96c3c92069 REFACTOR(cert-manager): move from platform repo
- Add cert-manager Application and helm values
- Add ClusterIssuer manifests
- Update kustomization references
2026-01-10 19:57:58 +09:00
d29651af7a REFACTOR(repo): remove control-plane scheduling
- Remove nodeSelector for control-plane node
- Remove tolerations for control-plane taint
- Allow pods to schedule on any available node
2026-01-10 18:35:15 +09:00
8194fc6707 PERF(external-secrets): use 20% memory increase instead of VPA
- Update operator memory 128Mi→154Mi (+20%)
- Update webhook memory 128Mi→154Mi (+20%)
- Update certController memory 256Mi→307Mi (+20%)
2026-01-10 14:37:21 +09:00
5acc1c7f9e PERF(security): adjust resources based on VPA
- Update authelia memory 256Mi→194Mi
- Update authelia redis cpu 10m→23m, memory 64Mi→100Mi
- Update falco memory 263Mi→283Mi
- Update falcosidekick cpu 10m→15m, memory 128Mi→100Mi
- Update external-secrets operator cpu 5m→15m, memory 128Mi→100Mi
- Update external-secrets webhook cpu 2m→15m, memory 128Mi→100Mi
- Update external-secrets certController cpu 2m→15m, memory 256Mi→283Mi
- Update vault cpu 35m→49m, memory 263Mi→175Mi
2026-01-10 14:32:33 +09:00
c2d6958407 PERF(external-secrets): reduce replicas to 1
- Reduce external-secrets replicas to 1
- Reduce cert-controller replicas to 1
- Reduce webhook replicas to 1
2026-01-10 13:31:52 +09:00
736205e464 PERF(falco): reduce sidekick replicas to 1
- Reduce falcosidekick replicas from 2 to 1
- DaemonSet tolerations kept for all-node coverage
2026-01-10 13:15:56 +09:00
119e86d482 PERF(vault): add high-priority class
- Add high-priority PriorityClass
- Keep tolerations for HA across all nodes (3 replicas)
2026-01-10 13:14:08 +09:00
ac6eaef446 CHORE(external-secrets): increase certController memory
- Increase certController memory request and limit from 128Mi to 256Mi
- Maintain CPU request at 2m
2026-01-10 02:09:28 +09:00
c78dec54d7 FEAT(authelia): add Zot OIDC client
- Add Zot client to OIDC providers
- Add ZOT_CLIENT_SECRET to ExternalSecret
- Add volume mount for Zot client secret
2026-01-10 01:16:58 +09:00
5f9573133e FIX(authelia): configure OIDC claims and scopes
- Remove groups scope (not provided by Authelia)
- Add claims_policy for preferred_username
- Remove sub from claims_policy (standard claim)
2026-01-10 01:16:58 +09:00
12 changed files with 221 additions and 139 deletions


@@ -8,16 +8,12 @@ ingress:
# Pod configuration
pod:
kind: DaemonSet
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
resources:
requests:
cpu: 15m
memory: 256Mi
memory: 194Mi
limits:
memory: 256Mi
memory: 194Mi
extraVolumes:
- name: users-database
configMap:
@@ -30,6 +26,8 @@ pod:
path: HEADLAMP_CLIENT_SECRET
- key: VAULT_CLIENT_SECRET
path: VAULT_CLIENT_SECRET
- key: ZOT_CLIENT_SECRET
path: ZOT_CLIENT_SECRET
- key: identity_providers.oidc.jwks.key
path: jwks.pem
extraVolumeMounts:
@@ -45,6 +43,10 @@ pod:
mountPath: /secrets/VAULT_CLIENT_SECRET
subPath: VAULT_CLIENT_SECRET
readOnly: true
- name: oidc-secrets
mountPath: /secrets/ZOT_CLIENT_SECRET
subPath: ZOT_CLIENT_SECRET
readOnly: true
- name: oidc-secrets
mountPath: /secrets/jwks.pem
subPath: jwks.pem
@@ -122,6 +124,12 @@ configMap:
use: 'sig'
key:
path: /secrets/jwks.pem
claims_policies:
default:
id_token:
- name
- preferred_username
- email
cors:
endpoints:
- authorization
@@ -137,13 +145,13 @@ configMap:
path: /secrets/HEADLAMP_CLIENT_SECRET
public: false
authorization_policy: one_factor
claims_policy: default
redirect_uris:
- https://kubernetes0213.kro.kr/oidc-callback
scopes:
- openid
- profile
- email
- groups
token_endpoint_auth_method: client_secret_basic
- client_id: vault
client_name: Vault
@@ -158,7 +166,20 @@ configMap:
- openid
- profile
- email
- groups
token_endpoint_auth_method: client_secret_post
- client_id: zot
client_name: Zot Registry
client_secret:
path: /secrets/ZOT_CLIENT_SECRET
public: false
authorization_policy: one_factor
claims_policy: default
redirect_uris:
- https://zot0213.kro.kr/zot/auth/callback/oidc
scopes:
- openid
- profile
- email
token_endpoint_auth_method: client_secret_post
# Secret configuration - use existing secret from Vault
@@ -176,9 +197,9 @@ redis:
master:
resources:
requests:
cpu: 10m
memory: 64Mi
cpu: 23m
memory: 100Mi
limits:
memory: 64Mi
memory: 100Mi
# No persistence needed - using PostgreSQL
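Review bot: The new `zot` client entry is registered with `authorization_policy: one_factor` at the same time as the `groups` scope is dropped from every client and the `default` claims policy emits only `name`, `preferred_username` and `email`, so Zot receives no group membership and can only decide on identity — any Authelia account that completes a single factor is accepted by what is presumably a push-capable registry. If registry access is meant to be limited to a subset of users, consider `authorization_policy: two_factor` for this client and, if Zot's OIDC integration can consume it, a dedicated claims policy that carries `groups` (the commit message's claim that Authelia does not provide `groups` is worth re-checking against the version deployed). Separately, `token_endpoint_auth_method: client_secret_post` puts the secret in the token-request body while the headlamp client in this same file uses `client_secret_basic`, which is Authelia's default; `token_endpoint_auth_method: client_secret_basic` if Zot supports it keeps the clients consistent.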


@@ -52,3 +52,8 @@ spec:
remoteRef:
key: authelia
property: VAULT_CLIENT_SECRET
# Zot OIDC client secret
- secretKey: ZOT_CLIENT_SECRET
remoteRef:
key: authelia
property: ZOT_CLIENT_SECRET
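Review bot: The `ZOT_CLIENT_SECRET` fetched from Vault property `ZOT_CLIENT_SECRET` is what Authelia later reads via `client_secret.path`, and Authelia expects that file to contain the hashed digest of the secret (e.g. a `$pbkdf2-sha512$…` string), not the plaintext value configured on the Zot side; recent Authelia releases warn that plaintext client secrets are deprecated, so confirm what is stored under the `authelia` key in Vault. A comment above the entry, `# must be the Authelia-hashed digest of the secret Zot is configured with, not the plaintext`, would keep the next client from being set up the other way round. The enclosing ExternalSecret `spec` starts above this hunk.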

cert-manager/argocd.yaml Normal file

@@ -0,0 +1,44 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cert-manager
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
sources:
- repoURL: https://charts.jetstack.io
chart: cert-manager
targetRevision: v1.16.2
helm:
valueFiles:
- $values/cert-manager/helm-values.yaml
- repoURL: https://github.com/K3S-HOME/security.git
targetRevision: main
ref: values
- repoURL: https://github.com/K3S-HOME/security.git
targetRevision: main
path: cert-manager
destination:
server: https://kubernetes.default.svc
namespace: cert-manager
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- PrunePropagationPolicy=foreground
- PruneLast=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m
managedNamespaceMetadata:
labels:
goldilocks.fairwinds.com/enabled: 'true'
revisionHistoryLimit: 10
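Review bot: `project: default` places a chart that emits CRDs, ClusterRole/ClusterRoleBinding objects, webhook configurations and the cluster-scoped `ClusterIssuer` manifests under ArgoCD's unrestricted default project, which allows any source repository and any destination cluster or namespace. A dedicated `AppProject` with `sourceRepos` limited to `https://charts.jetstack.io` and `https://github.com/K3S-HOME/security.git`, `destinations` limited to the `cert-manager` namespace on the in-cluster server, and a `clusterResourceWhitelist` naming only those cluster-scoped kinds would bound what this Application can apply if either source is tampered with. Both git sources also track `targetRevision: main` with `automated.prune: true` and `selfHeal: true`, so a push to `main` is applied without review — acceptable for GitOps, but branch protection on `main` then becomes the control and deserves a comment here, e.g. `# auto-sync from main: protect the branch, this Application can apply cluster-scoped resources`.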


@@ -0,0 +1,70 @@
# Cert-Manager Helm Values
# Chart: https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager
# Install CRDs with Helm
installCRDs: true
replicaCount: 1
resources:
requests:
cpu: 23m
memory: 115Mi
limits:
memory: 115Mi
webhook:
replicaCount: 1
resources:
requests:
cpu: 23m
memory: 115Mi
limits:
memory: 115Mi
# Affinity - Soft Anti-Affinity to spread pods across nodes
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: cert-manager-webhook
topologyKey: kubernetes.io/hostname
cainjector:
replicaCount: 1
resources:
requests:
cpu: 23m
memory: 230Mi
limits:
memory: 230Mi
# Affinity - Soft Anti-Affinity to spread pods across nodes
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: cert-manager-cainjector
topologyKey: kubernetes.io/hostname
# Affinity - Soft Anti-Affinity to spread pods across nodes
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: cert-manager
topologyKey: kubernetes.io/hostname
# Prometheus metrics
prometheus:
enabled: true
servicemonitor:
enabled: false
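Review bot: `installCRDs: true` together with the Application's `prune: true` and resources finalizer makes the cert-manager CRDs ordinary ArgoCD-managed resources, so deleting the Application (or a prune that drops them) removes the CRDs and with them every `Certificate`, `Issuer` and `ClusterIssuer` object in the cluster. The chart at v1.16.2 has superseded `installCRDs` with `crds.enabled` and `crds.keep`, the latter adding `helm.sh/resource-policy: keep`, which ArgoCD treats as Prune=false (worth confirming for the ArgoCD version deployed); replace the line with `crds:` / `  enabled: true` / `  keep: true`. Minor: the `# Affinity - Soft Anti-Affinity …` comment and `podAntiAffinity` stanza are repeated three times and are no-ops while every `replicaCount` is 1.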


@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- manifests/cluster-issuer.yaml


@@ -0,0 +1,41 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
# Let's Encrypt Production 서버
# 실제 운영 환경에서 사용
# Rate limit: 50 certificates per registered domain per week
server: https://acme-v02.api.letsencrypt.org/directory
# 인증서 만료 알림을 받을 이메일 주소
email: bluemayne0213@icloud.com
# ACME 계정의 private key를 저장할 Secret 이름
privateKeySecretRef:
name: letsencrypt-prod
# HTTP-01 challenge를 사용하여 도메인 소유권 검증
# Traefik Ingress를 통해 /.well-known/acme-challenge/ 경로로 검증
solvers:
- http01:
ingress:
class: traefik
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
# Let's Encrypt Staging 서버
# 테스트용 - 브라우저에서 신뢰하지 않지만 rate limit 없음
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: bluemayne0213@icloud.com
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- http01:
ingress:
class: traefik
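Review bot: `class: traefik` under `solvers[].http01.ingress` in both issuers is the older form that only sets the `kubernetes.io/ingress.class` annotation on the solver Ingress; cert-manager 1.12+ documents `ingressClassName` as the preferred field so the solver Ingress carries `spec.ingressClassName`, which is what an IngressClass-aware controller matches once annotation support is dropped (Traefik still appears to honour the annotation today, so this is forward-compatibility rather than a current break). Change both occurrences to `ingressClassName: traefik`. Note also that both issuers are cluster-scoped with HTTP-01 and a shared ACME account key in `privateKeySecretRef`, so any namespace in the cluster can obtain production certificates for any hostname that routes to this ingress — fine for a single-tenant cluster, but worth stating in the header comment so the scope is deliberate.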


@@ -2,16 +2,15 @@
# Chart: https://github.com/external-secrets/external-secrets
# Replica count
replicaCount: 2
replicaCount: 1
# 리소스 제한
# 리소스 제한 (20% increase from original)
resources:
requests:
cpu: 5m # Reduced from 20m based on actual usage (1m)
memory: 64Mi
cpu: 5m
memory: 154Mi
limits:
# cpu: removed to prevent throttling
memory: 64Mi
memory: 154Mi
# 동시 실행 제한
concurrent: 3
@@ -25,14 +24,13 @@ installCRDs: false
# Webhook 설정
webhook:
replicaCount: 2
replicaCount: 1
resources:
requests:
cpu: 2m # Reduced from 10m based on actual usage (1m)
memory: 64Mi
cpu: 2m
memory: 154Mi
limits:
# cpu: removed to prevent throttling
memory: 64Mi
memory: 154Mi
# Affinity - Soft Anti-Affinity to spread pods across nodes
affinity:
podAntiAffinity:
@@ -46,14 +44,13 @@ webhook:
# CertController 설정
certController:
replicaCount: 2
replicaCount: 1
resources:
requests:
cpu: 2m # Reduced from 10m based on actual usage (1m)
memory: 128Mi
cpu: 2m
memory: 307Mi
limits:
# cpu: removed to prevent throttling
memory: 128Mi
memory: 307Mi
# Affinity - Soft Anti-Affinity to spread pods across nodes
affinity:
podAntiAffinity:
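Review bot: The header comment `# 리소스 제한 (20% increase from original)` does not match the numbers on this page: the operator and webhook go from 64Mi to 154Mi and certController from 128Mi to 307Mi, so the "+20%" is relative to the intermediate 128Mi/128Mi/256Mi values set by earlier commits in this compare, not to the old side a reader sees here. A comment that records the absolute basis avoids the next tuning pass reconstructing the wrong baseline, e.g. `# Memory = VPA recommendation (128Mi / 128Mi / 256Mi) + 20% headroom; limits == requests, no CPU limit to avoid throttling`. The CPU requests also stay at `5m` / `2m` / `2m` although commit 5acc1c7f9e states they were raised to 15m, so one of the two is stale; whichever is intended, a one-line comment on the basis for the CPU figure would make it checkable.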


@@ -16,10 +16,10 @@ image:
resources:
requests:
cpu: 49m
memory: 263Mi
memory: 283Mi
limits:
cpu: null # Disable chart default (1 core)
memory: 263Mi
memory: 283Mi
# Falco configuration
falco:
@@ -121,14 +121,14 @@ grafanaDashboard:
falcosidekick:
enabled: true
fullfqdn: false
replicaCount: 2
replicaCount: 1
resources:
requests:
cpu: 10m
memory: 128Mi
cpu: 15m
memory: 100Mi
limits:
memory: 128Mi
memory: 100Mi
config:
# Output to stdout/logs
@@ -174,14 +174,6 @@ serviceAccount:
create: true
name: falco
# Node selector to run on all nodes
nodeSelector: {}
# Tolerations to run on all nodes including control-plane
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
# Run as DaemonSet on all nodes
daemonset:
updateStrategy:
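Review bot: Removing the `tolerations` for `node-role.kubernetes.io/control-plane` / `NoSchedule` from a Falco DaemonSet means that, if the k3s server node actually carries that taint, runtime detection no longer runs on the node hosting the API server and etcd data — the node most worth monitoring — and the surviving `# Run as DaemonSet on all nodes` comment is then false. Commit 736205e464 on this page explicitly kept the DaemonSet tolerations for all-node coverage, so the blanket removal in d29651af7a looks unintended for Falco specifically; restore them for the DaemonSet only, `tolerations: [{key: node-role.kubernetes.io/control-plane, operator: Exists, effect: NoSchedule}]`, or `tolerations: [{operator: Exists}]` if Falco should ride out every taint. Whether the server node is tainted is not visible here; if it is not, the removal is harmless and the comment should say so instead.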


@@ -5,6 +5,7 @@ resources:
# Self-reference for App of Apps pattern
- application.yaml
- cert-manager/argocd.yaml
- authelia/argocd.yaml
- vault/argocd.yaml
- external-secrets/argocd.yaml


@@ -46,10 +46,10 @@ server:
# 리소스 제한
resources:
requests:
cpu: 35m
memory: 263Mi
cpu: 49m
memory: 175Mi
limits:
memory: 263Mi
memory: 175Mi
# Ingress 설정
ingress:
@@ -72,11 +72,8 @@ server:
type: ClusterIP
port: 8200
# Tolerations for control-plane node
tolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
# High priority for critical secrets management
priorityClassName: high-priority
# UI 활성화
ui:
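Review bot: `priorityClassName: high-priority` references a `PriorityClass` that none of the 12 files in this compare defines; commit 119e86d482 says it adds one, but if the object does not already exist cluster-wide the Vault StatefulSet pods are rejected at admission (`no PriorityClass with name high-priority was found`) and the secrets backend that Authelia and external-secrets here depend on never starts. Either add the manifest to `vault/kustomization.yaml` alongside the other `manifests/` entries or document where it lives, e.g. `# PriorityClass 'high-priority' is defined in <repo/path> and must exist before this Application syncs`. Dropping the control-plane toleration also interacts with the 3-replica Raft HA mentioned in 119e86d482: with a tainted server node and few workers, anti-affinity can leave a replica pending and quorum then rests on the remaining nodes, so the node inventory is worth confirming. The `server` block begins above this hunk.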


@@ -5,4 +5,3 @@ resources:
- manifests/external-secret.yaml
- manifests/rbac.yaml
- manifests/oidc-secret.yaml
- manifests/oidc-setup-job.yaml


@@ -1,89 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
name: vault-oidc-setup
namespace: vault
annotations:
argocd.argoproj.io/hook: PostSync
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
ttlSecondsAfterFinished: 300
template:
spec:
serviceAccountName: vault
restartPolicy: OnFailure
containers:
- name: vault-oidc-setup
image: hashicorp/vault:1.17.2
env:
- name: VAULT_ADDR
value: "http://vault.vault.svc.cluster.local:8200"
- name: VAULT_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: vault-oidc-secret
key: VAULT_CLIENT_SECRET
command:
- /bin/sh
- -c
- |
set -e
# Login with Kubernetes auth
echo "Logging in with Kubernetes auth..."
VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login \
role=vault-setup \
jwt=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token))
export VAULT_TOKEN
# Check if OIDC is already enabled
if vault auth list | grep -q "oidc/"; then
echo "OIDC auth method already enabled"
else
echo "Enabling OIDC auth method..."
vault auth enable oidc
fi
# Configure OIDC with Authelia
echo "Configuring OIDC..."
vault write auth/oidc/config \
oidc_discovery_url="https://auth0213.kro.kr" \
oidc_client_id="vault" \
oidc_client_secret="${VAULT_CLIENT_SECRET}" \
default_role="default"
# Create default role
echo "Creating default role..."
vault write auth/oidc/role/default \
user_claim="sub" \
groups_claim="" \
allowed_redirect_uris="https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
token_policies="admin" \
token_ttl="1h" \
token_max_ttl="24h"
# Create admin policy
echo "Creating admin policy..."
vault policy write admin - <<POLICY
path "*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
POLICY
# Create admin role
echo "Creating admin role..."
vault write auth/oidc/role/admin \
user_claim="sub" \
groups_claim="" \
allowed_redirect_uris="https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback" \
allowed_redirect_uris="http://localhost:8250/oidc/callback" \
token_policies="admin" \
token_ttl="1h" \
token_max_ttl="24h"
echo "OIDC setup complete!"
tolerations:
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"