feat(chart): rip out pg dual-mode shim — ESO-only (0.1.8)

A-Chunk 3 finalisation. All live instances are migrated to ESO,
and Tower 0.77.2 makes the migrate + template-deploy paths also
emit ESO-shape overlays (wizard always has). The
`{{- if not .Values.postgres.passwordVaultPath }}` shim in
postgres-secret.yaml has zero remaining production callers.

Changes:
  - DELETE templates/postgres-secret.yaml (dual-mode legacy path)
  - DELETE _helpers.tpl `instance.pgPassword` (only consumed by
    postgres-secret.yaml; no other callers)
  - UNWRAP templates/postgres-password-externalsecret.yaml — the
    outer `{{- if .Values.postgres.passwordVaultPath }}` conditional
    is removed; the template now renders unconditionally and the
    chart's `required` directive on tenant.id is the new boundary
    (chart render fails loud if Tower forgot to populate it)
  - SIMPLIFY values.yaml — drop the legacy `postgres.password` field
    and the dual-mode documentation. `passwordVaultPath` stays as an
    operator-visible advisory string but the chart hardcodes the
    path shape from tenant.id + instance.code

Chart 0.1.7 → 0.1.8. helm template + helm lint verified locally;
helm template with tenant.id missing fails loud with a clear
error pointing the operator at the chart line + the source of the
missing value.

The live instances (erp/erp18v3/v19) carry tenant.id + passwordVaultPath
in their overlays already; this chart version produces the same
manifests for them on next ArgoCD reconcile — no observable change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

templates/_helpers.tpl

@@ -89,19 +89,3 @@ upgrading to Medium for capacity it doesn't need.
 {{- end -}}
 {{- end -}}
 
-{{/*
-Postgres password. Looks up the existing Secret on upgrades; uses
-.Values.postgres.password if set; otherwise generates a 32-char
-random string on first install. The lookup ensures `helm upgrade`
-does NOT silently rotate the password.
-*/}}
-{{- define "instance.pgPassword" -}}
-{{- $existing := lookup "v1" "Secret" .Release.Namespace (printf "%s-pg" .Values.instance.code) -}}
-{{- if and $existing $existing.data $existing.data.POSTGRES_PASSWORD -}}
-{{- index $existing.data "POSTGRES_PASSWORD" | b64dec -}}
-{{- else if .Values.postgres.password -}}
-{{- .Values.postgres.password -}}
-{{- else -}}
-{{- randAlphaNum 32 -}}
-{{- end -}}
-{{- end -}}

templates/postgres-password-externalsecret.yaml

@@ -1,17 +1,18 @@
-{{- if .Values.postgres.passwordVaultPath }}
 # postgres-password-externalsecret.yaml — per-instance Postgres password
-# sourced from OpenBao via ESO. Produces the same `<release>-pg` Secret
-# shape (POSTGRES_USER + POSTGRES_PASSWORD + POSTGRES_DB) that the legacy
-# postgres-secret.yaml produces, so postgres-statefulset.yaml is unchanged.
+# sourced from OpenBao via ESO. Produces the `<release>-pg` Secret
+# (POSTGRES_USER + POSTGRES_PASSWORD + POSTGRES_DB) consumed by
+# postgres-statefulset.yaml's envFrom.
 #
-# Rendered only when `.Values.postgres.passwordVaultPath` is set. The
-# legacy postgres-secret.yaml renders when that field is empty —
-# exactly one of the two ships per instance. Tower-managed migration
-# in Chunk 3 flips overlays from the legacy path to this one.
+# Single source of truth for pg password lifecycle. The chart had a
+# dual-mode shim (legacy postgres-secret.yaml gated by an empty
+# passwordVaultPath) through Chunks 1-3 of the A-OpenBao migration;
+# rip-out lands in 0.1.8 after all live instances + every Tower
+# create path (wizard / migrate / template-deploy) generate overlays
+# that carry tenant.id + postgres.passwordVaultPath.
 #
 # OpenBao path convention: `tenants/<tenantID>/instances/<code>/pg`
 # with a `password` field. Covered by the per-cluster ESO policy
-# `eso-tenant-<cluster>` (buildEsoPolicy in Go) which already grants
+# `eso-tenant-<cluster>` (buildEsoPolicy in Go) which grants
 # read on `v3/data/tenants/<tenantID>/*`. No policy change required.
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
@@ -48,4 +49,3 @@ spec:
         conversionStrategy: Default
         decodingStrategy: None
         metadataPolicy: None
-{{- end }}

templates/postgres-secret.yaml

@@ -1,20 +0,0 @@
-{{- if not .Values.postgres.passwordVaultPath }}
-# Legacy postgres-secret.yaml — chart-rendered Secret carrying
-# POSTGRES_USER/PASSWORD/DB for the postgres StatefulSet. Used when
-# `.Values.postgres.passwordVaultPath` is empty (the pre-ESO path).
-# When that field is set, postgres-password-externalsecret.yaml
-# renders an ExternalSecret producing the same Secret name + shape
-# from OpenBao instead, and this template skips. Exactly one of the
-# two ships per instance.
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "instance.fullname" . }}-pg
-  labels:
-    {{- include "instance.labels" . | nindent 4 }}
-type: Opaque
-stringData:
-  POSTGRES_USER: {{ .Values.postgres.user | quote }}
-  POSTGRES_PASSWORD: {{ include "instance.pgPassword" . | quote }}
-  POSTGRES_DB: {{ .Values.postgres.database | quote }}
-{{- end }}