K3S-HOME/security
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
171 Commits 1 Branch 0 Tags
ac4cd12c7351f9b2e32dffa3f3e07c2ac3835607
Commit Graph

56 Commits

Author SHA1 Message Date
Mayne0213
ac4cd12c73 PERF(security): remove CPU limits for stability 
- Remove CPU limits from authelia, cert-manager, external-secrets, falco, vault
- Prevents CPU throttling issues
 2026-01-12 02:13:42 +09:00
Mayne0213
ec09ea403f PERF(security): optimize resources via VPA 
- authelia: CPU 15m/15m, memory 100Mi/144Mi
- authelia-redis: CPU 22m/32m, memory 100Mi/100Mi
- cert-manager: CPU 15m/15m, memory 100Mi/100Mi
- cert-manager-cainjector: CPU 15m/15m, memory 126Mi/248Mi
- cert-manager-webhook: CPU 15m/15m, memory 100Mi/100Mi
- external-secrets: CPU 15m/15m, memory 100Mi/109Mi
- external-secrets-cert-controller: CPU 15m/15m, memory 144Mi/297Mi
- external-secrets-webhook: CPU 15m/15m, memory 100Mi/100Mi
- falco: CPU 34m/53m, memory 93Mi/144Mi
- falcosidekick: CPU 15m/15m, memory 100Mi/100Mi
- vault: CPU 34m/53m, memory 126Mi/163Mi
 2026-01-12 01:08:45 +09:00
Mayne0213
2cfcc586be refactor: update Vault secret paths to new categorized structure 
- authelia: postgresql → storage/postgresql, authelia → security/authelia
- external-secrets: zot → storage/zot (ClusterExternalSecret)
- vault: secret/data/vault/config → security/vault, authelia → security/authelia

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-11 22:36:33 +09:00
Mayne0213
5e717ff9b1 migrate: change repoURLs from GitHub to Gitea 
Update all ArgoCD Application references to use Gitea (github0213.com)
instead of GitHub for K3S-HOME/security repository.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-10 20:43:23 +09:00
Mayne0213
d29651af7a REFACTOR(repo): remove control-plane scheduling 
- Remove nodeSelector for control-plane node
- Remove tolerations for control-plane taint
- Allow pods to schedule on any available node
 2026-01-10 18:35:15 +09:00
Mayne0213
5acc1c7f9e PERF(security): adjust resources based on VPA 
- Update authelia memory 256Mi→194Mi
- Update authelia redis cpu 10m→23m, memory 64Mi→100Mi
- Update falco memory 263Mi→283Mi
- Update falcosidekick cpu 10m→15m, memory 128Mi→100Mi
- Update external-secrets operator cpu 5m→15m, memory 128Mi→100Mi
- Update external-secrets webhook cpu 2m→15m, memory 128Mi→100Mi
- Update external-secrets certController cpu 2m→15m, memory 256Mi→283Mi
- Update vault cpu 35m→49m, memory 263Mi→175Mi
 2026-01-10 14:32:33 +09:00
Mayne0213
c78dec54d7 FEAT(authelia): add Zot OIDC client 
- Add Zot client to OIDC providers
- Add ZOT_CLIENT_SECRET to ExternalSecret
- Add volume mount for Zot client secret
 2026-01-10 01:16:58 +09:00
Mayne0213
5f9573133e FIX(authelia): configure OIDC claims and scopes 
- Remove groups scope (not provided by Authelia)
- Add claims_policy for preferred_username
- Remove sub from claims_policy (standard claim)
 2026-01-10 01:16:58 +09:00
Mayne0213
fa4521e946 FIX(authelia): remove internal network bypass rule 
- All requests now require one_factor authentication
- Improve security posture
 2026-01-10 01:16:57 +09:00
Mayne0213
876708ccdf REFACTOR(authelia): simplify to single user 
- Change user from admin to bluemayne
- Remove other users from ClusterRoleBinding
 2026-01-10 01:16:57 +09:00
Mayne0213
8ccf5c5187 FIX(authelia): add users to OIDC ClusterRoleBinding 
- Add admin and bluemayne users
- Support multiple username formats for OIDC auth
 2026-01-10 01:16:57 +09:00
Mayne0213
bb4af2638e FIX(authelia): correct network definition schema 
- Move networks from access_control to definitions.network
- Fix Helm chart schema validation error
- Maintain bypass policy for internal cluster traffic
 2026-01-10 01:16:57 +09:00
Mayne0213
16dd9d88aa FEAT(authelia): bypass auth for cluster internal traffic 
- Add internal network definition (10.42.0.0/16, 10.43.0.0/16)
- Allow blackbox-exporter probes without authentication
- Apply bypass policy for *.kro.kr from internal networks
 2026-01-10 01:16:57 +09:00
Mayne0213
74d29aabfc CHORE(resources): set memory limits equal to memory requests 
- Align memory limits with memory requests for guaranteed QoS class
- falco: falcosidekick
- external-secrets: main, webhook, certController
- authelia: main, redis
 2026-01-10 01:16:56 +09:00
Mayne0213
756ddade15 FEAT(authelia): enable HA with DaemonSet and Redis 
- Change pod.kind from Deployment to DaemonSet
- Add Redis for session storage
- Configure Redis image and subchart settings
- Add toleration for control-plane
 2026-01-10 01:16:49 +09:00
Mayne0213
061489756a CHORE(authelia): update admin password hash 
- Update password hash for admin user
- Ensure secure authentication
 2026-01-10 01:16:48 +09:00
Mayne0213
369181717b REFACTOR(authelia): switch to Deployment mode 
- Change from DaemonSet to Deployment with 1 replica
- Remove Redis dependency (not needed for single replica)
 2026-01-09 21:45:16 +09:00
Mayne0213
45ab6592d6 FIX(authelia): disable Redis authentication 
- Remove password requirement for Redis
- Simplify internal cluster communication
 2026-01-09 21:45:16 +09:00
Mayne0213
e6f496c439 FEAT(authelia): add Redis for session storage 
- Enable Redis for HA session support
- Configure session.redis settings
 2026-01-09 21:45:16 +09:00
Mayne0213
8f449666b5 CHORE(authelia): Remove immich OIDC client 
- Remove IMMICH_CLIENT_SECRET from extraVolumes/extraVolumeMounts
- Remove immich OIDC client configuration
- Immich application removed

CHORE(authelia): Remove IMMICH_CLIENT_SECRET from ExternalSecret
 2026-01-09 21:45:16 +09:00
Mayne0213
870eea8664 CHORE(authelia): remove replica setting for DaemonSet 
- Remove pod.replicas from helm-values.yaml
- DaemonSet does not use replica configuration
- Each node runs one pod automatically
 2026-01-09 21:45:16 +09:00
Mayne0213
66d845140e FIX(authelia): move affinity to top level 
- Move affinity from pod.affinity to top-level affinity
- Fix Helm chart schema validation error
- Maintain soft anti-affinity configuration

FIX(security): remove unsupported affinity from authelia

- Remove affinity from authelia (chart schema limitation)
- Fix external-secrets duplicate webhook/certController sections
- Merge affinity into respective component sections
- Authelia chart does not support affinity in values.yaml
 2026-01-09 21:45:16 +09:00
Mayne0213
cbf00275e8 FEAT(security): enable HA with replica 2 and soft anti-affinity 
- Add replicaCount: 2 to authelia, external-secrets, falco
- Add soft pod anti-affinity for node distribution
- Configure affinity for all security components
 2026-01-08 13:07:56 +09:00
Mayne0213
31007c5586 PERF(resources): remove CPU limits - keep memory limits only 
- CPU throttling prevents app startup, not crashes
- Memory OOM is the real cascading failure cause
- CPU request ensures fair scheduling
 2026-01-07 23:48:43 +09:00
Mayne0213
41e8771889 FIX(authelia): fix Headlamp OIDC token auth 
- Change token_endpoint_auth_method to client_secret_basic
- Headlamp uses client_secret_basic by default
- Authelia was configured with client_secret_post
- Fix token exchange failure causing login redirect loop
 2026-01-07 02:23:50 +09:00
Mayne0213
384d73d1fa REFACTOR(secrets): flatten Vault paths 
- Change secret paths from <category>/<app> to <app>
- databases/postgresql → postgresql
- cluster-infrastructure/authelia → authelia
 2026-01-06 16:53:10 +09:00
Mayne0213
677214b848 REFACTOR(repo): move vault/ to manifests/ 
- Move ExternalSecret file from vault/ to manifests/secret.yaml
- Update kustomization.yaml references
- Remove vault/ folder

Apps: authelia
 2026-01-06 16:43:38 +09:00
Mayne0213
3c51bb3b5e FIX(authelia): keep ingress in manifests 
- Keep ingress in manifests/ due to chart schema complexity
- Authelia chart has complex ingress schema
 2026-01-06 15:27:17 +09:00
Mayne0213
52bc1b9d57 FIX(authelia): use rulesOverride for config 
- Use rulesOverride for access control configuration
- Fix invalid Helm values properties
 2026-01-06 15:26:24 +09:00
Mayne0213
875dbbc42c REFACTOR(authelia): integrate ingress in values 
- Move config.yaml, middleware.yaml, rbac.yaml to manifests/
- Add ingress configuration to helm-values.yaml
- Remove separate ingress.yaml
 2026-01-06 15:12:22 +09:00
Mayne0213
321685822f REFACTOR(repo): security repo structure 
- Add application.yaml for ArgoCD app-of-apps
- Add kustomization.yaml with security components
- Add renovate.json for automated updates
- Update all component argocd.yaml repoURLs to security repo

Components: authelia, vault, external-secrets, falco, trivy
 2026-01-05 00:40:26 +09:00
Mayne0213
9822441e38 REFACTOR(repo): migrate repoURL to K3S-HOME 
- Update repository URL to K3S-HOME organization
- Change from personal to organization repo
 2026-01-05 00:40:26 +09:00
Mayne0213
168193845b FIX(authelia): fix TOTP config for chart 0.10.x 
- Change enabled to disable for TOTP configuration
- Fix chart compatibility
 2026-01-05 00:40:26 +09:00
renovate[bot]
a6342a2fdd CHORE(authelia): update authelia to 0.10.x 
- Upgrade Authelia chart version
- Apply dependency updates
 2026-01-05 00:40:26 +09:00
Mayne0213
a9a4ed1bf3 FIX(authelia): increase Authelia memory limit 
- to 256Mi
OOMKilled with 128Mi limit. Increased to 256Mi for stability.
 2026-01-05 00:40:26 +09:00
Mayne0213
8d46ae9e49 FEAT(immich): add email to admin user for OAuth 
- Add email field to admin user
- Required for Immich OAuth integration
 2026-01-05 00:40:26 +09:00
Mayne0213
04bc972466 FEAT(authelia): add Immich as OIDC client in Authelia 
- Add Immich OIDC client configuration
- Enable OAuth authentication for Immich
 2026-01-05 00:40:26 +09:00
Mayne0213
ddc733d2d2 FEAT(authelia): add Vault as OIDC client in Authelia 
- Add Vault OIDC client configuration
- Add VAULT_CLIENT_SECRET to ExternalSecret
- Mount VAULT_CLIENT_SECRET in pod
 2026-01-05 00:40:26 +09:00
Mayne0213
159e135ee8 FEAT(authelia): add OIDC admin ClusterRoleBinding 
- Add ClusterRoleBinding for Authelia SSO
- Enable admin access via OIDC
 2026-01-05 00:40:26 +09:00
Mayne0213
0be0f4cb5a FEAT(authelia): add jwks config for authelia oidc 
- Mount jwks.pem from authelia-secrets
- Configure JWKS with RS256 algorithm
 2026-01-05 00:40:26 +09:00
Mayne0213
ef31735060 FIX(vault): fix OIDC HMAC secret key name 
- Change key name from secret to key
- Fix Vault secret reference
 2026-01-05 00:40:26 +09:00
Mayne0213
e4fb804b3d FEAT(headlamp): enable authelia oidc provider 
- with headlamp client
- Add OIDC identity provider configuration
- Add Headlamp as OIDC client
- Update ExternalSecret for OIDC secrets (HMAC, JWKS, Headlamp client
  secret)
 2026-01-04 23:41:39 +09:00
Mayne0213
d88cf75b95 FIX(authelia): fix Authelia secret key names 
- Update key names to match chart expectations
- Fix ExternalSecret configuration
 2026-01-04 23:41:39 +09:00
Mayne0213
de5183469e FEAT(authelia): add JWT_HMAC_KEY to ExternalSecret 
- Add JWT_HMAC_KEY for password reset functionality
- Update ExternalSecret configuration
 2026-01-04 23:41:39 +09:00
Mayne0213
a4d9adc273 FIX(authelia): fix OIDC client_secret with plaintext prefix 
- Use plaintext prefix for client secret
- Fix OIDC authentication
 2026-01-04 23:41:39 +09:00
Mayne0213
520261d36e FEAT(authelia): enable Authelia OIDC provider with MinIO client 
- Enable OIDC identity provider
- Add MinIO as OIDC client
- Configure secrets from Vault
 2026-01-04 23:41:39 +09:00
Mayne0213
2ce3a296ae REFACTOR(authelia): remove OIDC config files 
- Remove OIDC configuration files
- Clean up unused configurations
 2026-01-04 23:41:39 +09:00
Mayne0213
fe357836c3 FEAT(authelia): integrate Authelia secrets 
- Add ExternalSecret for Authelia
- Enable Vault integration for secrets
 2026-01-04 23:41:39 +09:00
Mayne0213
334c16f22a REFACTOR(postgresql): change Authelia PostgreSQL user 
- Change database user from app to bluemayne
- Update authentication configuration
 2026-01-04 23:41:39 +09:00
Mayne0213
db24350909 REFACTOR(repo): rename users-database.yaml 
- to config.yaml
 2026-01-04 23:41:39 +09:00