fix/ESO upgrade

Makefile

@@ -1,26 +1,5 @@
-.PHONY: default
-default: help
+# Generated by patternizer
+# This Makefile includes the common pattern targets from Makefile-common
+# You can add custom targets above or below the include line
 
-.PHONY: help
-##@ Pattern tasks
-
-# No need to add a comment here as help is described in common/
-help:
-	@make -f common/Makefile MAKEFILE_LIST="Makefile common/Makefile" help
-
-%:
-	make -f common/Makefile $*
-
-.PHONY: install
-install: operator-deploy post-install ## installs the pattern and loads the secrets
-	@echo "Installed"
-
-.PHONY: post-install
-post-install: ## Post-install tasks
-	make load-secrets
-	make vault-config-jwt
-	@echo "Done"
-
-.PHONY: test
-test:
-	@make -f common/Makefile PATTERN_OPTS="-f values-global.yaml -f values-hub.yaml" test
+include Makefile-common

Makefile-common

@@ -0,0 +1,54 @@
+MAKEFLAGS += --no-print-directory
+ANSIBLE_STDOUT_CALLBACK ?= rhvp.cluster_utils.readable
+ANSIBLE_RUN ?= ANSIBLE_STDOUT_CALLBACK=$(ANSIBLE_STDOUT_CALLBACK) ansible-playbook $(EXTRA_PLAYBOOK_OPTS)
+DOCS_URL := https://validatedpatterns.io/blog/2025-08-29-new-common-makefile-structure/
+
+.PHONY: help
+help: ## Print this help message
+	@echo "For a complete guide to these targets and the available overrides, please visit $(DOCS_URL)"
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^(\s|[a-zA-Z_0-9-])+:.*?##/ { printf "  \033[36m%-35s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+##@ Pattern Install Tasks
+.PHONY: show
+show: ## Shows the template that would be applied by the `make install` target
+	@$(ANSIBLE_RUN) rhvp.cluster_utils.show
+
+.PHONY: operator-deploy
+operator-deploy operator-upgrade: ## Installs/updates the pattern on a cluster (DOES NOT load secrets)
+	@$(ANSIBLE_RUN) rhvp.cluster_utils.operator_deploy
+
+.PHONY: install
+install: pattern-install ## Installs the pattern onto a cluster (Loads secrets as well if configured)
+
+.PHONY: uninstall
+uninstall: ## (EXPERIMENTAL) See https://validatedpatterns.io/blog/2026-02-16-pattern-uninstall/.
+	@$(ANSIBLE_RUN) rhvp.cluster_utils.uninstall
+
+.PHONY: pattern-install
+pattern-install:
+	@$(ANSIBLE_RUN) rhvp.cluster_utils.install
+
+.PHONY: load-secrets
+load-secrets: ## Loads secrets onto the cluster (unless explicitly disabled in values-global.yaml)
+	@$(ANSIBLE_RUN) rhvp.cluster_utils.load_secrets
+
+##@ Validation Tasks
+.PHONY: validate-prereq
+validate-prereq: ## verify pre-requisites
+	@$(ANSIBLE_RUN) rhvp.cluster_utils.validate_prereq
+
+.PHONY: validate-origin
+validate-origin: ## verify the git origin is available
+	@$(ANSIBLE_RUN) rhvp.cluster_utils.validate_origin
+
+.PHONY: validate-cluster
+validate-cluster: ## Do some cluster validations before installing
+	@$(ANSIBLE_RUN) rhvp.cluster_utils.validate_cluster
+
+.PHONY: validate-schema
+validate-schema: ## validates values files against schema in common/clustergroup
+	@$(ANSIBLE_RUN) rhvp.cluster_utils.validate_schema
+
+.PHONY: argo-healthcheck
+argo-healthcheck: ## Checks if all argo applications are synced
+	@$(ANSIBLE_RUN) rhvp.cluster_utils.argo_healthcheck

ansible.cfg

@@ -1,6 +1,15 @@
 [defaults]
 localhost_warning=False
 retry_files_enabled=False
-library=~/.ansible/plugins/modules:./ansible/plugins/modules:./common/ansible/plugins/modules:/usr/share/ansible/plugins/modules
-roles_path=~/.ansible/roles:./ansible/roles:./common/ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
-filter_plugins=~/.ansible/plugins/filter:./ansible/plugins/filter:./common/ansible/plugins/filter:/usr/share/ansible/plugins/filter
+# Retry files disabled to avoid cluttering CI/CD environments
+interpreter_python=auto_silent
+timeout=30
+library=~/.ansible/plugins/modules:./ansible/plugins/modules:/usr/share/ansible/plugins/modules
+roles_path=~/.ansible/roles:./ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
+filter_plugins=~/.ansible/plugins/filter:./ansible/plugins/filter:/usr/share/ansible/plugins/filter
+# use the collections from the util. container,
+# change below if you want to test local collections
+collections_path=/usr/share/ansible/collections
+
+[inventory]
+inventory_unparsed_warning=False

charts/acm-managed-clusters/templates/acm-external-secrets.yaml

@@ -1,7 +1,7 @@
 {{- $clusters := .Values.acmManagedClusters.clusters | default list }}
 {{- range $clusters }}
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: kubeconfig-{{ .name }}

charts/acs-central/templates/central-htpasswd-external-secret.yaml

@@ -1,5 +1,5 @@
 {{- if and .Values.central.enabled .Values.central.adminPassword.useExternalSecret }}
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: central-htpasswd-external-secret

charts/acs-central/templates/keycloak-client-secret-external-secret.yaml

@@ -1,5 +1,5 @@
 {{- if and .Values.central.enabled .Values.integration.keycloak.enabled }}
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: {{ .Values.integration.keycloak.clientSecret.secretName }}

charts/hello-coco/templates/pull-secret-external.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: pull-secret

charts/hello-coco/templates/pull-secret-store.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: SecretStore
 metadata:
   name: openshift-config

charts/qtodo/templates/oidc-client-secret-external-secret.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.app.oidc.clientSecret.enabled }}
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: {{ .Values.app.oidc.clientSecret.name }}

charts/qtodo/templates/postgresql-external-secret.yaml

@@ -1,4 +1,4 @@
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: qtodo-db-secret

charts/qtodo/templates/registry-external-secret.yaml

@@ -5,7 +5,7 @@
 {{- $regPasswordKey := .Values.app.images.main.registry.passwordVaultKey | default .Values.global.registry.passwordVaultKey }}
 {{- if $regAuth }}
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: {{ .Values.app.images.main.registry.secretName }}

charts/qtodo/templates/truststore-secret-external-secret.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.app.spire.enabled }}
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: qtodo-truststore-secret

charts/qtodo/values.yaml

@@ -84,6 +84,14 @@ app:
     tag: "latest"
     image: "registry.redhat.io/openshift4/ose-tools-rhel9:latest"
 
+  # Seed image Job: mirrors the upstream qtodo image into the configured
+  # registry so the deployment can pull before the supply-chain pipeline runs.
+  seedImage:
+    enabled: false
+    source: "quay.io/validatedpatterns/qtodo:latest"
+    tag: "latest"
+    image: "registry.redhat.io/openshift4/ose-tools-rhel9:latest"
+
   # Truststore configuration for Java CA certificates (PKCS12 format)
   truststore:
     enabled: true

charts/rhtpa-operator/templates/oidc-cli-secret.yaml

@@ -1,6 +1,6 @@
 {{- if .Values.rhtpa.zeroTrust.keycloak.enabled }}
 ---
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: {{ .Values.rhtpa.zeroTrust.keycloak.clients.cli.secretName | default "rhtpa-oidc-cli-secret" }}

charts/rhtpa-operator/templates/postgresql-external-secret.yaml

@@ -1,6 +1,6 @@
 {{- if .Values.rhtpa.database.create }}
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: rhtpa-db-secret

charts/supply-chain/templates/secrets/qtodo-quay-pass.yaml

@@ -7,7 +7,7 @@
 */}}
 {{- if eq .Values.quay.enabled true }}
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: qtodo-quay-password

charts/supply-chain/templates/secrets/qtodo-registry-auth.yaml

@@ -13,7 +13,7 @@
 {{- $regPasswordKey := .Values.registry.passwordVaultKey | default .Values.global.registry.passwordVaultKey }}
 {{- if $regEnabled }}
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: {{ .Values.registry.authSecretName }}

charts/supply-chain/templates/secrets/qtodo-rhtpa-pass.yaml

@@ -1,6 +1,6 @@
 {{- if eq .Values.rhtpa.enabled true }}
 ---
-apiVersion: "external-secrets.io/v1beta1"
+apiVersion: "external-secrets.io/v1"
 kind: ExternalSecret
 metadata:
   name: qtodo-rhtpa-cli-password