diff --git a/argocd/apps/external-secrets-crds.yaml b/argocd/apps/external-secrets-crds.yaml
new file mode 100644
index 0000000..6f06954
--- /dev/null
+++ b/argocd/apps/external-secrets-crds.yaml
@@ -0,0 +1,28 @@
+# External Secrets Operator CRDs
+#
+# CRDs are installed separately because:
+# 1. They need ServerSideApply due to large annotation sizes
+# 2. The Helm chart's CRDs are auto-generated during packaging (not in raw git)
+# 3. CRDs should exist before the operator starts
+#
+# Must be synced BEFORE external-secrets operator app.
+#
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: external-secrets-crds
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/external-secrets.git
+    targetRevision: helm-chart-1.3.1
+    path: config/crds/bases
+    directory:
+      exclude: 'kustomization.yaml'
+  destination:
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    syncOptions:
+      - ServerSideApply=true
+      - CreateNamespace=false
diff --git a/argocd/manifests/devpi/external-secret.yaml b/argocd/manifests/devpi/external-secret.yaml
index 1f591c1..e50650d 100644
--- a/argocd/manifests/devpi/external-secret.yaml
+++ b/argocd/manifests/devpi/external-secret.yaml
@@ -5,7 +5,7 @@
 # 1Password item: "devpi" in blumeops vault
 # Field: "root password"
 #
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: devpi-root
diff --git a/argocd/manifests/external-secrets/cluster-secret-store.yaml b/argocd/manifests/external-secrets/cluster-secret-store.yaml
index 6661e77..f01ad75 100644
--- a/argocd/manifests/external-secrets/cluster-secret-store.yaml
+++ b/argocd/manifests/external-secrets/cluster-secret-store.yaml
@@ -3,7 +3,7 @@
 # Provides cluster-wide access to the blumeops vault via 1Password Connect.
 # ExternalSecret resources in any namespace can reference this store.
 #
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
   name: onepassword-blumeops