FEAT(velero): Add Velero, Falco,

- and CNPG infrastructure components
Add three critical infrastructure components via GitOps:

- Velero: Backup and disaster recovery solution
  - Configured with Minio S3 backend
  - Daily full cluster backups (30-day retention)
  - Hourly backups for critical namespaces (7-day retention)
  - Credentials managed via External Secrets from Vault

- Falco: Runtime security monitoring
  - eBPF-based threat detection
  - Custom rules for container security
  - Falcosidekick for alert forwarding
  - Prometheus metrics enabled

- CNPG (CloudNativePG): PostgreSQL operator
  - Kubernetes-native PostgreSQL management
  - Automated failover and backups
  - Will replace Bitnami PostgreSQL

All components follow existing GitOps patterns:
- Helm charts deployed via ArgoCD
- Values managed in Git
- Automated sync with selfHeal enabled

velero/argocd/velero.yaml

@@ -0,0 +1,47 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: velero
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  sources:
+    # Helm chart from VMware Tanzu repository
+    - repoURL: https://vmware-tanzu.github.io/helm-charts
+      chart: velero
+      targetRevision: 11.2.0
+      helm:
+        valueFiles:
+          - $values/velero/helm-values/velero.yaml
+    # Values file from Git repository
+    - repoURL: https://gitea0213.kro.kr/bluemayne/cluster-infrastructure.git
+      targetRevision: main
+      ref: values
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: velero
+
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+
+    syncOptions:
+      - CreateNamespace=true
+      - PrunePropagationPolicy=foreground
+      - PruneLast=true
+      - ServerSideApply=true
+
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+
+  revisionHistoryLimit: 10

velero/external-secret.yaml

@@ -0,0 +1,33 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: velero-s3-credentials
+  namespace: velero
+spec:
+  refreshInterval: 1h
+
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+
+  target:
+    name: velero-s3-credentials
+    creationPolicy: Owner
+    template:
+      type: Opaque
+      data:
+        cloud: |
+          [default]
+          aws_access_key_id={{ .minioAccessKey }}
+          aws_secret_access_key={{ .minioSecretKey }}
+
+  data:
+    - secretKey: minioAccessKey
+      remoteRef:
+        key: secret/data/minio
+        property: accessKey
+
+    - secretKey: minioSecretKey
+      remoteRef:
+        key: secret/data/minio
+        property: secretKey

velero/helm-values/velero.yaml

@@ -0,0 +1,113 @@
+# Velero Helm Values
+# Chart: https://github.com/vmware-tanzu/helm-charts/tree/main/charts/velero
+
+# Image configuration
+image:
+  repository: velero/velero
+  tag: v1.15.0
+  pullPolicy: IfNotPresent
+
+# Resource requests
+resources:
+  requests:
+    cpu: 50m
+    memory: 128Mi
+  limits:
+    cpu: 500m
+    memory: 512Mi
+
+# Init containers for plugins
+initContainers:
+  # AWS plugin for S3-compatible storage (Minio)
+  - name: velero-plugin-for-aws
+    image: velero/velero-plugin-for-aws:v1.11.0
+    volumeMounts:
+      - mountPath: /target
+        name: plugins
+
+# Configuration for backup storage
+configuration:
+  # Use existing BackupStorageLocation and VolumeSnapshotLocation
+  backupStorageLocation:
+    - name: default
+      provider: aws
+      bucket: velero-backups
+      config:
+        region: minio
+        s3ForcePathStyle: "true"
+        s3Url: http://minio.minio.svc.cluster.local:9000
+        publicUrl: https://s3.minio0213.kro.kr
+
+  volumeSnapshotLocation:
+    - name: default
+      provider: aws
+      config:
+        region: minio
+
+  # Default backup retention
+  defaultBackupTTL: 720h  # 30 days
+
+  # Restore only mode (for disaster recovery)
+  restoreOnlyMode: false
+
+# Credentials for S3 access (from Vault via External Secrets)
+credentials:
+  useSecret: true
+  existingSecret: velero-s3-credentials
+  secretContents: {}
+
+# Backup schedules
+schedules:
+  # Daily full cluster backup
+  daily-backup:
+    disabled: false
+    schedule: "0 2 * * *"  # 2 AM daily
+    template:
+      ttl: 720h  # 30 days
+      includedNamespaces:
+        - "*"
+      excludedNamespaces:
+        - kube-system
+        - kube-public
+        - kube-node-lease
+      snapshotVolumes: true
+
+  # Hourly backup for critical namespaces
+  hourly-critical-backup:
+    disabled: false
+    schedule: "0 * * * *"  # Every hour
+    template:
+      ttl: 168h  # 7 days
+      includedNamespaces:
+        - postgresql
+        - postgresql-dev
+        - vault
+        - gitea
+        - harbor
+      snapshotVolumes: true
+
+# Metrics
+metrics:
+  enabled: true
+  serviceMonitor:
+    enabled: true
+  prometheusRule:
+    enabled: false
+
+# RBAC
+serviceAccount:
+  server:
+    create: true
+    name: velero
+
+rbac:
+  create: true
+
+# Node selector (optional)
+nodeSelector: {}
+
+# Tolerations (optional)
+tolerations: []
+
+# Affinity (optional)
+affinity: {}

velero/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  # ArgoCD Application 리소스는 root kustomization.yaml에서 관리
+  # - argocd/velero.yaml
+
+  # Velero credentials from Vault
+  - external-secret.yaml