From 0639719e5c2e3aacbac151c117ec5da4bd9ae035 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <viktorbarzin@meta.com>
Date: Sun, 1 Mar 2026 14:18:54 +0000
Subject: [PATCH] [ci skip] add Traefik topology spread, PDB (minAvailable=2),
 and 30s response timeout

---
 stacks/platform/modules/traefik/main.tf | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/stacks/platform/modules/traefik/main.tf b/stacks/platform/modules/traefik/main.tf
index 1c5c4ca8..e73d58df 100644
--- a/stacks/platform/modules/traefik/main.tf
+++ b/stacks/platform/modules/traefik/main.tf
@@ -186,7 +186,7 @@ resource "helm_release" "traefik" {
       "--serversTransport.insecureSkipVerify=true",
       # Increase timeouts for services like Immich
       "--serversTransport.forwardingTimeouts.dialTimeout=60s",
-      "--serversTransport.forwardingTimeouts.responseHeaderTimeout=0s",
+      "--serversTransport.forwardingTimeouts.responseHeaderTimeout=30s",
       "--serversTransport.forwardingTimeouts.idleConnTimeout=90s",
       # Use forwarded headers from trusted proxies
       "--entryPoints.websecure.forwardedHeaders.insecure=false",
@@ -207,6 +207,22 @@ resource "helm_release" "traefik" {
     }
 
     tolerations = []
+
+    topologySpreadConstraints = [{
+      maxSkew           = 1
+      topologyKey       = "kubernetes.io/hostname"
+      whenUnsatisfiable = "DoNotSchedule"
+      labelSelector = {
+        matchLabels = {
+          "app.kubernetes.io/name" = "traefik"
+        }
+      }
+    }]
+
+    podDisruptionBudget = {
+      enabled      = true
+      minAvailable = 2
+    }
   })]
 }