From ebc8b6588f148741df6a048c2b7e472a684fd39a Mon Sep 17 00:00:00 2001 
From: Viktor Barzin
Date: Thu, 25 Jun 2026 21:28:11 +0000
Subject: [PATCH] ESO: add force_conflicts to all ExternalSecret manifests (fleet sweep)
The 2026-06-22 external-secrets v1 migration made the ESO controller the server-side-apply owner of .spec.refreshInterval on every ExternalSecret, so any stack defining one via kubernetes_manifest fails `terraform apply` with a field-manager conflict the next time it's applied (instagram-poster + grafana hit this on 2026-06-24; it was latent across the whole fleet). Add field_manager { force_conflicts = true } to all 101 remaining ExternalSecret manifests across 70 stacks, matching the fix already on grafana / woodpecker / traefik / k8s-version-upgrade / instagram-poster. TF and ESO set the same value, so it's stable (no perpetual drift). Defuses the landmine before each stack's next apply trips it.
Co-Authored-By: Claude Opus 4.8
---
stacks/actualbudget/main.tf | 3 +++
stacks/affine/main.tf | 6 ++++++
stacks/authentik/email-secret.tf | 3 +++
stacks/beads-server/main.tf | 3 +++
stacks/broker-sync/main.tf | 3 +++
stacks/changedetection/main.tf | 3 +++
stacks/chrome-service/main.tf | 3 +++
stacks/ci-pipeline-health/main.tf | 3 +++
stacks/claude-agent-service/main.tf | 3 +++
stacks/claude-breakglass/main.tf | 6 ++++++
stacks/claude-memory/main.tf | 6 ++++++
stacks/coturn/main.tf | 3 +++
stacks/dawarich/main.tf | 3 +++
stacks/diun/main.tf | 3 +++
stacks/ebooks/main.tf | 9 +++++++++
stacks/f1-stream/main.tf | 6 ++++++
stacks/fire-planner/main.tf | 15 +++++++++++++++
stacks/forgejo/email-secret.tf | 3 +++
stacks/freedify/main.tf | 3 +++
stacks/freshrss/main.tf | 3 +++
stacks/goldmane-edge-aggregator/main.tf | 6 ++++++
stacks/grampsweb/main.tf | 3 +++
stacks/hackmd/main.tf | 3 +++
stacks/health/main.tf | 6 ++++++
stacks/hermes-agent/main.tf | 3 +++
stacks/immich/main.tf | 3 +++
stacks/insta2spotify/main.tf | 3 +++
stacks/job-hunter/main.tf | 9 +++++++++
stacks/k8s-dashboard/oauth2_proxy.tf | 3 +++
stacks/kms/main.tf | 3 +++
stacks/linkwarden/main.tf | 6 ++++++
stacks/mailserver/modules/mailserver/main.tf | 3 +++
stacks/matrix/main.tf | 3 +++
stacks/n8n/main.tf | 9 +++++++++
stacks/navidrome/main.tf | 3 +++
stacks/netbox/main.tf | 3 +++
stacks/nextcloud-todos/main.tf | 6 ++++++
stacks/nextcloud/main.tf | 6 ++++++
stacks/novelapp/main.tf | 3 +++
stacks/onlyoffice/main.tf | 3 +++
stacks/openclaw/main.tf | 3 +++
stacks/owntracks/main.tf | 3 +++
stacks/paperless-ai/main.tf | 3 +++
stacks/paperless-mcp/main.tf | 3 +++
stacks/paperless-ngx/main.tf | 3 +++
stacks/payslip-ingest/main.tf | 9 +++++++++
stacks/phpipam/main.tf | 9 +++++++++
stacks/plotting-book/main.tf | 3 +++
stacks/postiz/modules/postiz/main.tf | 3 +++
stacks/proxmox-csi/modules/proxmox-csi/main.tf | 3 +++
stacks/real-estate-crawler/main.tf | 9 +++++++++
stacks/recruiter-responder/main.tf | 6 ++++++
stacks/resume/main.tf | 3 +++
stacks/rybbit/main.tf | 3 +++
stacks/servarr/aiostreams/main.tf | 3 +++
stacks/servarr/main.tf | 3 +++
stacks/shadowsocks/main.tf | 3 +++
stacks/speedtest/main.tf | 3 +++
stacks/stem95su/gdrive-sync.tf | 3 +++
stacks/t3-afk/main.tf | 3 +++
stacks/tandoor/main.tf | 3 +++
stacks/technitium/modules/technitium/main.tf | 3 +++
stacks/trading-bot/main.tf | 6 ++++++
stacks/tripit/main.tf | 6 ++++++
stacks/tuya-bridge/main.tf | 3 +++
stacks/url/main.tf | 6 ++++++
stacks/wealthfolio/main.tf | 9 +++++++++
stacks/webhook_handler/main.tf | 3 +++
stacks/woodpecker/main.tf | 3 +++
stacks/ytdlp/main.tf | 3 +++
70 files changed, 303 insertions(+)
diff --git a/stacks/actualbudget/main.tf b/stacks/actualbudget/main.tf
index 33012033..13da68a8 100644
--- a/stacks/actualbudget/main.tf
+++ b/stacks/actualbudget/main.tf
@@ -5,6 +5,9 @@ variable "tls_secret_name" { variable "nfs_server" { type = string } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
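Review bot: `force_conflicts = true` in the new field_manager block (and the identical block in every other hunk of this patch) disables server-side-apply conflict detection for every field of the ExternalSecret, not only the `.spec.refreshInterval` ownership the commit message describes, so any later out-of-band change by ESO, an admission controller or an operator's `kubectl` edit is silently overwritten on the next apply instead of surfacing as an error. A narrower fix is to stop pinning the contested field from Terraform, i.e. drop `refreshInterval` from the manifest so ESO alone owns it, or check whether listing it in the provider's `computed_fields` keeps it out of the applied patch; either keeps conflict reporting for the rest of the object. If the blanket override is kept, record why on the block, e.g. `# ESO v1 owns .spec.refreshInterval via SSA; force past the field-manager conflict (2026-06-22 migration)`, so a future cleanup does not remove it and re-trip the apply. The resource body continues beyond the hunk.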
diff --git a/stacks/affine/main.tf b/stacks/affine/main.tf
index bc63381c..10a94ad7 100644
--- a/stacks/affine/main.tf
+++ b/stacks/affine/main.tf
@@ -5,6 +5,9 @@ variable "tls_secret_name" { variable "nfs_server" { type = string } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -42,6 +45,9 @@ data "kubernetes_secret" "eso_secrets" { # DB credentials from Vault database engine (rotated automatically) # Provides DATABASE_URL that auto-updates when password rotates resource "kubernetes_manifest" "db_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/authentik/email-secret.tf b/stacks/authentik/email-secret.tf
index b3a7f201..87be65d4 100644
--- a/stacks/authentik/email-secret.tf
+++ b/stacks/authentik/email-secret.tf
@@ -6,6 +6,9 @@ # are non-secret and live in values.yaml. The reloader annotation rolls the # authentik pods if the password ever changes. resource "kubernetes_manifest" "authentik_email_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/beads-server/main.tf b/stacks/beads-server/main.tf
index 5b71373e..eebed876 100644
--- a/stacks/beads-server/main.tf
+++ b/stacks/beads-server/main.tf
@@ -601,6 +601,9 @@ resource "kubernetes_config_map" "beadboard_config" { # Pulls the claude-agent-service bearer token from Vault so BeadBoard can # dispatch agent jobs via the in-cluster HTTP API. resource "kubernetes_manifest" "beadboard_agent_service_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/broker-sync/main.tf b/stacks/broker-sync/main.tf
index 2de168a1..76d822d8 100644
--- a/stacks/broker-sync/main.tf
+++ b/stacks/broker-sync/main.tf
@@ -28,6 +28,9 @@ resource "kubernetes_namespace" "broker_sync" { # trading212_api_keys — JSON array of {account_id, account_type, api_key, name, currency} # imap_host, imap_user, imap_password, imap_directory — for InvestEngine + Schwab email ingest resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/changedetection/main.tf b/stacks/changedetection/main.tf
index ee203e7b..319ebcf1 100644
--- a/stacks/changedetection/main.tf
+++ b/stacks/changedetection/main.tf
@@ -19,6 +19,9 @@ resource "kubernetes_namespace" "changedetection" { } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/chrome-service/main.tf b/stacks/chrome-service/main.tf
index 2f679c00..37f82c01 100644
--- a/stacks/chrome-service/main.tf
+++ b/stacks/chrome-service/main.tf
@@ -41,6 +41,9 @@ resource "kubernetes_namespace" "chrome_service" { # --- Secrets (single-key extract: api_bearer_token) --- resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/ci-pipeline-health/main.tf b/stacks/ci-pipeline-health/main.tf
index 17378f84..44aacbec 100644
--- a/stacks/ci-pipeline-health/main.tf
+++ b/stacks/ci-pipeline-health/main.tf
@@ -49,6 +49,9 @@ resource "kubernetes_namespace" "ci_pipeline_health" { # billing on PRIVATE mirrors, which a future scoped read:packages rotation of # the alias could not do. Blast radius = this single-CronJob namespace. resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/claude-agent-service/main.tf b/stacks/claude-agent-service/main.tf
index 9f8b6478..a039f699 100644
--- a/stacks/claude-agent-service/main.tf
+++ b/stacks/claude-agent-service/main.tf
@@ -38,6 +38,9 @@ resource "kubernetes_namespace" "claude_agent" { # --- Secrets --- resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/claude-breakglass/main.tf b/stacks/claude-breakglass/main.tf
index 6b996b9e..ca700945 100644
--- a/stacks/claude-breakglass/main.tf
+++ b/stacks/claude-breakglass/main.tf
@@ -57,6 +57,9 @@ resource "kubernetes_service_account" "breakglass" { # DENIED this path (see stacks/vault/main.tf) so the shared, prompt-injectable # pod can never read it. resource "kubernetes_manifest" "external_secret_ssh" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -82,6 +85,9 @@ resource "kubernetes_manifest" "external_secret_ssh" { # Env secrets: the Anthropic OAuth token (shared with claude-agent-service — # same account) and the app bearer token (in-cluster/CLI fallback caller auth). resource "kubernetes_manifest" "external_secret_env" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/claude-memory/main.tf b/stacks/claude-memory/main.tf
index 18c21fe5..fad08b42 100644
--- a/stacks/claude-memory/main.tf
+++ b/stacks/claude-memory/main.tf
@@ -29,6 +29,9 @@ resource "kubernetes_namespace" "claude-memory" { } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -57,6 +60,9 @@ resource "kubernetes_manifest" "external_secret" { # DB credentials from Vault database engine (rotated every 24h) resource "kubernetes_manifest" "db_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/coturn/main.tf b/stacks/coturn/main.tf
index caeb9a66..9ab23e5d 100644
--- a/stacks/coturn/main.tf
+++ b/stacks/coturn/main.tf
@@ -5,6 +5,9 @@ variable "tls_secret_name" { variable "public_ip" { type = string } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/dawarich/main.tf b/stacks/dawarich/main.tf
index 2432e9c3..3eeb1540 100644
--- a/stacks/dawarich/main.tf
+++ b/stacks/dawarich/main.tf
@@ -23,6 +23,9 @@ resource "kubernetes_namespace" "dawarich" { } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/diun/main.tf b/stacks/diun/main.tf
index 9933f064..81294806 100644
--- a/stacks/diun/main.tf
+++ b/stacks/diun/main.tf
@@ -20,6 +20,9 @@ resource "kubernetes_namespace" "diun" { } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/ebooks/main.tf b/stacks/ebooks/main.tf
index a5754590..0813b45a 100644
--- a/stacks/ebooks/main.tf
+++ b/stacks/ebooks/main.tf
@@ -20,6 +20,9 @@ resource "kubernetes_namespace" "ebooks" { # ExternalSecrets for all three sources resource "kubernetes_manifest" "calibre_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -47,6 +50,9 @@ resource "kubernetes_manifest" "calibre_external_secret" { } resource "kubernetes_manifest" "audiobookshelf_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -74,6 +80,9 @@ resource "kubernetes_manifest" "audiobookshelf_external_secret" { } resource "kubernetes_manifest" "servarr_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/f1-stream/main.tf b/stacks/f1-stream/main.tf
index a62ad01a..bcd66c7f 100644
--- a/stacks/f1-stream/main.tf
+++ b/stacks/f1-stream/main.tf
@@ -33,6 +33,9 @@ resource "kubernetes_namespace" "f1-stream" { } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -62,6 +65,9 @@ resource "kubernetes_manifest" "external_secret" { # Pull the chrome-service bearer token into this namespace as a separate # Secret so the verifier can reach the in-cluster Playwright pool. resource "kubernetes_manifest" "chrome_service_client_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/fire-planner/main.tf b/stacks/fire-planner/main.tf
index 21503a37..0cab541e 100644
--- a/stacks/fire-planner/main.tf
+++ b/stacks/fire-planner/main.tf
@@ -53,6 +53,9 @@ resource "kubernetes_namespace" "fire_planner" { # Seed before applying: # secret/fire-planner -> property `recompute_bearer_token` resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -115,6 +118,9 @@ resource "kubernetes_manifest" "external_secret" { # Template builds the asyncpg DSN consumed by the FastAPI app + CronJob # as DB_CONNECTION_STRING. resource "kubernetes_manifest" "db_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -159,6 +165,9 @@ resource "kubernetes_manifest" "db_external_secret" { # pg-sync sidecar populates `daily_account_valuation` etc. hourly; the # fire-planner ingest reads those tables via this role. resource "kubernetes_manifest" "wealthfolio_sync_db_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -661,6 +670,9 @@ variable "run_examples_bulk_ingest" { # Reddit OAuth creds pulled from Vault secret/viktor. resource "kubernetes_manifest" "external_secret_examples_reddit" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -701,6 +713,9 @@ resource "kubernetes_manifest" "external_secret_examples_reddit" { # claude-agent-service bearer pulled separately so its rotation cadence # is decoupled from the Reddit creds. resource "kubernetes_manifest" "external_secret_examples_claude" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/forgejo/email-secret.tf b/stacks/forgejo/email-secret.tf
index 034d45f2..d0e44c1c 100644
--- a/stacks/forgejo/email-secret.tf
+++ b/stacks/forgejo/email-secret.tf
@@ -6,6 +6,9 @@ # (stacks/authentik/email-secret.tf) — one credential, one rotation point. The # reloader annotation rolls the Forgejo pod if the password is ever rotated. resource "kubernetes_manifest" "forgejo_email_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/freedify/main.tf b/stacks/freedify/main.tf
index 3e2cf8b4..2f017003 100644
--- a/stacks/freedify/main.tf
+++ b/stacks/freedify/main.tf
@@ -3,6 +3,9 @@ variable "tls_secret_name" { sensitive = true } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/freshrss/main.tf b/stacks/freshrss/main.tf
index 31c5d20e..61e2122e 100644
--- a/stacks/freshrss/main.tf
+++ b/stacks/freshrss/main.tf
@@ -18,6 +18,9 @@ resource "kubernetes_namespace" "immich" { } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/goldmane-edge-aggregator/main.tf b/stacks/goldmane-edge-aggregator/main.tf
index 9d1e8cdd..04a5f28f 100644
--- a/stacks/goldmane-edge-aggregator/main.tf
+++ b/stacks/goldmane-edge-aggregator/main.tf
@@ -168,6 +168,9 @@ resource "kubernetes_job" "db_init" { # place in the CNPG connection allowlist are added in stacks/vault/main.tf # (see this stack's terragrunt.hcl note). remoteRef key: static-creds/pg-goldmane-edges. resource "kubernetes_manifest" "db_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -210,6 +213,9 @@ resource "kubernetes_manifest" "db_external_secret" { # into this namespace as SLACK_WEBHOOK_URL via an ExternalSecret (no new # webhook). The digest CronJob defaults to #security. resource "kubernetes_manifest" "slack_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/grampsweb/main.tf b/stacks/grampsweb/main.tf
index 2d434ec7..139c6595 100644
--- a/stacks/grampsweb/main.tf
+++ b/stacks/grampsweb/main.tf
@@ -5,6 +5,9 @@ variable "tls_secret_name" { variable "nfs_server" { type = string } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/hackmd/main.tf b/stacks/hackmd/main.tf
index bbe6db40..2e065c99 100644
--- a/stacks/hackmd/main.tf
+++ b/stacks/hackmd/main.tf
@@ -208,6 +208,9 @@ module "ingress" { } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/health/main.tf b/stacks/health/main.tf
index 36fd17d6..7baf5f9c 100644
--- a/stacks/health/main.tf
+++ b/stacks/health/main.tf
@@ -250,6 +250,9 @@ module "ingress_test" { } resource "kubernetes_manifest" "external_secret_db" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -284,6 +287,9 @@ resource "kubernetes_manifest" "external_secret_db" { } resource "kubernetes_manifest" "external_secret_kv" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/hermes-agent/main.tf b/stacks/hermes-agent/main.tf
index 1293d7a5..fff8578b 100644
--- a/stacks/hermes-agent/main.tf
+++ b/stacks/hermes-agent/main.tf
@@ -37,6 +37,9 @@ module "tls_secret" { # --- Secrets (ESO from Vault) --- resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/immich/main.tf b/stacks/immich/main.tf
index 3009be5e..809d6a2e 100644
--- a/stacks/immich/main.tf
+++ b/stacks/immich/main.tf
@@ -162,6 +162,9 @@ resource "kubernetes_resource_quota" "immich" { } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/insta2spotify/main.tf b/stacks/insta2spotify/main.tf
index 9770afd3..5e1cc4ef 100644
--- a/stacks/insta2spotify/main.tf
+++ b/stacks/insta2spotify/main.tf
@@ -20,6 +20,9 @@ resource "kubernetes_namespace" "insta2spotify" { } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/job-hunter/main.tf b/stacks/job-hunter/main.tf
index a008e83c..94927bf6 100644
--- a/stacks/job-hunter/main.tf
+++ b/stacks/job-hunter/main.tf
@@ -41,6 +41,9 @@ resource "kubernetes_namespace" "job_hunter" { # digest_to_address — where the weekly digest goes # digest_from_address — From: header for the digest resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -105,6 +108,9 @@ resource "kubernetes_manifest" "external_secret" { # DB credentials from Vault database engine (7-day rotation). # Template builds the asyncpg DSN consumed by the FastAPI app as DB_CONNECTION_STRING. resource "kubernetes_manifest" "db_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -325,6 +331,9 @@ resource "kubernetes_service" "job_hunter" { # references it as $__env{JOB_HUNTER_PG_PASSWORD}. Reloader restarts # Grafana whenever ESO updates this secret (every 7d on rotation). resource "kubernetes_manifest" "grafana_job_hunter_db_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/k8s-dashboard/oauth2_proxy.tf b/stacks/k8s-dashboard/oauth2_proxy.tf
index 5ed73793..032d5057 100644
--- a/stacks/k8s-dashboard/oauth2_proxy.tf
+++ b/stacks/k8s-dashboard/oauth2_proxy.tf
@@ -5,6 +5,9 @@ # ----------------------------------------------------------------------------- resource "kubernetes_manifest" "oauth2_proxy_externalsecret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/kms/main.tf b/stacks/kms/main.tf
index 59b691d6..ed9a704e 100644
--- a/stacks/kms/main.tf
+++ b/stacks/kms/main.tf
@@ -304,6 +304,9 @@ resource "kubernetes_config_map" "kms_slack_notifier" { } resource "kubernetes_manifest" "kms_slack_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/linkwarden/main.tf b/stacks/linkwarden/main.tf
index efae9c1f..d950163c 100644
--- a/stacks/linkwarden/main.tf
+++ b/stacks/linkwarden/main.tf
@@ -29,6 +29,9 @@ resource "kubernetes_namespace" "linkwarden" { } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -57,6 +60,9 @@ resource "kubernetes_manifest" "external_secret" { # DB credentials from Vault database engine (rotated every 24h) resource "kubernetes_manifest" "db_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/mailserver/modules/mailserver/main.tf b/stacks/mailserver/modules/mailserver/main.tf
index 7f134144..76a7a251 100644
--- a/stacks/mailserver/modules/mailserver/main.tf
+++ b/stacks/mailserver/modules/mailserver/main.tf
@@ -800,6 +800,9 @@ resource "kubernetes_service" "mailserver_proxy" { # `EMAIL_MONITOR_IMAP_PASSWORD` so the CronJob can consume them via a single # `env_from { secret_ref {} }` block. resource "kubernetes_manifest" "email_roundtrip_monitor_secrets" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/matrix/main.tf b/stacks/matrix/main.tf
index 38604917..1d0e434e 100644
--- a/stacks/matrix/main.tf
+++ b/stacks/matrix/main.tf
@@ -25,6 +25,9 @@ resource "kubernetes_namespace" "matrix" { # flipped to false. The token stays in Vault so registration can be re-opened # later (e.g. to add family) without regenerating it. resource "kubernetes_manifest" "secrets_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/n8n/main.tf b/stacks/n8n/main.tf
index 4f9b0921..5776fc61 100644
--- a/stacks/n8n/main.tf
+++ b/stacks/n8n/main.tf
@@ -26,6 +26,9 @@ resource "kubernetes_namespace" "n8n" { } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -53,6 +56,9 @@ resource "kubernetes_manifest" "external_secret" { } resource "kubernetes_manifest" "external_secret_claude_agent" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -84,6 +90,9 @@ resource "kubernetes_manifest" "external_secret_claude_agent" { # Shared secrets for the Immich → Telegram → Postiz Instagram pipeline. # Workflows in stacks/n8n/workflows/instagram-*.json reference these env vars. resource "kubernetes_manifest" "external_secret_instagram_pipeline" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/navidrome/main.tf b/stacks/navidrome/main.tf
index 5826b417..c8650290 100644
--- a/stacks/navidrome/main.tf
+++ b/stacks/navidrome/main.tf
@@ -19,6 +19,9 @@ resource "kubernetes_namespace" "navidrome" { } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/netbox/main.tf b/stacks/netbox/main.tf
index 7dbbe6cf..c32f0896 100644
--- a/stacks/netbox/main.tf
+++ b/stacks/netbox/main.tf
@@ -21,6 +21,9 @@ resource "kubernetes_namespace" "netbox" { } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/nextcloud-todos/main.tf b/stacks/nextcloud-todos/main.tf
index a299f29f..b857746e 100644
--- a/stacks/nextcloud-todos/main.tf
+++ b/stacks/nextcloud-todos/main.tf
@@ -58,6 +58,9 @@ resource "kubernetes_namespace" "nextcloud_todos" { # DB user: created in dbaas (null_resource.pg_nextcloud_todos_db); password # managed via the Vault database engine — see static-creds/pg-nextcloud-todos. resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -97,6 +100,9 @@ resource "kubernetes_manifest" "external_secret" { # Pre-req in dbaas: CNPG cluster has DB `nextcloud_todos`, role # `nextcloud_todos`, and Vault role `static-creds/pg-nextcloud-todos`. resource "kubernetes_manifest" "db_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/nextcloud/main.tf b/stacks/nextcloud/main.tf
index 40c4b7fa..cc764c96 100644
--- a/stacks/nextcloud/main.tf
+++ b/stacks/nextcloud/main.tf
@@ -125,6 +125,9 @@ resource "kubernetes_namespace" "nextcloud" { # other enrolled workload (immich, freshrss) — is both correct and drift-free. resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -154,6 +157,9 @@ resource "kubernetes_manifest" "external_secret" { # DB credentials from Vault database engine (rotated every 24h) # Nextcloud Helm chart reads password at runtime via existingSecret reference resource "kubernetes_manifest" "db_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/novelapp/main.tf b/stacks/novelapp/main.tf
index 454cedef..38676a24 100644
--- a/stacks/novelapp/main.tf
+++ b/stacks/novelapp/main.tf
@@ -4,6 +4,9 @@ variable "tls_secret_name" { } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/onlyoffice/main.tf b/stacks/onlyoffice/main.tf
index 7cacf149..54d1fa5a 100644
--- a/stacks/onlyoffice/main.tf
+++ b/stacks/onlyoffice/main.tf
@@ -24,6 +24,9 @@ resource "kubernetes_namespace" "onlyoffice" { } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/openclaw/main.tf b/stacks/openclaw/main.tf
index 6947f89e..d0ae2c93 100644
--- a/stacks/openclaw/main.tf
+++ b/stacks/openclaw/main.tf
@@ -37,6 +37,9 @@ module "tls_secret" { } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/owntracks/main.tf b/stacks/owntracks/main.tf
index 976b8714..5e9f5131 100644
--- a/stacks/owntracks/main.tf
+++ b/stacks/owntracks/main.tf
@@ -5,6 +5,9 @@ variable "tls_secret_name" { variable "nfs_server" { type = string } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/paperless-ai/main.tf b/stacks/paperless-ai/main.tf
index 3c9f8a75..c4414653 100644
--- a/stacks/paperless-ai/main.tf
+++ b/stacks/paperless-ai/main.tf
@@ -26,6 +26,9 @@ resource "kubernetes_namespace" "paperless_ai" { # api_key — M2M key between the Node UI and the Python RAG service. # custom_api_key — placeholder bearer for llama-swap (no auth, field required). resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/paperless-mcp/main.tf b/stacks/paperless-mcp/main.tf
index 851659fb..cbe3e049 100644
--- a/stacks/paperless-mcp/main.tf
+++ b/stacks/paperless-mcp/main.tf
@@ -28,6 +28,9 @@ resource "kubernetes_namespace" "paperless-mcp" { # Paperless API token (MCP -> paperless). Synced from Vault to a K8s Secret # by ESO; the pod reads it via secret_key_ref. resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/paperless-ngx/main.tf b/stacks/paperless-ngx/main.tf
index 46d7b9cb..569e3f52 100644
--- a/stacks/paperless-ngx/main.tf
+++ b/stacks/paperless-ngx/main.tf
@@ -34,6 +34,9 @@ resource "kubernetes_namespace" "paperless-ngx" { } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/payslip-ingest/main.tf b/stacks/payslip-ingest/main.tf
index ed911b53..85455be0 100644
--- a/stacks/payslip-ingest/main.tf
+++ b/stacks/payslip-ingest/main.tf
@@ -58,6 +58,9 @@ resource "kubernetes_namespace" "payslip_ingest" { # - `actualbudget_budget_sync_id` # (same as Viktor's sync_id) resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -133,6 +136,9 @@ resource "kubernetes_manifest" "external_secret" { # DB credentials from Vault database engine (rotated every 7 days). # Template builds the asyncpg DSN consumed by the FastAPI app as DB_CONNECTION_STRING. resource "kubernetes_manifest" "db_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -450,6 +456,9 @@ resource "kubernetes_cron_job_v1" "actualbudget_payroll_sync" { # references it as $__env{PAYSLIPS_PG_PASSWORD}. Reloader restarts # Grafana whenever ESO updates this secret (every 7d on rotation). resource "kubernetes_manifest" "grafana_payslips_db_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/phpipam/main.tf b/stacks/phpipam/main.tf
index 9a4622f2..0783924d 100644
--- a/stacks/phpipam/main.tf
+++ b/stacks/phpipam/main.tf
@@ -28,6 +28,9 @@ resource "kubernetes_namespace" "phpipam" { } resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -57,6 +60,9 @@ resource "kubernetes_manifest" "external_secret" { } resource "kubernetes_manifest" "external_secret_pfsense_ssh" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -86,6 +92,9 @@ resource "kubernetes_manifest" "external_secret_pfsense_ssh" {
 }
 resource "kubernetes_manifest" "external_secret_admin" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/plotting-book/main.tf b/stacks/plotting-book/main.tf
index 3b810ad5..bb1dfa1c 100644
--- a/stacks/plotting-book/main.tf
+++ b/stacks/plotting-book/main.tf
@@ -19,6 +19,9 @@ resource "kubernetes_namespace" "plotting-book" {
 }
 resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/postiz/modules/postiz/main.tf b/stacks/postiz/modules/postiz/main.tf
index 91a55649..60ef8655 100644
--- a/stacks/postiz/modules/postiz/main.tf
+++ b/stacks/postiz/modules/postiz/main.tf
@@ -72,6 +72,9 @@ resource "kubernetes_persistent_volume_claim" "uploads" {
 # Helm-owned Secret resource intact. The chart's deployment already wires
 # this Secret in via `envFrom: secretRef: postiz-secrets`.
 resource "kubernetes_manifest" "external_secret_jwt" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/proxmox-csi/modules/proxmox-csi/main.tf b/stacks/proxmox-csi/modules/proxmox-csi/main.tf
index 8ca6216f..2912c855 100644
--- a/stacks/proxmox-csi/modules/proxmox-csi/main.tf
+++ b/stacks/proxmox-csi/modules/proxmox-csi/main.tf
@@ -207,6 +207,9 @@ resource "kubernetes_cluster_role_binding" "pve_snapshot_admin" {
 # Creates K8s Secret "proxmox-csi-encryption" in kube-system from Vault KV.
 # Referenced by the proxmox-lvm-encrypted StorageClass for node-stage and node-expand.
 resource "kubernetes_manifest" "external_secret_encryption" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/real-estate-crawler/main.tf b/stacks/real-estate-crawler/main.tf
index 2b8d7cf5..a57bd771 100644
--- a/stacks/real-estate-crawler/main.tf
+++ b/stacks/real-estate-crawler/main.tf
@@ -7,6 +7,9 @@ variable "redis_host" { type = string }
 variable "mysql_host" { type = string }
 resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -36,6 +39,9 @@ resource "kubernetes_manifest" "external_secret" {
 # DB credentials from Vault database engine (rotated automatically)
 # Provides DB_CONNECTION_STRING that auto-updates when password rotates
 resource "kubernetes_manifest" "db_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -85,6 +91,9 @@ data "kubernetes_secret" "eso_secrets" {
 # fresh node would also fail. ESO renders the dockerconfigjson server-side
 # (Sprig `b64enc`) so the PAT never sits in K8s in cleartext.
 resource "kubernetes_manifest" "dockerhub_pull_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/recruiter-responder/main.tf b/stacks/recruiter-responder/main.tf
index e552ea46..c948992b 100644
--- a/stacks/recruiter-responder/main.tf
+++ b/stacks/recruiter-responder/main.tf
@@ -55,6 +55,9 @@ resource "kubernetes_namespace" "recruiter_responder" {
 # Schema in CNPG: `recruiter_responder` (alembic creates on first migrate).
 # DB user: created via Vault database engine — see static-creds/pg-recruiter-responder.
 resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -107,6 +110,9 @@ resource "kubernetes_manifest" "external_secret" {
 # Pre-req in dbaas: CNPG cluster has DB `recruiter_responder`, role
 # `recruiter_responder`, and Vault role `static-creds/pg-recruiter-responder`.
 resource "kubernetes_manifest" "db_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/resume/main.tf b/stacks/resume/main.tf
index 7b482655..eef7eea0 100644
--- a/stacks/resume/main.tf
+++ b/stacks/resume/main.tf
@@ -41,6 +41,9 @@ module "tls_secret" {
 }
 resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/rybbit/main.tf b/stacks/rybbit/main.tf
index f1053bc4..77228869 100644
--- a/stacks/rybbit/main.tf
+++ b/stacks/rybbit/main.tf
@@ -25,6 +25,9 @@ resource "kubernetes_namespace" "rybbit" {
 }
 resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/servarr/aiostreams/main.tf b/stacks/servarr/aiostreams/main.tf
index 05b60741..d0e6fd9c 100644
--- a/stacks/servarr/aiostreams/main.tf
+++ b/stacks/servarr/aiostreams/main.tf
@@ -185,6 +185,9 @@ resource "kubernetes_service" "aiostreams" {
 }
 resource "kubernetes_manifest" "probe_secrets" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/servarr/main.tf b/stacks/servarr/main.tf
index 6165afbf..04f1848c 100644
--- a/stacks/servarr/main.tf
+++ b/stacks/servarr/main.tf
@@ -5,6 +5,9 @@ variable "tls_secret_name" {
 variable "nfs_server" { type = string }
 resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/shadowsocks/main.tf b/stacks/shadowsocks/main.tf
index 9e1ca8eb..1545eb03 100644
--- a/stacks/shadowsocks/main.tf
+++ b/stacks/shadowsocks/main.tf
@@ -21,6 +21,9 @@ resource "kubernetes_namespace" "shadowsocks" {
 }
 resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/speedtest/main.tf b/stacks/speedtest/main.tf
index 167312b5..a1dc23b2 100644
--- a/stacks/speedtest/main.tf
+++ b/stacks/speedtest/main.tf
@@ -20,6 +20,9 @@ resource "kubernetes_namespace" "speedtest" {
 }
 resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/stem95su/gdrive-sync.tf b/stacks/stem95su/gdrive-sync.tf
index a10bcf84..9142c15c 100644
--- a/stacks/stem95su/gdrive-sync.tf
+++ b/stacks/stem95su/gdrive-sync.tf
@@ -16,6 +16,9 @@
 # `secret/stem95su.rclone_conf`. A failed run surfaces as a failed Job.
 resource "kubernetes_manifest" "rclone_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/t3-afk/main.tf b/stacks/t3-afk/main.tf
index a2f73a67..40585880 100644
--- a/stacks/t3-afk/main.tf
+++ b/stacks/t3-afk/main.tf
@@ -58,6 +58,9 @@ resource "kubernetes_namespace" "t3_afk" {
 # (wired into ~/.gitconfig insteadOf rewrites in the container command).
 resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/tandoor/main.tf b/stacks/tandoor/main.tf
index 5c08d440..dc60bb18 100644
--- a/stacks/tandoor/main.tf
+++ b/stacks/tandoor/main.tf
@@ -22,6 +22,9 @@ resource "kubernetes_namespace" "tandoor" {
 }
 resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/technitium/modules/technitium/main.tf b/stacks/technitium/modules/technitium/main.tf
index ef00506e..966d11f3 100644
--- a/stacks/technitium/modules/technitium/main.tf
+++ b/stacks/technitium/modules/technitium/main.tf
@@ -419,6 +419,9 @@ module "ingress" {
 # ExternalSecret for Technitium MySQL password (Vault auto-rotation)
 resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/trading-bot/main.tf b/stacks/trading-bot/main.tf
index 871269e0..a09fd0bc 100644
--- a/stacks/trading-bot/main.tf
+++ b/stacks/trading-bot/main.tf
@@ -49,6 +49,9 @@ module "tls_secret" {
 }
 resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -103,6 +106,9 @@ resource "kubernetes_manifest" "external_secret" {
 # DB credentials from Vault database engine (rotated every 24h)
 resource "kubernetes_manifest" "db_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/tripit/main.tf b/stacks/tripit/main.tf
index 1c8de495..e80427de 100644
--- a/stacks/tripit/main.tf
+++ b/stacks/tripit/main.tf
@@ -215,6 +215,9 @@ resource "kubernetes_namespace" "tripit" {
 # Schema in CNPG: `tripit` (alembic creates tables on first migrate).
 # DB user: created via Vault database engine — see static-creds/pg-tripit.
 resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -291,6 +294,9 @@ resource "kubernetes_manifest" "external_secret" {
 # Pre-req in dbaas: CNPG cluster has DB `tripit`, role `tripit`, and Vault
 # role `static-creds/pg-tripit`.
 resource "kubernetes_manifest" "db_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/tuya-bridge/main.tf b/stacks/tuya-bridge/main.tf
index f81d9f4a..cd67fd94 100644
--- a/stacks/tuya-bridge/main.tf
+++ b/stacks/tuya-bridge/main.tf
@@ -14,6 +14,9 @@ resource "kubernetes_namespace" "tuya-bridge" {
 }
 resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/url/main.tf b/stacks/url/main.tf
index d3c7a8f8..f7959808 100644
--- a/stacks/url/main.tf
+++ b/stacks/url/main.tf
@@ -35,6 +35,9 @@ resource "kubernetes_namespace" "shlink" {
 }
 resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -67,6 +70,9 @@ resource "kubernetes_manifest" "external_secret" {
 # the deployment is migrated to use env_from with this secret, the plan-time
 # kubernetes_secret can be removed.
 resource "kubernetes_manifest" "db_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/wealthfolio/main.tf b/stacks/wealthfolio/main.tf
index a291778e..1deb26fd 100644
--- a/stacks/wealthfolio/main.tf
+++ b/stacks/wealthfolio/main.tf
@@ -21,6 +21,9 @@ resource "kubernetes_namespace" "wealthfolio" {
 }
 resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -51,6 +54,9 @@ resource "kubernetes_manifest" "external_secret" {
 # `pg-wealthfolio-sync` rotates this every 7 days; ExternalSecret refreshes
 # the K8s Secret every 15m so the sidecar always has a valid password.
 resource "kubernetes_manifest" "wealthfolio_sync_db_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
@@ -777,6 +783,9 @@ resource "kubernetes_cron_job_v1" "wealthfolio_sync" {
 # below references it as $__env{WEALTH_PG_PASSWORD}. Reloader restarts
 # Grafana whenever ESO updates this secret (every 7d on rotation).
 resource "kubernetes_manifest" "grafana_wealth_db_external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/webhook_handler/main.tf b/stacks/webhook_handler/main.tf
index 8e5a22ab..8ab9c783 100644
--- a/stacks/webhook_handler/main.tf
+++ b/stacks/webhook_handler/main.tf
@@ -291,6 +291,9 @@ module "ingress" {
 }
 resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/woodpecker/main.tf b/stacks/woodpecker/main.tf
index ba84f9e4..49434ad9 100644
--- a/stacks/woodpecker/main.tf
+++ b/stacks/woodpecker/main.tf
@@ -63,6 +63,9 @@ module "tls_secret" {
 }
 resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"
diff --git a/stacks/ytdlp/main.tf b/stacks/ytdlp/main.tf
index bf19ce2a..e55707c8 100644
--- a/stacks/ytdlp/main.tf
+++ b/stacks/ytdlp/main.tf
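Review bot: The commit description lists woodpecker among the stacks that already carry this fix, yet the `stacks/woodpecker/main.tf` hunk here adds `field_manager { force_conflicts = true }` to its `external_secret` resource; presumably the earlier fix covered a different ExternalSecret in that stack, but it is worth confirming so the "101 remaining manifests" count and the description agree and nobody reading the history concludes this resource was handled twice. The `kubernetes_manifest` body continues outside the hunk, so the rest of the resource is not visible here.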
@@ -6,6 +6,9 @@ variable "slack_channel" { type = string }
 variable "nfs_server" { type = string }
 resource "kubernetes_manifest" "external_secret" {
+ field_manager {
+ force_conflicts = true
+ }
 manifest = {
 apiVersion = "external-secrets.io/v1"
 kind = "ExternalSecret"