Improve Tailscale and sync sequence optimizations

[vpittamp]

Summary

• Add PreSync hook for Dapr sidecar injection to prevent race condition
• Create shared TailscaleServeRbacChart to eliminate SharedResourceWarning
• Fix ExternalSecrets OutOfSync by expanding ignoreDifferences for controller-defaulted fields

Changes

Dapr Sidecar Injection Fix

• Added ArgoCD PreSync hook Job speckit-wait-for-dapr-injector that waits for Dapr MutatingWebhookConfiguration to be ready before deploying speckit-agents
• Added ClusterRole/ClusterRoleBinding for reading webhook configurations

Tailscale Serve RBAC Consolidation

• Created TailscaleServeRbacChart with shared ServiceAccount, Role, and RoleBinding
• Modified TailscaleServeChart, ArgoCdTailscaleServeChart, and LangfuseTailscaleServeChart to use shared RBAC
• Eliminates SharedResourceWarning where 7 apps were managing the same RBAC resources

ExternalSecrets Sync Fix

• Updated EXTERNAL_SECRET_IGNORE_DIFFERENCES to use jqPathExpressions
• Added all controller-defaulted fields: conversionStrategy, decodingStrategy, metadataPolicy, creationPolicy, deletionPolicy, engineVersion, mergePolicy

Test plan

• Cluster recreated and all speckit-agents pods show 2/2 Running with Dapr sidecar
• All 7 tailscale-serve apps show Synced without SharedResourceWarning
• All ExternalSecrets apps show Synced/Healthy
• 63 Synced / 1 OutOfSync (kargo-pipelines-project - unrelated)

Known Issues

• Let's Encrypt rate limiting: tailscale-serve HTTPS certs are rate limited until Dec 7th due to multiple cluster recreations. Pods are running but can't serve HTTPS until rate limit resets.

🤖 Generated with Claude Code