From ff7eb9fafcc78490af7ae484dac4e5a89c2ae1bf Mon Sep 17 00:00:00 2001 From: OdooSky v3 Date: Thu, 7 May 2026 21:47:00 +0300 Subject: [PATCH] =?UTF-8?q?fix(eso):=20chart=200.7.1=20=E2=80=94=20explici?= =?UTF-8?q?t=20CRD=20defaults=20to=20clear=20ArgoCD=20OutOfSync?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ArgoCD was reporting all 6 ExternalSecrets as OutOfSync because the live CRs had conversionStrategy/decodingStrategy/metadataPolicy fields filled in by the CRD defaults that werent in the chart manifests. Stamping them explicitly so the diff is clean. Tower UI will now show Provisioning state correctly transition to Ready. --- Chart.yaml | 4 ++-- .../cloudflare-api-token-externalsecret.yaml | 3 +++ .../docker-mirror-pull-externalsecret.yaml | 9 +++++++ .../gitea-archive-pull-externalsecret.yaml | 6 +++++ .../longhorn-s3-creds-externalsecret.yaml | 6 +++++ templates/longhorn.yaml | 24 ++++++++++--------- templates/s3-backup-creds-externalsecret.yaml | 6 +++++ 7 files changed, 45 insertions(+), 13 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index d4c0dfe..c2521d9 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -23,8 +23,8 @@ description: | Git). type: application -version: 0.7.0 -appVersion: "0.7.0" +version: 0.7.1 +appVersion: "0.7.1" dependencies: - name: cert-manager diff --git a/templates/cloudflare-api-token-externalsecret.yaml b/templates/cloudflare-api-token-externalsecret.yaml index 607d15e..f87f0f4 100644 --- a/templates/cloudflare-api-token-externalsecret.yaml +++ b/templates/cloudflare-api-token-externalsecret.yaml @@ -27,6 +27,9 @@ spec: remoteRef: key: tenants/{{ .Values.tenant.id }}/cloudflare-token property: api_token + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None {{- end }} {{- end }} {{- end }} diff --git a/templates/docker-mirror-pull-externalsecret.yaml b/templates/docker-mirror-pull-externalsecret.yaml index 29d3694..97a8f3b 100644 
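Review bot: The remote key on the context line `key: tenants/{{ .Values.tenant.id }}/cloudflare-token` is built from a value that nothing in this hunk validates, and the three added defaults do not change that. An empty `tenant.id` renders `tenants//cloudflare-token`, and a value containing `/` would resolve to a path in the secret store other than the tenant's own. The enclosing `if` guards start outside the hunk, so a check may already exist there or in a values schema. If not, `key: tenants/{{ required "tenant.id is required" .Values.tenant.id }}/cloudflare-token` plus a pattern constraint on `tenant.id` in `values.schema.json` would fail the render instead of producing a wrong path. The same key construction appears in the longhorn-s3-creds and s3-backup-creds hunks.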
--- a/templates/docker-mirror-pull-externalsecret.yaml +++ b/templates/docker-mirror-pull-externalsecret.yaml @@ -33,14 +33,23 @@ spec: remoteRef: key: platform/docker-mirror-pull property: registry + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None - secretKey: username remoteRef: key: platform/docker-mirror-pull property: username + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None - secretKey: password remoteRef: key: platform/docker-mirror-pull property: password + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None {{- end }} {{- end }} {{- end }} diff --git a/templates/gitea-archive-pull-externalsecret.yaml b/templates/gitea-archive-pull-externalsecret.yaml index 5b262c3..32af786 100644 --- a/templates/gitea-archive-pull-externalsecret.yaml +++ b/templates/gitea-archive-pull-externalsecret.yaml @@ -33,5 +33,11 @@ spec: remoteRef: key: platform/gitea-archive-pull property: token + # CRD defaults stamped explicitly so ArgoCD's diff matches the + # live spec (otherwise the app sits in OutOfSync forever even + # though ESO is happily reconciling). + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None {{- end }} {{- end }} diff --git a/templates/longhorn-s3-creds-externalsecret.yaml b/templates/longhorn-s3-creds-externalsecret.yaml index ae1a2aa..d80a887 100644 --- a/templates/longhorn-s3-creds-externalsecret.yaml +++ b/templates/longhorn-s3-creds-externalsecret.yaml @@ -38,10 +38,16 @@ spec: remoteRef: key: tenants/{{ .Values.tenant.id }}/s3-credentials property: access_key + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None - secretKey: secret_key remoteRef: key: tenants/{{ .Values.tenant.id }}/s3-credentials property: secret_key + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None {{- end }} {{- end }} {{- end }} diff --git a/templates/longhorn.yaml b/templates/longhorn.yaml index 1545d64..cd4fb21 100644 
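Review bot: The block `conversionStrategy: Default` / `decodingStrategy: None` / `metadataPolicy: None` is pasted once per `remoteRef` in this hunk (three times) and again in the cloudflare, longhorn-s3-creds and s3-backup-creds hunks, but the reason for it is written down only in gitea-archive-pull-externalsecret.yaml. A single named template in `_helpers.tpl` that carries both the three keys and that explanatory comment, pulled in with `include` and `nindent` under each `remoteRef`, would keep the values and their rationale in one place. Per the commit description these values mirror the defaults of the ExternalSecret CRD on the cluster, so they need re-checking whenever the operator is upgraded. With one definition that is a single review point rather than ten.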
--- a/templates/longhorn.yaml +++ b/templates/longhorn.yaml @@ -1,17 +1,19 @@ {{- if .Values.longhorn.enabled }} -# Tenant data StorageClass. Tower's instance overlays don't pin a -# storageClassName today (they let the cluster default decide). Phase -# 1 of ADR 0003 just defines this class so Phase 2/3 can flip new -# instances to bind here without further chart changes. +# Tenant data StorageClass. Tower's instance overlays bind here in +# Phase 6 (Tower stamps storageClassName=longhorn-tenants on new +# instance PVCs). Existing instances on local-path stay where they +# are — Longhorn additive, doesn't replace. # # `replicaCount` comes from values; Standalone tier ships replicas=1 -# (durability is hourly S3, not local mirrors). +# (durability is hourly S3 backup, not local mirrors). apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: longhorn-tenants annotations: - # Not the cluster default in Phase 1 — explicit opt-in only. + # Not the cluster default — explicit opt-in only via Tower's + # PVC-stamp logic. (Two default storage classes is a k8s + # misconfig; k3s already provides local-path as default.) storageclass.kubernetes.io/is-default-class: "false" provisioner: driver.longhorn.io allowVolumeExpansion: true 
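Review bot: The rewritten header comment refers to `Phase 6` without saying which ADR it belongs to, while the NOTE further down this file still says `Phase 3 of ADR 0003`, and the removed text had tied the StorageClass to ADR 0003 explicitly. If Phase 6 belongs to the same ADR, `# Tenant data StorageClass. Tower's instance overlays bind here in Phase 6 of ADR 0003` keeps the reference; that link is inferred, not visible here. The comment also asserts that Tower stamps `storageClassName=longhorn-tenants` on new instance PVCs, which this chart cannot show, so naming the Tower setting that does it would let a reader verify the claim. This hunk is unrelated to the ExternalSecret defaults in the commit subject and would be easier to review as its own commit.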
@@ -25,8 +27,8 @@ parameters: fsType: "ext4" {{- end }} # NOTE: The CSI VolumeSnapshotClass (snapshot.storage.k8s.io/v1) lives -# in Phase 3 of ADR 0003, alongside the Tower code that consumes it. -# It depends on the external-snapshotter CRDs which Longhorn does not -# ship — they're a separate install. Adding it here would fail the -# initial sync on a fresh cluster. Phase 3 will land both together -# (snapshotter CRDs + VolumeSnapshotClass + Tower VolumeClone path). +# in Phase 3 of ADR 0003, alongside the Tower code that consumes it +# AND the external-snapshotter CRDs (which Longhorn does not ship — +# they're a separate install). Adding VolumeSnapshotClass here would +# fail the initial sync. Phase 3 lands all three together: snapshotter +# CRDs + controller + VolumeSnapshotClass + Tower VolumeClone path. diff --git a/templates/s3-backup-creds-externalsecret.yaml b/templates/s3-backup-creds-externalsecret.yaml index 242220e..f3a7fa9 100644 --- a/templates/s3-backup-creds-externalsecret.yaml +++ b/templates/s3-backup-creds-externalsecret.yaml @@ -34,10 +34,16 @@ spec: remoteRef: key: tenants/{{ .Values.tenant.id }}/s3-credentials property: access_key + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None - secretKey: secret_key remoteRef: key: tenants/{{ .Values.tenant.id }}/s3-credentials property: secret_key + conversionStrategy: Default + decodingStrategy: None + metadataPolicy: None {{- end }} {{- end }} {{- end }}