added HA conf for argo, outline and traefik

apps/argocd-config-app.yaml

@@ -16,3 +16,7 @@ spec:
     automated:
       prune: false # Safety: Don't delete ArgoCD resources not managed by this app
       selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      # WICHTIG: ServerSideApply für Patches
+      - ServerSideApply=true

apps/argocd-config/argocd-ha-patch.yaml

@@ -0,0 +1,38 @@
+# ArgoCD HA Patch
+# Patches das argocd-server Deployment für High Availability
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: argocd-server
+  namespace: argocd
+spec:
+  replicas: 2  # HA: Mindestens 2 Replicas für Ausfallsicherheit
+  template:
+    spec:
+      affinity:
+        podAntiAffinity:
+          # Hard Rule: Pods müssen auf verschiedenen Nodes laufen
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: app.kubernetes.io/name
+                    operator: In
+                    values:
+                      - argocd-server
+              topologyKey: kubernetes.io/hostname
+      # WICHTIG: Controller flag für HA Mode
+      # --disable-auth sollte NICHT gesetzt werden in HA Mode
+      # --insecure wird bereits vom Standard-Manifest gesetzt
+
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: argocd-server
+  namespace: argocd
+spec:
+  minAvailable: 1  # Mindestens 1 Pod muss immer verfügbar sein
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-server

apps/argocd-config/kustomization.yaml

@@ -3,4 +3,5 @@ kind: Kustomization
 resources:
   - external-secret.yaml
   - argocd-cm.yaml
-  - argocd-rbac-cm.yaml
+  - argocd-rbac-cm.yaml
+  - argocd-ha-patch.yaml  # HA: 2 Replicas + Anti-Affinity + PDB

apps/outline/deployment.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     app: outline
 spec:
-  replicas: 1
+  replicas: 2  # HA: Mindestens 2 Replicas für Ausfallsicherheit
   selector:
     matchLabels:
       app: outline
@@ -15,6 +15,17 @@ spec:
       labels:
         app: outline
     spec:
+      affinity:
+        podAntiAffinity:
+          # Hard Rule: Pods müssen auf verschiedenen Nodes laufen
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: app
+                    operator: In
+                    values:
+                      - outline
+              topologyKey: kubernetes.io/hostname
       containers:
         - name: outline
           image: outlinewiki/outline:latest

apps/outline/pdb.yaml

@@ -0,0 +1,12 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: outline
+  namespace: outline
+  labels:
+    app: outline
+spec:
+  minAvailable: 1  # Mindestens 1 Pod muss immer verfügbar sein
+  selector:
+    matchLabels:
+      app: outline

infrastructure/traefik-app.yaml

@@ -17,16 +17,16 @@ spec:
           replicas: 3  # HA: Einer pro Node
           affinity:
             podAntiAffinity:
-              preferredDuringSchedulingIgnoredDuringExecution:
-                - weight: 100
-                  podAffinityTerm:
-                    labelSelector:
-                      matchExpressions:
-                        - key: app.kubernetes.io/name
-                          operator: In
-                          values:
-                            - traefik
-                    topologyKey: kubernetes.io/hostname
+              # WICHTIG: requiredDuringSchedulingIgnoredDuringExecution = Hard Rule
+              # Verhindert, dass Pods auf dem gleichen Node laufen
+              requiredDuringSchedulingIgnoredDuringExecution:
+                - labelSelector:
+                    matchExpressions:
+                      - key: app.kubernetes.io/name
+                        operator: In
+                        values:
+                          - traefik
+                  topologyKey: kubernetes.io/hostname
         service:
           enabled: true
           type: LoadBalancer