feat(chart): rip out pg dual-mode shim — ESO-only (0.1.8)

A-Chunk 3 finalisation. All live instances are migrated to ESO,
and Tower 0.77.2 makes the migrate + template-deploy paths also
emit ESO-shape overlays (wizard always has). The
`{{- if not .Values.postgres.passwordVaultPath }}` shim in
postgres-secret.yaml has zero remaining production callers.

Changes:
  - DELETE templates/postgres-secret.yaml (dual-mode legacy path)
  - DELETE _helpers.tpl `instance.pgPassword` (only consumed by
    postgres-secret.yaml; no other callers)
  - UNWRAP templates/postgres-password-externalsecret.yaml — the
    outer `{{- if .Values.postgres.passwordVaultPath }}` conditional
    is removed; the template now renders unconditionally and the
    chart's `required` directive on tenant.id is the new boundary
    (chart render fails loud if Tower forgot to populate it)
  - SIMPLIFY values.yaml — drop the legacy `postgres.password` field
    and the dual-mode documentation. `passwordVaultPath` stays as an
    operator-visible advisory string but the chart hardcodes the
    path shape from tenant.id + instance.code

Chart 0.1.7 → 0.1.8. helm template + helm lint verified locally;
helm template with tenant.id missing fails loud with a clear
error pointing the operator at the chart line + the source of the
missing value.

The live instances (erp/erp18v3/v19) carry tenant.id + passwordVaultPath
in their overlays already; this chart version produces the same
manifests for them on next ArgoCD reconcile — no observable change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Chart.yaml

@@ -5,7 +5,7 @@ description: |
   Variation between instances is expressed via values.yaml only.
   No chart variants. No string-templating in Tower.
 type: application
-version: 0.1.7
+version: 0.1.8
 appVersion: "1.0"
 keywords:
   - odoo

templates/_helpers.tpl

@@ -89,19 +89,3 @@ upgrading to Medium for capacity it doesn't need.
 {{- end -}}
 {{- end -}}
 
-{{/*
-Postgres password. Looks up the existing Secret on upgrades; uses
-.Values.postgres.password if set; otherwise generates a 32-char
-random string on first install. The lookup ensures `helm upgrade`
-does NOT silently rotate the password.
-*/}}
-{{- define "instance.pgPassword" -}}
-{{- $existing := lookup "v1" "Secret" .Release.Namespace (printf "%s-pg" .Values.instance.code) -}}
-{{- if and $existing $existing.data $existing.data.POSTGRES_PASSWORD -}}
-{{- index $existing.data "POSTGRES_PASSWORD" | b64dec -}}
-{{- else if .Values.postgres.password -}}
-{{- .Values.postgres.password -}}
-{{- else -}}
-{{- randAlphaNum 32 -}}
-{{- end -}}
-{{- end -}}

templates/postgres-password-externalsecret.yaml

@@ -1,17 +1,18 @@
-{{- if .Values.postgres.passwordVaultPath }}
 # postgres-password-externalsecret.yaml — per-instance Postgres password
-# sourced from OpenBao via ESO. Produces the same `<release>-pg` Secret
+# sourced from OpenBao via ESO. Produces the `<release>-pg` Secret
-# shape (POSTGRES_USER + POSTGRES_PASSWORD + POSTGRES_DB) that the legacy
+# (POSTGRES_USER + POSTGRES_PASSWORD + POSTGRES_DB) consumed by
-# postgres-secret.yaml produces, so postgres-statefulset.yaml is unchanged.
+# postgres-statefulset.yaml's envFrom.
 #
-# Rendered only when `.Values.postgres.passwordVaultPath` is set. The
+# Single source of truth for pg password lifecycle. The chart had a
-# legacy postgres-secret.yaml renders when that field is empty —
+# dual-mode shim (legacy postgres-secret.yaml gated by an empty
-# exactly one of the two ships per instance. Tower-managed migration
+# passwordVaultPath) through Chunks 1-3 of the A-OpenBao migration;
-# in Chunk 3 flips overlays from the legacy path to this one.
+# rip-out lands in 0.1.8 after all live instances + every Tower
+# create path (wizard / migrate / template-deploy) generate overlays
+# that carry tenant.id + postgres.passwordVaultPath.
 #
 # OpenBao path convention: `tenants/<tenantID>/instances/<code>/pg`
 # with a `password` field. Covered by the per-cluster ESO policy
-# `eso-tenant-<cluster>` (buildEsoPolicy in Go) which already grants
+# `eso-tenant-<cluster>` (buildEsoPolicy in Go) which grants
 # read on `v3/data/tenants/<tenantID>/*`. No policy change required.
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
@@ -48,4 +49,3 @@ spec:
         conversionStrategy: Default
         decodingStrategy: None
         metadataPolicy: None
-{{- end }}

templates/postgres-secret.yaml

@@ -1,20 +0,0 @@
-{{- if not .Values.postgres.passwordVaultPath }}
-# Legacy postgres-secret.yaml — chart-rendered Secret carrying
-# POSTGRES_USER/PASSWORD/DB for the postgres StatefulSet. Used when
-# `.Values.postgres.passwordVaultPath` is empty (the pre-ESO path).
-# When that field is set, postgres-password-externalsecret.yaml
-# renders an ExternalSecret producing the same Secret name + shape
-# from OpenBao instead, and this template skips. Exactly one of the
-# two ships per instance.
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "instance.fullname" . }}-pg
-  labels:
-    {{- include "instance.labels" . | nindent 4 }}
-type: Opaque
-stringData:
-  POSTGRES_USER: {{ .Values.postgres.user | quote }}
-  POSTGRES_PASSWORD: {{ include "instance.pgPassword" . | quote }}
-  POSTGRES_DB: {{ .Values.postgres.database | quote }}
-{{- end }}

values.yaml

@@ -17,10 +17,12 @@ instance:
   # `instance.size: medium` (etc); they don't have to know the numbers.
   size: small
 
-# tenant — owning tenant identity. Currently only required when
+# tenant — owning tenant identity. Required: the chart's ExternalSecret
-# postgres.passwordVaultPath is set (the ESO path needs to know which
+# constructs `tenants/<tenant.id>/instances/<instance.code>/pg` from
-# tenant subtree to read from OpenBao). Tower writes `tenant.id` into
+# this value. Tower writes it into every overlay (wizard create,
-# every new overlay; legacy overlays without ESO leave this empty.
+# bundle-migrate, template-deploy). The `required` directive in
+# templates/postgres-password-externalsecret.yaml fails loud at chart
+# render time if it's missing.
 tenant:
   id: ""
 
@@ -164,30 +166,13 @@ postgres:
   tag: "16-alpine"
   user: odoo
   database: postgres
-  # If empty, the chart auto-generates on first install and re-reads
+  # passwordVaultPath — operator-visible advisory string carrying the
-  # the existing Secret on subsequent upgrades (lookup pattern).
+  # OpenBao path Tower wrote the password to. Tower sets this on every
-  # Ignored when `passwordVaultPath` is set — ESO sources the password
+  # overlay (it's how the operator runs `bao kv get` if they need to
-  # from OpenBao instead.
+  # rotate the password manually). The chart's
-  password: ""
+  # postgres-password-externalsecret.yaml template hardcodes the same
-  # passwordVaultPath — when set, the chart renders an ExternalSecret
+  # path shape — this field is informational, not load-bearing for
-  # pulling the password from OpenBao at
+  # ExternalSecret resolution.
-  # `tenants/<tenant.id>/instances/<instance.code>/pg` (field
-  # `password`). The legacy postgres-secret.yaml template is gated
-  # off; the ExternalSecret produces the same `<release>-pg` Secret
-  # shape so postgres-statefulset.yaml is unchanged.
-  #
-  # When empty (default), the chart falls back to the legacy
-  # postgres-secret.yaml path using `.password` above. Tower sets
-  # this field on every new instance starting v0.77; pre-v0.77
-  # instances stay on the legacy path until migrated by the one-shot
-  # tool (Chunk 3 of A-OpenBao).
-  #
-  # The actual path resolution is hardcoded in the
-  # postgres-password-externalsecret.yaml template; this field is
-  # the on/off toggle. Setting it to any non-empty value is
-  # equivalent ("use ESO for this instance"); the path string itself
-  # is currently advisory (it's the OpenBao subtree the operator can
-  # `bao kv list` to find the password).
   passwordVaultPath: ""
   # externalSecretsStoreRef — ClusterSecretStore name the
   # ExternalSecret references. Provisioned by cluster-platform-v3