Fix ESO API versions and add CRDs app

- Update ClusterSecretStore to use v1 API (not v1beta1)
- Update devpi ExternalSecret to use v1 API
- Add external-secrets-crds app to install CRDs with ServerSideApply
  (Helm chart CRDs are auto-generated during packaging, not in raw git)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

argocd/apps/external-secrets-crds.yaml

@@ -0,0 +1,28 @@
+# External Secrets Operator CRDs
+#
+# CRDs are installed separately because:
+# 1. They need ServerSideApply due to large annotation sizes
+# 2. The Helm chart's CRDs are auto-generated during packaging (not in raw git)
+# 3. CRDs should exist before the operator starts
+#
+# Must be synced BEFORE external-secrets operator app.
+#
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: external-secrets-crds
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/external-secrets.git
+    targetRevision: helm-chart-1.3.1
+    path: config/crds/bases
+    directory:
+      exclude: 'kustomization.yaml'
+  destination:
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    syncOptions:
+      - ServerSideApply=true
+      - CreateNamespace=false

argocd/manifests/devpi/external-secret.yaml

@@ -5,7 +5,7 @@
 # 1Password item: "devpi" in blumeops vault
 # Field: "root password"
 #
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: devpi-root

argocd/manifests/external-secrets/cluster-secret-store.yaml

@@ -3,7 +3,7 @@
 # Provides cluster-wide access to the blumeops vault via 1Password Connect.
 # ExternalSecret resources in any namespace can reference this store.
 #
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
   name: onepassword-blumeops