K3S-HOME/security
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
155 Commits 1 Branch 0 Tags
fa4521e946c05623474e9e75e2288d54390b3cbd
Commit Graph

155 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mayne0213
fa4521e946 FIX(authelia): remove internal network bypass rule 
- All requests now require one_factor authentication
- Improve security posture
 2026-01-10 01:16:57 +09:00
Mayne0213
876708ccdf REFACTOR(authelia): simplify to single user 
- Change user from admin to bluemayne
- Remove other users from ClusterRoleBinding
 2026-01-10 01:16:57 +09:00
Mayne0213
8ccf5c5187 FIX(authelia): add users to OIDC ClusterRoleBinding 
- Add admin and bluemayne users
- Support multiple username formats for OIDC auth
 2026-01-10 01:16:57 +09:00
Mayne0213
507cb61ec4 FEAT(vault): add OIDC auth for Authelia SSO 
- Add ExternalSecret for VAULT_CLIENT_SECRET
- Configure default and admin roles for OIDC login
- Fix claim settings (use sub instead of preferred_username)
- Remove oidc-setup-job (already configured)
 2026-01-10 01:16:57 +09:00
Mayne0213
bb4af2638e FIX(authelia): correct network definition schema 
- Move networks from access_control to definitions.network
- Fix Helm chart schema validation error
- Maintain bypass policy for internal cluster traffic
 2026-01-10 01:16:57 +09:00
Mayne0213
16dd9d88aa FEAT(authelia): bypass auth for cluster internal traffic 
- Add internal network definition (10.42.0.0/16, 10.43.0.0/16)
- Allow blackbox-exporter probes without authentication
- Apply bypass policy for *.kro.kr from internal networks
 2026-01-10 01:16:57 +09:00
Mayne0213
c368d2e983 FIX(external-secrets): increase certController memory to 128Mi 
- cert-controller uses ~73Mi at runtime, 64Mi causes OOMKilled
 2026-01-10 01:16:57 +09:00
Mayne0213
871882927b FIX(external-secrets): increase memory limits for webhook and certController 
- Increase memory from 32Mi to 64Mi to prevent OOMKilled
- Remove duplicate webhook/certController sections (keep ones with affinity)
 2026-01-10 01:16:57 +09:00
Mayne0213
74d29aabfc CHORE(resources): set memory limits equal to memory requests 
- Align memory limits with memory requests for guaranteed QoS class
- falco: falcosidekick
- external-secrets: main, webhook, certController
- authelia: main, redis
 2026-01-10 01:16:56 +09:00
Mayne0213
4dc04bd904 FEAT(repo): add App of Apps self-reference 
- Add application.yaml for ArgoCD self-registration
- Update kustomization.yaml to include application.yaml
- Set prune: false to prevent cascade deletion
 2026-01-10 01:16:49 +09:00
Mayne0213
756ddade15 FEAT(authelia): enable HA with DaemonSet and Redis 
- Change pod.kind from Deployment to DaemonSet
- Add Redis for session storage
- Configure Redis image and subchart settings
- Add toleration for control-plane
 2026-01-10 01:16:49 +09:00
Mayne0213
061489756a CHORE(authelia): update admin password hash 
- Update password hash for admin user
- Ensure secure authentication
 2026-01-10 01:16:48 +09:00
Mayne0213
5ea9ad9dc1 CHORE(repo): remove application.yaml reference 
- Remove from kustomization.yaml
 2026-01-09 21:45:16 +09:00
Mayne0213
130da5c76d CHORE(repo): remove self-referencing application.yaml 
- Delete application.yaml (managed by platform)
 2026-01-09 21:45:16 +09:00
Mayne0213
369181717b REFACTOR(authelia): switch to Deployment mode 
- Change from DaemonSet to Deployment with 1 replica
- Remove Redis dependency (not needed for single replica)
 2026-01-09 21:45:16 +09:00
Mayne0213
45ab6592d6 FIX(authelia): disable Redis authentication 
- Remove password requirement for Redis
- Simplify internal cluster communication
 2026-01-09 21:45:16 +09:00
Mayne0213
e6f496c439 FEAT(authelia): add Redis for session storage 
- Enable Redis for HA session support
- Configure session.redis settings
 2026-01-09 21:45:16 +09:00
Mayne0213
739ac544c7 REFACTOR(repo): standardize taint to control-plane 
- Remove deprecated master taint from falco
- Update vault tolerations to control-plane
- Change effect from NoExecute to NoSchedule
 2026-01-09 21:45:16 +09:00
Mayne0213
8f449666b5 CHORE(authelia): Remove immich OIDC client 
- Remove IMMICH_CLIENT_SECRET from extraVolumes/extraVolumeMounts
- Remove immich OIDC client configuration
- Immich application removed

CHORE(authelia): Remove IMMICH_CLIENT_SECRET from ExternalSecret
 2026-01-09 21:45:16 +09:00
Mayne0213
870eea8664 CHORE(authelia): remove replica setting for DaemonSet 
- Remove pod.replicas from helm-values.yaml
- DaemonSet does not use replica configuration
- Each node runs one pod automatically
 2026-01-09 21:45:16 +09:00
Mayne0213
66d845140e FIX(authelia): move affinity to top level 
- Move affinity from pod.affinity to top-level affinity
- Fix Helm chart schema validation error
- Maintain soft anti-affinity configuration

FIX(security): remove unsupported affinity from authelia

- Remove affinity from authelia (chart schema limitation)
- Fix external-secrets duplicate webhook/certController sections
- Merge affinity into respective component sections
- Authelia chart does not support affinity in values.yaml
 2026-01-09 21:45:16 +09:00
Mayne0213
cbf00275e8 FEAT(security): enable HA with replica 2 and soft anti-affinity 
- Add replicaCount: 2 to authelia, external-secrets, falco
- Add soft pod anti-affinity for node distribution
- Configure affinity for all security components
 2026-01-08 13:07:56 +09:00
Mayne0213
56c7c0d29d CHORE(trivy): remove Trivy vulnerability scanner 
- Delete trivy directory and configuration files
- Remove trivy from kustomization.yaml
- Reduce cluster resource usage
 2026-01-08 01:28:01 +09:00
Mayne0213
c24313154d FIX(security): remove CPU limits from falco and trivy 
- falco: set cpu: null to disable chart default (1 core)
- trivy: set cpu: null for operator and scan jobs (500m default)
 2026-01-08 00:33:13 +09:00
Mayne0213
31007c5586 PERF(resources): remove CPU limits - keep memory limits only 
- CPU throttling prevents app startup, not crashes
- Memory OOM is the real cascading failure cause
- CPU request ensures fair scheduling
 2026-01-07 23:48:43 +09:00
Mayne0213
5e161fca8a FEAT(external-secrets): add ClusterExternalSecret for Zot 
- Add zot-registry-credentials ClusterExternalSecret
- Auto-create dockerconfigjson in labeled namespaces
- API version v1 (v1beta1 deprecated)
 2026-01-07 14:28:58 +09:00
Mayne0213
41e8771889 FIX(authelia): fix Headlamp OIDC token auth 
- Change token_endpoint_auth_method to client_secret_basic
- Headlamp uses client_secret_basic by default
- Authelia was configured with client_secret_post
- Fix token exchange failure causing login redirect loop
 2026-01-07 02:23:50 +09:00
Mayne0213
7cdc4f1e9e FIX(external-secrets): disable CRD installation via Helm 
- Set installCRDs: false to avoid annotation size limit
- CRDs already installed, manual upgrade when needed
 2026-01-07 01:24:07 +09:00
Mayne0213
661659acdb FIX(external-secrets): ignore CRD status in diff 
- Add /status to ignoreDifferences for CRDs
- Fix comparison error with terminatingReplicas field
 2026-01-07 01:20:02 +09:00
Mayne0213
3ea8b0d7c9 REVERT(external-secrets): remove ServerSideApply 
- ServerSideApply causes schema compatibility issues
- Removed annotations directly from CRDs instead
 2026-01-07 01:18:44 +09:00
Mayne0213
835395f7ec FIX(external-secrets): add ServerSideApply for CRD sync 
- Fix CRD annotation size limit exceeded error
- ServerSideApply avoids last-applied-configuration annotation
 2026-01-07 01:15:03 +09:00
Mayne0213
384d73d1fa REFACTOR(secrets): flatten Vault paths 
- Change secret paths from <category>/<app> to <app>
- databases/postgresql → postgresql
- cluster-infrastructure/authelia → authelia
 2026-01-06 16:53:10 +09:00
Mayne0213
677214b848 REFACTOR(repo): move vault/ to manifests/ 
- Move ExternalSecret file from vault/ to manifests/secret.yaml
- Update kustomization.yaml references
- Remove vault/ folder

Apps: authelia
 2026-01-06 16:43:38 +09:00
Mayne0213
3c51bb3b5e FIX(authelia): keep ingress in manifests 
- Keep ingress in manifests/ due to chart schema complexity
- Authelia chart has complex ingress schema
 2026-01-06 15:27:17 +09:00
Mayne0213
52bc1b9d57 FIX(authelia): use rulesOverride for config 
- Use rulesOverride for access control configuration
- Fix invalid Helm values properties
 2026-01-06 15:26:24 +09:00
Mayne0213
875dbbc42c REFACTOR(authelia): integrate ingress in values 
- Move config.yaml, middleware.yaml, rbac.yaml to manifests/
- Add ingress configuration to helm-values.yaml
- Remove separate ingress.yaml
 2026-01-06 15:12:22 +09:00
Mayne0213
6fbf2b16c2 REFACTOR(vault): move resources to manifests 
- Move additional resources to manifests/ folder
- Separate from Helm chart configuration
 2026-01-06 01:38:33 +09:00
Mayne0213
321685822f REFACTOR(repo): security repo structure 
- Add application.yaml for ArgoCD app-of-apps
- Add kustomization.yaml with security components
- Add renovate.json for automated updates
- Update all component argocd.yaml repoURLs to security repo

Components: authelia, vault, external-secrets, falco, trivy
 2026-01-05 00:40:26 +09:00
Mayne0213
27ba06b750 REFACTOR(grafana): remove Falco and Traefik UI 
- Use Grafana dashboards instead
- Delete falco-ui-secret ExternalSecret
- Delete traefik dashboard IngressRoute
 2026-01-05 00:40:26 +09:00
Mayne0213
c90574aee2 REFACTOR(grafana): remove Trivy UI 
- Use Grafana dashboard instead
- Delete trivy-ui ArgoCD Application
- Delete trivy ingress.yaml
- Update kustomization.yaml
 2026-01-05 00:40:26 +09:00
Mayne0213
c51cca27d8 CHORE(falco): disable sidekick-ui and Redis 
- Use Grafana dashboard instead
- Set webui.enabled: false (disables UI and Redis)
- Remove ingress.yaml for falco-ui
- Saves ~384Mi memory (Redis 256Mi + UI 128Mi)
 2026-01-05 00:40:26 +09:00
Mayne0213
c66801a166 FEAT(falco): add loki output to falcosidekick 
- Send Falco events directly to Loki
- Enables viewing detailed events in Grafana with all fields
- Same data as Falco UI but queryable in Grafana
 2026-01-05 00:40:26 +09:00
Mayne0213
76c5fd8343 FIX(falco): use SM create instead of enabled 
- Falco chart uses 'serviceMonitor.create' not 'enabled'
- Add release: prometheus label for Prometheus discovery
 2026-01-05 00:40:26 +09:00
Mayne0213
d4b84305a2 FIX(redis): use customConfig for maxmemory 
- extraArgs was not being applied to Redis container
- Use customConfig which is the correct way to set Redis directives
- maxmemory 800mb with allkeys-lru policy
 2026-01-05 00:40:26 +09:00
Mayne0213
94dcb7d585 FEAT(falco): add 6h TTL to sidekick-ui 
- to prevent Redis OOM
- Events older than 6 hours are auto-deleted
- Prevents linear memory growth in Redis
 2026-01-05 00:40:26 +09:00
Mayne0213
9822441e38 REFACTOR(repo): migrate repoURL to K3S-HOME 
- Update repository URL to K3S-HOME organization
- Change from personal to organization repo
 2026-01-05 00:40:26 +09:00
Mayne0213
4e4be3109a FIX(external-secrets): fix ESO CRD OutOfSync 
- Add ignoreDifferences for CRD caBundle and spec/versions
- Add RespectIgnoreDifferences syncOption
- Prevents ArgoCD from detecting drift on CRD fields managed by webhook
 2026-01-05 00:40:26 +09:00
Mayne0213
168193845b FIX(authelia): fix TOTP config for chart 0.10.x 
- Change enabled to disable for TOTP configuration
- Fix chart compatibility
 2026-01-05 00:40:26 +09:00
renovate[bot]
a6342a2fdd CHORE(authelia): update authelia to 0.10.x 
- Upgrade Authelia chart version
- Apply dependency updates
 2026-01-05 00:40:26 +09:00
renovate[bot]
8fd3daa65f CHORE(external-secrets): update ESO to v1.2.1 
- Upgrade External Secrets Operator chart
- Apply dependency updates
 2026-01-05 00:40:26 +09:00