gitops: adopt the coder Helm release into GitOps in place (chart 2.34.0)

[ausbru87]

Goal

Adopt the live, CLI-installed coder Helm release into GitOps in place (the
running control plane keeps serving; the GitOps controller adopts it without a
recreate). Plan: docs/plans/gitops-adoption.md.

Source of truth

• Chart coder 2.34.0 (repo helm.coder.com/v2), app v2.34.0.
• Values: deploy/coder/values.yaml (already matches the live release).
• Namespace coder; live revisions v1..v4.

Tasks

• Create an Argo Application (Helm source) pointing at deploy/coder/values.yaml, unsynced first.
• Confirm the GitOps control plane uses annotation resource tracking (argocd.argoproj.io/tracking-id) so app.kubernetes.io/instance on immutable selectors is never mutated.
• Render and diff: helm template coder ... --version 2.34.0 -n coder -f deploy/coder/values.yaml then kubectl diff. Accept only metadata diffs (managed-by flip, tracking annotation, removal of meta.helm.sh/*). Block on any change to image tag, replicas, the coder SA Bedrock IRSA annotation, or env.
• Freeze the seed-once AI Gateway provider env block. Editing a seeded CODER_AI_GATEWAY_PROVIDER_* value or the coder-ai secret trips the drift guard and coderd refuses to start (docs/as-built/30-coder-control-plane.md). Manage providers through the DB/API instead (see the Coder API app-state issue).
• Sync with ServerSideApply=true, Replace=false.
• Keep the prior sh.helm.release.v1.coder.* Secrets until verified, then delete.

Out of scope

License, appearance banner, and IdP sync are Coder DB/API state, tracked in the Coder API app-state issue, not here.

Landmines

• AI provider seed-once drift guard (above).
• Helm label collision on immutable selectors (mitigated by annotation tracking).

Generated by Coder Agents.