fix/ESO upgrade

Makefile

@@ -1,26 +1,5 @@
-.PHONY: default
-default: help
+# Generated by patternizer
+# This Makefile includes the common pattern targets from Makefile-common
+# You can add custom targets above or below the include line
 
-.PHONY: help
-##@ Pattern tasks
-
-# No need to add a comment here as help is described in common/
-help:
-	@make -f common/Makefile MAKEFILE_LIST="Makefile common/Makefile" help
-
-%:
-	make -f common/Makefile $*
-
-.PHONY: install
-install: operator-deploy post-install ## installs the pattern and loads the secrets
-	@echo "Installed"
-
-.PHONY: post-install
-post-install: ## Post-install tasks
-	make load-secrets
-	make vault-config-jwt
-	@echo "Done"
-
-.PHONY: test
-test:
-	@make -f common/Makefile PATTERN_OPTS="-f values-global.yaml -f values-hub.yaml" test
+include Makefile-common

Makefile-common

@@ -0,0 +1,54 @@
+MAKEFLAGS += --no-print-directory
+ANSIBLE_STDOUT_CALLBACK ?= null # null silences all ansible output. Override this with default, minimal, oneline, etc. when debugging.
+ANSIBLE_RUN := ANSIBLE_STDOUT_CALLBACK=$(ANSIBLE_STDOUT_CALLBACK) ansible-playbook $(EXTRA_PLAYBOOK_OPTS)
+DOCS_URL := https://validatedpatterns.io/blog/2025-08-29-new-common-makefile-structure/
+
+.PHONY: help
+help: ## Print this help message
+	@echo "For a complete guide to these targets and the available overrides, please visit $(DOCS_URL)"
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^(\s|[a-zA-Z_0-9-])+:.*?##/ { printf "  \033[36m%-35s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+##@ Pattern Install Tasks
+.PHONY: show
+show: ## Shows the template that would be applied by the `make install` target
+	@$(ANSIBLE_RUN) rhvp.cluster_utils.show
+
+.PHONY: operator-deploy
+operator-deploy operator-upgrade: ## Installs/updates the pattern on a cluster (DOES NOT load secrets)
+	@$(ANSIBLE_RUN) rhvp.cluster_utils.operator_deploy
+
+.PHONY: install
+install: pattern-install ## Installs the pattern onto a cluster (Loads secrets as well if configured)
+
+.PHONY: uninstall ## Prints a notice that patterns cannot currently be uninstalled
+uninstall:
+	@echo "Uninstall is not possible at the moment so this target is empty. We are working to implement it as well as we can."
+
+.PHONY: pattern-install
+pattern-install:
+	@$(ANSIBLE_RUN) rhvp.cluster_utils.install
+
+.PHONY: load-secrets
+load-secrets: ## Loads secrets onto the cluster (unless explicitly disabled in values-global.yaml)
+	@$(ANSIBLE_RUN) rhvp.cluster_utils.load_secrets
+
+##@ Validation Tasks
+.PHONY: validate-prereq
+validate-prereq: ## verify pre-requisites
+	@$(ANSIBLE_RUN) rhvp.cluster_utils.validate_prereq
+
+.PHONY: validate-origin
+validate-origin: ## verify the git origin is available
+	@$(ANSIBLE_RUN) rhvp.cluster_utils.validate_origin
+
+.PHONY: validate-cluster
+validate-cluster: ## Do some cluster validations before installing
+	@$(ANSIBLE_RUN) rhvp.cluster_utils.validate_cluster
+
+.PHONY: validate-schema
+validate-schema: ## validates values files against schema in common/clustergroup
+	@$(ANSIBLE_RUN) rhvp.cluster_utils.validate_schema
+
+.PHONY: argo-healthcheck
+argo-healthcheck: ## Checks if all argo applications are synced
+	@$(ANSIBLE_RUN) rhvp.cluster_utils.argo_healthcheck

ansible.cfg

@@ -1,6 +1,15 @@
 [defaults]
 localhost_warning=False
 retry_files_enabled=False
-library=~/.ansible/plugins/modules:./ansible/plugins/modules:./common/ansible/plugins/modules:/usr/share/ansible/plugins/modules
-roles_path=~/.ansible/roles:./ansible/roles:./common/ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
-filter_plugins=~/.ansible/plugins/filter:./ansible/plugins/filter:./common/ansible/plugins/filter:/usr/share/ansible/plugins/filter
+# Retry files disabled to avoid cluttering CI/CD environments
+interpreter_python=auto_silent
+timeout=30
+library=~/.ansible/plugins/modules:./ansible/plugins/modules:/usr/share/ansible/plugins/modules
+roles_path=~/.ansible/roles:./ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
+filter_plugins=~/.ansible/plugins/filter:./ansible/plugins/filter:/usr/share/ansible/plugins/filter
+# use the collections from the util. container,
+# change below if you want to test local collections
+collections_path=/usr/share/ansible/collections
+
+[inventory]
+inventory_unparsed_warning=False

charts/acm-managed-clusters/templates/acm-external-secrets.yaml

@@ -1,7 +1,7 @@
 {{- $clusters := .Values.acmManagedClusters.clusters | default list }}
 {{- range $clusters }}
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: kubeconfig-{{ .name }}

charts/acs-central/templates/central-htpasswd-external-secret.yaml

@@ -1,5 +1,5 @@
 {{- if and .Values.central.enabled .Values.central.adminPassword.useExternalSecret }}
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: central-htpasswd-external-secret

charts/acs-central/templates/jobs/create-auth-provider.yaml

@@ -8,6 +8,8 @@ metadata:
     {{- include "acs-central.labels" . | nindent 4 }}
   annotations:
     argocd.argoproj.io/sync-wave: "44"
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
 spec:
   template:
     metadata:

charts/acs-central/templates/jobs/create-cluster-init-bundle.yaml

@@ -15,6 +15,8 @@ metadata:
   annotations:
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
     argocd.argoproj.io/sync-wave: "43"
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
 spec:
   template:
     metadata:

charts/acs-central/templates/jobs/create-htpasswd-field.yaml

@@ -8,6 +8,9 @@ metadata:
     {{- include "acs-central.labels" . | nindent 4 }}
   annotations:
     argocd.argoproj.io/sync-wave: "37"
+    # Jobs are immutable; delete and recreate on each sync when spec changes
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
 spec:
   template:
     metadata:
@@ -34,7 +37,7 @@ spec:
 
               echo "🔄 Generating htpasswd entry for admin user..."
 
-              # Check if central-htpasswd secret already has valid htpasswd field
+              # Check if admin password secret already has valid htpasswd field
               if oc get secret {{ .Values.central.adminPassword.secretName }} -n {{ .Release.Namespace }} -o jsonpath='{.data.htpasswd}' 2>/dev/null | base64 -d | grep -q "^admin:\$2[aby]\$"; then
                 echo "✅ htpasswd entry already exists and is valid (bcrypt format)"
                 exit 0

charts/acs-central/templates/keycloak-client-secret-external-secret.yaml

@@ -1,5 +1,5 @@
 {{- if and .Values.central.enabled .Values.integration.keycloak.enabled }}
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: {{ .Values.integration.keycloak.clientSecret.secretName }}

charts/acs-central/values.yaml

@@ -20,7 +20,7 @@ central:
   adminPassword:
     # Use external secret from Vault
     useExternalSecret: true
-    secretName: central-htpasswd
+    secretName: central-admin-htpasswd
     secretKey: password
 
   # Image configuration
@@ -195,4 +195,4 @@ securityContext:
 # Node selector and tolerations
 nodeSelector: {}
 tolerations: []
-affinity: {}
+affinity: {}

charts/hello-coco/templates/pull-secret-external.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: pull-secret

charts/hello-coco/templates/pull-secret-store.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: SecretStore
 metadata:
   name: openshift-config

charts/qtodo/templates/oidc-client-secret-external-secret.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.app.oidc.clientSecret.enabled }}
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: {{ .Values.app.oidc.clientSecret.name }}

charts/qtodo/templates/postgresql-external-secret.yaml

@@ -1,4 +1,4 @@
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: qtodo-db-secret

charts/qtodo/templates/registry-external-secret.yaml

@@ -5,7 +5,7 @@
 {{- $regPasswordKey := .Values.app.images.main.registry.passwordVaultKey | default .Values.global.registry.passwordVaultKey }}
 {{- if $regAuth }}
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: {{ .Values.app.images.main.registry.secretName }}

charts/qtodo/templates/truststore-secret-external-secret.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.app.spire.enabled }}
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: qtodo-truststore-secret

charts/rhtpa-operator/templates/oidc-cli-secret.yaml

@@ -1,6 +1,6 @@
 {{- if .Values.rhtpa.zeroTrust.oidc.enabled }}
 ---
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: {{ .Values.rhtpa.zeroTrust.oidc.clients.cli.secretName | default "rhtpa-oidc-cli-secret" }}

charts/rhtpa-operator/templates/postgresql-external-secret.yaml

@@ -1,6 +1,6 @@
 {{- if .Values.rhtpa.database.create }}
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: rhtpa-db-secret

charts/supply-chain/templates/secrets/qtodo-quay-pass.yaml

@@ -7,7 +7,7 @@
 */}}
 {{- if eq .Values.quay.enabled true }}
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: qtodo-quay-password

charts/supply-chain/templates/secrets/qtodo-registry-auth.yaml

@@ -13,7 +13,7 @@
 {{- $regPasswordKey := .Values.registry.passwordVaultKey | default .Values.global.registry.passwordVaultKey }}
 {{- if $regEnabled }}
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: {{ .Values.registry.authSecretName }}

charts/supply-chain/templates/secrets/qtodo-rhtpa-pass.yaml

@@ -1,6 +1,6 @@
 {{- if and .Values.rhtpa.enabled .Values.rhtpa.oidc.enabled }}
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: {{ .Values.rhtpa.oidc.clientSecretName }}