From 296deda3b424f9f67e2971e482999b7655bc6ca2 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sun, 21 Jun 2026 20:41:30 +0000
Subject: [PATCH] =?UTF-8?q?eso:=20Phase=201=20=E2=80=94=20climb=20chart=20?= =?UTF-8?q?0.12.1=20->=200.16.2=20(transition=20version)=20+=20atomic?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

First half of the ESO 0.12->2.6 migration (docs/plans/2026-06-21-eso-0.12-to-2.x-migration-design.md), clearing the LAST k8s-1.35 compat-gate blocker. Stepped one minor at a time on k8s 1.34 (no k8s interleave — cluster already on 1.34, ESO bands are conservative tested ranges not hard limits): 0.12.1 -> 0.13.0 -> 0.14.4 -> 0.15.1 -> 0.16.2. Each hop applied + verified: controller healthy, all 108 live ExternalSecrets stayed SecretSynced (2 pre-existing dead — instagram-poster, payslip-ingest — missing Vault data, untouched). Added atomic=true + timeout=600 (ESO had no rollback safety net). 0.16.2 serves BOTH v1beta1 AND v1 (storedVersions now ["v1beta1","v1"]) — the safe window to rewrite all 104 CRs to v1 (Phase 2) before 0.17 removes v1beta1. State auto-committed per hop by scripts/tg (Tier-0 SOPS).
Co-Authored-By: Claude Opus 4.8
---
 stacks/external-secrets/main.tf | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/stacks/external-secrets/main.tf b/stacks/external-secrets/main.tf
index 291c67b9..39be8895 100644
--- a/stacks/external-secrets/main.tf
+++ b/stacks/external-secrets/main.tf
@@ -17,7 +17,14 @@ resource "helm_release" "external_secrets" {
 namespace = kubernetes_namespace.external_secrets.metadata[0].name
 repository = "https://charts.external-secrets.io"
 chart = "external-secrets"
- version = "0.12.1"
+ # ESO 0.12->2.6 migration (2026-06-21, docs/plans/2026-06-21-eso-0.12-to-2.x-migration-design.md).
+ # Stepped one minor at a time on k8s 1.34; rewrite all 104 CRs v1beta1->v1 at 0.16.2 before 0.17.
+ version = "0.16.2"
+
+ # Added for the migration: auto-rollback a failed hop's helm upgrade (ESO had no
+ # rollback safety net) and wait for the controller Deployment to be Ready first.
+ atomic = true
+ timeout = 600

 values = [yamlencode({
 installCRDs = true
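Review bot: The comment above `atomic = true` presents the setting as the rollback safety net, but Helm's atomic/wait only rolls back when the upgrade itself errors or the release's own resources do not become Ready within `timeout`; it does not notice ExternalSecrets dropping out of SecretSynced, which is the condition the commit message says was verified by hand after each hop. I would record that limit in the comment, e.g. `# Covers upgrade errors and pod readiness only; still verify ExternalSecrets stay SecretSynced after each hop.` The comment on `version` could also name the other precondition for 0.17: if that chart drops v1beta1 from the CRDs' spec.versions, the API server will reject the CRD update while `status.storedVersions` still lists v1beta1, so rewriting the manifests is not enough by itself — `# Before 0.17: also migrate stored objects and drop v1beta1 from each CRD's status.storedVersions.` Because `installCRDs = true` puts those CRDs inside this release, such a rejection would presumably surface as a failed and rolled-back upgrade rather than a partial one. The `helm_release` block opens and closes outside the hunk, so the remaining values are not visible here.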