gitops: adopt external-secrets + ClusterSecretStore/ExternalSecrets into GitOps (sync waves) #24

@ausbru87

Description

Goal

Adopt the external-secrets operator Helm release plus the ClusterSecretStore
and 9 ExternalSecret CRs into GitOps in place. Plan:
docs/plans/gitops-adoption.md.

Source of truth

  • Chart external-secrets 2.6.0 (repo external-secrets), namespace external-secrets, image from the ECR mirror.
  • Operator values: deploy/platform/external-secrets/values.yaml (installCRDs: true, crds.createClusterSecretStore: true).
  • CRs: deploy/platform/external-secrets/secretstore-and-externalsecrets.yaml (1 ClusterSecretStore + 9 ExternalSecrets; ASM is the source of truth; no secret material in git).

Tasks

  • Split ownership: one Application owns the operator + CRDs, a second Application owns the ClusterSecretStore + ExternalSecret CRs. Do not let two Applications both own the ClusterSecretStore (the chart can also create it).
  • Adopt CRDs with ServerSideApply=true.
  • Sync waves: operator + CRDs (wave 0) healthy before the CRs (wave 1); app Secrets exist before consuming apps (wave 2+).
  • Set Argo to ignore the ESO-managed target Secret data (ESO reconciles it from ASM out of band), so no spurious drift.
  • Render, diff (metadata-only), sync; keep the prior Helm release Secret until verified, then delete.
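To make the ownership split, wave ordering and drift handling concrete, here is an added example of the two Argo CD Application manifests (not taken from the repository or the plan document). It assumes an app-of-apps parent that honours the sync-wave annotations, an AppProject named platform, Argo CD running in the argocd namespace, and placeholder repo URLs for the chart repo and the GitOps git repo.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: external-secrets-operator   # wave 0: operator + CRDs only
  namespace: argocd                 # assumed Argo CD namespace
  annotations:
    argocd.argoproj.io/sync-wave: "0"
spec:
  project: platform                 # assumed AppProject
  sources:
    - repoURL: https://charts.external-secrets.io   # assumed chart repo URL
      chart: external-secrets
      targetRevision: 2.6.0
      helm:
        valueFiles:
          - $values/deploy/platform/external-secrets/values.yaml
    - repoURL: https://example.invalid/platform-gitops.git  # placeholder git repo
      targetRevision: main
      ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: external-secrets
  syncPolicy:
    syncOptions:
      - ServerSideApply=true        # adopt the pre-existing CRDs in place
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: external-secrets-config     # wave 1: ClusterSecretStore + 9 ExternalSecrets
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: platform
  source:
    repoURL: https://example.invalid/platform-gitops.git  # placeholder git repo
    targetRevision: main
    path: deploy/platform/external-secrets
    directory:
      include: secretstore-and-externalsecrets.yaml  # only the CRs; the chart never renders the store here
  destination:
    server: https://kubernetes.default.svc
    namespace: external-secrets
  ignoreDifferences:
    - group: ""
      kind: Secret
      jsonPointers:
        - /data                     # written by ESO from ASM out of band, not drift
```

Sync-wave annotations on Application objects only order them when a parent Application syncs both; standalone Applications must be synced operator first, then config, and the wave-2+ consumers follow the same pattern.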

Notes

This is the cleanest, lowest-risk adoption and a good early proof of the GitOps plumbing before touching the NLB-bearing workloads (docs/as-built/85-secrets-management.md).

Generated by Coder Agents.
