fix: offset all Argo CD sync-wave values by +31 to ensure positive waves

Makefile

@@ -18,6 +18,8 @@ install: operator-deploy post-install ## installs the pattern and loads the secr
 .PHONY: post-install
 post-install: ## Post-install tasks
 	make load-secrets
+	@echo "Waiting for MachineConfigPool rollout to complete..."
+	oc wait mcp/master --for=condition=Updated --timeout=600s
 	make vault-config-jwt
 	@echo "Done"
 

charts/acs-central/templates/admin-password-secret.yaml

@@ -7,7 +7,7 @@ metadata:
   labels:
     {{- include "acs-central.labels" . | nindent 4 }}
   annotations:
-    argocd.argoproj.io/sync-wave: "5"
+    argocd.argoproj.io/sync-wave: "36"
 type: Opaque
 stringData:
   password: {{ .Values.central.adminPassword.password | default (randAlphaNum 32) | quote }}

charts/acs-central/templates/central-cr.yaml

@@ -7,7 +7,7 @@ metadata:
   labels:
     {{- include "acs-central.labels" . | nindent 4 }}
   annotations:
-    argocd.argoproj.io/sync-wave: "10"
+    argocd.argoproj.io/sync-wave: "41"
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
   central:

charts/acs-central/templates/central-htpasswd-external-secret.yaml

@@ -7,7 +7,7 @@ metadata:
   labels:
     {{- include "acs-central.labels" . | nindent 4 }}
   annotations:
-    argocd.argoproj.io/sync-wave: "5"
+    argocd.argoproj.io/sync-wave: "36"
 spec:
   refreshInterval: 15s
   secretStoreRef:

charts/acs-central/templates/console-link.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     {{- include "acs-central.labels" . | nindent 4 }}
   annotations:
-    argocd.argoproj.io/sync-wave: "15"
+    argocd.argoproj.io/sync-wave: "46"
 spec:
   href: https://central-{{ .Release.Namespace }}.{{ .Values.global.localClusterDomain }}
   location: ApplicationMenu

charts/acs-central/templates/jobs/create-auth-provider.yaml

@@ -7,7 +7,7 @@ metadata:
   labels:
     {{- include "acs-central.labels" . | nindent 4 }}
   annotations:
-    argocd.argoproj.io/sync-wave: "13"
+    argocd.argoproj.io/sync-wave: "44"
 spec:
   template:
     metadata:

charts/acs-central/templates/jobs/create-cluster-init-bundle.yaml

@@ -14,7 +14,7 @@ metadata:
     {{- include "acs-central.labels" . | nindent 4 }}
   annotations:
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/sync-wave: "12"
+    argocd.argoproj.io/sync-wave: "43"
 spec:
   template:
     metadata:

charts/acs-central/templates/jobs/create-htpasswd-field.yaml

@@ -7,7 +7,7 @@ metadata:
   labels:
     {{- include "acs-central.labels" . | nindent 4 }}
   annotations:
-    argocd.argoproj.io/sync-wave: "6"
+    argocd.argoproj.io/sync-wave: "37"
 spec:
   template:
     metadata:

charts/acs-central/templates/keycloak-client-secret-external-secret.yaml

@@ -7,7 +7,7 @@ metadata:
   labels:
     {{- include "acs-central.labels" . | nindent 4 }}
   annotations:
-    argocd.argoproj.io/sync-wave: "5"
+    argocd.argoproj.io/sync-wave: "36"
 spec:
   refreshInterval: 15s
   secretStoreRef:

charts/acs-central/templates/rbac/cluster-init-clusterrole.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     {{- include "acs-central.labels" . | nindent 4 }}
   annotations:
-    argocd.argoproj.io/sync-wave: "1"
+    argocd.argoproj.io/sync-wave: "32"
 rules:
 - apiGroups: ["console.openshift.io"]
   resources: ["consolelinks"]

charts/acs-central/templates/rbac/cluster-init-clusterrolebinding.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     {{- include "acs-central.labels" . | nindent 4 }}
   annotations:
-    argocd.argoproj.io/sync-wave: "1"
+    argocd.argoproj.io/sync-wave: "32"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

charts/acs-central/templates/rbac/cluster-init-role.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     {{- include "acs-central.labels" . | nindent 4 }}
   annotations:
-    argocd.argoproj.io/sync-wave: "1"
+    argocd.argoproj.io/sync-wave: "32"
 rules:
   - apiGroups:
       - ""

charts/acs-central/templates/rbac/cluster-init-rolebinding.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     {{- include "acs-central.labels" . | nindent 4 }}
   annotations:
-    argocd.argoproj.io/sync-wave: "1"
+    argocd.argoproj.io/sync-wave: "32"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

charts/acs-central/templates/rbac/cluster-init-serviceaccount.yaml

@@ -6,4 +6,4 @@ metadata:
   labels:
     {{- include "acs-central.labels" . | nindent 4 }}
   annotations:
-    argocd.argoproj.io/sync-wave: "1"
+    argocd.argoproj.io/sync-wave: "32"

charts/acs-secured-cluster/templates/secured-cluster-cr.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     {{- include "acs-secured-cluster.labels" . | nindent 4 }}
   annotations:
-    argocd.argoproj.io/sync-wave: "15"
+    argocd.argoproj.io/sync-wave: "46"
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 spec:
   clusterName: {{ .Values.clusterName | default .Values.global.clusterName | quote }}

charts/noobaa-mcg/templates/bucket-class.yaml

@@ -5,7 +5,7 @@ metadata:
   name: {{ .Values.noobaa.bucketClass.name }}
   namespace: {{ .Values.noobaa.namespace }}
   annotations:
-    argocd.argoproj.io/sync-wave: "3"  # Layer 1: Create BucketClass
+    argocd.argoproj.io/sync-wave: "34"  # Layer 1: Create BucketClass
 spec:
   placementPolicy:
     tiers:

charts/noobaa-mcg/templates/default-backingstore.yaml

@@ -4,7 +4,7 @@ metadata:
   name: noobaa-default-backing-store
   namespace: {{ .Values.noobaa.namespace }}
   annotations:
-    argocd.argoproj.io/sync-wave: "1"
+    argocd.argoproj.io/sync-wave: "32"
 spec:
   type: pv-pool
   pvPool:

charts/noobaa-mcg/templates/noobaa-system.yaml

@@ -5,7 +5,7 @@ metadata:
   name: {{ .Values.noobaa.system.name }}
   namespace: {{ .Values.noobaa.namespace }}
   annotations:
-    argocd.argoproj.io/sync-wave: "2"  # Layer 1: Deploy NooBaa System
+    argocd.argoproj.io/sync-wave: "33"  # Layer 1: Deploy NooBaa System
 spec:
   tolerations:
     - key: "node.ocs.openshift.io/storage"

charts/qtodo/templates/app-deployment.yaml

@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: '20'
+    argocd.argoproj.io/sync-wave: '51'
   labels:
     app: qtodo
     ztvp.io/uses-certificates: "true"

charts/qtodo/templates/app-service.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: '20'
+    argocd.argoproj.io/sync-wave: '51'
   labels:
     app: qtodo
   name: qtodo

charts/qtodo/templates/postgresql-service.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: '10'
+    argocd.argoproj.io/sync-wave: '41'
   labels:
     app: qtodo-db
   name: qtodo-db

charts/qtodo/templates/postgresql-statefulset.yaml

@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: StatefulSet
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: '10'
+    argocd.argoproj.io/sync-wave: '41'
   labels:
     app: qtodo-db
   name: qtodo-db

charts/qtodo/templates/qtodo-truststore-config.yaml

@@ -6,7 +6,7 @@ metadata:
   name: qtodo-truststore-java
   namespace: qtodo
   annotations:
-    argocd.argoproj.io/sync-wave: '10'
+    argocd.argoproj.io/sync-wave: '41'
   labels:
     app: qtodo
     app.kubernetes.io/component: truststore-init

charts/qtodo/templates/truststore-secret-external-secret.yaml

@@ -5,7 +5,7 @@ metadata:
   name: qtodo-truststore-secret
   namespace: {{ .Release.Namespace }}
   annotations:
-    argocd.argoproj.io/sync-wave: '5'
+    argocd.argoproj.io/sync-wave: '36'
 spec:
   refreshInterval: 15s
   secretStoreRef:

charts/rhtas-operator/templates/securesign.yaml

@@ -8,7 +8,7 @@ metadata:
   labels:
     {{- include "rhtas-operator.labels" . | nindent 4 }}
   annotations:
-    argocd.argoproj.io/sync-wave: "15"  # Deploy after namespace and operator
+    argocd.argoproj.io/sync-wave: "46"  # Deploy after namespace and operator
     {{- if .Values.rhtas.monitoring.enabled }}
     rhtas.redhat.com/metrics: "true"
     {{- end }}

charts/rhtpa-operator/templates/ingress-ca-job.yaml

@@ -6,7 +6,7 @@ metadata:
   name: rhtpa-ingress-ca-extractor
   namespace: {{ .Values.rhtpa.namespace }}
   annotations:
-    argocd.argoproj.io/sync-wave: "0"
+    argocd.argoproj.io/sync-wave: "31"
     argocd.argoproj.io/hook: PreSync
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -15,7 +15,7 @@ metadata:
   name: rhtpa-ingress-ca-extractor
   namespace: {{ .Values.rhtpa.namespace }}
   annotations:
-    argocd.argoproj.io/sync-wave: "0"
+    argocd.argoproj.io/sync-wave: "31"
     argocd.argoproj.io/hook: PreSync
 rules:
 - apiGroups: [""]
@@ -28,7 +28,7 @@ metadata:
   name: rhtpa-ingress-ca-extractor
   namespace: {{ .Values.rhtpa.namespace }}
   annotations:
-    argocd.argoproj.io/sync-wave: "0"
+    argocd.argoproj.io/sync-wave: "31"
     argocd.argoproj.io/hook: PreSync
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -44,7 +44,7 @@ kind: ClusterRole
 metadata:
   name: rhtpa-ingress-ca-reader
   annotations:
-    argocd.argoproj.io/sync-wave: "0"
+    argocd.argoproj.io/sync-wave: "31"
     argocd.argoproj.io/hook: PreSync
 rules:
 # Read ingress CA from router secret (default or custom)
@@ -66,7 +66,7 @@ kind: ClusterRoleBinding
 metadata:
   name: rhtpa-ingress-ca-reader-{{ .Values.rhtpa.namespace }}
   annotations:
-    argocd.argoproj.io/sync-wave: "0"
+    argocd.argoproj.io/sync-wave: "31"
     argocd.argoproj.io/hook: PreSync
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -83,7 +83,7 @@ metadata:
   name: rhtpa-ingress-ca-extractor
   namespace: {{ .Values.rhtpa.namespace }}
   annotations:
-    argocd.argoproj.io/sync-wave: "2"
+    argocd.argoproj.io/sync-wave: "33"
     argocd.argoproj.io/hook: PreSync
     argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
 spec:

charts/rhtpa-operator/templates/object-bucket-claim.yaml

@@ -6,7 +6,7 @@ metadata:
   name: {{ .Values.rhtpa.objectStorage.objectBucketClaim.name }}
   namespace: {{ .Values.rhtpa.namespace }}
   annotations:
-    argocd.argoproj.io/sync-wave: "5"  # Create OBC after NooBaa system is ready
+    argocd.argoproj.io/sync-wave: "36"  # Create OBC after NooBaa system is ready
 spec:
   generateBucketName: {{ .Values.rhtpa.objectStorage.objectBucketClaim.bucketName }}
   storageClassName: {{ .Values.rhtpa.objectStorage.objectBucketClaim.storageClass }}

charts/rhtpa-operator/templates/oidc-cli-secret.yaml

@@ -8,7 +8,7 @@ metadata:
   labels:
     {{- include "rhtpa-operator.labels" . | nindent 4 }}
   annotations:
-    argocd.argoproj.io/sync-wave: "3"  # Create before RHTPA CR
+    argocd.argoproj.io/sync-wave: "34"  # Create before RHTPA CR
 spec:
   refreshInterval: 15s
   secretStoreRef:

charts/rhtpa-operator/templates/operator-readiness-check.yaml

@@ -10,7 +10,7 @@ metadata:
   labels:
     {{- include "rhtpa-operator.labels" . | nindent 4 }}
   annotations:
-    argocd.argoproj.io/sync-wave: "40"  # Before CR creation (wave 50)
+    argocd.argoproj.io/sync-wave: "71"  # Before CR creation (wave 81)
     policy.open-cluster-management.io/standards: NIST SP 800-53
     policy.open-cluster-management.io/categories: CM Configuration Management
     policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
@@ -59,7 +59,7 @@ metadata:
   labels:
     {{- include "rhtpa-operator.labels" . | nindent 4 }}
   annotations:
-    argocd.argoproj.io/sync-wave: "40"
+    argocd.argoproj.io/sync-wave: "71"
 placementRef:
   name: placement-policy-rhtpa-operator-ready
   kind: PlacementRule
@@ -77,7 +77,7 @@ metadata:
   labels:
     {{- include "rhtpa-operator.labels" . | nindent 4 }}
   annotations:
-    argocd.argoproj.io/sync-wave: "40"
+    argocd.argoproj.io/sync-wave: "71"
 spec:
   clusterConditions:
     - status: "True"

charts/rhtpa-operator/templates/operator-rolebinding.yaml

@@ -6,7 +6,7 @@ metadata:
   name: rhtpa-operator-job-manager
   namespace: {{ .Values.rhtpa.namespace }}
   annotations:
-    argocd.argoproj.io/sync-wave: "1"  # Create early, before CR
+    argocd.argoproj.io/sync-wave: "32"  # Create early, before CR
 rules:
 - apiGroups: ["batch"]
   resources: ["jobs"]
@@ -30,7 +30,7 @@ metadata:
   name: rhtpa-operator-job-manager
   namespace: {{ .Values.rhtpa.namespace }}
   annotations:
-    argocd.argoproj.io/sync-wave: "1"  # Create early, before CR
+    argocd.argoproj.io/sync-wave: "32"  # Create early, before CR
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

charts/rhtpa-operator/templates/postgresql-external-secret.yaml

@@ -6,7 +6,7 @@ metadata:
   name: rhtpa-db-secret
   namespace: {{ .Values.rhtpa.namespace }}
   annotations:
-    argocd.argoproj.io/sync-wave: '5'
+    argocd.argoproj.io/sync-wave: '36'
 spec:
   refreshInterval: 15s
   secretStoreRef:

charts/rhtpa-operator/templates/postgresql-service.yaml

@@ -4,7 +4,7 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: '10'
+    argocd.argoproj.io/sync-wave: '41'
   labels:
     app: rhtpa-db
   name: rhtpa-db

charts/rhtpa-operator/templates/postgresql-serviceaccount.yaml

@@ -4,7 +4,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: '5'
+    argocd.argoproj.io/sync-wave: '36'
   name: rhtpa-db
   namespace: {{ .Values.rhtpa.namespace }}
 {{- end }}

charts/rhtpa-operator/templates/postgresql-statefulset.yaml

@@ -4,7 +4,7 @@ apiVersion: apps/v1
 kind: StatefulSet
 metadata:
   annotations:
-    argocd.argoproj.io/sync-wave: '10'
+    argocd.argoproj.io/sync-wave: '41'
   labels:
     app: rhtpa-db
   name: rhtpa-db

charts/rhtpa-operator/templates/s3-credentials-secret.yaml

@@ -9,7 +9,7 @@ metadata:
   name: rhtpa-s3-config
   namespace: {{ .Values.rhtpa.namespace }}
   annotations:
-    argocd.argoproj.io/sync-wave: "8"  # After OBC is created
+    argocd.argoproj.io/sync-wave: "39"  # After OBC is created
 data:
   # The OBC creates a secret with these keys automatically
   # AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, BUCKET_HOST, BUCKET_NAME, BUCKET_PORT

charts/rhtpa-operator/templates/spiffe-helper-config.yaml

@@ -6,7 +6,7 @@ metadata:
   name: spiffe-helper-config
   namespace: {{ .Values.rhtpa.namespace }}
   annotations:
-    argocd.argoproj.io/sync-wave: "18"
+    argocd.argoproj.io/sync-wave: "49"
 data:
   config.hcl: |
     agent_address = "/spiffe-workload-api/spire-agent.sock"