diff --git a/argocd/apps/keycloak/values-keycloak.yaml b/argocd/apps/keycloak/values-keycloak.yaml
index 73d7706..fbc7bce 100644
--- a/argocd/apps/keycloak/values-keycloak.yaml
+++ b/argocd/apps/keycloak/values-keycloak.yaml
@@ -40,19 +40,3 @@ spec:
   externalName: keycloak.innohub.local
   ports:
     - port: 8080
-
-
-#---
-#apiVersion: cert-manager.io/v1
-#kind: Certificate
-#metadata:
-#  name: keycloak-tls
-#  namespace: kube-system
-#spec:
-#  secretName: keycloak-tls
-#  issuerRef:
-#    name: lets-encrypt
-#    kind: ClusterIssuer
-#  dnsNames:
-#    - keycloak.innovation-hub-niedersachsen.de
-#
diff --git a/argocd/apps/mrknow/traefik-mrknow.yaml b/argocd/apps/mrknow/traefik-mrknow.yaml
new file mode 100644
index 0000000..db28721
--- /dev/null
+++ b/argocd/apps/mrknow/traefik-mrknow.yaml
@@ -0,0 +1,165 @@
+# =============================================================================
+# Traefik IngressRoute Konfiguration für MR.KNOW / BPM Inspire
+# =============================================================================
+# Anpassen:
+#   - Host: mrknow.innovation-hub-niedersachsen.de (oder gewünschte Domain)
+#   - externalName: IP/Hostname des Portainer/Docker Hosts
+#   - secretName: TLS-Zertifikat Secret
+# =============================================================================
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: mrknow-headers
+  namespace: kube-system
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"
+      X-Forwarded-Port: "443"
+
+---
+# =============================================================================
+# IngressRoute für InForm (Frontend / Root-Pfad)
+# =============================================================================
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: mrknow-inform
+  namespace: kube-system
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`mrknow.innovation-hub-niedersachsen.de`) && !PathPrefix(`/insign`) && !PathPrefix(`/inspire`) && !PathPrefix(`/pgadmin`)
+      kind: Rule
+      middlewares:
+        - name: mrknow-headers
+      services:
+        - name: mrknow-inform-external
+          port: 8080
+  tls:
+    secretName: mrknow-tls
+
+---
+# =============================================================================
+# IngressRoute für InSign
+# =============================================================================
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: mrknow-insign
+  namespace: kube-system
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`mrknow.innovation-hub-niedersachsen.de`) && PathPrefix(`/insign`)
+      kind: Rule
+      middlewares:
+        - name: mrknow-headers
+      services:
+        - name: mrknow-insign-external
+          port: 8081
+  tls:
+    secretName: mrknow-tls
+
+---
+# =============================================================================
+# IngressRoute für InSpire
+# =============================================================================
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: mrknow-inspire
+  namespace: kube-system
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`mrknow.innovation-hub-niedersachsen.de`) && PathPrefix(`/inspire`)
+      kind: Rule
+      middlewares:
+        - name: mrknow-headers
+      services:
+        - name: mrknow-inspire-external
+          port: 8082
+  tls:
+    secretName: mrknow-tls
+
+# ---
+# =============================================================================
+# IngressRoute für PgAdmin (optional)
+# =============================================================================
+# apiVersion: traefik.io/v1alpha1
+# kind: IngressRoute
+# metadata:
+#   name: mrknow-pgadmin
+#   namespace: kube-system
+# spec:
+#   entryPoints:
+#     - websecure
+#   routes:
+#     - match: Host(`mrknow.innovation-hub-niedersachsen.de`) && PathPrefix(`/pgadmin`)
+#       kind: Rule
+#       middlewares:
+#         - name: mrknow-headers
+#       services:
+#         - name: mrknow-pgadmin-external
+#           port: 5050
+#   tls:
+#     secretName: mrknow-tls
+
+---
+# =============================================================================
+# External Services - Verbindung zum Portainer/Docker Host
+# =============================================================================
+# WICHTIG: externalName auf den Hostnamen/IP deines Docker-Hosts anpassen!
+# =============================================================================
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: mrknow-inform-external
+  namespace: kube-system
+spec:
+  type: ExternalName
+  externalName: mrknow.innohub.local
+  ports:
+    - port: 8080
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mrknow-insign-external
+  namespace: kube-system
+spec:
+  type: ExternalName
+  externalName: mrknow.innohub.local
+  ports:
+    - port: 8081
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mrknow-inspire-external
+  namespace: kube-system
+spec:
+  type: ExternalName
+  externalName: mrknow.innohub.local
+  ports:
+    - port: 8082
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mrknow-pgadmin-external
+  namespace: kube-system
+spec:
+  type: ExternalName
+  externalName: mrknow.innohub.local
+  ports:
+    - port: 5050