eso: Phase 2 — migrate all 104 ExternalSecrets + 2 ClusterSecretStores to v1

The API rewrite half of the ESO 0.12->2.6 migration (last k8s-1.35 compat-gate blocker). Done on chart 0.16.2, which serves BOTH external-secrets.io/v1beta1 and v1, so this is the safe window — MUST land before 0.17 removes v1beta1 (there is no conversion webhook). Pure apiVersion bump, schema is byte-identical: 106 occurrences (104 ExternalSecrets + 2 ClusterSecretStores vault-kv/vault-database) across 73 .tf files, v1beta1 -> v1, no other field changes. Validated live first on tandoor (single, non-coupled, synced ES): the kubernetes_manifest apiVersion bump forces a REPLACE; the target Secret is cascade-GC'd for ONE ~0.3s poll then ESO recreates it (identical value re-synced from Vault, new UID) and the ES returns SecretSynced=True on v1. Running pods keep their mounted copy through the sub-second blip. All 110 target Secrets were snapshotted to /tmp first as a backstop. CI applies the changed stacks serially (staged rollout); watching aggregate ES sync back to 108 synced (2 pre-existing dead: instagram-poster, payslip-ingest). Next: Phase 3 climb 0.16.2 -> 2.6.0. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-22 19:13:04 +00:00 · 2026-06-22 19:13:04 +00:00 · c670cb7118
commit c670cb7118
parent 98cd535b97
73 changed files with 106 additions and 106 deletions
--- a/stacks/actualbudget/main.tf
+++ b/stacks/actualbudget/main.tf
@ -6,7 +6,7 @@ variable "nfs_server" { type = string }
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "actualbudget-secrets"
--- a/stacks/affine/main.tf
+++ b/stacks/affine/main.tf
@ -6,7 +6,7 @@ variable "nfs_server" { type = string }
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "affine-secrets"
@ -43,7 +43,7 @@ data "kubernetes_secret" "eso_secrets" {
 # Provides DATABASE_URL that auto-updates when password rotates
 resource "kubernetes_manifest" "db_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "affine-db-creds"
--- a/stacks/authentik/email-secret.tf
+++ b/stacks/authentik/email-secret.tf
@ -7,7 +7,7 @@
 # authentik pods if the password ever changes.
 resource "kubernetes_manifest" "authentik_email_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "authentik-email"
--- a/stacks/beads-server/main.tf
+++ b/stacks/beads-server/main.tf
@ -602,7 +602,7 @@ resource "kubernetes_config_map" "beadboard_config" {
 # dispatch agent jobs via the in-cluster HTTP API.
 resource "kubernetes_manifest" "beadboard_agent_service_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "beadboard-agent-service"
--- a/stacks/broker-sync/main.tf
+++ b/stacks/broker-sync/main.tf
@ -29,7 +29,7 @@ resource "kubernetes_namespace" "broker_sync" {
 #   imap_host, imap_user, imap_password, imap_directory — for InvestEngine + Schwab email ingest
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "broker-sync-secrets"
--- a/stacks/changedetection/main.tf
+++ b/stacks/changedetection/main.tf
@ -20,7 +20,7 @@ resource "kubernetes_namespace" "changedetection" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "changedetection-secrets"
--- a/stacks/chrome-service/main.tf
+++ b/stacks/chrome-service/main.tf
@ -42,7 +42,7 @@ resource "kubernetes_namespace" "chrome_service" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "chrome-service-secrets"
--- a/stacks/ci-pipeline-health/main.tf
+++ b/stacks/ci-pipeline-health/main.tf
@ -50,7 +50,7 @@ resource "kubernetes_namespace" "ci_pipeline_health" {
 # the alias could not do. Blast radius = this single-CronJob namespace.
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "ci-pipeline-health-creds"
--- a/stacks/claude-agent-service/main.tf
+++ b/stacks/claude-agent-service/main.tf
@ -39,7 +39,7 @@ resource "kubernetes_namespace" "claude_agent" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "claude-agent-secrets"
--- a/stacks/claude-breakglass/main.tf
+++ b/stacks/claude-breakglass/main.tf
@ -58,7 +58,7 @@ resource "kubernetes_service_account" "breakglass" {
 # pod can never read it.
 resource "kubernetes_manifest" "external_secret_ssh" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "breakglass-ssh"
@ -83,7 +83,7 @@ resource "kubernetes_manifest" "external_secret_ssh" {
 # same account) and the app bearer token (in-cluster/CLI fallback caller auth).
 resource "kubernetes_manifest" "external_secret_env" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "breakglass-env"
--- a/stacks/claude-memory/main.tf
+++ b/stacks/claude-memory/main.tf
@ -30,7 +30,7 @@ resource "kubernetes_namespace" "claude-memory" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "claude-memory-secrets"
@ -58,7 +58,7 @@ resource "kubernetes_manifest" "external_secret" {
 # DB credentials from Vault database engine (rotated every 24h)
 resource "kubernetes_manifest" "db_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "claude-memory-db-creds"
--- a/stacks/coturn/main.tf
+++ b/stacks/coturn/main.tf
@ -6,7 +6,7 @@ variable "public_ip" { type = string }
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "coturn-secrets"
--- a/stacks/dawarich/main.tf
+++ b/stacks/dawarich/main.tf
@ -24,7 +24,7 @@ resource "kubernetes_namespace" "dawarich" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "dawarich-secrets"
--- a/stacks/diun/main.tf
+++ b/stacks/diun/main.tf
@ -21,7 +21,7 @@ resource "kubernetes_namespace" "diun" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "diun-secrets"
--- a/stacks/ebooks/main.tf
+++ b/stacks/ebooks/main.tf
@ -21,7 +21,7 @@ resource "kubernetes_namespace" "ebooks" {
 # ExternalSecrets for all three sources
 resource "kubernetes_manifest" "calibre_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "calibre-secrets"
@ -48,7 +48,7 @@ resource "kubernetes_manifest" "calibre_external_secret" {
 resource "kubernetes_manifest" "audiobookshelf_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "audiobookshelf-secrets"
@ -75,7 +75,7 @@ resource "kubernetes_manifest" "audiobookshelf_external_secret" {
 resource "kubernetes_manifest" "servarr_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "servarr-secrets"
--- a/stacks/external-secrets/main.tf
+++ b/stacks/external-secrets/main.tf
@ -35,7 +35,7 @@ resource "helm_release" "external_secrets" {
 resource "kubernetes_manifest" "css_vault_kv" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ClusterSecretStore"
    metadata   = { name = "vault-kv" }
    spec = {
@ -65,7 +65,7 @@ resource "kubernetes_manifest" "css_vault_kv" {
 resource "kubernetes_manifest" "css_vault_db" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ClusterSecretStore"
    metadata   = { name = "vault-database" }
    spec = {
--- a/stacks/f1-stream/main.tf
+++ b/stacks/f1-stream/main.tf
@ -34,7 +34,7 @@ resource "kubernetes_namespace" "f1-stream" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "f1-stream-secrets"
@ -63,7 +63,7 @@ resource "kubernetes_manifest" "external_secret" {
 # Secret so the verifier can reach the in-cluster Playwright pool.
 resource "kubernetes_manifest" "chrome_service_client_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "chrome-service-client-secrets"
--- a/stacks/fire-planner/main.tf
+++ b/stacks/fire-planner/main.tf
@ -54,7 +54,7 @@ resource "kubernetes_namespace" "fire_planner" {
 #   secret/fire-planner -> property `recompute_bearer_token`
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "fire-planner-secrets"
@ -116,7 +116,7 @@ resource "kubernetes_manifest" "external_secret" {
 # as DB_CONNECTION_STRING.
 resource "kubernetes_manifest" "db_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "fire-planner-db-creds"
@ -160,7 +160,7 @@ resource "kubernetes_manifest" "db_external_secret" {
 # fire-planner ingest reads those tables via this role.
 resource "kubernetes_manifest" "wealthfolio_sync_db_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "wealthfolio-sync-db-creds"
@ -662,7 +662,7 @@ variable "run_examples_bulk_ingest" {
 # Reddit OAuth creds pulled from Vault secret/viktor.
 resource "kubernetes_manifest" "external_secret_examples_reddit" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "fire-planner-examples-reddit"
@ -702,7 +702,7 @@ resource "kubernetes_manifest" "external_secret_examples_reddit" {
 # is decoupled from the Reddit creds.
 resource "kubernetes_manifest" "external_secret_examples_claude" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "fire-planner-examples-claude"
--- a/stacks/forgejo/email-secret.tf
+++ b/stacks/forgejo/email-secret.tf
@ -7,7 +7,7 @@
 # reloader annotation rolls the Forgejo pod if the password is ever rotated.
 resource "kubernetes_manifest" "forgejo_email_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "forgejo-email"
--- a/stacks/freedify/main.tf
+++ b/stacks/freedify/main.tf
@ -4,7 +4,7 @@ variable "tls_secret_name" {
 }
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "freedify-secrets"
--- a/stacks/freshrss/main.tf
+++ b/stacks/freshrss/main.tf
@ -19,7 +19,7 @@ resource "kubernetes_namespace" "immich" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "freshrss-secrets"
--- a/stacks/grampsweb/main.tf
+++ b/stacks/grampsweb/main.tf
@ -6,7 +6,7 @@ variable "nfs_server" { type = string }
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "grampsweb-secrets"
--- a/stacks/hackmd/main.tf
+++ b/stacks/hackmd/main.tf
@ -209,7 +209,7 @@ module "ingress" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "hackmd-secrets"
--- a/stacks/health/main.tf
+++ b/stacks/health/main.tf
@ -251,7 +251,7 @@ module "ingress_test" {
 resource "kubernetes_manifest" "external_secret_db" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "health-db-secrets"
@ -285,7 +285,7 @@ resource "kubernetes_manifest" "external_secret_db" {
 resource "kubernetes_manifest" "external_secret_kv" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "health-kv-secrets"
--- a/stacks/hermes-agent/main.tf
+++ b/stacks/hermes-agent/main.tf
@ -38,7 +38,7 @@ module "tls_secret" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "hermes-agent-secrets"
--- a/stacks/immich/main.tf
+++ b/stacks/immich/main.tf
@ -163,7 +163,7 @@ resource "kubernetes_resource_quota" "immich" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "immich-secrets"
--- a/stacks/insta2spotify/main.tf
+++ b/stacks/insta2spotify/main.tf
@ -21,7 +21,7 @@ resource "kubernetes_namespace" "insta2spotify" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "insta2spotify-secrets"
--- a/stacks/instagram-poster/modules/instagram-poster/main.tf
+++ b/stacks/instagram-poster/modules/instagram-poster/main.tf
@ -36,7 +36,7 @@ resource "kubernetes_namespace" "instagram_poster" {
 #     - immich_tag_posted         (optional — auto-resolved if missing)
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "instagram-poster-secrets"
@ -140,7 +140,7 @@ resource "kubernetes_manifest" "external_secret" {
 # bounces the pod when the password changes.
 resource "kubernetes_manifest" "benchmark_db_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "instagram-poster-benchmark-db"
--- a/stacks/job-hunter/main.tf
+++ b/stacks/job-hunter/main.tf
@ -42,7 +42,7 @@ resource "kubernetes_namespace" "job_hunter" {
 #     digest_from_address   — From: header for the digest
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "job-hunter-secrets"
@ -106,7 +106,7 @@ resource "kubernetes_manifest" "external_secret" {
 # Template builds the asyncpg DSN consumed by the FastAPI app as DB_CONNECTION_STRING.
 resource "kubernetes_manifest" "db_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "job-hunter-db-creds"
@ -326,7 +326,7 @@ resource "kubernetes_service" "job_hunter" {
 # Grafana whenever ESO updates this secret (every 7d on rotation).
 resource "kubernetes_manifest" "grafana_job_hunter_db_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "grafana-job-hunter-pg-creds"
--- a/stacks/k8s-dashboard/oauth2_proxy.tf
+++ b/stacks/k8s-dashboard/oauth2_proxy.tf
@ -6,7 +6,7 @@
 resource "kubernetes_manifest" "oauth2_proxy_externalsecret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "oauth2-proxy"
--- a/stacks/k8s-version-upgrade/main.tf
+++ b/stacks/k8s-version-upgrade/main.tf
@ -98,7 +98,7 @@ resource "kubernetes_namespace" "k8s_upgrade" {
 # No claude-agent bearer needed — the chain no longer POSTs to that service.
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "k8s-upgrade-creds"
--- a/stacks/kms/main.tf
+++ b/stacks/kms/main.tf
@ -305,7 +305,7 @@ resource "kubernetes_config_map" "kms_slack_notifier" {
 resource "kubernetes_manifest" "kms_slack_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "kms-slack-webhook"
--- a/stacks/linkwarden/main.tf
+++ b/stacks/linkwarden/main.tf
@ -30,7 +30,7 @@ resource "kubernetes_namespace" "linkwarden" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "linkwarden-secrets"
@ -58,7 +58,7 @@ resource "kubernetes_manifest" "external_secret" {
 # DB credentials from Vault database engine (rotated every 24h)
 resource "kubernetes_manifest" "db_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "linkwarden-db-creds"
--- a/stacks/mailserver/modules/mailserver/main.tf
+++ b/stacks/mailserver/modules/mailserver/main.tf
@ -801,7 +801,7 @@ resource "kubernetes_service" "mailserver_proxy" {
 # `env_from { secret_ref {} }` block.
 resource "kubernetes_manifest" "email_roundtrip_monitor_secrets" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "mailserver-probe-secrets"
--- a/stacks/matrix/main.tf
+++ b/stacks/matrix/main.tf
@ -26,7 +26,7 @@ resource "kubernetes_namespace" "matrix" {
 # later (e.g. to add family) without regenerating it.
 resource "kubernetes_manifest" "secrets_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "matrix-secrets"
--- a/stacks/monitoring/modules/monitoring/grafana.tf
+++ b/stacks/monitoring/modules/monitoring/grafana.tf
@ -72,7 +72,7 @@ resource "kubernetes_persistent_volume" "alertmanager_pv" {
 # Provides GF_DATABASE_PASSWORD that auto-updates when password rotates
 resource "kubernetes_manifest" "grafana_db_creds" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "grafana-db-creds"
--- a/stacks/n8n/main.tf
+++ b/stacks/n8n/main.tf
@ -27,7 +27,7 @@ resource "kubernetes_namespace" "n8n" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "n8n-secrets"
@ -54,7 +54,7 @@ resource "kubernetes_manifest" "external_secret" {
 resource "kubernetes_manifest" "external_secret_claude_agent" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "claude-agent-token"
@ -85,7 +85,7 @@ resource "kubernetes_manifest" "external_secret_claude_agent" {
 # Workflows in stacks/n8n/workflows/instagram-*.json reference these env vars.
 resource "kubernetes_manifest" "external_secret_instagram_pipeline" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "instagram-pipeline-secrets"
--- a/stacks/navidrome/main.tf
+++ b/stacks/navidrome/main.tf
@ -20,7 +20,7 @@ resource "kubernetes_namespace" "navidrome" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "navidrome-secrets"
--- a/stacks/netbox/main.tf
+++ b/stacks/netbox/main.tf
@ -22,7 +22,7 @@ resource "kubernetes_namespace" "netbox" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "netbox-secrets"
--- a/stacks/nextcloud-todos/main.tf
+++ b/stacks/nextcloud-todos/main.tf
@ -59,7 +59,7 @@ resource "kubernetes_namespace" "nextcloud_todos" {
 # managed via the Vault database engine — see static-creds/pg-nextcloud-todos.
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "nextcloud-todos-secrets"
@ -98,7 +98,7 @@ resource "kubernetes_manifest" "external_secret" {
 # `nextcloud_todos`, and Vault role `static-creds/pg-nextcloud-todos`.
 resource "kubernetes_manifest" "db_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "nextcloud-todos-db-creds"
--- a/stacks/nextcloud/main.tf
+++ b/stacks/nextcloud/main.tf
@ -126,7 +126,7 @@ resource "kubernetes_namespace" "nextcloud" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "nextcloud-secrets"
@ -155,7 +155,7 @@ resource "kubernetes_manifest" "external_secret" {
 # Nextcloud Helm chart reads password at runtime via existingSecret reference
 resource "kubernetes_manifest" "db_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "nextcloud-db-creds"
--- a/stacks/novelapp/main.tf
+++ b/stacks/novelapp/main.tf
@ -5,7 +5,7 @@ variable "tls_secret_name" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "novelapp-secrets"
--- a/stacks/onlyoffice/main.tf
+++ b/stacks/onlyoffice/main.tf
@ -25,7 +25,7 @@ resource "kubernetes_namespace" "onlyoffice" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "onlyoffice-secrets"
--- a/stacks/openclaw/main.tf
+++ b/stacks/openclaw/main.tf
@ -38,7 +38,7 @@ module "tls_secret" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "openclaw-secrets"
--- a/stacks/owntracks/main.tf
+++ b/stacks/owntracks/main.tf
@ -6,7 +6,7 @@ variable "nfs_server" { type = string }
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "owntracks-secrets"
--- a/stacks/paperless-ai/main.tf
+++ b/stacks/paperless-ai/main.tf
@ -27,7 +27,7 @@ resource "kubernetes_namespace" "paperless_ai" {
 #   custom_api_key      — placeholder bearer for llama-swap (no auth, field required).
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "paperless-ai-secrets"
--- a/stacks/paperless-mcp/main.tf
+++ b/stacks/paperless-mcp/main.tf
@ -29,7 +29,7 @@ resource "kubernetes_namespace" "paperless-mcp" {
 # by ESO; the pod reads it via secret_key_ref.
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "paperless-mcp-secrets"
--- a/stacks/paperless-ngx/main.tf
+++ b/stacks/paperless-ngx/main.tf
@ -35,7 +35,7 @@ resource "kubernetes_namespace" "paperless-ngx" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "paperless-ngx-secrets"
--- a/stacks/payslip-ingest/main.tf
+++ b/stacks/payslip-ingest/main.tf
@ -59,7 +59,7 @@ resource "kubernetes_namespace" "payslip_ingest" {
 #                                       (same as Viktor's sync_id)
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "payslip-ingest-secrets"
@ -134,7 +134,7 @@ resource "kubernetes_manifest" "external_secret" {
 # Template builds the asyncpg DSN consumed by the FastAPI app as DB_CONNECTION_STRING.
 resource "kubernetes_manifest" "db_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "payslip-ingest-db-creds"
@ -451,7 +451,7 @@ resource "kubernetes_cron_job_v1" "actualbudget_payroll_sync" {
 # Grafana whenever ESO updates this secret (every 7d on rotation).
 resource "kubernetes_manifest" "grafana_payslips_db_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "grafana-payslips-pg-creds"
--- a/stacks/phpipam/main.tf
+++ b/stacks/phpipam/main.tf
@ -29,7 +29,7 @@ resource "kubernetes_namespace" "phpipam" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "phpipam-secrets"
@ -58,7 +58,7 @@ resource "kubernetes_manifest" "external_secret" {
 resource "kubernetes_manifest" "external_secret_pfsense_ssh" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "phpipam-pfsense-ssh"
@ -87,7 +87,7 @@ resource "kubernetes_manifest" "external_secret_pfsense_ssh" {
 resource "kubernetes_manifest" "external_secret_admin" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "phpipam-admin-password"
--- a/stacks/plotting-book/main.tf
+++ b/stacks/plotting-book/main.tf
@ -20,7 +20,7 @@ resource "kubernetes_namespace" "plotting-book" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "plotting-book-secrets"
--- a/stacks/postiz/modules/postiz/main.tf
+++ b/stacks/postiz/modules/postiz/main.tf
@ -73,7 +73,7 @@ resource "kubernetes_persistent_volume_claim" "uploads" {
 # this Secret in via `envFrom: secretRef: postiz-secrets`.
 resource "kubernetes_manifest" "external_secret_jwt" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "postiz-jwt-secret"
--- a/stacks/proxmox-csi/modules/proxmox-csi/main.tf
+++ b/stacks/proxmox-csi/modules/proxmox-csi/main.tf
@ -208,7 +208,7 @@ resource "kubernetes_cluster_role_binding" "pve_snapshot_admin" {
 # Referenced by the proxmox-lvm-encrypted StorageClass for node-stage and node-expand.
 resource "kubernetes_manifest" "external_secret_encryption" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "proxmox-csi-encryption"
--- a/stacks/real-estate-crawler/main.tf
+++ b/stacks/real-estate-crawler/main.tf
@ -8,7 +8,7 @@ variable "mysql_host" { type = string }
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "real-estate-crawler-secrets"
@ -37,7 +37,7 @@ resource "kubernetes_manifest" "external_secret" {
 # Provides DB_CONNECTION_STRING that auto-updates when password rotates
 resource "kubernetes_manifest" "db_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "realestate-crawler-db-creds"
@ -86,7 +86,7 @@ data "kubernetes_secret" "eso_secrets" {
 # (Sprig `b64enc`) so the PAT never sits in K8s in cleartext.
 resource "kubernetes_manifest" "dockerhub_pull_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "dockerhub-pull-secret"
--- a/stacks/recruiter-responder/main.tf
+++ b/stacks/recruiter-responder/main.tf
@ -56,7 +56,7 @@ resource "kubernetes_namespace" "recruiter_responder" {
 # DB user: created via Vault database engine — see static-creds/pg-recruiter-responder.
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "recruiter-responder-secrets"
@ -108,7 +108,7 @@ resource "kubernetes_manifest" "external_secret" {
 # `recruiter_responder`, and Vault role `static-creds/pg-recruiter-responder`.
 resource "kubernetes_manifest" "db_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "recruiter-responder-db-creds"
--- a/stacks/resume/main.tf
+++ b/stacks/resume/main.tf
@ -42,7 +42,7 @@ module "tls_secret" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "resume-secrets"
--- a/stacks/rybbit/main.tf
+++ b/stacks/rybbit/main.tf
@ -26,7 +26,7 @@ resource "kubernetes_namespace" "rybbit" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "rybbit-secrets"
--- a/stacks/servarr/aiostreams/main.tf
+++ b/stacks/servarr/aiostreams/main.tf
@ -186,7 +186,7 @@ resource "kubernetes_service" "aiostreams" {
 resource "kubernetes_manifest" "probe_secrets" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "aiostreams-probe-secrets"
--- a/stacks/servarr/main.tf
+++ b/stacks/servarr/main.tf
@ -6,7 +6,7 @@ variable "nfs_server" { type = string }
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "servarr-secrets"
--- a/stacks/shadowsocks/main.tf
+++ b/stacks/shadowsocks/main.tf
@ -22,7 +22,7 @@ resource "kubernetes_namespace" "shadowsocks" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "shadowsocks-secrets"
--- a/stacks/speedtest/main.tf
+++ b/stacks/speedtest/main.tf
@ -21,7 +21,7 @@ resource "kubernetes_namespace" "speedtest" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "speedtest-secrets"
--- a/stacks/stem95su/gdrive-sync.tf
+++ b/stacks/stem95su/gdrive-sync.tf
@ -17,7 +17,7 @@
 resource "kubernetes_manifest" "rclone_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "stem95su-rclone"
--- a/stacks/t3-afk/main.tf
+++ b/stacks/t3-afk/main.tf
@ -59,7 +59,7 @@ resource "kubernetes_namespace" "t3_afk" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "t3-afk-secrets"
--- a/stacks/tandoor/main.tf
+++ b/stacks/tandoor/main.tf
@ -23,7 +23,7 @@ resource "kubernetes_namespace" "tandoor" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "tandoor-secrets"
--- a/stacks/technitium/modules/technitium/main.tf
+++ b/stacks/technitium/modules/technitium/main.tf
@ -420,7 +420,7 @@ module "ingress" {
 # ExternalSecret for Technitium MySQL password (Vault auto-rotation)
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "technitium-db-creds"
--- a/stacks/trading-bot/main.tf
+++ b/stacks/trading-bot/main.tf
@ -50,7 +50,7 @@ module "tls_secret" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "trading-bot-secrets"
@ -104,7 +104,7 @@ resource "kubernetes_manifest" "external_secret" {
 # DB credentials from Vault database engine (rotated every 24h)
 resource "kubernetes_manifest" "db_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "trading-bot-db-creds"
--- a/stacks/tripit/main.tf
+++ b/stacks/tripit/main.tf
@ -216,7 +216,7 @@ resource "kubernetes_namespace" "tripit" {
 # DB user: created via Vault database engine — see static-creds/pg-tripit.
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "tripit-secrets"
@ -292,7 +292,7 @@ resource "kubernetes_manifest" "external_secret" {
 # role `static-creds/pg-tripit`.
 resource "kubernetes_manifest" "db_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "tripit-db-creds"
--- a/stacks/tuya-bridge/main.tf
+++ b/stacks/tuya-bridge/main.tf
@ -15,7 +15,7 @@ resource "kubernetes_namespace" "tuya-bridge" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "tuya-bridge-secrets"
--- a/stacks/url/main.tf
+++ b/stacks/url/main.tf
@ -36,7 +36,7 @@ resource "kubernetes_namespace" "shlink" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "url-secrets"
@ -68,7 +68,7 @@ resource "kubernetes_manifest" "external_secret" {
 # kubernetes_secret can be removed.
 resource "kubernetes_manifest" "db_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "url-db-creds"
--- a/stacks/wealthfolio/main.tf
+++ b/stacks/wealthfolio/main.tf
@ -22,7 +22,7 @@ resource "kubernetes_namespace" "wealthfolio" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "wealthfolio-secrets"
@ -52,7 +52,7 @@ resource "kubernetes_manifest" "external_secret" {
 # the K8s Secret every 15m so the sidecar always has a valid password.
 resource "kubernetes_manifest" "wealthfolio_sync_db_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "wealthfolio-sync-db-creds"
@ -778,7 +778,7 @@ resource "kubernetes_cron_job_v1" "wealthfolio_sync" {
 # Grafana whenever ESO updates this secret (every 7d on rotation).
 resource "kubernetes_manifest" "grafana_wealth_db_external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "grafana-wealth-pg-creds"
--- a/stacks/webhook_handler/main.tf
+++ b/stacks/webhook_handler/main.tf
@ -292,7 +292,7 @@ module "ingress" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "webhook-handler-secrets"
--- a/stacks/woodpecker/main.tf
+++ b/stacks/woodpecker/main.tf
@ -64,7 +64,7 @@ module "tls_secret" {
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "woodpecker-secrets"
@ -103,7 +103,7 @@ resource "kubernetes_manifest" "db_external_secret" {
    force_conflicts = true
  }
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "woodpecker-db-creds"
--- a/stacks/ytdlp/main.tf
+++ b/stacks/ytdlp/main.tf
@ -7,7 +7,7 @@ variable "nfs_server" { type = string }
 resource "kubernetes_manifest" "external_secret" {
  manifest = {
-    apiVersion = "external-secrets.io/v1beta1"
+    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
    metadata = {
      name      = "ytdlp-secrets"