Merge remote-tracking branch 'origin/master'

eso: Phase 1 — climb chart 0.12.1 -> 0.16.2 (transition version) + atomic
First half of the ESO 0.12->2.6 migration (docs/plans/2026-06-21-eso-0.12-to-2.x-migration-design.md), clearing the LAST k8s-1.35 compat-gate blocker. Stepped one minor at a time on k8s 1.34 (no k8s interleave — cluster already on 1.34, ESO bands are conservative tested ranges not hard limits): 0.12.1 -> 0.13.0 -> 0.14.4 -> 0.15.1 -> 0.16.2. Each hop applied + verified: controller healthy, all 108 live ExternalSecrets stayed SecretSynced (2 pre-existing dead — instagram-poster, payslip-ingest — missing Vault data, untouched). Added atomic=true + timeout=600 (ESO had no rollback safety net). 0.16.2 serves BOTH v1beta1 AND v1 (storedVersions now ["v1beta1","v1"]) — the safe window to rewrite all 104 CRs to v1 (Phase 2) before 0.17 removes v1beta1. State auto-committed per hop by scripts/tg (Tier-0 SOPS). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 20:41:35 +00:00 · 2026-06-21 20:41:30 +00:00 · 2026-06-21 20:41:10 +00:00 · 2026-06-21 20:39:45 +00:00 · 2026-06-21 20:38:34 +00:00 · 2026-06-21 20:36:37 +00:00
2 changed files with 1904 additions and 1589 deletions
--- a/stacks/external-secrets/main.tf
+++ b/stacks/external-secrets/main.tf
@ -17,7 +17,14 @@ resource "helm_release" "external_secrets" {
  namespace  = kubernetes_namespace.external_secrets.metadata[0].name
  repository = "https://charts.external-secrets.io"
  chart      = "external-secrets"
-  version    = "0.12.1"
+  # ESO 0.12->2.6 migration (2026-06-21, docs/plans/2026-06-21-eso-0.12-to-2.x-migration-design.md).
+  # Stepped one minor at a time on k8s 1.34; rewrite all 104 CRs v1beta1->v1 at 0.16.2 before 0.17.
+  version = "0.16.2"
+
+  # Added for the migration: auto-rollback a failed hop's helm upgrade (ESO had no
+  # rollback safety net) and wait for the controller Deployment to be Ready first.
+  atomic  = true
+  timeout = 600

  values = [yamlencode({
    installCRDs = true
--- a/state/stacks/external-secrets/terraform.tfstate.enc
+++ b/state/stacks/external-secrets/terraform.tfstate.enc
Author	SHA1	Message	Date
Viktor Barzin	ac27e41fde	Merge remote-tracking branch 'origin/master' All checks were successful ci/woodpecker/push/default Pipeline was successful Details	2026-06-21 20:41:35 +00:00
Viktor Barzin	296deda3b4	eso: Phase 1 — climb chart 0.12.1 -> 0.16.2 (transition version) + atomic First half of the ESO 0.12->2.6 migration (docs/plans/2026-06-21-eso-0.12-to-2.x-migration-design.md), clearing the LAST k8s-1.35 compat-gate blocker. Stepped one minor at a time on k8s 1.34 (no k8s interleave — cluster already on 1.34, ESO bands are conservative tested ranges not hard limits): 0.12.1 -> 0.13.0 -> 0.14.4 -> 0.15.1 -> 0.16.2. Each hop applied + verified: controller healthy, all 108 live ExternalSecrets stayed SecretSynced (2 pre-existing dead — instagram-poster, payslip-ingest — missing Vault data, untouched). Added atomic=true + timeout=600 (ESO had no rollback safety net). 0.16.2 serves BOTH v1beta1 AND v1 (storedVersions now ["v1beta1","v1"]) — the safe window to rewrite all 104 CRs to v1 (Phase 2) before 0.17 removes v1beta1. State auto-committed per hop by scripts/tg (Tier-0 SOPS). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-21 20:41:30 +00:00
Viktor Barzin	0cd59d2c55	state(external-secrets): update encrypted state	2026-06-21 20:41:10 +00:00
Viktor Barzin	b8612e788d	state(external-secrets): update encrypted state	2026-06-21 20:39:45 +00:00
Viktor Barzin	877e5c73b2	state(external-secrets): update encrypted state	2026-06-21 20:38:34 +00:00
Viktor Barzin	8e6eff03dd	state(external-secrets): update encrypted state	2026-06-21 20:36:37 +00:00