gitops: adopt the ingress-nginx Helm release into GitOps in place (chart 4.15.1, owns the NLB) #22

@ausbru87

Goal

Adopt the live ingress-nginx Helm release into GitOps in place. This is the
highest-risk adoption: the controller Service owns the live internet-facing NLB
that every DNS alias (dev, auth, gitlab, *) points at. Plan:
docs/plans/gitops-adoption.md.

Source of truth

  • Chart ingress-nginx 4.15.1 (repo kubernetes.github.io/ingress-nginx).
  • Values: deploy/platform/ingress-nginx-values.yaml.
  • Namespace ingress-nginx; live revision v1; 2 controller replicas.

Tasks

  • Create an Argo Application (Helm source), unsynced first.
  • Render and diff. Hard gate: zero change to the controller Service .spec and its six service.beta.kubernetes.io/aws-load-balancer-* annotations (type=external, scheme=internet-facing, nlb-target-type=ip, backend-protocol=tcp, the ACM ssl-cert ARN, ssl-ports=443, cross-zone=true).
  • Add ignoreDifferences for the Service .status and any fields the AWS Load Balancer Controller mutates; set RespectIgnoreDifferences=true.
  • Sync with ServerSideApply=true, Replace=false. Never delete/recreate the Service (would provision a new NLB and break DNS).
  • Adopt after or together with the aws-load-balancer-controller release, which reconciles this NLB.
  • Keep the prior Helm release Secret until verified, then delete.

Landmines

  • A Service recreate re-provisions the NLB and breaks dev/auth/gitlab/* DNS.
  • Helm label collision on immutable selectors (mitigated by annotation tracking on the control plane).

Generated by Coder Agents.
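
Added example, not part of the issue or the project's code: one way to script the hard gate from the Tasks list, comparing the rendered controller Service against the live one before any sync. It assumes both objects are already loaded as JSON dicts and that fields present only on the live `.spec` are server-assigned; the function names and sample objects are constructed for illustration.

```python
LB_PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"


def subset_diff(want, have, path):
    """Yield paths where a field the rendered object sets differs on the live one."""
    # Live-only fields (clusterIP, nodePort) are server-assigned and skipped (assumption).
    if isinstance(want, dict) and isinstance(have, dict):
        for key, val in want.items():
            if key not in have:
                yield f"{path}.{key}: absent on live object"
            else:
                yield from subset_diff(val, have[key], f"{path}.{key}")
    elif isinstance(want, list) and isinstance(have, list) and len(want) == len(have):
        for i, (w, h) in enumerate(zip(want, have)):
            yield from subset_diff(w, h, f"{path}[{i}]")
    elif want != have:
        yield f"{path}: live={have!r} rendered={want!r}"


def lb_annotations(svc):
    """Return only the aws-load-balancer-* annotations of a Service object."""
    notes = svc.get("metadata", {}).get("annotations") or {}
    return {k: v for k, v in notes.items() if k.startswith(LB_PREFIX)}


def gate(live, rendered):
    """Return the list of violations; an empty list means zero change."""
    problems = list(subset_diff(rendered.get("spec", {}), live.get("spec", {}), ".spec"))
    live_a, rend_a = lb_annotations(live), lb_annotations(rendered)
    for key in sorted(set(live_a) | set(rend_a)):
        if live_a.get(key) != rend_a.get(key):
            problems.append(f"annotation {key}: live={live_a.get(key)!r} rendered={rend_a.get(key)!r}")
    return problems


# Constructed sample objects, not data from the cluster in the issue.
LIVE = {
    "metadata": {"annotations": {LB_PREFIX + "scheme": "internet-facing",
                                 LB_PREFIX + "nlb-target-type": "ip"}},
    "spec": {"type": "LoadBalancer", "clusterIP": "10.0.0.10",
             "ports": [{"name": "https", "port": 443, "nodePort": 31443}]},
}
RENDERED_SAME = {"metadata": {"annotations": dict(LIVE["metadata"]["annotations"])},
                 "spec": {"type": "LoadBalancer", "ports": [{"name": "https", "port": 443}]}}
RENDERED_DRIFT = {"metadata": {"annotations": {LB_PREFIX + "scheme": "internal"}},
                  "spec": {"type": "LoadBalancer", "ports": [{"name": "https", "port": 8443}]}}
```

`gate(LIVE, RENDERED_SAME)` returns an empty list, while `gate(LIVE, RENDERED_DRIFT)` reports the changed port, the dropped `nlb-target-type` annotation and the changed `scheme`; any non-empty result should block the sync.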
