feat: podpora high-availability a multi-replica nasazení

- Socket.io Redis adapter pro sdílený stav přes repliky
- graceful shutdown serveru
- WATCH/MULTI v updateData pro race-condition-safe aktualizace
- lease mechanismus pro push reminder (zabrání duplicitnímu odesílání)
- k8s/ manifesty pro testovací kind cluster
- Dockerfile: opraven EXPOSE port na 3001
- .gitignore: ignorovány Claude pracovní soubory

k8s/base/ingressroute.yaml

@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: luncher
+  namespace: luncher
+  annotations:
+    kubernetes.io/ingress.class: traefik
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`luncher.localhost`)
+      kind: Rule
+      services:
+        - name: luncher
+          port: 3001

k8s/base/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: luncher

k8s/base/redis-service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis
+  namespace: luncher
+spec:
+  clusterIP: None  # headless — StatefulSet pod discovery
+  selector:
+    app: redis
+  ports:
+    - port: 6379
+      targetPort: 6379

k8s/base/redis-statefulset.yaml

@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: redis
+  namespace: luncher
+spec:
+  serviceName: redis
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+        - name: redis
+          # Redis Stack je nutný — aplikace používá JSON.GET / JSON.SET (modul RedisJSON)
+          image: redis/redis-stack-server:7.2.0-v14
+          ports:
+            - containerPort: 6379
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+            limits:
+              cpu: 500m
+              memory: 512Mi
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          readinessProbe:
+            exec:
+              command: ["redis-cli", "ping"]
+            initialDelaySeconds: 5
+            periodSeconds: 5
+          livenessProbe:
+            exec:
+              command: ["redis-cli", "ping"]
+            initialDelaySeconds: 10
+            periodSeconds: 10
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 1Gi

k8s/base/reloader.yaml

@@ -0,0 +1,184 @@
+# stakater/Reloader v1.4.16
+# Zdroj: https://raw.githubusercontent.com/stakater/Reloader/v1.4.16/deployments/kubernetes/reloader.yaml
+# Aktualizace: stáhnout novou verzi ze stejné URL a nahradit tento soubor.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: reloader-reloader
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: reloader-reloader-metadata-role
+  namespace: default
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - list
+  - get
+  - watch
+  - create
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: reloader-reloader-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - configmaps
+  verbs:
+  - list
+  - get
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - daemonsets
+  - statefulsets
+  verbs:
+  - list
+  - get
+  - update
+  - patch
+- apiGroups:
+  - extensions
+  resources:
+  - deployments
+  - daemonsets
+  verbs:
+  - list
+  - get
+  - update
+  - patch
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  verbs:
+  - list
+  - get
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - list
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: reloader-reloader-metadata-rolebinding
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: reloader-reloader-metadata-role
+subjects:
+- kind: ServiceAccount
+  name: reloader-reloader
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: reloader-reloader-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: reloader-reloader-role
+subjects:
+- kind: ServiceAccount
+  name: reloader-reloader
+  namespace: default
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: reloader-reloader
+  namespace: default
+spec:
+  replicas: 1
+  revisionHistoryLimit: 2
+  selector:
+    matchLabels:
+      app: reloader-reloader
+  template:
+    metadata:
+      labels:
+        app: reloader-reloader
+    spec:
+      containers:
+      - env:
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              divisor: "1"
+              resource: limits.cpu
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              divisor: "1"
+              resource: limits.memory
+        - name: RELOADER_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: RELOADER_DEPLOYMENT_NAME
+          value: reloader-reloader
+        image: ghcr.io/stakater/reloader:v1.4.16
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /live
+            port: http
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 5
+        name: reloader-reloader
+        ports:
+        - containerPort: 9090
+          name: http
+        readinessProbe:
+          failureThreshold: 5
+          httpGet:
+            path: /metrics
+            port: http
+          initialDelaySeconds: 10
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 5
+        resources:
+          limits:
+            cpu: "1"
+            memory: 512Mi
+          requests:
+            cpu: 10m
+            memory: 512Mi
+        securityContext: {}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: reloader-reloader

k8s/base/server-configmap.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: luncher-config
+  namespace: luncher
+data:
+  NODE_ENV: production
+  STORAGE: redis
+  REDIS_HOST: redis
+  REDIS_PORT: "6379"
+  PORT: "3001"
+  HOST: "0.0.0.0"

k8s/base/server-deployment.yaml

@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: luncher
+  namespace: luncher
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: luncher
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 0        # nelze přidat extra pod — každý worker je obsazen
+      maxUnavailable: 1  # nejdřív smaž starý pod, pak naplánuj nový
+  template:
+    metadata:
+      labels:
+        app: luncher
+      annotations:
+        reloader.stakater.com/auto: "true"
+    spec:
+      terminationGracePeriodSeconds: 30
+
+      # Rozmístit každý pod na jiný worker uzel
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchLabels:
+                  app: luncher
+              topologyKey: kubernetes.io/hostname
+
+      containers:
+        - name: luncher
+          image: luncher:ha-test
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 3001
+
+          envFrom:
+            - configMapRef:
+                name: luncher-config
+            - secretRef:
+                name: luncher-secrets
+
+          env:
+            # POD_ID pro leader election scheduleru připomínek
+            - name: POD_ID
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+
+          resources:
+            requests:
+              cpu: 100m
+              memory: 256Mi
+            limits:
+              cpu: 500m
+              memory: 512Mi
+
+          # Liveness — levná kontrola bez externích závislostí
+          livenessProbe:
+            httpGet:
+              path: /api/health
+              port: 3001
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            failureThreshold: 3
+
+          # Readiness — kontroluje Redis; při shutdown vrací 503
+          readinessProbe:
+            httpGet:
+              path: /api/health/ready
+              port: 3001
+            initialDelaySeconds: 10
+            periodSeconds: 5
+            failureThreshold: 2
+
+          # preStop sleep: dá čas kube-proxy a Traefiku odebrat endpoint
+          # dřív než kontejner začne odmítat nová spojení
+          lifecycle:
+            preStop:
+              exec:
+                command: ["sleep", "5"]

k8s/base/server-pdb.yaml

@@ -0,0 +1,10 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: luncher-pdb
+  namespace: luncher
+spec:
+  minAvailable: 2   # ze 3 replik, max 1 voluntary disruption najednou
+  selector:
+    matchLabels:
+      app: luncher

k8s/base/server-secret.yaml

@@ -0,0 +1,14 @@
+# Šablona — hodnoty jsou zástupné symboly.
+# Pro kind test vytvoř secret příkazem:
+#   kubectl create secret generic luncher-secrets -n luncher \
+#     --from-literal=JWT_SECRET=<your-secret> \
+#     --from-literal=ADMIN_PASSWORD=<your-password>
+apiVersion: v1
+kind: Secret
+metadata:
+  name: luncher-secrets
+  namespace: luncher
+type: Opaque
+stringData:
+  JWT_SECRET: CHANGE_ME
+  ADMIN_PASSWORD: CHANGE_ME

k8s/base/server-service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: luncher
+  namespace: luncher
+spec:
+  selector:
+    app: luncher
+  ports:
+    - port: 3001
+      targetPort: 3001