ESO: add force_conflicts to all ExternalSecret manifests (fleet sweep)

The 2026-06-22 external-secrets v1 migration made the ESO controller the server-side-apply owner of .spec.refreshInterval on every ExternalSecret, so any stack defining one via kubernetes_manifest fails `terraform apply` with a field-manager conflict the next time it's applied (instagram-poster + grafana hit this on 2026-06-24; it was latent across the whole fleet). Add field_manager { force_conflicts = true } to all 101 remaining ExternalSecret manifests across 70 stacks, matching the fix already on grafana / woodpecker / traefik / k8s-version-upgrade / instagram-poster. TF and ESO set the same value, so it's stable (no perpetual drift). Defuses the landmine before each stack's next apply trips it. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-25 21:28:11 +00:00 · 2026-06-25 21:28:11 +00:00 · ebc8b6588f
commit ebc8b6588f
parent 6c5288998f
70 changed files with 303 additions and 0 deletions
--- a/stacks/actualbudget/main.tf
+++ b/stacks/actualbudget/main.tf
@ -5,6 +5,9 @@ variable "tls_secret_name" {
 variable "nfs_server" { type = string }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/affine/main.tf
+++ b/stacks/affine/main.tf
@ -5,6 +5,9 @@ variable "tls_secret_name" {
 variable "nfs_server" { type = string }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -42,6 +45,9 @@ data "kubernetes_secret" "eso_secrets" {
 # DB credentials from Vault database engine (rotated automatically)
 # Provides DATABASE_URL that auto-updates when password rotates
 resource "kubernetes_manifest" "db_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/authentik/email-secret.tf
+++ b/stacks/authentik/email-secret.tf
@ -6,6 +6,9 @@
 # are non-secret and live in values.yaml. The reloader annotation rolls the
 # authentik pods if the password ever changes.
 resource "kubernetes_manifest" "authentik_email_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/beads-server/main.tf
+++ b/stacks/beads-server/main.tf
@ -601,6 +601,9 @@ resource "kubernetes_config_map" "beadboard_config" {
 # Pulls the claude-agent-service bearer token from Vault so BeadBoard can
 # dispatch agent jobs via the in-cluster HTTP API.
 resource "kubernetes_manifest" "beadboard_agent_service_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/broker-sync/main.tf
+++ b/stacks/broker-sync/main.tf
@ -28,6 +28,9 @@ resource "kubernetes_namespace" "broker_sync" {
 #   trading212_api_keys — JSON array of {account_id, account_type, api_key, name, currency}
 #   imap_host, imap_user, imap_password, imap_directory — for InvestEngine + Schwab email ingest
 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/changedetection/main.tf
+++ b/stacks/changedetection/main.tf
@ -19,6 +19,9 @@ resource "kubernetes_namespace" "changedetection" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/chrome-service/main.tf
+++ b/stacks/chrome-service/main.tf
@ -41,6 +41,9 @@ resource "kubernetes_namespace" "chrome_service" {
 # --- Secrets (single-key extract: api_bearer_token) ---

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/ci-pipeline-health/main.tf
+++ b/stacks/ci-pipeline-health/main.tf
@ -49,6 +49,9 @@ resource "kubernetes_namespace" "ci_pipeline_health" {
 # billing on PRIVATE mirrors, which a future scoped read:packages rotation of
 # the alias could not do. Blast radius = this single-CronJob namespace.
 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/claude-agent-service/main.tf
+++ b/stacks/claude-agent-service/main.tf
@ -38,6 +38,9 @@ resource "kubernetes_namespace" "claude_agent" {
 # --- Secrets ---

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/claude-breakglass/main.tf
+++ b/stacks/claude-breakglass/main.tf
@ -57,6 +57,9 @@ resource "kubernetes_service_account" "breakglass" {
 # DENIED this path (see stacks/vault/main.tf) so the shared, prompt-injectable
 # pod can never read it.
 resource "kubernetes_manifest" "external_secret_ssh" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -82,6 +85,9 @@ resource "kubernetes_manifest" "external_secret_ssh" {
 # Env secrets: the Anthropic OAuth token (shared with claude-agent-service —
 # same account) and the app bearer token (in-cluster/CLI fallback caller auth).
 resource "kubernetes_manifest" "external_secret_env" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/claude-memory/main.tf
+++ b/stacks/claude-memory/main.tf
@ -29,6 +29,9 @@ resource "kubernetes_namespace" "claude-memory" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -57,6 +60,9 @@ resource "kubernetes_manifest" "external_secret" {

 # DB credentials from Vault database engine (rotated every 24h)
 resource "kubernetes_manifest" "db_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/coturn/main.tf
+++ b/stacks/coturn/main.tf
@ -5,6 +5,9 @@ variable "tls_secret_name" {
 variable "public_ip" { type = string }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/dawarich/main.tf
+++ b/stacks/dawarich/main.tf
@ -23,6 +23,9 @@ resource "kubernetes_namespace" "dawarich" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/diun/main.tf
+++ b/stacks/diun/main.tf
@ -20,6 +20,9 @@ resource "kubernetes_namespace" "diun" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/ebooks/main.tf
+++ b/stacks/ebooks/main.tf
@ -20,6 +20,9 @@ resource "kubernetes_namespace" "ebooks" {

 # ExternalSecrets for all three sources
 resource "kubernetes_manifest" "calibre_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -47,6 +50,9 @@ resource "kubernetes_manifest" "calibre_external_secret" {
 }

 resource "kubernetes_manifest" "audiobookshelf_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -74,6 +80,9 @@ resource "kubernetes_manifest" "audiobookshelf_external_secret" {
 }

 resource "kubernetes_manifest" "servarr_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/f1-stream/main.tf
+++ b/stacks/f1-stream/main.tf
@ -33,6 +33,9 @@ resource "kubernetes_namespace" "f1-stream" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -62,6 +65,9 @@ resource "kubernetes_manifest" "external_secret" {
 # Pull the chrome-service bearer token into this namespace as a separate
 # Secret so the verifier can reach the in-cluster Playwright pool.
 resource "kubernetes_manifest" "chrome_service_client_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/fire-planner/main.tf
+++ b/stacks/fire-planner/main.tf
@ -53,6 +53,9 @@ resource "kubernetes_namespace" "fire_planner" {
 # Seed before applying:
 #   secret/fire-planner -> property `recompute_bearer_token`
 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -115,6 +118,9 @@ resource "kubernetes_manifest" "external_secret" {
 # Template builds the asyncpg DSN consumed by the FastAPI app + CronJob
 # as DB_CONNECTION_STRING.
 resource "kubernetes_manifest" "db_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -159,6 +165,9 @@ resource "kubernetes_manifest" "db_external_secret" {
 # pg-sync sidecar populates `daily_account_valuation` etc. hourly; the
 # fire-planner ingest reads those tables via this role.
 resource "kubernetes_manifest" "wealthfolio_sync_db_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -661,6 +670,9 @@ variable "run_examples_bulk_ingest" {

 # Reddit OAuth creds pulled from Vault secret/viktor.
 resource "kubernetes_manifest" "external_secret_examples_reddit" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -701,6 +713,9 @@ resource "kubernetes_manifest" "external_secret_examples_reddit" {
 # claude-agent-service bearer pulled separately so its rotation cadence
 # is decoupled from the Reddit creds.
 resource "kubernetes_manifest" "external_secret_examples_claude" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/forgejo/email-secret.tf
+++ b/stacks/forgejo/email-secret.tf
@ -6,6 +6,9 @@
 # (stacks/authentik/email-secret.tf) — one credential, one rotation point. The
 # reloader annotation rolls the Forgejo pod if the password is ever rotated.
 resource "kubernetes_manifest" "forgejo_email_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/freedify/main.tf
+++ b/stacks/freedify/main.tf
@ -3,6 +3,9 @@ variable "tls_secret_name" {
  sensitive = true
 }
 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/freshrss/main.tf
+++ b/stacks/freshrss/main.tf
@ -18,6 +18,9 @@ resource "kubernetes_namespace" "immich" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/goldmane-edge-aggregator/main.tf
+++ b/stacks/goldmane-edge-aggregator/main.tf
@ -168,6 +168,9 @@ resource "kubernetes_job" "db_init" {
 # place in the CNPG connection allowlist are added in stacks/vault/main.tf
 # (see this stack's terragrunt.hcl note). remoteRef key: static-creds/pg-goldmane-edges.
 resource "kubernetes_manifest" "db_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -210,6 +213,9 @@ resource "kubernetes_manifest" "db_external_secret" {
 # into this namespace as SLACK_WEBHOOK_URL via an ExternalSecret (no new
 # webhook). The digest CronJob defaults to #security.
 resource "kubernetes_manifest" "slack_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/grampsweb/main.tf
+++ b/stacks/grampsweb/main.tf
@ -5,6 +5,9 @@ variable "tls_secret_name" {
 variable "nfs_server" { type = string }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/hackmd/main.tf
+++ b/stacks/hackmd/main.tf
@ -208,6 +208,9 @@ module "ingress" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/health/main.tf
+++ b/stacks/health/main.tf
@ -250,6 +250,9 @@ module "ingress_test" {
 }

 resource "kubernetes_manifest" "external_secret_db" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -284,6 +287,9 @@ resource "kubernetes_manifest" "external_secret_db" {
 }

 resource "kubernetes_manifest" "external_secret_kv" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/hermes-agent/main.tf
+++ b/stacks/hermes-agent/main.tf
@ -37,6 +37,9 @@ module "tls_secret" {
 # --- Secrets (ESO from Vault) ---

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/immich/main.tf
+++ b/stacks/immich/main.tf
@ -162,6 +162,9 @@ resource "kubernetes_resource_quota" "immich" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/insta2spotify/main.tf
+++ b/stacks/insta2spotify/main.tf
@ -20,6 +20,9 @@ resource "kubernetes_namespace" "insta2spotify" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/job-hunter/main.tf
+++ b/stacks/job-hunter/main.tf
@ -41,6 +41,9 @@ resource "kubernetes_namespace" "job_hunter" {
 #     digest_to_address     — where the weekly digest goes
 #     digest_from_address   — From: header for the digest
 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -105,6 +108,9 @@ resource "kubernetes_manifest" "external_secret" {
 # DB credentials from Vault database engine (7-day rotation).
 # Template builds the asyncpg DSN consumed by the FastAPI app as DB_CONNECTION_STRING.
 resource "kubernetes_manifest" "db_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -325,6 +331,9 @@ resource "kubernetes_service" "job_hunter" {
 # references it as $__env{JOB_HUNTER_PG_PASSWORD}. Reloader restarts
 # Grafana whenever ESO updates this secret (every 7d on rotation).
 resource "kubernetes_manifest" "grafana_job_hunter_db_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/k8s-dashboard/oauth2_proxy.tf
+++ b/stacks/k8s-dashboard/oauth2_proxy.tf
@ -5,6 +5,9 @@
 # -----------------------------------------------------------------------------

 resource "kubernetes_manifest" "oauth2_proxy_externalsecret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/kms/main.tf
+++ b/stacks/kms/main.tf
@ -304,6 +304,9 @@ resource "kubernetes_config_map" "kms_slack_notifier" {
 }

 resource "kubernetes_manifest" "kms_slack_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/linkwarden/main.tf
+++ b/stacks/linkwarden/main.tf
@ -29,6 +29,9 @@ resource "kubernetes_namespace" "linkwarden" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -57,6 +60,9 @@ resource "kubernetes_manifest" "external_secret" {

 # DB credentials from Vault database engine (rotated every 24h)
 resource "kubernetes_manifest" "db_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/mailserver/modules/mailserver/main.tf
+++ b/stacks/mailserver/modules/mailserver/main.tf
@ -800,6 +800,9 @@ resource "kubernetes_service" "mailserver_proxy" {
 # `EMAIL_MONITOR_IMAP_PASSWORD` so the CronJob can consume them via a single
 # `env_from { secret_ref {} }` block.
 resource "kubernetes_manifest" "email_roundtrip_monitor_secrets" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/matrix/main.tf
+++ b/stacks/matrix/main.tf
@ -25,6 +25,9 @@ resource "kubernetes_namespace" "matrix" {
 # flipped to false. The token stays in Vault so registration can be re-opened
 # later (e.g. to add family) without regenerating it.
 resource "kubernetes_manifest" "secrets_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/n8n/main.tf
+++ b/stacks/n8n/main.tf
@ -26,6 +26,9 @@ resource "kubernetes_namespace" "n8n" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -53,6 +56,9 @@ resource "kubernetes_manifest" "external_secret" {
 }

 resource "kubernetes_manifest" "external_secret_claude_agent" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -84,6 +90,9 @@ resource "kubernetes_manifest" "external_secret_claude_agent" {
 # Shared secrets for the Immich → Telegram → Postiz Instagram pipeline.
 # Workflows in stacks/n8n/workflows/instagram-*.json reference these env vars.
 resource "kubernetes_manifest" "external_secret_instagram_pipeline" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/navidrome/main.tf
+++ b/stacks/navidrome/main.tf
@ -19,6 +19,9 @@ resource "kubernetes_namespace" "navidrome" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/netbox/main.tf
+++ b/stacks/netbox/main.tf
@ -21,6 +21,9 @@ resource "kubernetes_namespace" "netbox" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/nextcloud-todos/main.tf
+++ b/stacks/nextcloud-todos/main.tf
@ -58,6 +58,9 @@ resource "kubernetes_namespace" "nextcloud_todos" {
 # DB user: created in dbaas (null_resource.pg_nextcloud_todos_db); password
 # managed via the Vault database engine — see static-creds/pg-nextcloud-todos.
 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -97,6 +100,9 @@ resource "kubernetes_manifest" "external_secret" {
 # Pre-req in dbaas: CNPG cluster has DB `nextcloud_todos`, role
 # `nextcloud_todos`, and Vault role `static-creds/pg-nextcloud-todos`.
 resource "kubernetes_manifest" "db_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/nextcloud/main.tf
+++ b/stacks/nextcloud/main.tf
@ -125,6 +125,9 @@ resource "kubernetes_namespace" "nextcloud" {
 # other enrolled workload (immich, freshrss) — is both correct and drift-free.

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -154,6 +157,9 @@ resource "kubernetes_manifest" "external_secret" {
 # DB credentials from Vault database engine (rotated every 24h)
 # Nextcloud Helm chart reads password at runtime via existingSecret reference
 resource "kubernetes_manifest" "db_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/novelapp/main.tf
+++ b/stacks/novelapp/main.tf
@ -4,6 +4,9 @@ variable "tls_secret_name" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/onlyoffice/main.tf
+++ b/stacks/onlyoffice/main.tf
@ -24,6 +24,9 @@ resource "kubernetes_namespace" "onlyoffice" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/openclaw/main.tf
+++ b/stacks/openclaw/main.tf
@ -37,6 +37,9 @@ module "tls_secret" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/owntracks/main.tf
+++ b/stacks/owntracks/main.tf
@ -5,6 +5,9 @@ variable "tls_secret_name" {
 variable "nfs_server" { type = string }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/paperless-ai/main.tf
+++ b/stacks/paperless-ai/main.tf
@ -26,6 +26,9 @@ resource "kubernetes_namespace" "paperless_ai" {
 #   api_key             — M2M key between the Node UI and the Python RAG service.
 #   custom_api_key      — placeholder bearer for llama-swap (no auth, field required).
 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/paperless-mcp/main.tf
+++ b/stacks/paperless-mcp/main.tf
@ -28,6 +28,9 @@ resource "kubernetes_namespace" "paperless-mcp" {
 # Paperless API token (MCP -> paperless). Synced from Vault to a K8s Secret
 # by ESO; the pod reads it via secret_key_ref.
 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/paperless-ngx/main.tf
+++ b/stacks/paperless-ngx/main.tf
@ -34,6 +34,9 @@ resource "kubernetes_namespace" "paperless-ngx" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/payslip-ingest/main.tf
+++ b/stacks/payslip-ingest/main.tf
@ -58,6 +58,9 @@ resource "kubernetes_namespace" "payslip_ingest" {
 #                                     - `actualbudget_budget_sync_id`
 #                                       (same as Viktor's sync_id)
 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -133,6 +136,9 @@ resource "kubernetes_manifest" "external_secret" {
 # DB credentials from Vault database engine (rotated every 7 days).
 # Template builds the asyncpg DSN consumed by the FastAPI app as DB_CONNECTION_STRING.
 resource "kubernetes_manifest" "db_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -450,6 +456,9 @@ resource "kubernetes_cron_job_v1" "actualbudget_payroll_sync" {
 # references it as $__env{PAYSLIPS_PG_PASSWORD}. Reloader restarts
 # Grafana whenever ESO updates this secret (every 7d on rotation).
 resource "kubernetes_manifest" "grafana_payslips_db_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/phpipam/main.tf
+++ b/stacks/phpipam/main.tf
@ -28,6 +28,9 @@ resource "kubernetes_namespace" "phpipam" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -57,6 +60,9 @@ resource "kubernetes_manifest" "external_secret" {
 }

 resource "kubernetes_manifest" "external_secret_pfsense_ssh" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -86,6 +92,9 @@ resource "kubernetes_manifest" "external_secret_pfsense_ssh" {
 }

 resource "kubernetes_manifest" "external_secret_admin" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/plotting-book/main.tf
+++ b/stacks/plotting-book/main.tf
@ -19,6 +19,9 @@ resource "kubernetes_namespace" "plotting-book" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/postiz/modules/postiz/main.tf
+++ b/stacks/postiz/modules/postiz/main.tf
@ -72,6 +72,9 @@ resource "kubernetes_persistent_volume_claim" "uploads" {
 # Helm-owned Secret resource intact. The chart's deployment already wires
 # this Secret in via `envFrom: secretRef: postiz-secrets`.
 resource "kubernetes_manifest" "external_secret_jwt" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/proxmox-csi/modules/proxmox-csi/main.tf
+++ b/stacks/proxmox-csi/modules/proxmox-csi/main.tf
@ -207,6 +207,9 @@ resource "kubernetes_cluster_role_binding" "pve_snapshot_admin" {
 # Creates K8s Secret "proxmox-csi-encryption" in kube-system from Vault KV.
 # Referenced by the proxmox-lvm-encrypted StorageClass for node-stage and node-expand.
 resource "kubernetes_manifest" "external_secret_encryption" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/real-estate-crawler/main.tf
+++ b/stacks/real-estate-crawler/main.tf
@ -7,6 +7,9 @@ variable "redis_host" { type = string }
 variable "mysql_host" { type = string }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -36,6 +39,9 @@ resource "kubernetes_manifest" "external_secret" {
 # DB credentials from Vault database engine (rotated automatically)
 # Provides DB_CONNECTION_STRING that auto-updates when password rotates
 resource "kubernetes_manifest" "db_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -85,6 +91,9 @@ data "kubernetes_secret" "eso_secrets" {
 # fresh node would also fail. ESO renders the dockerconfigjson server-side
 # (Sprig `b64enc`) so the PAT never sits in K8s in cleartext.
 resource "kubernetes_manifest" "dockerhub_pull_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/recruiter-responder/main.tf
+++ b/stacks/recruiter-responder/main.tf
@ -55,6 +55,9 @@ resource "kubernetes_namespace" "recruiter_responder" {
 # Schema in CNPG: `recruiter_responder` (alembic creates on first migrate).
 # DB user: created via Vault database engine — see static-creds/pg-recruiter-responder.
 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -107,6 +110,9 @@ resource "kubernetes_manifest" "external_secret" {
 # Pre-req in dbaas: CNPG cluster has DB `recruiter_responder`, role
 # `recruiter_responder`, and Vault role `static-creds/pg-recruiter-responder`.
 resource "kubernetes_manifest" "db_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/resume/main.tf
+++ b/stacks/resume/main.tf
@ -41,6 +41,9 @@ module "tls_secret" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/rybbit/main.tf
+++ b/stacks/rybbit/main.tf
@ -25,6 +25,9 @@ resource "kubernetes_namespace" "rybbit" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/servarr/aiostreams/main.tf
+++ b/stacks/servarr/aiostreams/main.tf
@ -185,6 +185,9 @@ resource "kubernetes_service" "aiostreams" {
 }

 resource "kubernetes_manifest" "probe_secrets" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/servarr/main.tf
+++ b/stacks/servarr/main.tf
@ -5,6 +5,9 @@ variable "tls_secret_name" {
 variable "nfs_server" { type = string }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/shadowsocks/main.tf
+++ b/stacks/shadowsocks/main.tf
@ -21,6 +21,9 @@ resource "kubernetes_namespace" "shadowsocks" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/speedtest/main.tf
+++ b/stacks/speedtest/main.tf
@ -20,6 +20,9 @@ resource "kubernetes_namespace" "speedtest" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/stem95su/gdrive-sync.tf
+++ b/stacks/stem95su/gdrive-sync.tf
@ -16,6 +16,9 @@
 # `secret/stem95su.rclone_conf`. A failed run surfaces as a failed Job.

 resource "kubernetes_manifest" "rclone_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/t3-afk/main.tf
+++ b/stacks/t3-afk/main.tf
@ -58,6 +58,9 @@ resource "kubernetes_namespace" "t3_afk" {
 # (wired into ~/.gitconfig insteadOf rewrites in the container command).

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/tandoor/main.tf
+++ b/stacks/tandoor/main.tf
@ -22,6 +22,9 @@ resource "kubernetes_namespace" "tandoor" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/technitium/modules/technitium/main.tf
+++ b/stacks/technitium/modules/technitium/main.tf
@ -419,6 +419,9 @@ module "ingress" {

 # ExternalSecret for Technitium MySQL password (Vault auto-rotation)
 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/trading-bot/main.tf
+++ b/stacks/trading-bot/main.tf
@ -49,6 +49,9 @@ module "tls_secret" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -103,6 +106,9 @@ resource "kubernetes_manifest" "external_secret" {

 # DB credentials from Vault database engine (rotated every 24h)
 resource "kubernetes_manifest" "db_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/tripit/main.tf
+++ b/stacks/tripit/main.tf
@ -215,6 +215,9 @@ resource "kubernetes_namespace" "tripit" {
 # Schema in CNPG: `tripit` (alembic creates tables on first migrate).
 # DB user: created via Vault database engine — see static-creds/pg-tripit.
 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -291,6 +294,9 @@ resource "kubernetes_manifest" "external_secret" {
 # Pre-req in dbaas: CNPG cluster has DB `tripit`, role `tripit`, and Vault
 # role `static-creds/pg-tripit`.
 resource "kubernetes_manifest" "db_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/tuya-bridge/main.tf
+++ b/stacks/tuya-bridge/main.tf
@ -14,6 +14,9 @@ resource "kubernetes_namespace" "tuya-bridge" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/url/main.tf
+++ b/stacks/url/main.tf
@ -35,6 +35,9 @@ resource "kubernetes_namespace" "shlink" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -67,6 +70,9 @@ resource "kubernetes_manifest" "external_secret" {
 # the deployment is migrated to use env_from with this secret, the plan-time
 # kubernetes_secret can be removed.
 resource "kubernetes_manifest" "db_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/wealthfolio/main.tf
+++ b/stacks/wealthfolio/main.tf
@ -21,6 +21,9 @@ resource "kubernetes_namespace" "wealthfolio" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -51,6 +54,9 @@ resource "kubernetes_manifest" "external_secret" {
 # `pg-wealthfolio-sync` rotates this every 7 days; ExternalSecret refreshes
 # the K8s Secret every 15m so the sidecar always has a valid password.
 resource "kubernetes_manifest" "wealthfolio_sync_db_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
@ -777,6 +783,9 @@ resource "kubernetes_cron_job_v1" "wealthfolio_sync" {
 # below references it as $__env{WEALTH_PG_PASSWORD}. Reloader restarts
 # Grafana whenever ESO updates this secret (every 7d on rotation).
 resource "kubernetes_manifest" "grafana_wealth_db_external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/webhook_handler/main.tf
+++ b/stacks/webhook_handler/main.tf
@ -291,6 +291,9 @@ module "ingress" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/woodpecker/main.tf
+++ b/stacks/woodpecker/main.tf
@ -63,6 +63,9 @@ module "tls_secret" {
 }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"
--- a/stacks/ytdlp/main.tf
+++ b/stacks/ytdlp/main.tf
@ -6,6 +6,9 @@ variable "slack_channel" { type = string }
 variable "nfs_server" { type = string }

 resource "kubernetes_manifest" "external_secret" {
+  field_manager {
+    force_conflicts = true
+  }
  manifest = {
    apiVersion = "external-secrets.io/v1"
    kind       = "ExternalSecret"