MASCORE-13194: Fix MREF AES encryption keystore not the same amongst all customer instances#2437
LamyaG10 wants to merge 29 commits into
Conversation
| echo "Error: Secret name $FACILITIES_LIBERTY_EXTENSIONS_SECRET_NAME does not match ${MAS_WORKSPACE_ID}-facilities-lexml--sn" | ||
| # Sanitize ICN to prevent path injection (allow only alphanumeric, underscore, hyphen) | ||
| SANITIZED_ICN=$(echo "${ICN}" | tr -cd 'A-Za-z0-9_-') |
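Review bot: `SANITIZED_ICN=$(echo "${ICN}" | tr -cd 'A-Za-z0-9_-')` silently drops characters instead of rejecting bad input, so an ICN containing anything outside that set would produce a secret name different from the one the caller passed, with no error to explain why. If the passed value has to be used unchanged, validate rather than transform it: `if [[ ! "${ICN}" =~ ^[A-Za-z0-9_-]+$ ]]; then echo "ERROR: ICN contains unsupported characters"; exit 1; fi` and keep using `${ICN}` as-is.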
We need to use the passed ICN value as is
| function gitops_suite_app_config_help() { |
Pass the newly added params to this function
| fi | ||
| # Try SLS_LICENSE_FILE if LICENSE_FILE didn't work | ||
| if [[ -z "${ICN}" ]] && [[ -n "${SLS_LICENSE_FILE}" ]] && [[ -f "${SLS_LICENSE_FILE}" ]]; then |
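Review bot: the fallback `if [[ -z "${ICN}" ]] && [[ -n "${SLS_LICENSE_FILE}" ]] && [[ -f "${SLS_LICENSE_FILE}" ]]; then` is silent when it does not apply, and nothing in this hunk guarantees `ICN` is non-empty once the chain of sources is exhausted. Add an explicit guard after the chain, e.g. `[[ -n "${ICN}" ]] || { echo "ERROR: could not determine ICN from any configured source"; exit 1; }`, so a missing ICN fails early with a clear message instead of surfacing later as a malformed secret name.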
Only LICENSE_FILE is passed. In that case, we need not check SLS_LICENSE_FILE
| - name: sls_license_icn | ||
| value: $(params.sls_license_icn) | ||
| - name: centralized_sls_service | ||
| value: $(params.centralized_sls_service) |
This info is required only for Facilities. Need to be removed for other apps
LamyaG10
left a comment
Have made the requested changes.
| # Source gitops_utils unconditionally in callback context | ||
| # Nested functions require explicit sourcing even if parent has it loaded | ||
| if [[ -n "${CLI_DIR}" ]]; then | ||
| echo "DEBUG: Sourcing ${CLI_DIR}/functions/gitops_utils" | ||
| ls -l "${CLI_DIR}/functions/gitops_utils" || echo "WARNING: File not found" | ||
| if ! source "${CLI_DIR}/functions/gitops_utils"; then | ||
| echo "ERROR: Failed to source gitops_utils from ${CLI_DIR}/functions/gitops_utils" | ||
| exit 1 | ||
| fi | ||
| else | ||
| DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" | ||
| echo "DEBUG: Sourcing ${DIR}/gitops_utils" | ||
| ls -l "${DIR}/gitops_utils" || echo "WARNING: File not found" | ||
| if ! source "${DIR}/gitops_utils"; then | ||
| echo "ERROR: Failed to source gitops_utils from ${DIR}/gitops_utils" | ||
| exit 1 | ||
| fi | ||
| fi | ||
| echo "- Sourced gitops_utils in apply_suite_app_config_changes callback" |
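Review bot: the `echo "DEBUG: Sourcing ..."` and `ls -l ... || echo "WARNING: File not found"` lines write file paths and directory listings into the pipeline log on every run; drop them (or gate them behind a verbose flag) before merge. The `exit 1` calls also terminate the whole process from inside what the comment calls a callback context; if the caller is meant to handle the failure, `return 1` is the safer choice.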
we shouldn't need to source the gitops_utils as it should already be sourced
| declare -F manage_customer_mref_password || echo "WARNING: Function not found in declare -F" | ||
| if ! declare -F manage_customer_mref_password >/dev/null; then | ||
| echo "ERROR: manage_customer_mref_password function not loaded after sourcing gitops_utils" | ||
| echo "DEBUG: Checking file contents for function definition" | ||
| if [[ -n "${CLI_DIR}" ]]; then | ||
| grep -n "^function manage_customer_mref_password" "${CLI_DIR}/functions/gitops_utils" || echo "Function definition not found in file" | ||
| else | ||
| grep -n "^function manage_customer_mref_password" "${DIR}/gitops_utils" || echo "Function definition not found in file" | ||
| fi | ||
| exit 1 | ||
| fi |
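Review bot: `declare -F manage_customer_mref_password || echo "WARNING: Function not found in declare -F"` duplicates the hard `if ! declare -F manage_customer_mref_password >/dev/null; then` check that follows, and the `grep -n "^function manage_customer_mref_password"` branches only add diagnostics to the log. If the check is kept at all, keep the single `if ! declare -F ...` form and drop the warning line and the grep fallback.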
The code is delivered as a container image, so the function in gitops_utils will be available; no need to check it.
| --manage-update-schedule ${COLOR_YELLOW}MANAGE_UPDATE_SCHEDULE${TEXT_RESET} Cron based schedule to indicate when manage will do the offline update when the onlineUpgrade is set in the ManageWorkspace CR. Optional as default is "0 0 * * *" | ||
| SLS License Configuration: | ||
| --sls-license-icn ${COLOR_YELLOW}SLS_LICENSE_ICN${TEXT_RESET} SLS License ICN (Installation Customer Number) |
| --license-file ${COLOR_YELLOW}LICENSE_FILE${TEXT_RESET} Path to SLS license file (ICN will be extracted) | ||
| --centralized-sls-service ${COLOR_YELLOW}CENTRALIZED_SLS_SERVICE${TEXT_RESET} Centralized SLS service path |
It isn't obvious that you only need one of these and not all three. Can we update the description to say what order these will be checked in, i.e. SLS_LICENSE_ICN first, and if that is not set then LICENSE_FILE, and if that is not set then CENTRALIZED_SLS_SERVICE (which I think is a ref path to something? That might need an example or pointer to another function).
| if ! type manage_customer_mref_password &>/dev/null; then | ||
| if [[ -n "${CLI_DIR}" ]]; then | ||
| if ! source "${CLI_DIR}/functions/gitops_utils"; then | ||
| echo "ERROR: Failed to source gitops_utils from ${CLI_DIR}/functions/gitops_utils" | ||
| exit 1 | ||
| fi | ||
| else | ||
| DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" | ||
| if ! source "${DIR}/gitops_utils"; then | ||
| echo "ERROR: Failed to source gitops_utils from ${DIR}/gitops_utils" | ||
| exit 1 | ||
| fi | ||
| fi | ||
| echo "- Sourced gitops_utils for manage_customer_mref_password function" | ||
| fi |
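Review bot: this block repeats the sourcing logic of the callback hunk above (same `CLI_DIR`/`DIR` branches, same `ERROR: Failed to source gitops_utils` messages), but guards it with `if ! type manage_customer_mref_password &>/dev/null; then` where the earlier block uses `declare -F`. Either factor the two into one helper with one check style, or drop both if gitops_utils is guaranteed to be loaded. As in the earlier hunk, `exit 1` here ends the whole shell if this file is sourced rather than executed.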
Issue
https://jsw.ibm.com/browse/MASCORE-13194
Description
Implemented ICN (IBM Customer Number) extraction from multiple sources to support customer-level secrets in Facilities and other MAS applications, enabling both standard and centralized SLS deployments.
First Run - https://cloud.ibm.com/devops/pipelines/tekton/8bb11078-2a03-43b2-9d30-df3ea17af143/runs/30cc1db6-e02e-491c-9273-6d6d0f53ab31/app-cfg-facilities?env_id=ibm:yp:us-south&view=logs
Subsequent Run - https://cloud.ibm.com/devops/pipelines/tekton/8bb11078-2a03-43b2-9d30-df3ea17af143/runs/dd724ecf-83bb-496b-aced-b18c126e14a8/app-cfg-facilities?env_id=ibm:yp:us-south&view=logs
First Run - https://cloud.ibm.com/devops/pipelines/tekton/8bb11078-2a03-43b2-9d30-df3ea17af143/runs/30cc1db6-e02e-491c-9273-6d6d0f53ab31/app-cfg-facilities?env_id=ibm:yp:us-south&view=logs
Subsequent Run - https://cloud.ibm.com/devops/pipelines/tekton/8bb11078-2a03-43b2-9d30-df3ea17af143/runs/379ceecc-2256-4eca-9f08-0628b19b5573/app-cfg-facilities?env_id=ibm:yp:us-south&view=logs
First Run - https://cloud.ibm.com/devops/pipelines/tekton/8bb11078-2a03-43b2-9d30-df3ea17af143/runs/e5e76856-32c3-4f38-9f20-354f84ac7fb9/app-cfg-facilities?env_id=ibm:yp:us-south&view=logs
Subsequent Run - https://cloud.ibm.com/devops/pipelines/tekton/8bb11078-2a03-43b2-9d30-df3ea17af143/runs/ee196c80-0d44-4045-8019-9588167bf04c/app-cfg-facilities?env_id=ibm:yp:us-south&view=logs
Screenshots