ArgoCD was reporting all 6 ExternalSecrets as OutOfSync because the
live CRs had conversionStrategy/decodingStrategy/metadataPolicy fields
filled in by the CRD defaults that weren't in the chart manifests.
Stamping them explicitly so the diff is clean. Tower UI will now show
Provisioning state correctly transition to Ready.

Phase 2 of Item #9. Adds ExternalSecret manifests for:
- docker-mirror-pull (×2 namespaces, dockerconfigjson template)
- cloudflare-api-token-<slug> (per-tenant, gated on tenant.id+slug)
- s3-backup-creds (per-tenant, in tenants ns)
- longhorn-s3-creds (per-tenant, gated on tenant.s3Endpoint)
New helm values: tenant.id, tenant.slug, tenant.s3Endpoint. Tower must
pass these per-cluster (next ship). All manifests gated on
externalSecrets.enabled + mountPath set + tenant.id set, so old apps
without the new params remain on the legacy Tower-stamped path until
the operator opts them in.