX(authelia): move affinity to top level 
- Move affinity from pod.affinity to top-level affinity
- Fix Helm chart schema validation error
- Maintain soft anti-affinity configuration

FIX(security): remove unsupported affinity from authelia

- Remove affinity from authelia (chart schema limitation)
- Fix external-secrets duplicate webhook/certController sections
- Merge affinity into respective component sections
- Authelia chart does not support affinity in values.yaml
 2026-01-09 21:45:16 +09:00
Mayne0213
cbf00275e8 FEAT(security): enable HA with replica 2 and soft anti-affinity 
- Add replicaCount: 2 to authelia, external-secrets, falco
- Add soft pod anti-affinity for node distribution
- Configure affinity for all security components
 2026-01-08 13:07:56 +09:00
Mayne0213
7cdc4f1e9e FIX(external-secrets): disable CRD installation via Helm 
- Set installCRDs: false to avoid annotation size limit
- CRDs already installed, manual upgrade when needed
 2026-01-07 01:24:07 +09:00
Mayne0213
34a1c9f783 REFACTOR(repo): restructure infra folder structure 
- Remove argocd/, helm-values/, ingress/ subdirectories
- Move files to parent directory with standardized names
- Add namespace.yaml to all apps with Goldilocks labels
- Preserve vault/ subdirectories (falco, velero)
- Update main kustomization.yaml to reference argocd.yaml files directly
- Comment out argocd.yaml in each app's kustomization.yaml to prevent
  circular reference

Applications restructured:
- cert-manager (2 ArgoCD apps)
- external-secrets
- reloader
- vault (2 ArgoCD apps)
- velero (2 ArgoCD apps)
- falco
- cnpg
- haproxy
- metallb
- vpa
- argocd
 2026-01-04 23:41:39 +09:00