K3S-HOME/security
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
164 Commits 1 Branch 0 Tags
d29651af7aab2862111331eec94330eed756780d
Commit Graph

164 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mayne0213
d29651af7a REFACTOR(repo): remove control-plane scheduling 
- Remove nodeSelector for control-plane node
- Remove tolerations for control-plane taint
- Allow pods to schedule on any available node
 2026-01-10 18:35:15 +09:00
Mayne0213
8194fc6707 PERF(external-secrets): use 20% memory increase instead of VPA 
- Update operator memory 128Mi→154Mi (+20%)
- Update webhook memory 128Mi→154Mi (+20%)
- Update certController memory 256Mi→307Mi (+20%)
 2026-01-10 14:37:21 +09:00
Mayne0213
5acc1c7f9e PERF(security): adjust resources based on VPA 
- Update authelia memory 256Mi→194Mi
- Update authelia redis cpu 10m→23m, memory 64Mi→100Mi
- Update falco memory 263Mi→283Mi
- Update falcosidekick cpu 10m→15m, memory 128Mi→100Mi
- Update external-secrets operator cpu 5m→15m, memory 128Mi→100Mi
- Update external-secrets webhook cpu 2m→15m, memory 128Mi→100Mi
- Update external-secrets certController cpu 2m→15m, memory 256Mi→283Mi
- Update vault cpu 35m→49m, memory 263Mi→175Mi
 2026-01-10 14:32:33 +09:00
Mayne0213
c2d6958407 PERF(external-secrets): reduce replicas to 1 
- Reduce external-secrets replicas to 1
- Reduce cert-controller replicas to 1
- Reduce webhook replicas to 1
 2026-01-10 13:31:52 +09:00
Mayne0213
736205e464 PERF(falco): reduce sidekick replicas to 1 
- Reduce falcosidekick replicas from 2 to 1
- DaemonSet tolerations kept for all-node coverage
 2026-01-10 13:15:56 +09:00
Mayne0213
119e86d482 PERF(vault): add high-priority class 
- Add high-priority PriorityClass
- Keep tolerations for HA across all nodes (3 replicas)
 2026-01-10 13:14:08 +09:00
Mayne0213
ac6eaef446 CHORE(external-secrets): increase certController memory 
- Increase certController memory request and limit from 128Mi to 256Mi
- Maintain CPU request at 2m
 2026-01-10 02:09:28 +09:00
Mayne0213
c78dec54d7 FEAT(authelia): add Zot OIDC client 
- Add Zot client to OIDC providers
- Add ZOT_CLIENT_SECRET to ExternalSecret
- Add volume mount for Zot client secret
 2026-01-10 01:16:58 +09:00
Mayne0213
5f9573133e FIX(authelia): configure OIDC claims and scopes 
- Remove groups scope (not provided by Authelia)
- Add claims_policy for preferred_username
- Remove sub from claims_policy (standard claim)
 2026-01-10 01:16:58 +09:00
Mayne0213
fa4521e946 FIX(authelia): remove internal network bypass rule 
- All requests now require one_factor authentication
- Improve security posture
 2026-01-10 01:16:57 +09:00
Mayne0213
876708ccdf REFACTOR(authelia): simplify to single user 
- Change user from admin to bluemayne
- Remove other users from ClusterRoleBinding
 2026-01-10 01:16:57 +09:00
Mayne0213
8ccf5c5187 FIX(authelia): add users to OIDC ClusterRoleBinding 
- Add admin and bluemayne users
- Support multiple username formats for OIDC auth
 2026-01-10 01:16:57 +09:00
Mayne0213
507cb61ec4 FEAT(vault): add OIDC auth for Authelia SSO 
- Add ExternalSecret for VAULT_CLIENT_SECRET
- Configure default and admin roles for OIDC login
- Fix claim settings (use sub instead of preferred_username)
- Remove oidc-setup-job (already configured)
 2026-01-10 01:16:57 +09:00
Mayne0213
bb4af2638e FIX(authelia): correct network definition schema 
- Move networks from access_control to definitions.network
- Fix Helm chart schema validation error
- Maintain bypass policy for internal cluster traffic
 2026-01-10 01:16:57 +09:00
Mayne0213
16dd9d88aa FEAT(authelia): bypass auth for cluster internal traffic 
- Add internal network definition (10.42.0.0/16, 10.43.0.0/16)
- Allow blackbox-exporter probes without authentication
- Apply bypass policy for *.kro.kr from internal networks
 2026-01-10 01:16:57 +09:00
Mayne0213
c368d2e983 FIX(external-secrets): increase certController memory to 128Mi 
- cert-controller uses ~73Mi at runtime, 64Mi causes OOMKilled
 2026-01-10 01:16:57 +09:00
Mayne0213
871882927b FIX(external-secrets): increase memory limits for webhook and certController 
- Increase memory from 32Mi to 64Mi to prevent OOMKilled
- Remove duplicate webhook/certController sections (keep ones with affinity)
 2026-01-10 01:16:57 +09:00
Mayne0213
74d29aabfc CHORE(resources): set memory limits equal to memory requests 
- Align memory limits with memory requests for guaranteed QoS class
- falco: falcosidekick
- external-secrets: main, webhook, certController
- authelia: main, redis
 2026-01-10 01:16:56 +09:00
Mayne0213
4dc04bd904 FEAT(repo): add App of Apps self-reference 
- Add application.yaml for ArgoCD self-registration
- Update kustomization.yaml to include application.yaml
- Set prune: false to prevent cascade deletion
 2026-01-10 01:16:49 +09:00
Mayne0213
756ddade15 FEAT(authelia): enable HA with DaemonSet and Redis 
- Change pod.kind from Deployment to DaemonSet
- Add Redis for session storage
- Configure Redis image and subchart settings
- Add toleration for control-plane
 2026-01-10 01:16:49 +09:00
Mayne0213
061489756a CHORE(authelia): update admin password hash 
- Update password hash for admin user
- Ensure secure authentication
 2026-01-10 01:16:48 +09:00
Mayne0213
5ea9ad9dc1 CHORE(repo): remove application.yaml reference 
- Remove from kustomization.yaml
 2026-01-09 21:45:16 +09:00
Mayne0213
130da5c76d CHORE(repo): remove self-referencing application.yaml 
- Delete application.yaml (managed by platform)
 2026-01-09 21:45:16 +09:00
Mayne0213
369181717b REFACTOR(authelia): switch to Deployment mode 
- Change from DaemonSet to Deployment with 1 replica
- Remove Redis dependency (not needed for single replica)
 2026-01-09 21:45:16 +09:00
Mayne0213
45ab6592d6 FIX(authelia): disable Redis authentication 
- Remove password requirement for Redis
- Simplify internal cluster communication
 2026-01-09 21:45:16 +09:00
Mayne0213
e6f496c439 FEAT(authelia): add Redis for session storage 
- Enable Redis for HA session support
- Configure session.redis settings
 2026-01-09 21:45:16 +09:00
Mayne0213
739ac544c7 REFACTOR(repo): standardize taint to control-plane 
- Remove deprecated master taint from falco
- Update vault tolerations to control-plane
- Change effect from NoExecute to NoSchedule
 2026-01-09 21:45:16 +09:00
Mayne0213
8f449666b5 CHORE(authelia): Remove immich OIDC client 
- Remove IMMICH_CLIENT_SECRET from extraVolumes/extraVolumeMounts
- Remove immich OIDC client configuration
- Immich application removed

CHORE(authelia): Remove IMMICH_CLIENT_SECRET from ExternalSecret
 2026-01-09 21:45:16 +09:00
Mayne0213
870eea8664 CHORE(authelia): remove replica setting for DaemonSet 
- Remove pod.replicas from helm-values.yaml
- DaemonSet does not use replica configuration
- Each node runs one pod automatically
 2026-01-09 21:45:16 +09:00
Mayne0213
66d845140e FIX(authelia): move affinity to top level 
- Move affinity from pod.affinity to top-level affinity
- Fix Helm chart schema validation error
- Maintain soft anti-affinity configuration

FIX(security): remove unsupported affinity from authelia

- Remove affinity from authelia (chart schema limitation)
- Fix external-secrets duplicate webhook/certController sections
- Merge affinity into respective component sections
- Authelia chart does not support affinity in values.yaml
 2026-01-09 21:45:16 +09:00
Mayne0213
cbf00275e8 FEAT(security): enable HA with replica 2 and soft anti-affinity 
- Add replicaCount: 2 to authelia, external-secrets, falco
- Add soft pod anti-affinity for node distribution
- Configure affinity for all security components
 2026-01-08 13:07:56 +09:00
Mayne0213
56c7c0d29d CHORE(trivy): remove Trivy vulnerability scanner 
- Delete trivy directory and configuration files
- Remove trivy from kustomization.yaml
- Reduce cluster resource usage
 2026-01-08 01:28:01 +09:00
Mayne0213
c24313154d FIX(security): remove CPU limits from falco and trivy 
- falco: set cpu: null to disable chart default (1 core)
- trivy: set cpu: null for operator and scan jobs (500m default)
 2026-01-08 00:33:13 +09:00
Mayne0213
31007c5586 PERF(resources): remove CPU limits - keep memory limits only 
- CPU throttling prevents app startup, not crashes
- Memory OOM is the real cascading failure cause
- CPU request ensures fair scheduling
 2026-01-07 23:48:43 +09:00
Mayne0213
5e161fca8a FEAT(external-secrets): add ClusterExternalSecret for Zot 
- Add zot-registry-credentials ClusterExternalSecret
- Auto-create dockerconfigjson in labeled namespaces
- API version v1 (v1beta1 deprecated)
 2026-01-07 14:28:58 +09:00
Mayne0213
41e8771889 FIX(authelia): fix Headlamp OIDC token auth 
- Change token_endpoint_auth_method to client_secret_basic
- Headlamp uses client_secret_basic by default
- Authelia was configured with client_secret_post
- Fix token exchange failure causing login redirect loop
 2026-01-07 02:23:50 +09:00
Mayne0213
7cdc4f1e9e FIX(external-secrets): disable CRD installation via Helm 
- Set installCRDs: false to avoid annotation size limit
- CRDs already installed, manual upgrade when needed
 2026-01-07 01:24:07 +09:00
Mayne0213
661659acdb FIX(external-secrets): ignore CRD status in diff 
- Add /status to ignoreDifferences for CRDs
- Fix comparison error with terminatingReplicas field
 2026-01-07 01:20:02 +09:00
Mayne0213
3ea8b0d7c9 REVERT(external-secrets): remove ServerSideApply 
- ServerSideApply causes schema compatibility issues
- Removed annotations directly from CRDs instead
 2026-01-07 01:18:44 +09:00
Mayne0213
835395f7ec FIX(external-secrets): add ServerSideApply for CRD sync 
- Fix CRD annotation size limit exceeded error
- ServerSideApply avoids last-applied-configuration annotation
 2026-01-07 01:15:03 +09:00
Mayne0213
384d73d1fa REFACTOR(secrets): flatten Vault paths 
- Change secret paths from <category>/<app> to <app>
- databases/postgresql → postgresql
- cluster-infrastructure/authelia → authelia
 2026-01-06 16:53:10 +09:00
Mayne0213
677214b848 REFACTOR(repo): move vault/ to manifests/ 
- Move ExternalSecret file from vault/ to manifests/secret.yaml
- Update kustomization.yaml references
- Remove vault/ folder

Apps: authelia
 2026-01-06 16:43:38 +09:00
Mayne0213
3c51bb3b5e FIX(authelia): keep ingress in manifests 
- Keep ingress in manifests/ due to chart schema complexity
- Authelia chart has complex ingress schema
 2026-01-06 15:27:17 +09:00
Mayne0213
52bc1b9d57 FIX(authelia): use rulesOverride for config 
- Use rulesOverride for access control configuration
- Fix invalid Helm values properties
 2026-01-06 15:26:24 +09:00
Mayne0213
875dbbc42c REFACTOR(authelia): integrate ingress in values 
- Move config.yaml, middleware.yaml, rbac.yaml to manifests/
- Add ingress configuration to helm-values.yaml
- Remove separate ingress.yaml
 2026-01-06 15:12:22 +09:00
Mayne0213
6fbf2b16c2 REFACTOR(vault): move resources to manifests 
- Move additional resources to manifests/ folder
- Separate from Helm chart configuration
 2026-01-06 01:38:33 +09:00
Mayne0213
321685822f REFACTOR(repo): security repo structure 
- Add application.yaml for ArgoCD app-of-apps
- Add kustomization.yaml with security components
- Add renovate.json for automated updates
- Update all component argocd.yaml repoURLs to security repo

Components: authelia, vault, external-secrets, falco, trivy
 2026-01-05 00:40:26 +09:00
Mayne0213
27ba06b750 REFACTOR(grafana): remove Falco and Traefik UI 
- Use Grafana dashboards instead
- Delete falco-ui-secret ExternalSecret
- Delete traefik dashboard IngressRoute
 2026-01-05 00:40:26 +09:00
Mayne0213
c90574aee2 REFACTOR(grafana): remove Trivy UI 
- Use Grafana dashboard instead
- Delete trivy-ui ArgoCD Application
- Delete trivy ingress.yaml
- Update kustomization.yaml
 2026-01-05 00:40:26 +09:00
Mayne0213
c51cca27d8 CHORE(falco): disable sidekick-ui and Redis 
- Use Grafana dashboard instead
- Set webui.enabled: false (disables UI and Redis)
- Remove ingress.yaml for falco-ui
- Saves ~384Mi memory (Redis 256Mi + UI 128Mi)
 2026-01-05 00:40:26 +09:00