diff --git a/stacks/external-secrets/main.tf b/stacks/external-secrets/main.tf
index 291c67b9..39be8895 100644
--- a/stacks/external-secrets/main.tf
+++ b/stacks/external-secrets/main.tf
@@ -17,7 +17,14 @@ resource "helm_release" "external_secrets" {
   namespace  = kubernetes_namespace.external_secrets.metadata[0].name
   repository = "https://charts.external-secrets.io"
   chart      = "external-secrets"
-  version    = "0.12.1"
+  # ESO 0.12->2.6 migration (2026-06-21, docs/plans/2026-06-21-eso-0.12-to-2.x-migration-design.md).
+  # Stepped one minor at a time on k8s 1.34; rewrite all 104 CRs v1beta1->v1 at 0.16.2 before 0.17.
+  version = "0.16.2"
+
+  # Added for the migration: auto-rollback a failed hop's helm upgrade (ESO had no
+  # rollback safety net) and wait for the controller Deployment to be Ready first.
+  atomic  = true
+  timeout = 600
 
   values = [yamlencode({
     installCRDs = true