[minor] add external-secrets operator ansible role with helm deployment #2256

Open: terc1997 wants to merge 4 commits into master from mascore-13690

@terc1997
Contributor

Description

Introduce the installation of the External Secrets Operator in our ansible-devops collection. Supports install and uninstall.

Test Results

  1. Install
  2. Re-installation to check idempotency
  3. Uninstall

⚠️ Notes for Reviewers

  • Ensure you have understood the PR guidelines in the Playbook before proceeding with a review.
  • Ensure all sections in the PR template are appropriately completed.

@terc1997 terc1997 requested a review from a team as a code owner May 19, 2026 16:25
Contributor

@durera durera left a comment

We need to see it working end-to-end with a generated secret containing content from our secrets-manager.

e.g. I added some code from the other branch for the clustersecretstore and ran a quick test and this is as far as I got:

```
oc -n default get externalsecret example-arbitrary-secret -o yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"external-secrets.io/v1","kind":"ExternalSecret","metadata":{"annotations":{},"name":"example-arbitrary-secret","namespace":"default"},"spec":{"data":[{"remoteRef":{"key":"ibmcloud-apikey"},"secretKey":"IBMCLOUD_APIKEY"}],"refreshInterval":"1h","secretStoreRef":{"kind":"ClusterSecretStore","name":"ibm-secrets-manager"},"target":{"creationPolicy":"Owner","name":"my-secrets"}}}
  creationTimestamp: "2026-05-23T11:20:30Z"
  finalizers:
  - externalsecrets.external-secrets.io/externalsecret-cleanup
  generation: 1
  name: example-arbitrary-secret
  namespace: default
  resourceVersion: "1065400"
  uid: 0d29efbb-063b-43dd-b0d6-db25a8c0bc94
spec:
  data:
  - remoteRef:
      conversionStrategy: Default
      decodingStrategy: None
      key: ibmcloud-apikey
      metadataPolicy: None
      nullBytePolicy: Ignore
    secretKey: IBMCLOUD_APIKEY
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: ibm-secrets-manager
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    name: my-secrets
status:
  binding:
    name: ""
  conditions:
  - lastTransitionTime: "2026-05-23T11:20:30Z"
    message: could not get secret data from provider
    reason: SecretSyncedError
    status: "False"
    type: Ready
  refreshTime: null
```

We don't need to support creating the secrets itself (just the operator install + the store creation)
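An added example, not part of the review or of the PR's code: one way to turn the end-to-end check asked for above into a pass/fail result by reading the `Ready` condition of an ExternalSecret. It assumes the object is supplied as JSON (as `oc get externalsecret -o json` emits it); the function name `sync_state` and the sample constant are hypothetical, and the sample is constructed from the output shown in the comment.

```python
import json

# Constructed sample: the failing object from the review comment, reduced to
# the fields the check reads, in the JSON form `oc get externalsecret -o json` emits.
FAILING = json.loads("""
{
  "metadata": {"name": "example-arbitrary-secret", "namespace": "default"},
  "spec": {"target": {"name": "my-secrets"}},
  "status": {
    "conditions": [{
      "type": "Ready", "status": "False",
      "reason": "SecretSyncedError",
      "message": "could not get secret data from provider"
    }],
    "refreshTime": null
  }
}
""")


def sync_state(es):
    """Return (ok, detail) for one ExternalSecret object given as a dict."""
    meta = es.get("metadata", {})
    ident = f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"
    status = es.get("status") or {}
    ready = next((c for c in status.get("conditions") or []
                  if c.get("type") == "Ready"), None)
    if ready is None:
        return False, f"{ident}: no Ready condition, not reconciled yet"
    if ready.get("status") != "True":
        # Report reason and message only; never print secret values as evidence.
        return False, f"{ident}: {ready.get('reason')}: {ready.get('message')}"
    if not status.get("refreshTime"):
        return False, f"{ident}: Ready=True but refreshTime is empty"
    # spec.target.name defaults to the ExternalSecret's own name when omitted.
    target = (es.get("spec", {}).get("target") or {}).get("name") or meta.get("name")
    return True, f"{ident}: synced into Secret {target}"


if __name__ == "__main__":
    ok, detail = sync_state(FAILING)
    print("PASS" if ok else "FAIL", detail)
```
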

webhook:
replicaCount: 2
roles:
- ibm.mas_devops.external-secrets
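
Review bot: the role reference on the last line, `ibm.mas_devops.external-secrets`, uses a hyphen in the role name. Role names inside an Ansible collection are limited to lowercase alphanumerics and underscores, so this should read `ibm.mas_devops.external_secrets`, and every other place that names the role (directory, docs, playbooks) needs the same spelling.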
Various places where the role name is incorrect (- instead of _)


**Purpose**: Determines whether to install or uninstall the External Secrets Operator.

**When to use**: