Update all ArgoCD Application references to use Gitea (github0213.com)
instead of GitHub for K3S-HOME/storage repository.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Set replicaCount to 1 (Velero doesn't support multiple replicas)
- Add nodeSelector for master node
- Add toleration for master NoExecute taint
- Remove podAntiAffinity (not needed with single replica)
- Ensures backup availability even if worker nodes fail
- Add replicaCount: 2 to cnpg, pgweb, velero-ui, minio-console
- Add soft pod anti-affinity for node distribution
- Configure affinity for all storage components
- and restore authelia
- Delete kanidm folder
- Remove oauth2-proxy from velero
- Restore velero ingress to use authelia middleware
- Update kustomization.yaml to use authelia instead of kanidm
- for velero with Kanidm OIDC
- Replace authelia middleware with oauth2-proxy
- Configure OIDC authentication via Kanidm
- Update ingress to route through oauth2-proxy
- with traefik forwardauth
- Add Authentik helm chart and ArgoCD application
- Configure Traefik ForwardAuth middleware for SSO
- Add External Secrets for Vault integration
- Apply SSO middleware to Velero UI as test
- from argocd applications
- Fixes OutOfSync issues caused by operator-added default values
- ServerSideApply causes stricter field management that conflicts with
CRD defaults
- to Traefik ingress controller
- Update all ingress files to use ingressClassName: traefik
- Update cert-manager ClusterIssuer to use traefik class
- Remove haproxy.org annotations from ingress files
- Update vault helm-values to use traefik
- to allow cnpg join pod scheduling
- Falco: 40m → 30m
- Falcosidekick Web UI: 50m → 30m
- Velero UI: 50m → 30m
This frees up ~40m CPU on worker nodes to allow CNPG join pods
(which request 500m) to be scheduled successfully.
- to prevent throttling
Removed CPU limits from all infrastructure components while keeping
memory limits for protection:
- cnpg: removed 500m CPU limit
- external-secrets: removed 200m, 100m CPU limits (operator, webhook,
certController)
- falco: removed 500m CPU limit (falcosidekick webui)
- vault: removed 500m CPU limit
- velero: removed 500m, 1000m CPU limits (server, node-agent)
Benefits:
- ✅ Prevents CPU throttling
- ✅ Better performance and lower latency
- ✅ More efficient resource utilization
- ✅ Simpler management (only requests to tune)
Memory limits are kept to prevent memory leaks and OOM issues.
- for selective velero backup
Added pod annotation to exclude PVC data from Velero backups while
preserving MinIO resource definitions:
- backup.velero.io/backup-volumes-excludes: export
This prevents circular backup of the velero-backups bucket while
still backing up MinIO StatefulSet, Services, and configuration.
Note: MinIO bucket data (bucket, bucket-dev, velero-backups) will
NOT be backed up. Consider separate backup strategy for critical
bucket data if needed.
- resources and prevent circul...
- Reduce node-agent CPU request from 100m to 50m
- Fixes scheduling issue on mayne-worker-2 (was at 99% CPU)
- Enables node-agent to run on all 3 nodes for complete backup
coverage
- Exclude minio namespace from backups
- Prevents circular backup (backing up the backup storage)
- Minio config is in Git and can be recreated
- Saves significant storage space
