From c670cb711803cd37307d7ce77d4fde429381a68b Mon Sep 17 00:00:00 2001 
From: Viktor Barzin Date: Mon, 22 Jun 2026 19:13:04 +0000 Subject: [PATCH] =?UTF-8?q?eso:=20Phase=202=20=E2=80=94=20migrate=20all=20?= =?UTF-8?q?104=20ExternalSecrets=20+=202=20ClusterSecretStores=20to=20v1?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The API rewrite half of the ESO 0.12->2.6 migration (last k8s-1.35 compat-gate blocker). Done on chart 0.16.2, which serves BOTH external-secrets.io/v1beta1 and v1, so this is the safe window — MUST land before 0.17 removes v1beta1 (there is no conversion webhook). Pure apiVersion bump, schema is byte-identical: 106 occurrences (104 ExternalSecrets + 2 ClusterSecretStores vault-kv/vault-database) across 73 .tf files, v1beta1 -> v1, no other field changes. Validated live first on tandoor (single, non-coupled, synced ES): the kubernetes_manifest apiVersion bump forces a REPLACE; the target Secret is cascade-GC'd for ONE ~0.3s poll then ESO recreates it (identical value re-synced from Vault, new UID) and the ES returns SecretSynced=True on v1. Running pods keep their mounted copy through the sub-second blip. All 110 target Secrets were snapshotted to /tmp first as a backstop. CI applies the changed stacks serially (staged rollout); watching aggregate ES sync back to 108 synced (2 pre-existing dead: instagram-poster, payslip-ingest). Next: Phase 3 climb 0.16.2 -> 2.6.0. 
Co-Authored-By: Claude Opus 4.8
---
stacks/actualbudget/main.tf | 2 +-
stacks/affine/main.tf | 4 ++--
stacks/authentik/email-secret.tf | 2 +-
stacks/beads-server/main.tf | 2 +-
stacks/broker-sync/main.tf | 2 +-
stacks/changedetection/main.tf | 2 +-
stacks/chrome-service/main.tf | 2 +-
stacks/ci-pipeline-health/main.tf | 2 +-
stacks/claude-agent-service/main.tf | 2 +-
stacks/claude-breakglass/main.tf | 4 ++--
stacks/claude-memory/main.tf | 4 ++--
stacks/coturn/main.tf | 2 +-
stacks/dawarich/main.tf | 2 +-
stacks/diun/main.tf | 2 +-
stacks/ebooks/main.tf | 6 +++---
stacks/external-secrets/main.tf | 4 ++--
stacks/f1-stream/main.tf | 4 ++--
stacks/fire-planner/main.tf | 10 +++++-----
stacks/forgejo/email-secret.tf | 2 +-
stacks/freedify/main.tf | 2 +-
stacks/freshrss/main.tf | 2 +-
stacks/grampsweb/main.tf | 2 +-
stacks/hackmd/main.tf | 2 +-
stacks/health/main.tf | 4 ++--
stacks/hermes-agent/main.tf | 2 +-
stacks/immich/main.tf | 2 +-
stacks/insta2spotify/main.tf | 2 +-
.../instagram-poster/modules/instagram-poster/main.tf | 4 ++--
stacks/job-hunter/main.tf | 6 +++---
stacks/k8s-dashboard/oauth2_proxy.tf | 2 +-
stacks/k8s-version-upgrade/main.tf | 2 +-
stacks/kms/main.tf | 2 +-
stacks/linkwarden/main.tf | 4 ++--
stacks/mailserver/modules/mailserver/main.tf | 2 +-
stacks/matrix/main.tf | 2 +-
stacks/monitoring/modules/monitoring/grafana.tf | 2 +-
stacks/n8n/main.tf | 6 +++---
stacks/navidrome/main.tf | 2 +-
stacks/netbox/main.tf | 2 +-
stacks/nextcloud-todos/main.tf | 4 ++--
stacks/nextcloud/main.tf | 4 ++--
stacks/novelapp/main.tf | 2 +-
stacks/onlyoffice/main.tf | 2 +-
stacks/openclaw/main.tf | 2 +-
stacks/owntracks/main.tf | 2 +-
stacks/paperless-ai/main.tf | 2 +-
stacks/paperless-mcp/main.tf | 2 +-
stacks/paperless-ngx/main.tf | 2 +-
stacks/payslip-ingest/main.tf | 6 +++---
stacks/phpipam/main.tf | 6 +++---
stacks/plotting-book/main.tf | 2 +-
stacks/postiz/modules/postiz/main.tf | 2 +-
stacks/proxmox-csi/modules/proxmox-csi/main.tf | 2 +-
stacks/real-estate-crawler/main.tf | 6 +++--- stacks/recruiter-responder/main.tf | 4 ++-- stacks/resume/main.tf | 2 +- stacks/rybbit/main.tf | 2 +- stacks/servarr/aiostreams/main.tf | 2 +- stacks/servarr/main.tf | 2 +- stacks/shadowsocks/main.tf | 2 +- stacks/speedtest/main.tf | 2 +- stacks/stem95su/gdrive-sync.tf | 2 +- stacks/t3-afk/main.tf | 2 +- stacks/tandoor/main.tf | 2 +- stacks/technitium/modules/technitium/main.tf | 2 +- stacks/trading-bot/main.tf | 4 ++-- stacks/tripit/main.tf | 4 ++-- stacks/tuya-bridge/main.tf | 2 +- stacks/url/main.tf | 4 ++-- stacks/wealthfolio/main.tf | 6 +++--- stacks/webhook_handler/main.tf | 2 +- stacks/woodpecker/main.tf | 4 ++-- stacks/ytdlp/main.tf | 2 +- 73 files changed, 106 insertions(+), 106 deletions(-) diff --git a/stacks/actualbudget/main.tf b/stacks/actualbudget/main.tf index 7e93ef3a..33012033 100644 --- a/stacks/actualbudget/main.tf +++ b/stacks/actualbudget/main.tf @@ -6,7 +6,7 @@ variable "nfs_server" { type = string } resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "actualbudget-secrets" diff --git a/stacks/affine/main.tf b/stacks/affine/main.tf index c7144f28..bc63381c 100644 --- a/stacks/affine/main.tf +++ b/stacks/affine/main.tf @@ -6,7 +6,7 @@ variable "nfs_server" { type = string } resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "affine-secrets" @@ -43,7 +43,7 @@ data "kubernetes_secret" "eso_secrets" { # Provides DATABASE_URL that auto-updates when password rotates resource "kubernetes_manifest" "db_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "affine-db-creds" 
diff --git a/stacks/authentik/email-secret.tf b/stacks/authentik/email-secret.tf index 42558d81..b3a7f201 100644 --- a/stacks/authentik/email-secret.tf +++ b/stacks/authentik/email-secret.tf @@ -7,7 +7,7 @@ # authentik pods if the password ever changes. resource "kubernetes_manifest" "authentik_email_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "authentik-email" diff --git a/stacks/beads-server/main.tf b/stacks/beads-server/main.tf index 0b9a84f2..5b71373e 100644 --- a/stacks/beads-server/main.tf +++ b/stacks/beads-server/main.tf @@ -602,7 +602,7 @@ resource "kubernetes_config_map" "beadboard_config" { # dispatch agent jobs via the in-cluster HTTP API. resource "kubernetes_manifest" "beadboard_agent_service_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "beadboard-agent-service" diff --git a/stacks/broker-sync/main.tf b/stacks/broker-sync/main.tf index 5b04a1cc..2de168a1 100644 --- a/stacks/broker-sync/main.tf +++ b/stacks/broker-sync/main.tf @@ -29,7 +29,7 @@ resource "kubernetes_namespace" "broker_sync" { # imap_host, imap_user, imap_password, imap_directory — for InvestEngine + Schwab email ingest resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "broker-sync-secrets" diff --git a/stacks/changedetection/main.tf b/stacks/changedetection/main.tf index 7974e884..ee203e7b 100644 --- a/stacks/changedetection/main.tf +++ b/stacks/changedetection/main.tf 
@@ -20,7 +20,7 @@ resource "kubernetes_namespace" "changedetection" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "changedetection-secrets" diff --git a/stacks/chrome-service/main.tf b/stacks/chrome-service/main.tf index 7d370fbd..23ca3e79 100644 --- a/stacks/chrome-service/main.tf +++ b/stacks/chrome-service/main.tf @@ -42,7 +42,7 @@ resource "kubernetes_namespace" "chrome_service" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "chrome-service-secrets" diff --git a/stacks/ci-pipeline-health/main.tf b/stacks/ci-pipeline-health/main.tf index 31b3b475..17378f84 100644 --- a/stacks/ci-pipeline-health/main.tf +++ b/stacks/ci-pipeline-health/main.tf @@ -50,7 +50,7 @@ resource "kubernetes_namespace" "ci_pipeline_health" { # the alias could not do. Blast radius = this single-CronJob namespace. resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "ci-pipeline-health-creds" diff --git a/stacks/claude-agent-service/main.tf b/stacks/claude-agent-service/main.tf index 7e3f3111..9f8b6478 100644 --- a/stacks/claude-agent-service/main.tf +++ b/stacks/claude-agent-service/main.tf @@ -39,7 +39,7 @@ resource "kubernetes_namespace" "claude_agent" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "claude-agent-secrets" diff --git a/stacks/claude-breakglass/main.tf b/stacks/claude-breakglass/main.tf index 7a02a838..6b996b9e 100644 --- a/stacks/claude-breakglass/main.tf +++ b/stacks/claude-breakglass/main.tf 
@@ -58,7 +58,7 @@ resource "kubernetes_service_account" "breakglass" { # pod can never read it. resource "kubernetes_manifest" "external_secret_ssh" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "breakglass-ssh" @@ -83,7 +83,7 @@ resource "kubernetes_manifest" "external_secret_ssh" { # same account) and the app bearer token (in-cluster/CLI fallback caller auth). resource "kubernetes_manifest" "external_secret_env" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "breakglass-env" diff --git a/stacks/claude-memory/main.tf b/stacks/claude-memory/main.tf index 2d75fdca..18c21fe5 100644 --- a/stacks/claude-memory/main.tf +++ b/stacks/claude-memory/main.tf @@ -30,7 +30,7 @@ resource "kubernetes_namespace" "claude-memory" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "claude-memory-secrets" @@ -58,7 +58,7 @@ resource "kubernetes_manifest" "external_secret" { # DB credentials from Vault database engine (rotated every 24h) resource "kubernetes_manifest" "db_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "claude-memory-db-creds" diff --git a/stacks/coturn/main.tf b/stacks/coturn/main.tf index c323ff56..caeb9a66 100644 --- a/stacks/coturn/main.tf +++ b/stacks/coturn/main.tf @@ -6,7 +6,7 @@ variable "public_ip" { type = string } resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "coturn-secrets" diff --git a/stacks/dawarich/main.tf b/stacks/dawarich/main.tf index 92fef613..2432e9c3 100644 
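Review bot: The `breakglass-ssh` and `breakglass-env` ExternalSecrets in stacks/claude-breakglass/main.tf are replaced by the same delete-and-resync mechanism as every other stack, so the path that is presumably meant for emergencies depends on this migration having worked. If ESO or the Vault stores misbehave after the replace, these Secrets stay absent at the moment they are most likely to be needed. I would apply this stack last, once the other stacks show SecretSynced=True on v1, and record that above both resources, e.g. `# Apply after ESO is confirmed healthy on v1; these Secrets back the emergency path.` Both resource bodies continue outside the hunks.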
--- a/stacks/dawarich/main.tf +++ b/stacks/dawarich/main.tf @@ -24,7 +24,7 @@ resource "kubernetes_namespace" "dawarich" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "dawarich-secrets" diff --git a/stacks/diun/main.tf b/stacks/diun/main.tf index 083a8125..9933f064 100644 --- a/stacks/diun/main.tf +++ b/stacks/diun/main.tf @@ -21,7 +21,7 @@ resource "kubernetes_namespace" "diun" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "diun-secrets" diff --git a/stacks/ebooks/main.tf b/stacks/ebooks/main.tf index 0e0474fc..a5754590 100644 --- a/stacks/ebooks/main.tf +++ b/stacks/ebooks/main.tf @@ -21,7 +21,7 @@ resource "kubernetes_namespace" "ebooks" { # ExternalSecrets for all three sources resource "kubernetes_manifest" "calibre_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "calibre-secrets" @@ -48,7 +48,7 @@ resource "kubernetes_manifest" "calibre_external_secret" { resource "kubernetes_manifest" "audiobookshelf_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "audiobookshelf-secrets" @@ -75,7 +75,7 @@ resource "kubernetes_manifest" "audiobookshelf_external_secret" { resource "kubernetes_manifest" "servarr_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "servarr-secrets" diff --git a/stacks/external-secrets/main.tf b/stacks/external-secrets/main.tf index 39be8895..5481ee8b 100644 --- a/stacks/external-secrets/main.tf 
+++ b/stacks/external-secrets/main.tf @@ -35,7 +35,7 @@ resource "helm_release" "external_secrets" { resource "kubernetes_manifest" "css_vault_kv" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ClusterSecretStore" metadata = { name = "vault-kv" } spec = { @@ -65,7 +65,7 @@ resource "kubernetes_manifest" "css_vault_kv" { resource "kubernetes_manifest" "css_vault_db" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ClusterSecretStore" metadata = { name = "vault-database" } spec = { diff --git a/stacks/f1-stream/main.tf b/stacks/f1-stream/main.tf index 0fe6bacf..a62ad01a 100644 --- a/stacks/f1-stream/main.tf +++ b/stacks/f1-stream/main.tf @@ -34,7 +34,7 @@ resource "kubernetes_namespace" "f1-stream" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "f1-stream-secrets" @@ -63,7 +63,7 @@ resource "kubernetes_manifest" "external_secret" { # Secret so the verifier can reach the in-cluster Playwright pool. resource "kubernetes_manifest" "chrome_service_client_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "chrome-service-client-secrets" diff --git a/stacks/fire-planner/main.tf b/stacks/fire-planner/main.tf index 817503e4..21503a37 100644 --- a/stacks/fire-planner/main.tf +++ b/stacks/fire-planner/main.tf @@ -54,7 +54,7 @@ resource "kubernetes_namespace" "fire_planner" { # secret/fire-planner -> property `recompute_bearer_token` resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "fire-planner-secrets" 
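Review bot: Nothing in stacks/external-secrets/main.tf orders the replace of `css_vault_kv` and `css_vault_db` ahead of the ExternalSecret replaces in the other files. While either ClusterSecretStore is deleted or not yet Ready, an ExternalSecret that references it presumably cannot re-sync. The commit message measured a sub-second gap on tandoor with the store already in place; an ExternalSecret recreated while `vault-kv` or `vault-database` is missing would leave its target Secret absent for longer than that. I would apply this stack on its own, confirm both stores report Ready on v1, and note it above the resources, e.g. `# Apply first; wait for vault-kv and vault-database to be Ready before replacing any ExternalSecret.` Both resource bodies continue outside the hunks.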
@@ -116,7 +116,7 @@ resource "kubernetes_manifest" "external_secret" { # as DB_CONNECTION_STRING. resource "kubernetes_manifest" "db_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "fire-planner-db-creds" @@ -160,7 +160,7 @@ resource "kubernetes_manifest" "db_external_secret" { # fire-planner ingest reads those tables via this role. resource "kubernetes_manifest" "wealthfolio_sync_db_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "wealthfolio-sync-db-creds" @@ -662,7 +662,7 @@ variable "run_examples_bulk_ingest" { # Reddit OAuth creds pulled from Vault secret/viktor. resource "kubernetes_manifest" "external_secret_examples_reddit" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "fire-planner-examples-reddit" @@ -702,7 +702,7 @@ resource "kubernetes_manifest" "external_secret_examples_reddit" { # is decoupled from the Reddit creds. resource "kubernetes_manifest" "external_secret_examples_claude" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "fire-planner-examples-claude" diff --git a/stacks/forgejo/email-secret.tf b/stacks/forgejo/email-secret.tf index 1793caf9..034d45f2 100644 --- a/stacks/forgejo/email-secret.tf +++ b/stacks/forgejo/email-secret.tf @@ -7,7 +7,7 @@ # reloader annotation rolls the Forgejo pod if the password is ever rotated. resource "kubernetes_manifest" "forgejo_email_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "forgejo-email" diff --git a/stacks/freedify/main.tf b/stacks/freedify/main.tf index 4113948e..3e2cf8b4 100644 
--- a/stacks/freedify/main.tf +++ b/stacks/freedify/main.tf @@ -4,7 +4,7 @@ variable "tls_secret_name" { } resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "freedify-secrets" diff --git a/stacks/freshrss/main.tf b/stacks/freshrss/main.tf index 37393b77..31c5d20e 100644 --- a/stacks/freshrss/main.tf +++ b/stacks/freshrss/main.tf @@ -19,7 +19,7 @@ resource "kubernetes_namespace" "immich" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "freshrss-secrets" diff --git a/stacks/grampsweb/main.tf b/stacks/grampsweb/main.tf index 8d8a059d..2d434ec7 100644 --- a/stacks/grampsweb/main.tf +++ b/stacks/grampsweb/main.tf @@ -6,7 +6,7 @@ variable "nfs_server" { type = string } resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "grampsweb-secrets" diff --git a/stacks/hackmd/main.tf b/stacks/hackmd/main.tf index 3dd913b7..bbe6db40 100644 --- a/stacks/hackmd/main.tf +++ b/stacks/hackmd/main.tf @@ -209,7 +209,7 @@ module "ingress" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "hackmd-secrets" diff --git a/stacks/health/main.tf b/stacks/health/main.tf index 8d21d33b..36fd17d6 100644 --- a/stacks/health/main.tf +++ b/stacks/health/main.tf @@ -251,7 +251,7 @@ module "ingress_test" { resource "kubernetes_manifest" "external_secret_db" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "health-db-secrets" 
@@ -285,7 +285,7 @@ resource "kubernetes_manifest" "external_secret_db" { resource "kubernetes_manifest" "external_secret_kv" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "health-kv-secrets" diff --git a/stacks/hermes-agent/main.tf b/stacks/hermes-agent/main.tf index dced38c4..1293d7a5 100644 --- a/stacks/hermes-agent/main.tf +++ b/stacks/hermes-agent/main.tf @@ -38,7 +38,7 @@ module "tls_secret" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "hermes-agent-secrets" diff --git a/stacks/immich/main.tf b/stacks/immich/main.tf index ccb3bd2f..3009be5e 100644 --- a/stacks/immich/main.tf +++ b/stacks/immich/main.tf @@ -163,7 +163,7 @@ resource "kubernetes_resource_quota" "immich" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "immich-secrets" diff --git a/stacks/insta2spotify/main.tf b/stacks/insta2spotify/main.tf index 39edac87..9770afd3 100644 --- a/stacks/insta2spotify/main.tf +++ b/stacks/insta2spotify/main.tf @@ -21,7 +21,7 @@ resource "kubernetes_namespace" "insta2spotify" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "insta2spotify-secrets" diff --git a/stacks/instagram-poster/modules/instagram-poster/main.tf b/stacks/instagram-poster/modules/instagram-poster/main.tf index 0b249597..65714739 100644 --- a/stacks/instagram-poster/modules/instagram-poster/main.tf +++ b/stacks/instagram-poster/modules/instagram-poster/main.tf 
@@ -36,7 +36,7 @@ resource "kubernetes_namespace" "instagram_poster" { # - immich_tag_posted (optional — auto-resolved if missing) resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "instagram-poster-secrets" @@ -140,7 +140,7 @@ resource "kubernetes_manifest" "external_secret" { # bounces the pod when the password changes. resource "kubernetes_manifest" "benchmark_db_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "instagram-poster-benchmark-db" diff --git a/stacks/job-hunter/main.tf b/stacks/job-hunter/main.tf index 9a962674..a008e83c 100644 --- a/stacks/job-hunter/main.tf +++ b/stacks/job-hunter/main.tf @@ -42,7 +42,7 @@ resource "kubernetes_namespace" "job_hunter" { # digest_from_address — From: header for the digest resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "job-hunter-secrets" @@ -106,7 +106,7 @@ resource "kubernetes_manifest" "external_secret" { # Template builds the asyncpg DSN consumed by the FastAPI app as DB_CONNECTION_STRING. resource "kubernetes_manifest" "db_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "job-hunter-db-creds" @@ -326,7 +326,7 @@ resource "kubernetes_service" "job_hunter" { # Grafana whenever ESO updates this secret (every 7d on rotation). resource "kubernetes_manifest" "grafana_job_hunter_db_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "grafana-job-hunter-pg-creds" 
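Review bot: The replace of `external_secret` and `benchmark_db_external_secret` in stacks/instagram-poster/modules/instagram-poster/main.tf has no recovery path if the ExternalSecret is one of the two the commit message lists as already dead; the same applies to the three hunks in stacks/payslip-ingest/main.tf. The rollout relies on ESO recreating the target Secret after the cascade delete, and an ExternalSecret that does not sync will not do that. Any Secret it still owns from an earlier successful sync would then be removed, leaving the /tmp snapshot as the only copy. I would fix or retire the dead ExternalSecrets before applying these two stacks, and handle the snapshot as secret material: owner-only permissions, deleted once the rollout is confirmed. The resource bodies continue outside the hunks, so the `target` settings are not visible here.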
diff --git a/stacks/k8s-dashboard/oauth2_proxy.tf b/stacks/k8s-dashboard/oauth2_proxy.tf index 31e07bed..5ed73793 100644 --- a/stacks/k8s-dashboard/oauth2_proxy.tf +++ b/stacks/k8s-dashboard/oauth2_proxy.tf @@ -6,7 +6,7 @@ resource "kubernetes_manifest" "oauth2_proxy_externalsecret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "oauth2-proxy" diff --git a/stacks/k8s-version-upgrade/main.tf b/stacks/k8s-version-upgrade/main.tf index 9c4f1626..077028f1 100644 --- a/stacks/k8s-version-upgrade/main.tf +++ b/stacks/k8s-version-upgrade/main.tf @@ -98,7 +98,7 @@ resource "kubernetes_namespace" "k8s_upgrade" { # No claude-agent bearer needed — the chain no longer POSTs to that service. resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "k8s-upgrade-creds" diff --git a/stacks/kms/main.tf b/stacks/kms/main.tf index 1d2fadda..59b691d6 100644 --- a/stacks/kms/main.tf +++ b/stacks/kms/main.tf @@ -305,7 +305,7 @@ resource "kubernetes_config_map" "kms_slack_notifier" { resource "kubernetes_manifest" "kms_slack_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "kms-slack-webhook" diff --git a/stacks/linkwarden/main.tf b/stacks/linkwarden/main.tf index 23c8fd16..efae9c1f 100644 --- a/stacks/linkwarden/main.tf +++ b/stacks/linkwarden/main.tf @@ -30,7 +30,7 @@ resource "kubernetes_namespace" "linkwarden" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "linkwarden-secrets" 
@@ -58,7 +58,7 @@ resource "kubernetes_manifest" "external_secret" { # DB credentials from Vault database engine (rotated every 24h) resource "kubernetes_manifest" "db_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "linkwarden-db-creds" diff --git a/stacks/mailserver/modules/mailserver/main.tf b/stacks/mailserver/modules/mailserver/main.tf index b76de3f2..7f134144 100644 --- a/stacks/mailserver/modules/mailserver/main.tf +++ b/stacks/mailserver/modules/mailserver/main.tf @@ -801,7 +801,7 @@ resource "kubernetes_service" "mailserver_proxy" { # `env_from { secret_ref {} }` block. resource "kubernetes_manifest" "email_roundtrip_monitor_secrets" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "mailserver-probe-secrets" diff --git a/stacks/matrix/main.tf b/stacks/matrix/main.tf index 97b04057..38604917 100644 --- a/stacks/matrix/main.tf +++ b/stacks/matrix/main.tf @@ -26,7 +26,7 @@ resource "kubernetes_namespace" "matrix" { # later (e.g. to add family) without regenerating it. resource "kubernetes_manifest" "secrets_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "matrix-secrets" diff --git a/stacks/monitoring/modules/monitoring/grafana.tf b/stacks/monitoring/modules/monitoring/grafana.tf index 7ce6bb8c..4acafd52 100644 --- a/stacks/monitoring/modules/monitoring/grafana.tf +++ b/stacks/monitoring/modules/monitoring/grafana.tf 
@@ -72,7 +72,7 @@ resource "kubernetes_persistent_volume" "alertmanager_pv" { # Provides GF_DATABASE_PASSWORD that auto-updates when password rotates resource "kubernetes_manifest" "grafana_db_creds" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "grafana-db-creds" diff --git a/stacks/n8n/main.tf b/stacks/n8n/main.tf index 272ec646..4f9b0921 100644 --- a/stacks/n8n/main.tf +++ b/stacks/n8n/main.tf @@ -27,7 +27,7 @@ resource "kubernetes_namespace" "n8n" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "n8n-secrets" @@ -54,7 +54,7 @@ resource "kubernetes_manifest" "external_secret" { resource "kubernetes_manifest" "external_secret_claude_agent" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "claude-agent-token" @@ -85,7 +85,7 @@ resource "kubernetes_manifest" "external_secret_claude_agent" { # Workflows in stacks/n8n/workflows/instagram-*.json reference these env vars. resource "kubernetes_manifest" "external_secret_instagram_pipeline" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "instagram-pipeline-secrets" diff --git a/stacks/navidrome/main.tf b/stacks/navidrome/main.tf index c02a1428..5826b417 100644 --- a/stacks/navidrome/main.tf +++ b/stacks/navidrome/main.tf @@ -20,7 +20,7 @@ resource "kubernetes_namespace" "navidrome" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "navidrome-secrets" diff --git a/stacks/netbox/main.tf b/stacks/netbox/main.tf index 2e621476..7dbbe6cf 100644 
--- a/stacks/netbox/main.tf +++ b/stacks/netbox/main.tf @@ -22,7 +22,7 @@ resource "kubernetes_namespace" "netbox" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "netbox-secrets" diff --git a/stacks/nextcloud-todos/main.tf b/stacks/nextcloud-todos/main.tf index 416b94a3..a299f29f 100644 --- a/stacks/nextcloud-todos/main.tf +++ b/stacks/nextcloud-todos/main.tf @@ -59,7 +59,7 @@ resource "kubernetes_namespace" "nextcloud_todos" { # managed via the Vault database engine — see static-creds/pg-nextcloud-todos. resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "nextcloud-todos-secrets" @@ -98,7 +98,7 @@ resource "kubernetes_manifest" "external_secret" { # `nextcloud_todos`, and Vault role `static-creds/pg-nextcloud-todos`. resource "kubernetes_manifest" "db_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "nextcloud-todos-db-creds" diff --git a/stacks/nextcloud/main.tf b/stacks/nextcloud/main.tf index 066058a8..40c4b7fa 100644 --- a/stacks/nextcloud/main.tf +++ b/stacks/nextcloud/main.tf @@ -126,7 +126,7 @@ resource "kubernetes_namespace" "nextcloud" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "nextcloud-secrets" 
@@ -155,7 +155,7 @@ resource "kubernetes_manifest" "external_secret" { # Nextcloud Helm chart reads password at runtime via existingSecret reference resource "kubernetes_manifest" "db_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "nextcloud-db-creds" diff --git a/stacks/novelapp/main.tf b/stacks/novelapp/main.tf index 71aaf119..454cedef 100644 --- a/stacks/novelapp/main.tf +++ b/stacks/novelapp/main.tf @@ -5,7 +5,7 @@ variable "tls_secret_name" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "novelapp-secrets" diff --git a/stacks/onlyoffice/main.tf b/stacks/onlyoffice/main.tf index 1a9d14f2..7cacf149 100644 --- a/stacks/onlyoffice/main.tf +++ b/stacks/onlyoffice/main.tf @@ -25,7 +25,7 @@ resource "kubernetes_namespace" "onlyoffice" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "onlyoffice-secrets" diff --git a/stacks/openclaw/main.tf b/stacks/openclaw/main.tf index 925c6675..6947f89e 100644 --- a/stacks/openclaw/main.tf +++ b/stacks/openclaw/main.tf @@ -38,7 +38,7 @@ module "tls_secret" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "openclaw-secrets" diff --git a/stacks/owntracks/main.tf b/stacks/owntracks/main.tf index d8d3627a..976b8714 100644 --- a/stacks/owntracks/main.tf +++ b/stacks/owntracks/main.tf 
@@ -6,7 +6,7 @@ variable "nfs_server" { type = string } resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "owntracks-secrets" diff --git a/stacks/paperless-ai/main.tf b/stacks/paperless-ai/main.tf index a1f52b94..3c9f8a75 100644 --- a/stacks/paperless-ai/main.tf +++ b/stacks/paperless-ai/main.tf @@ -27,7 +27,7 @@ resource "kubernetes_namespace" "paperless_ai" { # custom_api_key — placeholder bearer for llama-swap (no auth, field required). resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "paperless-ai-secrets" diff --git a/stacks/paperless-mcp/main.tf b/stacks/paperless-mcp/main.tf index f3f2f7fc..851659fb 100644 --- a/stacks/paperless-mcp/main.tf +++ b/stacks/paperless-mcp/main.tf @@ -29,7 +29,7 @@ resource "kubernetes_namespace" "paperless-mcp" { # by ESO; the pod reads it via secret_key_ref. resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "paperless-mcp-secrets" diff --git a/stacks/paperless-ngx/main.tf b/stacks/paperless-ngx/main.tf index 2e6f48a8..46d7b9cb 100644 --- a/stacks/paperless-ngx/main.tf +++ b/stacks/paperless-ngx/main.tf @@ -35,7 +35,7 @@ resource "kubernetes_namespace" "paperless-ngx" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "paperless-ngx-secrets" diff --git a/stacks/payslip-ingest/main.tf b/stacks/payslip-ingest/main.tf index 5ec72a05..ed911b53 100644 --- a/stacks/payslip-ingest/main.tf +++ b/stacks/payslip-ingest/main.tf 
@@ -59,7 +59,7 @@ resource "kubernetes_namespace" "payslip_ingest" { # (same as Viktor's sync_id) resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "payslip-ingest-secrets" @@ -134,7 +134,7 @@ resource "kubernetes_manifest" "external_secret" { # Template builds the asyncpg DSN consumed by the FastAPI app as DB_CONNECTION_STRING. resource "kubernetes_manifest" "db_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "payslip-ingest-db-creds" @@ -451,7 +451,7 @@ resource "kubernetes_cron_job_v1" "actualbudget_payroll_sync" { # Grafana whenever ESO updates this secret (every 7d on rotation). resource "kubernetes_manifest" "grafana_payslips_db_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "grafana-payslips-pg-creds" diff --git a/stacks/phpipam/main.tf b/stacks/phpipam/main.tf index ce74ae1d..9a4622f2 100644 --- a/stacks/phpipam/main.tf +++ b/stacks/phpipam/main.tf @@ -29,7 +29,7 @@ resource "kubernetes_namespace" "phpipam" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "phpipam-secrets" @@ -58,7 +58,7 @@ resource "kubernetes_manifest" "external_secret" { resource "kubernetes_manifest" "external_secret_pfsense_ssh" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "phpipam-pfsense-ssh" 
@@ -87,7 +87,7 @@ resource "kubernetes_manifest" "external_secret_pfsense_ssh" { resource "kubernetes_manifest" "external_secret_admin" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "phpipam-admin-password" diff --git a/stacks/plotting-book/main.tf b/stacks/plotting-book/main.tf index 0e91212d..3b810ad5 100644 --- a/stacks/plotting-book/main.tf +++ b/stacks/plotting-book/main.tf @@ -20,7 +20,7 @@ resource "kubernetes_namespace" "plotting-book" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "plotting-book-secrets" diff --git a/stacks/postiz/modules/postiz/main.tf b/stacks/postiz/modules/postiz/main.tf index 9e6684b6..91a55649 100644 --- a/stacks/postiz/modules/postiz/main.tf +++ b/stacks/postiz/modules/postiz/main.tf @@ -73,7 +73,7 @@ resource "kubernetes_persistent_volume_claim" "uploads" { # this Secret in via `envFrom: secretRef: postiz-secrets`. resource "kubernetes_manifest" "external_secret_jwt" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "postiz-jwt-secret" diff --git a/stacks/proxmox-csi/modules/proxmox-csi/main.tf b/stacks/proxmox-csi/modules/proxmox-csi/main.tf index ec6b03f2..8ca6216f 100644 --- a/stacks/proxmox-csi/modules/proxmox-csi/main.tf +++ b/stacks/proxmox-csi/modules/proxmox-csi/main.tf @@ -208,7 +208,7 @@ resource "kubernetes_cluster_role_binding" "pve_snapshot_admin" { # Referenced by the proxmox-lvm-encrypted StorageClass for node-stage and node-expand. resource "kubernetes_manifest" "external_secret_encryption" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "proxmox-csi-encryption" 
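Review bot: In the last hunk on this line (stacks/proxmox-csi/modules/proxmox-csi/main.tf, `external_secret_encryption`), the forced replace described in the commit message removes the `proxmox-csi-encryption` Secret until ESO recreates it, and the context comment says the proxmox-lvm-encrypted StorageClass references that Secret for node-stage and node-expand. A volume staged or expanded in that window would presumably fail, and a recreated value that differed from the original would leave existing encrypted volumes unopenable, so this stack deserves its own apply with a before/after comparison of a hash of the Secret's data rather than riding along with the bulk rollout. If `spec.target.creationPolicy` is left at the default `Owner` (the spec is outside this hunk), one option to evaluate is setting `creationPolicy = "Orphan"` before the bump, which would be expected to keep the Secret in place across the replace. The pre-migration snapshot of this Secret under /tmp holds the volume encryption key in plaintext and should be deleted once sync is confirmed.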
diff --git a/stacks/real-estate-crawler/main.tf b/stacks/real-estate-crawler/main.tf index bb2a41d0..2b8d7cf5 100644 --- a/stacks/real-estate-crawler/main.tf +++ b/stacks/real-estate-crawler/main.tf @@ -8,7 +8,7 @@ variable "mysql_host" { type = string } resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "real-estate-crawler-secrets" @@ -37,7 +37,7 @@ resource "kubernetes_manifest" "external_secret" { # Provides DB_CONNECTION_STRING that auto-updates when password rotates resource "kubernetes_manifest" "db_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "realestate-crawler-db-creds" @@ -86,7 +86,7 @@ data "kubernetes_secret" "eso_secrets" { # (Sprig `b64enc`) so the PAT never sits in K8s in cleartext. resource "kubernetes_manifest" "dockerhub_pull_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "dockerhub-pull-secret" diff --git a/stacks/recruiter-responder/main.tf b/stacks/recruiter-responder/main.tf index 460ec1b6..e552ea46 100644 --- a/stacks/recruiter-responder/main.tf +++ b/stacks/recruiter-responder/main.tf @@ -56,7 +56,7 @@ resource "kubernetes_namespace" "recruiter_responder" { # DB user: created via Vault database engine — see static-creds/pg-recruiter-responder. resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "recruiter-responder-secrets" 
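Review bot: In the third real-estate-crawler hunk (`dockerhub_pull_secret`), the context comment ends with "(Sprig `b64enc`) so the PAT never sits in K8s in cleartext", which overstates what base64 provides: it is an encoding, and the rendered pull Secret still yields the PAT to anyone who can read Secrets in that namespace. The start of the comment is outside the hunk, so the intent may be narrower; if it means the PAT is kept out of the Terraform source, say that instead, for example `# ... assembled by ESO at sync time, so the PAT never appears in Terraform config.` The header of the same hunk shows a `data "kubernetes_secret" "eso_secrets"` block just above, and values read through a data source are stored in Terraform state, so it is worth confirming that block does not put the same material into state and that it is not read while its Secret is briefly absent during the replace.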
@@ -108,7 +108,7 @@ resource "kubernetes_manifest" "external_secret" { # `recruiter_responder`, and Vault role `static-creds/pg-recruiter-responder`. resource "kubernetes_manifest" "db_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "recruiter-responder-db-creds" diff --git a/stacks/resume/main.tf b/stacks/resume/main.tf index 25bde022..7b482655 100644 --- a/stacks/resume/main.tf +++ b/stacks/resume/main.tf @@ -42,7 +42,7 @@ module "tls_secret" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "resume-secrets" diff --git a/stacks/rybbit/main.tf b/stacks/rybbit/main.tf index 812a0883..f1053bc4 100644 --- a/stacks/rybbit/main.tf +++ b/stacks/rybbit/main.tf @@ -26,7 +26,7 @@ resource "kubernetes_namespace" "rybbit" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "rybbit-secrets" diff --git a/stacks/servarr/aiostreams/main.tf b/stacks/servarr/aiostreams/main.tf index 7bb03b2e..05b60741 100644 --- a/stacks/servarr/aiostreams/main.tf +++ b/stacks/servarr/aiostreams/main.tf @@ -186,7 +186,7 @@ resource "kubernetes_service" "aiostreams" { resource "kubernetes_manifest" "probe_secrets" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "aiostreams-probe-secrets" diff --git a/stacks/servarr/main.tf b/stacks/servarr/main.tf index 90123848..6165afbf 100644 --- a/stacks/servarr/main.tf +++ b/stacks/servarr/main.tf 
@@ -6,7 +6,7 @@ variable "nfs_server" { type = string } resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "servarr-secrets" diff --git a/stacks/shadowsocks/main.tf b/stacks/shadowsocks/main.tf index 65dd776b..9e1ca8eb 100644 --- a/stacks/shadowsocks/main.tf +++ b/stacks/shadowsocks/main.tf @@ -22,7 +22,7 @@ resource "kubernetes_namespace" "shadowsocks" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "shadowsocks-secrets" diff --git a/stacks/speedtest/main.tf b/stacks/speedtest/main.tf index 002ede72..167312b5 100644 --- a/stacks/speedtest/main.tf +++ b/stacks/speedtest/main.tf @@ -21,7 +21,7 @@ resource "kubernetes_namespace" "speedtest" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "speedtest-secrets" diff --git a/stacks/stem95su/gdrive-sync.tf b/stacks/stem95su/gdrive-sync.tf index 9f870205..a10bcf84 100644 --- a/stacks/stem95su/gdrive-sync.tf +++ b/stacks/stem95su/gdrive-sync.tf @@ -17,7 +17,7 @@ resource "kubernetes_manifest" "rclone_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "stem95su-rclone" diff --git a/stacks/t3-afk/main.tf b/stacks/t3-afk/main.tf index d7544fd9..a2f73a67 100644 --- a/stacks/t3-afk/main.tf +++ b/stacks/t3-afk/main.tf @@ -59,7 +59,7 @@ resource "kubernetes_namespace" "t3_afk" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "t3-afk-secrets" 
diff --git a/stacks/tandoor/main.tf b/stacks/tandoor/main.tf index 822576ab..5c08d440 100644 --- a/stacks/tandoor/main.tf +++ b/stacks/tandoor/main.tf @@ -23,7 +23,7 @@ resource "kubernetes_namespace" "tandoor" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "tandoor-secrets" diff --git a/stacks/technitium/modules/technitium/main.tf b/stacks/technitium/modules/technitium/main.tf index 8bd87609..ef00506e 100644 --- a/stacks/technitium/modules/technitium/main.tf +++ b/stacks/technitium/modules/technitium/main.tf @@ -420,7 +420,7 @@ module "ingress" { # ExternalSecret for Technitium MySQL password (Vault auto-rotation) resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "technitium-db-creds" diff --git a/stacks/trading-bot/main.tf b/stacks/trading-bot/main.tf index e26e728a..871269e0 100644 --- a/stacks/trading-bot/main.tf +++ b/stacks/trading-bot/main.tf @@ -50,7 +50,7 @@ module "tls_secret" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "trading-bot-secrets" @@ -104,7 +104,7 @@ resource "kubernetes_manifest" "external_secret" { # DB credentials from Vault database engine (rotated every 24h) resource "kubernetes_manifest" "db_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "trading-bot-db-creds" diff --git a/stacks/tripit/main.tf b/stacks/tripit/main.tf index e0d09ceb..1c8de495 100644 --- a/stacks/tripit/main.tf +++ b/stacks/tripit/main.tf 
@@ -216,7 +216,7 @@ resource "kubernetes_namespace" "tripit" { # DB user: created via Vault database engine — see static-creds/pg-tripit. resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "tripit-secrets" @@ -292,7 +292,7 @@ resource "kubernetes_manifest" "external_secret" { # role `static-creds/pg-tripit`. resource "kubernetes_manifest" "db_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "tripit-db-creds" diff --git a/stacks/tuya-bridge/main.tf b/stacks/tuya-bridge/main.tf index bca2299c..f81d9f4a 100644 --- a/stacks/tuya-bridge/main.tf +++ b/stacks/tuya-bridge/main.tf @@ -15,7 +15,7 @@ resource "kubernetes_namespace" "tuya-bridge" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "tuya-bridge-secrets" diff --git a/stacks/url/main.tf b/stacks/url/main.tf index 4544a0a1..d3c7a8f8 100644 --- a/stacks/url/main.tf +++ b/stacks/url/main.tf @@ -36,7 +36,7 @@ resource "kubernetes_namespace" "shlink" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "url-secrets" @@ -68,7 +68,7 @@ resource "kubernetes_manifest" "external_secret" { # kubernetes_secret can be removed. resource "kubernetes_manifest" "db_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "url-db-creds" diff --git a/stacks/wealthfolio/main.tf b/stacks/wealthfolio/main.tf index 3dcdf971..a291778e 100644 --- a/stacks/wealthfolio/main.tf +++ b/stacks/wealthfolio/main.tf 
@@ -22,7 +22,7 @@ resource "kubernetes_namespace" "wealthfolio" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "wealthfolio-secrets" @@ -52,7 +52,7 @@ resource "kubernetes_manifest" "external_secret" { # the K8s Secret every 15m so the sidecar always has a valid password. resource "kubernetes_manifest" "wealthfolio_sync_db_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "wealthfolio-sync-db-creds" @@ -778,7 +778,7 @@ resource "kubernetes_cron_job_v1" "wealthfolio_sync" { # Grafana whenever ESO updates this secret (every 7d on rotation). resource "kubernetes_manifest" "grafana_wealth_db_external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "grafana-wealth-pg-creds" diff --git a/stacks/webhook_handler/main.tf b/stacks/webhook_handler/main.tf index 3e71c84f..8e5a22ab 100644 --- a/stacks/webhook_handler/main.tf +++ b/stacks/webhook_handler/main.tf @@ -292,7 +292,7 @@ module "ingress" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "webhook-handler-secrets" diff --git a/stacks/woodpecker/main.tf b/stacks/woodpecker/main.tf index afe7d009..ba84f9e4 100644 --- a/stacks/woodpecker/main.tf +++ b/stacks/woodpecker/main.tf @@ -64,7 +64,7 @@ module "tls_secret" { resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "woodpecker-secrets" 
@@ -103,7 +103,7 @@ resource "kubernetes_manifest" "db_external_secret" { force_conflicts = true } manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "woodpecker-db-creds" diff --git a/stacks/ytdlp/main.tf b/stacks/ytdlp/main.tf index 361fd53b..bf19ce2a 100644 --- a/stacks/ytdlp/main.tf +++ b/stacks/ytdlp/main.tf @@ -7,7 +7,7 @@ variable "nfs_server" { type = string } resource "kubernetes_manifest" "external_secret" { manifest = { - apiVersion = "external-secrets.io/v1beta1" + apiVersion = "external-secrets.io/v1" kind = "ExternalSecret" metadata = { name = "ytdlp-secrets"
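Review bot: `db_external_secret` in stacks/woodpecker/main.tf is the only hunk in this part of the patch whose context shows `force_conflicts = true`, and nothing visible documents why the override is needed. Because the apiVersion bump replaces the object, Terraform becomes the only applier of the new one, so whatever field conflict required the override may no longer exist; leaving it on lets Terraform silently overwrite fields another manager sets on a credential-bearing resource. Consider dropping it after this apply, or keeping it with a comment such as `# force_conflicts: <reason and which manager owns the contested field>`. The enclosing block opens before the hunk, so the reason may already be stated there.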