k3s/argocd/apps/mattermost/mattermnost.yaml

# 1. Namespace erstellen
apiVersion: v1
kind: Namespace
metadata:
  name: mattermost
  labels:
    pod-security.kubernetes.io/enforce: "privileged"

---
# 2. Manuelles Secret mit KORREKTEM DSN (ohne mysql:// Prefix)
apiVersion: v1
kind: Secret
metadata:
  name: mattermost-mattermost-team-edition-mattermost-dbsecret
  namespace: mattermost
  annotations:
    # Verhindert, dass ArgoCD dieses Secret überschreibt
    argocd.argoproj.io/sync-options: "Prune=false"
type: Opaque
stringData:
  mattermost.dbsecret: "mmdbuser:mmdbpwd@tcp(mattermost-mysql:3306)/mattermost?charset=utf8mb4,utf8&readTimeout=30s&writeTimeout=30s"

---
# 3. ArgoCD Application
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: mattermost
spec:
  project: default
  source:
    repoURL: 'https://helm.mattermost.com'
    targetRevision: 6.*.*
    chart: mattermost-team-edition
    helm:
      valuesObject:

        # Persistence für Mattermost Daten
        persistence:
          data:
            enabled: true
            size: 10Gi
            storageClass: "longhorn"
            accessMode: ReadWriteOnce
          plugins:
            enabled: true
            size: 1Gi
            storageClass: "longhorn"
            accessMode: ReadWriteOnce

        # MySQL SubChart
        mysql:
          enabled: true
          mysqlRootPassword: "mmROOT12345"
          mysqlUser: "mmdbuser"
          mysqlPassword: "mmdbpwd"
          mysqlDatabase: mattermost
          testFramework:
            enabled: false
          persistence:
            enabled: true
            storageClass: "longhorn"
            accessMode: ReadWriteOnce
            size: 10Gi

        # Ingress Konfiguration
        ingress:
          enabled: true
          hosts:
            - mattermost.innovation-hub-niedersachsen.de
          tls:
            - hosts:
                - mattermost.innovation-hub-niedersachsen.de
              secretName: mattermost-tls
          annotations:
            kubernetes.io/ingress.class: traefik
            cert-manager.io/cluster-issuer: lets-encrypt-staging

  destination:
    server: 'https://kubernetes.default.svc'
    namespace: mattermost

  syncPolicy:
    automated:
      selfHeal: true
      prune: true
    syncOptions:
      - CreateNamespace=false
      # WICHTIG: Respektiere Ressourcen die nicht vom Chart kommen
      - RespectIgnoreDifferences=true
  
  # Ignoriere Änderungen am manuell erstellten Secret
  ignoreDifferences:
    - group: ""
      kind: Secret
      name: mattermost-mattermost-team-edition-mattermost-dbsecret
      jsonPointers:
        - /data
        - /stringData