- with traefik forwardauth
- Add Authentik helm chart and ArgoCD application
- Configure Traefik ForwardAuth middleware for SSO
- Add External Secrets for Vault integration
- Apply SSO middleware to Velero UI as test
- from argocd applications
- Fixes OutOfSync issues caused by operator-added default values
- ServerSideApply causes stricter field management that conflicts with
CRD defaults
- to Traefik ingress controller
- Update all ingress files to use ingressClassName: traefik
- Update cert-manager ClusterIssuer to use traefik class
- Remove haproxy.org annotations from ingress files
- Update vault helm-values to use traefik
- to allow cnpg join pod scheduling
- Falco: 40m → 30m
- Falcosidekick Web UI: 50m → 30m
- Velero UI: 50m → 30m
This frees up ~40m CPU on worker nodes to allow CNPG join pods
(which request 500m) to be scheduled successfully.
- to prevent throttling
Removed CPU limits from all infrastructure components while keeping
memory limits for protection:
- cnpg: removed 500m CPU limit
- external-secrets: removed 200m, 100m CPU limits (operator, webhook,
certController)
- falco: removed 500m CPU limit (falcosidekick webui)
- vault: removed 500m CPU limit
- velero: removed 500m, 1000m CPU limits (server, node-agent)
Benefits:
- ✅ Prevents CPU throttling
- ✅ Better performance and lower latency
- ✅ More efficient resource utilization
- ✅ Simpler management (only requests to tune)
Memory limits are kept to prevent memory leaks and OOM issues.
- for selective velero backup
Added pod annotation to exclude PVC data from Velero backups while
preserving MinIO resource definitions:
- backup.velero.io/backup-volumes-excludes: export
This prevents circular backup of the velero-backups bucket while
still backing up MinIO StatefulSet, Services, and configuration.
Note: MinIO bucket data (bucket, bucket-dev, velero-backups) will
NOT be backed up. Consider separate backup strategy for critical
bucket data if needed.
- resources and prevent circul...
- Reduce node-agent CPU request from 100m to 50m
- Fixes scheduling issue on mayne-worker-2 (was at 99% CPU)
- Enables node-agent to run on all 3 nodes for complete backup
coverage
- Exclude minio namespace from backups
- Prevents circular backup (backing up the backup storage)
- Minio config is in Git and can be recreated
- Saves significant storage space
- management to per-applicati...
- Moved ArgoCD ingress to argocd/ingress/
- Moved Velero ingress to velero/ingress/
- Removed centralized ingress/ingresses.yaml (single point of failure)
- Updated root kustomization.yaml to reference argocd and velero
directories
- Each application now manages its own ingress independently
