fix(base): remove dangerous helm release options

[sebastiancorrea81]

Summary

• Removes atomic, cleanup_on_fail, replace, force_update, and recreate_pods from the helm_release.base resource — all were set to true and could cause namespace/resource deletion on failed upgrades
• Removes options that were explicitly set to their Helm provider defaults (create_namespace, disable_webhooks, wait, reuse_values), reducing noise and making intentional deviations explicit
• Retains only options that meaningfully differ from defaults: wait_for_jobs, timeout, reset_values, dependency_update, max_history

Root cause

With atomic = true + cleanup_on_fail = true + replace = true, a failed helm upgrade would:

1. Delete newly created resources (cleanup_on_fail)
2. Trigger automatic rollback (atomic)
3. If rollback failed, purge the entire release (replace)

This caused namespaces and chart-managed resources to be deleted on upgrade failures.

Test plan

• tofu plan shows 0 to destroy on upgrade
• tofu apply with changed values shows ~ update in-place only, no destroys
• Failed upgrade (metrics-server timeout in minikube) left all namespaces and pods intact
• Subsequent upgrade after failure recovered cleanly (failed → deployed) with 0 destroyed

🤖 Generated with Claude Code