k8s-upgrade: preflight kubeadm-plan gate must pass explicit target (minor-upgrade fix)

Last night's 1.34.9->1.35.6 run passed the ESO/kyverno compat gate (the migration
worked!) but ABORTED at the kubeadm-plan-target gate: it ran `kubeadm upgrade plan`
with NO version, so master's old 1.34.9 kubeadm auto-proposed only the current
minor (Loki: "falling back to stable-1.34") and plan_target != 1.35.6 -> abort.
That gate worked for patch upgrades but never for minors. Fix: pass the explicit
`v$TARGET_VERSION` (verified on master: `kubeadm upgrade plan v1.35.6` emits
"kubeadm upgrade apply v1.35.6"). Works for patches too. Applied live to the
ConfigMap before tonight's run; deleted the failed preflight-1-35-6 job.

Also: ESO 2.x took SSA ownership of .spec.refreshInterval, so terraform's apply of
the k8s-upgrade-creds ExternalSecret hit a field-manager conflict. Added
field_manager.force_conflicts=true (benign — interval is semantically identical).
This pattern affects all 104 migrated ESs fleet-wide (follow-up).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

stacks/k8s-version-upgrade/main.tf

@@ -131,6 +131,15 @@ resource "kubernetes_manifest" "external_secret" {
       ]
     }
   }
+
+  # ESO 2.x took SSA ownership of .spec.refreshInterval (it normalizes the value),
+  # which conflicts with terraform's apply of this ExternalSecret. force_conflicts
+  # lets terraform reassert its spec — the interval is semantically identical, so
+  # this is benign. Surfaced after the ESO 0.12->2.6 migration (2026-06-24); the
+  # same pattern affects all migrated ExternalSecrets fleet-wide.
+  field_manager {
+    force_conflicts = true
+  }
 }
 
 # --- Unified ServiceAccount + RBAC ---