Compare commits

99ab720835 FIX(falco): explicitly set cpu limit to null
- Helm chart has default CPU limit of 1000m
- Must explicitly set to null to remove it
2026-01-12 02:42:36 +09:00
ac4cd12c73 PERF(security): remove CPU limits for stability
- Remove CPU limits from authelia, cert-manager, external-secrets, falco, vault
- Prevents CPU throttling issues
2026-01-12 02:13:42 +09:00
e5ca2a3f36 PERF(falco): remove CPU limit for stability
- Remove CPU limit to prevent throttling
2026-01-12 02:01:14 +09:00
eba6d898ba PERF(falco): increase memory limit to upperBound
- Memory limit 144Mi was causing segfault
- Increase to 177Mi (VPA upperBound)
2026-01-12 01:51:49 +09:00
ec09ea403f PERF(security): optimize resources via VPA
- authelia: CPU 15m/15m, memory 100Mi/144Mi
- authelia-redis: CPU 22m/32m, memory 100Mi/100Mi
- cert-manager: CPU 15m/15m, memory 100Mi/100Mi
- cert-manager-cainjector: CPU 15m/15m, memory 126Mi/248Mi
- cert-manager-webhook: CPU 15m/15m, memory 100Mi/100Mi
- external-secrets: CPU 15m/15m, memory 100Mi/109Mi
- external-secrets-cert-controller: CPU 15m/15m, memory 144Mi/297Mi
- external-secrets-webhook: CPU 15m/15m, memory 100Mi/100Mi
- falco: CPU 34m/53m, memory 93Mi/144Mi
- falcosidekick: CPU 15m/15m, memory 100Mi/100Mi
- vault: CPU 34m/53m, memory 126Mi/163Mi
2026-01-12 01:08:45 +09:00
2cfcc586be refactor: update Vault secret paths to new categorized structure
- authelia: postgresql → storage/postgresql, authelia → security/authelia
- external-secrets: zot → storage/zot (ClusterExternalSecret)
- vault: secret/data/vault/config → security/vault, authelia → security/authelia

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-11 22:36:33 +09:00
5e717ff9b1 migrate: change repoURLs from GitHub to Gitea
Update all ArgoCD Application references to use Gitea (github0213.com)
instead of GitHub for K3S-HOME/security repository.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-10 20:43:23 +09:00
96c3c92069 REFACTOR(cert-manager): move from platform repo
- Add cert-manager Application and helm values
- Add ClusterIssuer manifests
- Update kustomization references
2026-01-10 19:57:58 +09:00
d29651af7a REFACTOR(repo): remove control-plane scheduling
- Remove nodeSelector for control-plane node
- Remove tolerations for control-plane taint
- Allow pods to schedule on any available node
2026-01-10 18:35:15 +09:00
8194fc6707 PERF(external-secrets): use 20% memory increase instead of VPA
- Update operator memory 128Mi→154Mi (+20%)
- Update webhook memory 128Mi→154Mi (+20%)
- Update certController memory 256Mi→307Mi (+20%)
2026-01-10 14:37:21 +09:00
5acc1c7f9e PERF(security): adjust resources based on VPA
- Update authelia memory 256Mi→194Mi
- Update authelia redis cpu 10m→23m, memory 64Mi→100Mi
- Update falco memory 263Mi→283Mi
- Update falcosidekick cpu 10m→15m, memory 128Mi→100Mi
- Update external-secrets operator cpu 5m→15m, memory 128Mi→100Mi
- Update external-secrets webhook cpu 2m→15m, memory 128Mi→100Mi
- Update external-secrets certController cpu 2m→15m, memory 256Mi→283Mi
- Update vault cpu 35m→49m, memory 263Mi→175Mi
2026-01-10 14:32:33 +09:00
c2d6958407 PERF(external-secrets): reduce replicas to 1
- Reduce external-secrets replicas to 1
- Reduce cert-controller replicas to 1
- Reduce webhook replicas to 1
2026-01-10 13:31:52 +09:00
736205e464 PERF(falco): reduce sidekick replicas to 1
- Reduce falcosidekick replicas from 2 to 1
- DaemonSet tolerations kept for all-node coverage
2026-01-10 13:15:56 +09:00
119e86d482 PERF(vault): add high-priority class
- Add high-priority PriorityClass
- Keep tolerations for HA across all nodes (3 replicas)
2026-01-10 13:14:08 +09:00
ac6eaef446 CHORE(external-secrets): increase certController memory
- Increase certController memory request and limit from 128Mi to 256Mi
- Maintain CPU request at 2m
2026-01-10 02:09:28 +09:00
c78dec54d7 FEAT(authelia): add Zot OIDC client
- Add Zot client to OIDC providers
- Add ZOT_CLIENT_SECRET to ExternalSecret
- Add volume mount for Zot client secret
2026-01-10 01:16:58 +09:00
5f9573133e FIX(authelia): configure OIDC claims and scopes
- Remove groups scope (not provided by Authelia)
- Add claims_policy for preferred_username
- Remove sub from claims_policy (standard claim)
2026-01-10 01:16:58 +09:00
20 changed files with 254 additions and 164 deletions


@@ -9,7 +9,7 @@ spec:
project: default
source:
repoURL: https://github.com/K3S-HOME/security.git
repoURL: https://github0213.com/K3S-HOME/security.git
targetRevision: main
path: .
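Review bot: `project: default` (the context line just above the changed `repoURL`) places no restriction on source repositories or destinations, so after the move to the self-hosted forge anything that host can be made to serve under `main` is deployable cluster-wide by this root Application. Consider a dedicated AppProject whose `sourceRepos` lists only `https://github0213.com/K3S-HOME/*` and whose `destinations` are the namespaces this tree manages, and — since Gitea is now the single point of trust for the whole security stack — enabling Argo CD commit-signature verification on that project (`signatureKeys`) so an unsigned push to `main` is not synced. The same `project: default` appears in every Application touched by this commit, so the project change should be applied across the set rather than only here.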


@@ -14,10 +14,10 @@ spec:
helm:
valueFiles:
- $values/authelia/helm-values.yaml
- repoURL: https://github.com/K3S-HOME/security.git
- repoURL: https://github0213.com/K3S-HOME/security.git
targetRevision: main
ref: values
- repoURL: https://github.com/K3S-HOME/security.git
- repoURL: https://github0213.com/K3S-HOME/security.git
targetRevision: main
path: authelia
destination:


@@ -8,16 +8,13 @@ ingress:
# Pod configuration
pod:
kind: DaemonSet
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
# Resource settings (no CPU limit for stability)
resources:
requests:
cpu: 15m
memory: 256Mi
memory: 100Mi
limits:
memory: 256Mi
memory: 144Mi
extraVolumes:
- name: users-database
configMap:
@@ -30,6 +27,8 @@ pod:
path: HEADLAMP_CLIENT_SECRET
- key: VAULT_CLIENT_SECRET
path: VAULT_CLIENT_SECRET
- key: ZOT_CLIENT_SECRET
path: ZOT_CLIENT_SECRET
- key: identity_providers.oidc.jwks.key
path: jwks.pem
extraVolumeMounts:
@@ -45,6 +44,10 @@ pod:
mountPath: /secrets/VAULT_CLIENT_SECRET
subPath: VAULT_CLIENT_SECRET
readOnly: true
- name: oidc-secrets
mountPath: /secrets/ZOT_CLIENT_SECRET
subPath: ZOT_CLIENT_SECRET
readOnly: true
- name: oidc-secrets
mountPath: /secrets/jwks.pem
subPath: jwks.pem
@@ -122,6 +125,12 @@ configMap:
use: 'sig'
key:
path: /secrets/jwks.pem
claims_policies:
default:
id_token:
- name
- preferred_username
- email
cors:
endpoints:
- authorization
@@ -137,13 +146,13 @@ configMap:
path: /secrets/HEADLAMP_CLIENT_SECRET
public: false
authorization_policy: one_factor
claims_policy: default
redirect_uris:
- https://kubernetes0213.kro.kr/oidc-callback
scopes:
- openid
- profile
- email
- groups
token_endpoint_auth_method: client_secret_basic
- client_id: vault
client_name: Vault
@@ -158,7 +167,20 @@ configMap:
- openid
- profile
- email
- groups
token_endpoint_auth_method: client_secret_post
- client_id: zot
client_name: Zot Registry
client_secret:
path: /secrets/ZOT_CLIENT_SECRET
public: false
authorization_policy: one_factor
claims_policy: default
redirect_uris:
- https://zot0213.kro.kr/zot/auth/callback/oidc
scopes:
- openid
- profile
- email
token_endpoint_auth_method: client_secret_post
# Secret configuration - use existing secret from Vault
@@ -174,11 +196,12 @@ redis:
image:
tag: latest
master:
# Resource settings (no CPU limit for stability)
resources:
requests:
cpu: 10m
memory: 64Mi
cpu: 22m
memory: 100Mi
limits:
memory: 64Mi
memory: 100Mi
# No persistence needed - using PostgreSQL
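Review bot: Dropping `groups` from the Headlamp and Vault client scopes and leaving it out of the new `claims_policies.default.id_token` list removes the only group-membership signal the relying parties had, while `authorization_policy: one_factor` on the new `zot` client (and on headlamp) still admits every Authelia user to the authorization step — so whatever per-user or per-group authorization Zot, Headlamp and Vault perform must now be derived from `preferred_username`/`email` alone. Authelia's OIDC provider does, to my knowledge, document a `groups` scope and claim, so the "not provided by Authelia" rationale in the commit message is worth re-checking against the deployed version before the relying parties are reconfigured; if the claim really is unavailable, at least raise the sensitive clients to `authorization_policy: two_factor`. Separately, the new `100Mi` request / `144Mi` limit for the Authelia pod is the VPA upper bound, and the Falco commits in this same range show that exact sizing strategy OOM-killing a workload — for the identity provider that is a full authentication outage, so some headroom above the VPA figure (and a limit that is not the first value the VPA happened to report) is warranted.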


@@ -15,40 +15,45 @@ spec:
# Storage password (PostgreSQL)
- secretKey: storage.postgres.password.txt
remoteRef:
key: postgresql
key: storage/postgresql
property: PASSWORD
# Session encryption key
- secretKey: session.encryption.key
remoteRef:
key: authelia
key: security/authelia
property: SESSION_SECRET
# Storage encryption key
- secretKey: storage.encryption.key
remoteRef:
key: authelia
key: security/authelia
property: STORAGE_ENCRYPTION_KEY
# JWT HMAC key for identity validation (password reset)
- secretKey: identity_validation.reset_password.jwt.hmac.key
remoteRef:
key: authelia
key: security/authelia
property: JWT_HMAC_KEY
# OIDC HMAC key
- secretKey: identity_providers.oidc.hmac.key
remoteRef:
key: authelia
key: security/authelia
property: OIDC_HMAC_SECRET
# OIDC JWKS private key
- secretKey: identity_providers.oidc.jwks.key
remoteRef:
key: authelia
key: security/authelia
property: OIDC_JWKS_PRIVATE_KEY
# Headlamp OIDC client secret
- secretKey: HEADLAMP_CLIENT_SECRET
remoteRef:
key: authelia
key: security/authelia
property: HEADLAMP_CLIENT_SECRET
# Vault OIDC client secret
- secretKey: VAULT_CLIENT_SECRET
remoteRef:
key: authelia
key: security/authelia
property: VAULT_CLIENT_SECRET
# Zot OIDC client secret
- secretKey: ZOT_CLIENT_SECRET
remoteRef:
key: security/authelia
property: ZOT_CLIENT_SECRET
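Review bot: The `remoteRef.key` values now read `security/authelia` and `storage/postgresql`, which changes the Vault paths the External Secrets service account must be allowed to read (assuming a KV v2 SecretStore whose `path` is the mount); the Vault policy bound to that role should be narrowed to exactly those two paths rather than a wildcard, and the old `authelia`/`postgresql` secrets removed once the sync is confirmed, otherwise the rename leaves a stale copy of the JWKS private key and HMAC secrets readable at the old location. This one ExternalSecret now materialises the JWKS private key, both HMAC keys, the storage encryption key and three client secrets into a single Kubernetes Secret; its `refreshInterval` and the RBAC on the target Secret are outside this hunk, so confirm neither is wider than the Authelia pod needs.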

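--- /dev/null
+++ b/cert-manager/argocd.yaml
@@ -0,0 +1,44 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: cert-manager
+namespace: argocd
+finalizers:
+- resources-finalizer.argocd.argoproj.io
+spec:
+project: default
+sources:
+- repoURL: https://charts.jetstack.io
+chart: cert-manager
+targetRevision: v1.16.2
+helm:
+valueFiles:
+- $values/cert-manager/helm-values.yaml
+- repoURL: https://github0213.com/K3S-HOME/security.git
+targetRevision: main
+ref: values
+- repoURL: https://github0213.com/K3S-HOME/security.git
+targetRevision: main
+path: cert-manager
+destination:
+server: https://kubernetes.default.svc
+namespace: cert-manager
+syncPolicy:
+automated:
+prune: true
+selfHeal: true
+allowEmpty: false
+syncOptions:
+- CreateNamespace=true
+- PrunePropagationPolicy=foreground
+- PruneLast=true
+retry:
+limit: 5
+backoff:
+duration: 5s
+factor: 2
+maxDuration: 3m
+managedNamespaceMetadata:
+labels:
+goldilocks.fairwinds.com/enabled: 'true'
+revisionHistoryLimit: 10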
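Review bot: The Application carries `resources-finalizer.argocd.argoproj.io` together with `prune: true`, and the values file added in this same commit sets `installCRDs: true`, so the cert-manager CRDs become Argo-managed resources of this one Application: deleting it (or a prune that drops the CRDs) cascades to every Certificate, Issuer and ClusterIssuer object in the cluster, which is a far larger blast radius than any other app in this tree. Manage the CRDs from a separate Application without the resources finalizer and with pruning disabled, or — where the chart lets you annotate them — mark them `argocd.argoproj.io/sync-options: Prune=false`; `allowEmpty: false` only protects against an empty render, not against an app deletion. `project: default` is the same concern as on the root Application.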


@@ -0,0 +1,73 @@
# Cert-Manager Helm Values
# Chart: https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager
# Install CRDs with Helm
installCRDs: true
replicaCount: 1
# Resource settings (no CPU limit for stability)
resources:
requests:
cpu: 15m
memory: 100Mi
limits:
memory: 100Mi
webhook:
replicaCount: 1
# Resource settings (no CPU limit for stability)
resources:
requests:
cpu: 15m
memory: 100Mi
limits:
memory: 100Mi
# Affinity - Soft Anti-Affinity to spread pods across nodes
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: cert-manager-webhook
topologyKey: kubernetes.io/hostname
cainjector:
replicaCount: 1
# Resource settings (no CPU limit for stability)
resources:
requests:
cpu: 15m
memory: 126Mi
limits:
memory: 248Mi
# Affinity - Soft Anti-Affinity to spread pods across nodes
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: cert-manager-cainjector
topologyKey: kubernetes.io/hostname
# Affinity - Soft Anti-Affinity to spread pods across nodes
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: cert-manager
topologyKey: kubernetes.io/hostname
# Prometheus metrics
prometheus:
enabled: true
servicemonitor:
enabled: false
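Review bot: `webhook.replicaCount: 1` combined with `limits.memory: 100Mi` equal to the request leaves the admission webhook with a single pod and zero memory headroom; for the duration of any restart or OOM kill of that pod, creates and updates of Certificate, Issuer and CertificateRequest objects are blocked cluster-wide (the webhook's failure policy is not visible here — confirm it). The three `podAntiAffinity` stanzas are no-ops at one replica each and read as if HA were configured; either drop them or restore `replicaCount: 2` for the webhook, which is the one component whose unavailability is immediately user-facing, and give it a limit above its request as `cainjector` already has (`126Mi`/`248Mi`). `installCRDs` is, to my knowledge, deprecated in recent jetstack charts in favour of `crds.enabled`/`crds.keep` — worth checking against the pinned `v1.16.2` chart.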


@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- manifests/cluster-issuer.yaml


@@ -0,0 +1,41 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
# Let's Encrypt Production 서버
# 실제 운영 환경에서 사용
# Rate limit: 50 certificates per registered domain per week
server: https://acme-v02.api.letsencrypt.org/directory
# 인증서 만료 알림을 받을 이메일 주소
email: bluemayne0213@icloud.com
# ACME 계정의 private key를 저장할 Secret 이름
privateKeySecretRef:
name: letsencrypt-prod
# HTTP-01 challenge를 사용하여 도메인 소유권 검증
# Traefik Ingress를 통해 /.well-known/acme-challenge/ 경로로 검증
solvers:
- http01:
ingress:
class: traefik
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
# Let's Encrypt Staging 서버
# 테스트용 - 브라우저에서 신뢰하지 않지만 rate limit 없음
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: bluemayne0213@icloud.com
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
class: traefik
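Review bot: Both HTTP-01 solvers use `ingress.class: traefik`, which makes cert-manager annotate the temporary solver Ingress with the legacy `kubernetes.io/ingress.class` key; the v1.16 API also accepts `ingressClassName: traefik`, which sets `spec.ingressClassName` and is the form Traefik's Kubernetes Ingress provider matches without relying on the deprecated annotation — if this Traefik is configured to ignore the annotation, challenges would silently never be served and issuance would stall at `pending`. Consider `ingressClassName: traefik` in both solver blocks. The comments in this file are Korean while the tree mixes Korean and English; settling on one language makes the issuers easier to review.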


@@ -21,10 +21,10 @@ spec:
helm:
valueFiles:
- $values/external-secrets/helm-values.yaml
- repoURL: https://github.com/K3S-HOME/security.git
- repoURL: https://github0213.com/K3S-HOME/security.git
targetRevision: main
ref: values
- repoURL: https://github.com/K3S-HOME/security.git
- repoURL: https://github0213.com/K3S-HOME/security.git
targetRevision: main
path: external-secrets/manifests
destination:


@@ -2,16 +2,15 @@
# Chart: https://github.com/external-secrets/external-secrets
# Replica count
replicaCount: 2
replicaCount: 1
# 리소스 제한
# Resource settings (no CPU limit for stability)
resources:
requests:
cpu: 5m # Reduced from 20m based on actual usage (1m)
memory: 64Mi
cpu: 15m
memory: 100Mi
limits:
# cpu: removed to prevent throttling
memory: 64Mi
memory: 109Mi
# 동시 실행 제한
concurrent: 3
@@ -25,14 +24,14 @@ installCRDs: false
# Webhook 설정
webhook:
replicaCount: 2
replicaCount: 1
# Resource settings (no CPU limit for stability)
resources:
requests:
cpu: 2m # Reduced from 10m based on actual usage (1m)
memory: 64Mi
cpu: 15m
memory: 100Mi
limits:
# cpu: removed to prevent throttling
memory: 64Mi
memory: 100Mi
# Affinity - Soft Anti-Affinity to spread pods across nodes
affinity:
podAntiAffinity:
@@ -46,14 +45,14 @@ webhook:
# CertController 설정
certController:
replicaCount: 2
replicaCount: 1
# Resource settings (no CPU limit for stability)
resources:
requests:
cpu: 2m # Reduced from 10m based on actual usage (1m)
memory: 128Mi
cpu: 15m
memory: 144Mi
limits:
# cpu: removed to prevent throttling
memory: 128Mi
memory: 297Mi
# Affinity - Soft Anti-Affinity to spread pods across nodes
affinity:
podAntiAffinity:
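Review bot: Reducing `webhook.replicaCount` to 1 while keeping `limits.memory` equal to `requests.memory` (`100Mi`/`100Mi`) gives the ESO admission webhook a single pod with no headroom; during its restarts every ExternalSecret/SecretStore create or update is rejected or hangs depending on the webhook's failure policy (not visible here), and the `podAntiAffinity` blocks retained under `webhook` and `certController` no longer do anything at one replica. The controller reduction is harmless because ESO uses leader election, but the webhook is the one to keep at 2 or to give a limit above its request — the Falco commits in this range show what a VPA-upper-bound limit does under a spike. `certController` is the only component given headroom (`144Mi` request / `297Mi` limit); apply the same ratio to the other two.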


@@ -23,9 +23,9 @@ spec:
data:
- secretKey: USERNAME
remoteRef:
key: zot
key: storage/zot
property: USERNAME
- secretKey: PASSWORD
remoteRef:
key: zot
key: storage/zot
property: PASSWORD


@@ -14,10 +14,10 @@ spec:
helm:
valueFiles:
- $values/falco/helm-values.yaml
- repoURL: https://github.com/K3S-HOME/security.git
- repoURL: https://github0213.com/K3S-HOME/security.git
targetRevision: main
ref: values
- repoURL: https://github.com/K3S-HOME/security.git
- repoURL: https://github0213.com/K3S-HOME/security.git
targetRevision: main
path: falco
kustomize: {}


@@ -12,14 +12,14 @@ image:
repository: falcosecurity/falco
tag: 0.40.0
# Resource requests
# Resource settings (no CPU limit for stability)
resources:
requests:
cpu: 49m
memory: 263Mi
cpu: 34m
memory: 93Mi
limits:
cpu: null # Disable chart default (1 core)
memory: 263Mi
cpu: null
memory: 177Mi
# Falco configuration
falco:
@@ -121,14 +121,15 @@ grafanaDashboard:
falcosidekick:
enabled: true
fullfqdn: false
replicaCount: 2
replicaCount: 1
# Resource settings (no CPU limit for stability)
resources:
requests:
cpu: 10m
memory: 128Mi
cpu: 15m
memory: 100Mi
limits:
memory: 128Mi
memory: 100Mi
config:
# Output to stdout/logs
@@ -174,14 +175,6 @@ serviceAccount:
create: true
name: falco
# Node selector to run on all nodes
nodeSelector: {}
# Tolerations to run on all nodes including control-plane
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
# Run as DaemonSet on all nodes
daemonset:
updateStrategy:
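Review bot: Removing the `node-role.kubernetes.io/control-plane` toleration from the Falco DaemonSet stops it scheduling on any node that carries that `NoSchedule` taint, so a tainted control-plane node is no longer monitored — the opposite of what commit 736205e464 in this same range states ("DaemonSet tolerations kept for all-node coverage"). If the k3s control plane is untainted (the k3s default) this is a no-op, but it should be verified with `kubectl get nodes -o jsonpath='{.items[*].spec.taints}'`, and a runtime security sensor should tolerate every taint anyway — `tolerations: [{operator: Exists}]` is the usual pattern for DaemonSets of this kind. The new `177Mi` limit is the VPA upper bound after `144Mi` already segfaulted Falco; that bound comes from a sampling window and leaves no headroom for rule reloads or event bursts, so an OOM kill of the sensor under exactly the load it exists to observe is the failure mode to avoid, and a limit well above the observed peak is safer than the VPA number.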


@@ -5,6 +5,7 @@ resources:
# Self-reference for App of Apps pattern
- application.yaml
- cert-manager/argocd.yaml
- authelia/argocd.yaml
- vault/argocd.yaml
- external-secrets/argocd.yaml


@@ -14,10 +14,10 @@ spec:
helm:
valueFiles:
- $values/vault/helm-values.yaml
- repoURL: https://github.com/K3S-HOME/security.git
- repoURL: https://github0213.com/K3S-HOME/security.git
targetRevision: main
ref: values
- repoURL: https://github.com/K3S-HOME/security.git
- repoURL: https://github0213.com/K3S-HOME/security.git
targetRevision: main
path: vault
destination:


@@ -43,13 +43,13 @@ server:
# Extra args to use config from secret
extraArgs: "-config=/vault/userconfig/extraconfig-from-values.hcl"
# 리소스 제한
# Resource settings (no CPU limit for stability)
resources:
requests:
cpu: 35m
memory: 263Mi
cpu: 34m
memory: 126Mi
limits:
memory: 263Mi
memory: 163Mi
# Ingress 설정
ingress:
@@ -72,11 +72,8 @@ server:
type: ClusterIP
port: 8200
# Tolerations for control-plane node
tolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
# High priority for critical secrets management
priorityClassName: high-priority
# UI 활성화
ui:
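Review bot: The removed control-plane toleration contradicts commit 119e86d482 in this range ("Keep tolerations for HA across all nodes (3 replicas)"): with a tainted control plane the three Vault replicas now compete for the remaining nodes and the spread the HA setup assumes weakens, so confirm the nodes are untainted before relying on this. The new `163Mi` memory limit is a VPA upper bound taken from an idle window; Vault's footprint grows with leases, token caches and raft snapshots, and an OOM-killed Vault pod comes back sealed unless auto-unseal is configured (not visible in this hunk), turning a CPU-throttling fix into a manual-unseal incident for the cluster's secret backend. `priorityClassName: high-priority` references a PriorityClass the commit says it adds elsewhere; if that object is missing or pruned, admission rejects the Vault pods outright, so it belongs in an earlier sync wave or alongside these values.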


@@ -5,4 +5,3 @@ resources:
- manifests/external-secret.yaml
- manifests/rbac.yaml
- manifests/oidc-secret.yaml
- manifests/oidc-setup-job.yaml


@@ -14,5 +14,5 @@ spec:
data:
- secretKey: extraconfig-from-values.hcl
remoteRef:
key: secret/data/vault/config
key: security/vault
property: extraconfig-from-values.hcl


@@ -14,5 +14,5 @@ spec:
data:
- secretKey: VAULT_CLIENT_SECRET
remoteRef:
key: authelia
key: security/authelia
property: VAULT_CLIENT_SECRET


@@ -1,89 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: vault-oidc-setup
namespace: vault
annotations:
argocd.argoproj.io/hook: PostSync
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
ttlSecondsAfterFinished: 300
template:
spec:
serviceAccountName: vault
restartPolicy: OnFailure
containers:
- name: vault-oidc-setup
image: hashicorp/vault:1.17.2
env:
- name: VAULT_ADDR
value: "http://vault.vault.svc.cluster.local:8200"
- name: VAULT_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: vault-oidc-secret
key: VAULT_CLIENT_SECRET
command:
- /bin/sh
- -c
- |
set -e
# Login with Kubernetes auth
echo "Logging in with Kubernetes auth..."
VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login \
role=vault-setup \
jwt=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token))
export VAULT_TOKEN
# Check if OIDC is already enabled
if vault auth list | grep -q "oidc/"; then
echo "OIDC auth method already enabled"
else
echo "Enabling OIDC auth method..."
vault auth enable oidc
fi
# Configure OIDC with Authelia
echo "Configuring OIDC..."
vault write auth/oidc/config \
oidc_discovery_url="https://auth0213.kro.kr" \
oidc_client_id="vault" \
oidc_client_secret="${VAULT_CLIENT_SECRET}" \
default_role="default"
# Create default role
echo "Creating default role..."
vault write auth/oidc/role/default \
user_claim="sub" \
groups_claim="" \
allowed_redirect_uris="https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
token_policies="admin" \
token_ttl="1h" \
token_max_ttl="24h"
# Create admin policy
echo "Creating admin policy..."
vault policy write admin - <<POLICY
path "*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
POLICY
# Create admin role
echo "Creating admin role..."
vault write auth/oidc/role/admin \
user_claim="sub" \
groups_claim="" \
allowed_redirect_uris="https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
token_policies="admin" \
token_ttl="1h" \
token_max_ttl="24h"
echo "OIDC setup complete!"
tolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"