diff --git a/Chart.yaml b/Chart.yaml
index 81a1b63..ddcc086 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -5,7 +5,7 @@ description: |
   Variation between instances is expressed via values.yaml only. No chart variants. No string-templating in Tower.
 type: application
-version: 0.1.7
+version: 0.1.8
 appVersion: "1.0"
 keywords:
   - odoo
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 8972a74..62e5afd 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -89,19 +89,3 @@ upgrading to Medium for capacity it doesn't need.
 {{- end -}}
 {{- end -}}
 
-{{/*
-Postgres password. Looks up the existing Secret on upgrades; uses
-.Values.postgres.password if set; otherwise generates a 32-char
-random string on first install. The lookup ensures `helm upgrade`
-does NOT silently rotate the password.
-*/}}
-{{- define "instance.pgPassword" -}}
-{{- $existing := lookup "v1" "Secret" .Release.Namespace (printf "%s-pg" .Values.instance.code) -}}
-{{- if and $existing $existing.data $existing.data.POSTGRES_PASSWORD -}}
-{{- index $existing.data "POSTGRES_PASSWORD" | b64dec -}}
-{{- else if .Values.postgres.password -}}
-{{- .Values.postgres.password -}}
-{{- else -}}
-{{- randAlphaNum 32 -}}
-{{- end -}}
-{{- end -}}
diff --git a/templates/postgres-password-externalsecret.yaml b/templates/postgres-password-externalsecret.yaml
index 1231a95..f984540 100644
--- a/templates/postgres-password-externalsecret.yaml
+++ b/templates/postgres-password-externalsecret.yaml
@@ -1,17 +1,18 @@
-{{- if .Values.postgres.passwordVaultPath }}
 # postgres-password-externalsecret.yaml — per-instance Postgres password
-# sourced from OpenBao via ESO. Produces the same `-pg` Secret
-# shape (POSTGRES_USER + POSTGRES_PASSWORD + POSTGRES_DB) that the legacy
-# postgres-secret.yaml produces, so postgres-statefulset.yaml is unchanged.
+# sourced from OpenBao via ESO. Produces the `-pg` Secret
+# (POSTGRES_USER + POSTGRES_PASSWORD + POSTGRES_DB) consumed by
+# postgres-statefulset.yaml's envFrom.
 #
-# Rendered only when `.Values.postgres.passwordVaultPath` is set. The
-# legacy postgres-secret.yaml renders when that field is empty —
-# exactly one of the two ships per instance. Tower-managed migration
-# in Chunk 3 flips overlays from the legacy path to this one.
+# Single source of truth for pg password lifecycle. The chart had a
+# dual-mode shim (legacy postgres-secret.yaml gated by an empty
+# passwordVaultPath) through Chunks 1-3 of the A-OpenBao migration;
+# rip-out lands in 0.1.8 after all live instances + every Tower
+# create path (wizard / migrate / template-deploy) generate overlays
+# that carry tenant.id + postgres.passwordVaultPath.
 #
 # OpenBao path convention: `tenants//instances//pg`
 # with a `password` field. Covered by the per-cluster ESO policy
-# `eso-tenant-` (buildEsoPolicy in Go) which already grants
+# `eso-tenant-` (buildEsoPolicy in Go) which grants
 # read on `v3/data/tenants//*`. No policy change required.
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
@@ -48,4 +49,3 @@ spec:
       conversionStrategy: Default
       decodingStrategy: None
       metadataPolicy: None
-{{- end }}
diff --git a/templates/postgres-secret.yaml b/templates/postgres-secret.yaml
deleted file mode 100644
index f0d3277..0000000
--- a/templates/postgres-secret.yaml
+++ /dev/null
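Review bot: Dropping the `{{- if .Values.postgres.passwordVaultPath }}` guard at the top of the hunk removes the chart's only fallback, and the new header states as fact that every live instance already has an OpenBao entry — that is a deployment precondition the chart cannot verify. For an instance whose OpenBao key does not exist yet, this upgrade deletes the chart-rendered `-pg` Secret (postgres-secret.yaml is removed in the same commit) while the new ExternalSecret cannot sync, so the StatefulSet's envFrom would point at a missing Secret; and even when it does sync, the value ESO writes has to be the password the database was initialised with, since as I understand the official image only applies POSTGRES_PASSWORD at initdb and a rotated Secret does not rotate the role. I'd state both in the header instead of the migration history: `# Precondition for 0.1.8: the OpenBao entry for this instance must already exist and hold the password the database was initialised with; the chart no longer renders a fallback Secret.` The rest of the ExternalSecret (lines 18-47) is outside this diff, so I could not check whether a `required` on `tenant.id` is present there, as the values.yaml comment in this commit claims.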
@@ -1,20 +0,0 @@
-{{- if not .Values.postgres.passwordVaultPath }}
-# Legacy postgres-secret.yaml — chart-rendered Secret carrying
-# POSTGRES_USER/PASSWORD/DB for the postgres StatefulSet. Used when
-# `.Values.postgres.passwordVaultPath` is empty (the pre-ESO path).
-# When that field is set, postgres-password-externalsecret.yaml
-# renders an ExternalSecret producing the same Secret name + shape
-# from OpenBao instead, and this template skips. Exactly one of the
-# two ships per instance.
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "instance.fullname" . }}-pg
-  labels:
-    {{- include "instance.labels" . | nindent 4 }}
-type: Opaque
-stringData:
-  POSTGRES_USER: {{ .Values.postgres.user | quote }}
-  POSTGRES_PASSWORD: {{ include "instance.pgPassword" . | quote }}
-  POSTGRES_DB: {{ .Values.postgres.database | quote }}
-{{- end }}
diff --git a/values.yaml b/values.yaml
index a3ea57c..97e2c25 100644
--- a/values.yaml
+++ b/values.yaml
@@ -17,10 +17,12 @@ instance:
   # `instance.size: medium` (etc); they don't have to know the numbers.
   size: small
 
-# tenant — owning tenant identity. Currently only required when
-# postgres.passwordVaultPath is set (the ESO path needs to know which
-# tenant subtree to read from OpenBao). Tower writes `tenant.id` into
-# every new overlay; legacy overlays without ESO leave this empty.
+# tenant — owning tenant identity. Required: the chart's ExternalSecret
+# constructs `tenants//instances//pg` from
+# this value. Tower writes it into every overlay (wizard create,
+# bundle-migrate, template-deploy). The `required` directive in
+# templates/postgres-password-externalsecret.yaml fails loud at chart
+# render time if it's missing.
 tenant:
   id: ""
 
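Review bot: The rewritten comment calls `tenant.id` required, but the default right below it stays `id: ""`, so the only enforcement is the `required` call the comment attributes to templates/postgres-password-externalsecret.yaml — and neither hunk of that file in this diff shows it, so I'd confirm it is really there before relying on it. If it is, quote its actual error message in this comment so an operator who hits it at render time finds this explanation. If the chart ships a values.schema.json, adding `minLength: 1` for `tenant.id` would make the requirement fail at `helm lint` and `helm template` time as well, independent of any one template.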
@@ -164,30 +166,13 @@ postgres:
   tag: "16-alpine"
   user: odoo
   database: postgres
-  # If empty, the chart auto-generates on first install and re-reads
-  # the existing Secret on subsequent upgrades (lookup pattern).
-  # Ignored when `passwordVaultPath` is set — ESO sources the password
-  # from OpenBao instead.
-  password: ""
-  # passwordVaultPath — when set, the chart renders an ExternalSecret
-  # pulling the password from OpenBao at
-  # `tenants//instances//pg` (field
-  # `password`). The legacy postgres-secret.yaml template is gated
-  # off; the ExternalSecret produces the same `-pg` Secret
-  # shape so postgres-statefulset.yaml is unchanged.
-  #
-  # When empty (default), the chart falls back to the legacy
-  # postgres-secret.yaml path using `.password` above. Tower sets
-  # this field on every new instance starting v0.77; pre-v0.77
-  # instances stay on the legacy path until migrated by the one-shot
-  # tool (Chunk 3 of A-OpenBao).
-  #
-  # The actual path resolution is hardcoded in the
-  # postgres-password-externalsecret.yaml template; this field is
-  # the on/off toggle. Setting it to any non-empty value is
-  # equivalent ("use ESO for this instance"); the path string itself
-  # is currently advisory (it's the OpenBao subtree the operator can
-  # `bao kv list` to find the password).
+  # passwordVaultPath — operator-visible advisory string carrying the
+  # OpenBao path Tower wrote the password to. Tower sets this on every
+  # overlay (it's how the operator runs `bao kv get` if they need to
+  # rotate the password manually). The chart's
+  # postgres-password-externalsecret.yaml template hardcodes the same
+  # path shape — this field is informational, not load-bearing for
+  # ExternalSecret resolution.
   passwordVaultPath: ""
   # externalSecretsStoreRef — ClusterSecretStore name the
   # ExternalSecret references. Provisioned by cluster-platform-v3
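Review bot: Removing `password: ""` means any overlay that still sets `postgres.password` is silently ignored — Helm does not reject unknown values, the helper that consumed it (`instance.pgPassword`) is deleted in this commit, and the operator keeps a plaintext credential in git that nothing reads while believing it is in effect. I'd fail the render instead of ignoring it, in the ExternalSecret template or a dedicated validation template: `{{- if .Values.postgres.password }}{{ fail "postgres.password is no longer consumed; the password lives in OpenBao at postgres.passwordVaultPath" }}{{- end }}`, or a values.schema.json that forbids the key. Separately, the new comment's manual-rotation hint (`bao kv get` ... "rotate the password manually") should say that changing the OpenBao value rotates the `-pg` Secret but not the role inside an already-initialised Postgres — as I understand the official image only applies POSTGRES_PASSWORD at initdb; the StatefulSet is outside this diff, so confirm how it consumes the Secret before wording that.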