feat(ha): add drain-safe PDBs to the remaining critical controllers and apps

[devantler]

🤖 Generated by the Daily AI Assistant

Summary

Completes the #1880/#1882 drain-safe PDB sweep so node drains, Talos upgrades and autoscaler scale-down never take out a whole platform component at once — and never deadlock. Every change uses the house pattern maxUnavailable: 1, which the disruption controller evaluates against the live replica count, so it stays drainable even if a replica floor drops.

Chart-native values (chart supports the maxUnavailable shape)

Component	What gets a PDB
keda 2.20.0	operator, metrics-apiserver, admission-webhooks
external-secrets 2.5.0	controller, webhook, cert-controller (minAvailable: null removes the chart's default minAvailable shape that validate-pdb-drain-safe flags)
vpa 4.11.0	recommender + updater (mirrors the existing admissionController PDB)
kyverno 3.8.1	background/reports/cleanup controllers — the chart auto-enables their PDBs at replicas > 1 and defaults them to minAvailable: 1, so prod (3 replicas each) has been running the flagged shape; this pins maxUnavailable: 1 instead

Raw PDB manifests (no usable chart knob)

Component	Why raw
flagger	chart only offers minAvailable
keda-add-ons-http external scaler	chart ships a PDB only for the interceptor; the scaler is on the scale-from-zero decision path
snapshot-controller (hetzner)	piraeus chart has no PDB value; keeps Velero CSI snapshots from hanging mid-drain
umami	Flagger target — selector keys on app.kubernetes.io/instance because Flagger rewrites /name to umami-umami-primary on the primary (see canary.yaml); provision-tenants Job pods carry different labels and are not matched
actual-budget	KEDA scale-to-zero, inert at 0 replicas, never blocks a drain at 1

Explicitly unchanged

• OpenBao: at openbao_replicas: 3 the chart's default server.ha.disruptionBudget already renders maxUnavailable: 1 (verified against the 0.28.3 template math).
• Velero, flux-operator, external-dns, spire-server, coroot: intentional singletons / operator-managed, per validate-replica-floor exemptions.

Validation

• ksail workload validate: green (320 files)
• ksail --config ksail.prod.yaml workload validate: only failure is the pre-existing coroot schema gap in the upstream datreeio CRDs-catalog (fixed upstream by CRDs-catalog#896, unrelated)
• Every chart-value shape verified by rendering the exact chart version with helm template and inspecting the produced PDBs (all render maxUnavailable: 1; kyverno verified via its kyverno.pdb.spec helper which forbids setting both fields)

🤖 Generated with Claude Code

[devantler]

🤖 Generated by the Daily AI Assistant

System-test status: the first run failed in ~3 min on a transient schema-fetch error during ksail workload validate (bases/apps ... validation failed: EOF — also hit #1995, which touches no manifests). On rerun, validate passed (✔ 320 files validated — including every PDB added here) and the job ran the full ~53 min, failing at reconcile with infrastructure Progressing / apps blocked — the known repo-wide OpenBao label-patch 422 wedge being probed in #1990 (same signature and duration as #1987/#1989, pre-existing on main). Nothing in this PR participates in the OpenBao seeding chain; it can go green once the 422 regression is fixed.