From 765a2aaf8b41cdaed11a5c5d296393d46ba935be Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Tue, 26 May 2026 17:44:48 +0530 Subject: [PATCH 01/41] Copy sls related secrets from instance level to tenant level in pre sync --- .../113-ibm-aiservice/values.yaml | 1 + .../templates/98-ibm-aiservice-sls.yaml | 348 ++++++++++++++++++ 2 files changed, 349 insertions(+) create mode 100644 root-applications/ibm-aiservice-tenant-root/templates/98-ibm-aiservice-sls.yaml diff --git a/instance-applications/113-ibm-aiservice/values.yaml b/instance-applications/113-ibm-aiservice/values.yaml index f87bc996a..d90c02449 100644 --- a/instance-applications/113-ibm-aiservice/values.yaml +++ b/instance-applications/113-ibm-aiservice/values.yaml @@ -76,6 +76,7 @@ mas_icr_cpopen: "icr.io/cpopen" cluster_domain: "_cluster_dns.resources[0].spec.baseDomain" in_saas_env: "false" +is_gitops_fvt_env: "false" #TENANT mas_aiservice_tenant_name: "aiservice-{{ mas_aiservice_tenant_name }}" \ No newline at end of file diff --git a/root-applications/ibm-aiservice-tenant-root/templates/98-ibm-aiservice-sls.yaml b/root-applications/ibm-aiservice-tenant-root/templates/98-ibm-aiservice-sls.yaml new file mode 100644 index 000000000..729c8ab8d --- /dev/null +++ b/root-applications/ibm-aiservice-tenant-root/templates/98-ibm-aiservice-sls.yaml 
@@ -0,0 +1,348 @@ +{{- if or .Values.run_sync_hooks (eq .Values.ibm_aiservice_tenant.is_gitops_fvt_env "true") }} + +{{- /* +Meaningful prefix for the job resource name. Must be under 52 chars in length to leave room for the 11 chars reserved for '-' and $_job_hash. +*/}} +{{- $_job_name_prefix := "postsync-ibm-sls-update-sm-job" }} + +{{- /* +Use the build/bin/set-cli-image-digest.sh script to update this value across all charts. +Included in $_job_hash (see below). +*/}} +{{- $_cli_image_digest := "sha256:4636b74525a46ebd88cd540794e8e23143f0112ea85149f9dfc78d02704ad5a6" }} + +{{- /* +A dict of values that influence the behaviour of the job in some way. +Any changes to values in this dict will trigger a rerun of the job. +Since jobs must be idemopotent, it's generally safe to pass in values here that are not +strictly necessary (i.e. including some values that don't actually influence job behaviour). +We may want to refine this further though for jobs that can take a long time to complete. +Included in $_job_hash (see below). +*/}} +{{- $_job_config_values := omit .Values "junitreporter" }} + +{{- /* +Increment this value whenever you make a change to an immutable field of the Job resource. +E.g. passing in a new environment variable. +Included in $_job_hash (see below). +*/}} +{{- $_job_version := "v4" }} + +{{- /* +10 char hash appended to the job name taking into account $_job_config_values, $_job_version and $_cli_image_digest +This is to ensure ArgoCD will create a new job resource intead of attempting (and failing) to update an +immutable field of any existing Job resource. +*/}} +{{- $_job_hash := print ($_job_config_values | toYaml) $_cli_image_digest $_job_version | adler32sum }} + +{{- $_job_name := join "-" (list $_job_name_prefix $_job_hash )}} + +{{- /* +Set as the value for the mas.ibm.com/job-cleanup-group label on the Job resource. 
+ +When the auto_delete flag is not set on the root application, a CronJob in the cluster uses this label +to identify old Job resources that should be pruned on behalf of ArgoCD. + +Any Job resources in the same namespace that have the mas.ibm.com/job-cleanup-group with this value +will be considered to belong to the same cleanup group. All but the most recent (i.e. with the latest "creation_timestamp") +Jobs will be automatically deleted. + +$_job_cleanup_group can usually just be based on $_job_name_prefix. There are some special cases +where multiple Jobs are created in our templates using a Helm loop. In those cases, additional descriminators +must be added to $_job_cleanup_group. + +By convention, we sha1sum this value to guarantee we never exceed the 63 char limit regardless of which discriminators +are required here. + +*/}} +{{- $_job_cleanup_group := cat $_job_name_prefix | sha1sum }} + + + +{{ $ns := printf "mas-%s-%s-sls" .Values.ibm_customer_number .Values.subscription_id }} +{{ $instance := printf "%s-%s" .Values.ibm_customer_number .Values.subscription_id }} + +{{ $aws_secret := "aws"}} +{{ $np_name := "postsync-ibm-sls-update-sm-np" }} +{{ $role_name := "postsync-ibm-sls-update-sm-r" }} +{{ $sa_name := "postsync-ibm-sls-update-sm-sa" }} +{{ $rb_name := "postsync-ibm-sls-update-sm-rb" }} +{{ $job_label := "postsync-ibm-sls-update-sm-job" }} + + + +--- +# Permit outbound communication by the Job pods +# (Needed to communicate with the K8S HTTP API and AWS SM) +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ $np_name }} + namespace: {{ $ns }} + annotations: + argocd.argoproj.io/sync-wave: "98" +{{- if .Values.custom_labels }} + labels: +{{ .Values.custom_labels | toYaml | indent 4 }} +{{- end }} +spec: + podSelector: + matchLabels: + app: {{ $job_label }} + egress: + - {} + policyTypes: + - Egress + + +--- +kind: Secret +apiVersion: v1 +metadata: + name: {{ $aws_secret }} + namespace: {{ $ns }} + annotations: + 
argocd.argoproj.io/sync-wave: "110" +{{- if .Values.custom_labels }} + labels: +{{ .Values.custom_labels | toYaml | indent 4 }} +{{- end }} +data: + aws_access_key_id: {{ .Values.sm_aws_access_key_id | b64enc }} + aws_secret_access_key: {{ .Values.sm_aws_secret_access_key | b64enc }} +type: Opaque + +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: {{ $sa_name }} + namespace: {{ $ns }} + annotations: + argocd.argoproj.io/sync-wave: "110" +{{- if .Values.custom_labels }} + labels: +{{ .Values.custom_labels | toYaml | indent 4 }} +{{- end }} + +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ $role_name }} + namespace: {{ $ns }} + annotations: + argocd.argoproj.io/sync-wave: "110" +{{- if .Values.custom_labels }} + labels: +{{ .Values.custom_labels | toYaml | indent 4 }} +{{- end }} +rules: + - verbs: + - get + apiGroups: + - "" + resources: + - configmaps + - verbs: + - get + - list + - patch + apiGroups: + - "route.openshift.io" + resources: + - routes + +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ $rb_name }} + namespace: {{ $ns }} + annotations: + argocd.argoproj.io/sync-wave: "111" +{{- if .Values.custom_labels }} + labels: +{{ .Values.custom_labels | toYaml | indent 4 }} +{{- end }} +subjects: + - kind: ServiceAccount + name: {{ $sa_name }} + namespace: {{ $ns }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $role_name }} + +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ $_job_name }} + namespace: {{ $ns }} + annotations: + argocd.argoproj.io/sync-wave: "112" + argocd.argoproj.io/sync-options: Prune=true + labels: + mas.ibm.com/job-cleanup-group: {{ $_job_cleanup_group }} +{{- if .Values.custom_labels }} +{{ .Values.custom_labels | toYaml | indent 4 }} +{{- end }} +spec: + template: + metadata: + labels: + app: {{ $job_label }} +{{- if .Values.custom_labels }} +{{ .Values.custom_labels | toYaml | indent 8 }} +{{- end }} + spec: + 
containers: + - name: run + image: quay.io/ibmmas/cli@{{ $_cli_image_digest }} + imagePullPolicy: IfNotPresent + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 10m + memory: 64Mi + env: + - name: ACCOUNT_ID + value: {{ .Values.account_id }} + - name: REGION_ID + value: {{ .Values.region_id }} + - name: ICN + value: '{{ .Values.ibm_customer_number }}' + - name: SUBSCRIPTION_ID + value: '{{ .Values.subscription_id }}' + - name: DOMAIN + value: '{{ .Values.sls_domain }}' + - name: TENANT + value: '{{ .Values.tenant.id }}' + - name: TENANT_NAMESPACE + value: '{{ .Values.tenantNamespace }}' + + # Hard-coded for now: + - name: AVP_TYPE + value: "aws" + volumeMounts: + - name: aws + mountPath: /etc/mas/creds/aws + - name: sls-suite-registration + mountPath: /etc/mas/creds/sls-suite-registration + command: + - /bin/sh + - -c + - | + + set -e + + # NOTE: cannot just render AWS secrets into here, as it will be exposed in the ArgoCD UI + # Instead, we pass them into a secret (ArgoCD knows to hide any data fields in k8s secrets), + # mount the secret on the jobs filesystem, and read them in here + SM_AWS_ACCESS_KEY_ID=$(cat /etc/mas/creds/aws/aws_access_key_id) + SM_AWS_SECRET_ACCESS_KEY=$(cat /etc/mas/creds/aws/aws_secret_access_key) + + echo "Fetching registrationKey from sls-suite-registration ConfigMap in mas-${ICN}-${SUBSCRIPTION_ID}-sls" + SLS_REGISTRATION_KEY=$(cat /etc/mas/creds/sls-suite-registration/registrationKey) + if [[ -z "${SLS_REGISTRATION_KEY}" ]]; then + echo "Failed to fetch registrationKey" + exit 1 + fi + + echo "Fetching ca from sls-suite-registration ConfigMap in mas-${ICN}-${SUBSCRIPTION_ID}-sls" + SLS_CA=$(cat /etc/mas/creds/sls-suite-registration/ca | base64 -w0) + if [[ -z "${SLS_CA}" ]]; then + echo "Failed to fetch ca" + exit 1 + fi + + echo "Setting SLS URL" + SLS_URL="https://sls.mas-${ICN}-${SUBSCRIPTION_ID}-sls.${DOMAIN}" + + # might as well take advantage of gitops_utils for sm_ functions as we're using the cli image + 
source /mascli/functions/gitops_utils + + # aws configure set aws_access_key_id $SM_AWS_ACCESS_KEY_ID + # aws configure set aws_secret_access_key $SM_AWS_SECRET_ACCESS_KEY + # aws configure set default.region $REGION_ID + # aws configure list + export SM_AWS_REGION=${REGION_ID} + sm_login + + # aws secretsmanager create-secret --name ${SECRET_NAME} --secret-string "${SECRET_VALUE}" + ## Why is the secreet name here sls and not license as it is in gitops_license function + SECRET_NAME_SLS=${ACCOUNT_ID}/${ICN}/${SUBSCRIPTION_ID}/sls + # TAGS="[{\"Key\": \"source\", \"Value\": \"postsync-ibm-sls-update-sm-job\"}, {\"Key\": \"account\", \"Value\": \"${ACCOUNT_ID}\"}, {\"Key\": \"subscription_id\", \"Value\": \"${SUBSCRIPTION_ID}\"}]" + # sm_update_secret $SECRET_NAME_SLS "{\"registration_key\": \"$SLS_REGISTRATION_KEY\", \"ca_b64\": \"$SLS_CA\", \"sls_url\":\"$SLS_URL\" }" "${TAGS}" + + # Fetch the instance-level SLS secret and create tenant-level copy + echo "" + echo "Fetching instance-level SLS secret from AWS Secrets Manager" + RAW_SLS_SECRET=$(aws secretsmanager get-secret-value --secret-id "$SECRET_NAME_SLS" --output json 2>/dev/null | jq -r .SecretString) + + if [[ -n "$RAW_SLS_SECRET" && "$RAW_SLS_SECRET" != "null" ]]; then + echo "Successfully fetched instance-level SLS secret" + + # Extract tenant ID from TENANT variable (format could be like "apmdevops") + # For tenant-level path, we need the actual tenant ID + # Assuming TENANT_NAMESPACE format: mas-{icn}-{subscription}-{aiservice}-{tenant_id} + if [[ -n "${TENANT_NAMESPACE:-}" ]]; then + TENANT_ID=$(echo ${TENANT_NAMESPACE} | awk -F'-' '{print $NF}') + + # Create tenant-level secret path + SECRET_NAME_TENANT_SLS=${ACCOUNT_ID}/${ICN}/${SUBSCRIPTION_ID}/${TENANT}/sls + echo "Creating tenant-level SLS secret at: ${SECRET_NAME_TENANT_SLS}" + + TENANT_TAGS="[{\"Key\": \"source\", \"Value\": \"postsync-ibm-sls-update-sm-job\"}, {\"Key\": \"account\", \"Value\": \"${ACCOUNT_ID}\"}, {\"Key\": \"subscription_id\", 
\"Value\": \"${SUBSCRIPTION_ID}\"}, {\"Key\": \"tenant_id\", \"Value\": \"${TENANT_ID}\"}]" + + # Use sm_update_secret to create/update tenant-level secret with same content + sm_update_secret $SECRET_NAME_TENANT_SLS "$RAW_SLS_SECRET" "${TENANT_TAGS}" + + echo "Successfully created/updated tenant-level SLS secret" + else + echo "TENANT_NAMESPACE not set, skipping tenant-level secret creation" + fi + else + echo "Failed to fetch instance-level SLS secret, skipping tenant-level secret creation" + fi + + # 1. Define the namespace using the environment variables passed to the container + namespace="mas-${ICN}-${SUBSCRIPTION_ID}-sls" + + echo "Fetching routes from ${namespace}" + + routes=$(oc get routes -n ${namespace} -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}') + + echo "Routes found:" + echo "${routes}" + + for route in $routes; do + echo "Adding label to route - ${route}" + + oc patch route ${route} \ + -n ${namespace} \ + --type=merge \ + -p '{"metadata":{"labels":{"type":"external"}}}' + done + + restartPolicy: Never + + # TODO: is this the correct SA to use here? + # No, probably want to add a more restricted SA that can just do things that these post-sync jobs need to do + serviceAccountName: {{ $sa_name }} + volumes: + - name: aws + secret: + secretName: {{ $aws_secret }} + defaultMode: 420 + optional: false + - name: sls-suite-registration + configMap: + name: sls-suite-registration + optional: false + + backoffLimit: 4 +{{- end }} \ No newline at end of file From 066991c7287d331596486ead273a44302bd35559 Mon Sep 17 00:00:00 2001 
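Review bot: A failed read of the instance-level secret does not fail the Job. In `RAW_SLS_SECRET=$(aws secretsmanager get-secret-value … 2>/dev/null | jq -r .SecretString)` stderr is discarded and, with only `set -e`, the pipeline takes the exit status of `jq`. The `else` branch then only echoes and falls through to the route loop, so the Job can complete without the tenant-level copy existing. Drop `2>/dev/null` and end that branch with `echo "Failed to fetch instance-level SLS secret" >&2; exit 1`. The script also uses `[[ … ]]` under `/bin/sh -c`, which only works where `sh` is bash; `/bin/bash -c` would state that dependency.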
From: Richa Joshi Date: Wed, 27 May 2026 12:28:28 +0530 Subject: [PATCH 02/41] [minor] sls copy from instance level to tenant level --- .../templates/98-presync-copy-sls.yaml | 14 +++++++------- .../115-ibm-aiservice-tenant/values.yaml | 4 ++++ 2 files changed, 11 insertions(+), 7 deletions(-) rename root-applications/ibm-aiservice-tenant-root/templates/98-ibm-aiservice-sls.yaml => instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml (97%) diff --git a/root-applications/ibm-aiservice-tenant-root/templates/98-ibm-aiservice-sls.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml similarity index 97% rename from root-applications/ibm-aiservice-tenant-root/templates/98-ibm-aiservice-sls.yaml rename to instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml index 729c8ab8d..0987a2f9c 100644 --- a/root-applications/ibm-aiservice-tenant-root/templates/98-ibm-aiservice-sls.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml @@ -1,9 +1,9 @@ -{{- if or .Values.run_sync_hooks (eq .Values.ibm_aiservice_tenant.is_gitops_fvt_env "true") }} +{{- if eq .Values.ibm_aiservice_tenant.is_gitops_fvt_env "true" }} {{- /* Meaningful prefix for the job resource name. Must be under 52 chars in length to leave room for the 11 chars reserved for '-' and $_job_hash. */}} -{{- $_job_name_prefix := "postsync-ibm-sls-update-sm-job" }} +{{- $_job_name_prefix := "presync-copy-sls-to-tenant-job" }} {{- /* Use the build/bin/set-cli-image-digest.sh script to update this value across all charts. @@ -102,7 +102,7 @@ metadata: name: {{ $aws_secret }} namespace: {{ $ns }} annotations: - argocd.argoproj.io/sync-wave: "110" + argocd.argoproj.io/sync-wave: "98" {{- if .Values.custom_labels }} labels: {{ .Values.custom_labels | toYaml | indent 4 }} 
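Review bot: Only `$_job_name_prefix` is renamed in the first hunk. The NetworkPolicy, Role, ServiceAccount, RoleBinding and pod label further down the file (outside this hunk, visible in patch 01) keep the `postsync-ibm-sls-update-sm-*` names, and the credentials Secret is still called `aws`, all in `mas-<icn>-<subscription>-sls`. That namespace does not include the tenant, so every tenant application rendering this template declares the same objects. If the SLS post-sync job these names were copied from uses that namespace too (not visible here), the RBAC and the `aws` Secret would overlap with it as well. Consider deriving the names from the new prefix plus the tenant, e.g. `{{ $sa_name := printf "presync-copy-sls-%s-sa" .Values.tenant_id }}`, and likewise for the others.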
@@ -119,7 +119,7 @@ metadata: name: {{ $sa_name }} namespace: {{ $ns }} annotations: - argocd.argoproj.io/sync-wave: "110" + argocd.argoproj.io/sync-wave: "98" {{- if .Values.custom_labels }} labels: {{ .Values.custom_labels | toYaml | indent 4 }} @@ -132,7 +132,7 @@ metadata: name: {{ $role_name }} namespace: {{ $ns }} annotations: - argocd.argoproj.io/sync-wave: "110" + argocd.argoproj.io/sync-wave: "98" {{- if .Values.custom_labels }} labels: {{ .Values.custom_labels | toYaml | indent 4 }} @@ -160,7 +160,7 @@ metadata: name: {{ $rb_name }} namespace: {{ $ns }} annotations: - argocd.argoproj.io/sync-wave: "111" + argocd.argoproj.io/sync-wave: "99" {{- if .Values.custom_labels }} labels: {{ .Values.custom_labels | toYaml | indent 4 }} @@ -181,7 +181,7 @@ metadata: name: {{ $_job_name }} namespace: {{ $ns }} annotations: - argocd.argoproj.io/sync-wave: "112" + argocd.argoproj.io/sync-wave: "100" argocd.argoproj.io/sync-options: Prune=true labels: mas.ibm.com/job-cleanup-group: {{ $_job_cleanup_group }} diff --git a/instance-applications/115-ibm-aiservice-tenant/values.yaml b/instance-applications/115-ibm-aiservice-tenant/values.yaml index 69ae7c41b..8a8bf88be 100644 --- a/instance-applications/115-ibm-aiservice-tenant/values.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/values.yaml @@ -1,6 +1,10 @@ catalog_channel: "9.2.x-dev" catalog_source: ibm-operator-catalog +# FVT Environment Configuration +ibm_aiservice_tenant: + is_gitops_fvt_env: "false" + # aiservice tenant_id: "aiservice-t01" aiservice_namespace: "aiservice-inst-1-aiservice" From 77cc1f0bee0af84ac121fabb91d45796c00218a1 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Thu, 28 May 2026 02:21:30 +0530 Subject: [PATCH 03/41] Removed condition for temporary check --- .../templates/98-presync-copy-sls.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml index 0987a2f9c..ff992b1d6 100644 --- a/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml @@ -1,4 +1,6 @@ +{{- /* TEMPORARY: Condition removed for testing {{- if eq .Values.ibm_aiservice_tenant.is_gitops_fvt_env "true" }} +*/}} {{- /* Meaningful prefix for the job resource name. Must be under 52 chars in length to leave room for the 11 chars reserved for '-' and $_job_hash. 
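Review bot: With the `if` wrapped in a template comment here, and the matching `{{- end }}` commented out in the last hunk of this patch, the template is no longer gated. The Secret carrying the AWS Secrets Manager keys, the Role and the copy Job are rendered for every tenant, not only where `is_gitops_fvt_env` is "true". The comment marks this as temporary for testing. Unless a later patch in the series restores it, `{{- if eq .Values.ibm_aiservice_tenant.is_gitops_fvt_env "true" }}` … `{{- end }}` should be back before this merges.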
@@ -286,24 +288,20 @@ spec: if [[ -n "$RAW_SLS_SECRET" && "$RAW_SLS_SECRET" != "null" ]]; then echo "Successfully fetched instance-level SLS secret" - # Extract tenant ID from TENANT variable (format could be like "apmdevops") - # For tenant-level path, we need the actual tenant ID - # Assuming TENANT_NAMESPACE format: mas-{icn}-{subscription}-{aiservice}-{tenant_id} - if [[ -n "${TENANT_NAMESPACE:-}" ]]; then - TENANT_ID=$(echo ${TENANT_NAMESPACE} | awk -F'-' '{print $NF}') - + # Create tenant-level secret using TENANT variable (contains tenant ID) + if [[ -n "${TENANT:-}" ]]; then # Create tenant-level secret path SECRET_NAME_TENANT_SLS=${ACCOUNT_ID}/${ICN}/${SUBSCRIPTION_ID}/${TENANT}/sls echo "Creating tenant-level SLS secret at: ${SECRET_NAME_TENANT_SLS}" - TENANT_TAGS="[{\"Key\": \"source\", \"Value\": \"postsync-ibm-sls-update-sm-job\"}, {\"Key\": \"account\", \"Value\": \"${ACCOUNT_ID}\"}, {\"Key\": \"subscription_id\", \"Value\": \"${SUBSCRIPTION_ID}\"}, {\"Key\": \"tenant_id\", \"Value\": \"${TENANT_ID}\"}]" + TENANT_TAGS="[{\"Key\": \"source\", \"Value\": \"presync-copy-sls-to-tenant-job\"}, {\"Key\": \"account\", \"Value\": \"${ACCOUNT_ID}\"}, {\"Key\": \"subscription_id\", \"Value\": \"${SUBSCRIPTION_ID}\"}, {\"Key\": \"tenant_id\", \"Value\": \"${TENANT}\"}]" # Use sm_update_secret to create/update tenant-level secret with same content sm_update_secret $SECRET_NAME_TENANT_SLS "$RAW_SLS_SECRET" "${TENANT_TAGS}" echo "Successfully created/updated tenant-level SLS secret" else - echo "TENANT_NAMESPACE not set, skipping tenant-level secret creation" + echo "TENANT variable not set, skipping tenant-level secret creation" fi else echo "Failed to fetch instance-level SLS secret, skipping tenant-level secret creation" @@ -345,4 +343,6 @@ spec: optional: false backoffLimit: 4 -{{- end }} \ No newline at end of file +{{- /* TEMPORARY: End condition commented out for testing +{{- end }} +*/}} \ No newline at end of file 
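Review bot: The tenant path and the `tenant_id` tag now both come from `TENANT`, which patch 01 sets from `.Values.tenant.id`, while this chart's values.yaml (context lines in patch 02) defines a top-level `tenant_id`. It is worth confirming which key the tenant application actually passes, since a missing `tenant` map would normally break rendering rather than leave `TENANT` empty. `sm_update_secret $SECRET_NAME_TENANT_SLS …` leaves the secret name unquoted; `sm_update_secret "${SECRET_NAME_TENANT_SLS}" "$RAW_SLS_SECRET" "${TENANT_TAGS}"` keeps it a single argument. The `else` branch still exits 0 when `TENANT` is empty, so the skipped copy shows up only in the log; `exit 1` there would surface it.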
From 1c7d549a708d0731c10ada891dae3582854e5d17 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Mon, 1 Jun 2026 00:14:47 +0530 Subject: [PATCH 04/41] db2u related configs added --- .../templates/020-ibm-db2u-app.yaml | 84 +++++++++++++++++++ .../099-aiservice-instance-appset.yaml | 7 +- 2 files changed, 90 insertions(+), 1 deletion(-) create mode 100644 root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml diff --git a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml new file mode 100644 index 000000000..f6a0e147a --- /dev/null +++ b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml 
@@ -0,0 +1,84 @@ +{{- if not (empty .Values.ibm_db2u) }} +--- +# IBM DB2U Application for AI Service +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: db2u.{{ .Values.cluster.id }}.{{ .Values.instance.id }} + namespace: {{ .Values.argo.namespace }} + labels: + environment: '{{ .Values.account.id }}' + cluster: '{{ .Values.cluster.id }}' + {{- if .Values.argo.instance }} + argocd.argoproj.io/instance: '{{ .Values.argo.instance }}' + {{- end }} + instance: '{{ .Values.instance.id }}' + annotations: + argocd.argoproj.io/sync-wave: "020" + healthCheckTimeout: "1800" + {{- if and .Values.notifications .Values.notifications.slack_channel_id }} + notifications.argoproj.io/subscribe.on-sync-failed.workspace1: {{ .Values.notifications.slack_channel_id }} + notifications.argoproj.io/subscribe.on-sync-succeeded.workspace1: {{ .Values.notifications.slack_channel_id }} + {{- end }} + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: "{{ .Values.argo.projects.apps }}" + destination: + server: {{ .Values.cluster.url }} + namespace: "{{ .Values.ibm_db2u.db2_namespace }}" + source: + repoURL: "{{ .Values.source.repo_url }}" + path: instance-applications/110-ibm-db2u + targetRevision: "{{ .Values.source.revision }}" + plugin: + name: {{ .Values.avp.name }} + env: + - name: {{ .Values.avp.values_varname }} + value: | + argo_namespace: "{{ .Values.argo.namespace }}" + db2_namespace: "{{ .Values.ibm_db2u.db2_namespace }}" + cluster_admin_role: {{ .Values.cluster_admin_role }} + application_admin_role: {{ .Values.application_admin_role }} + ibm_entitlement_key: "{{ .Values.ibm_db2u.ibm_entitlement_key }}" + db2_channel: "{{ .Values.ibm_db2u.db2_channel }}" + db2_install_plan: "{{ .Values.ibm_db2u.db2_install_plan }}" + {{- if .Values.custom_labels }} + custom_labels: {{ .Values.custom_labels | toYaml | nindent 14 }} + {{- end }} + junitreporter: + reporter_name: "ibm-db2u-{{ .Values.instance.id }}" + cluster_id: "{{ .Values.cluster.id }}" + 
instance_id: "{{ .Values.instance.id }}" + devops_mongo_uri: "{{ .Values.devops.mongo_uri }}" + devops_build_number: "{{ .Values.devops.build_number }}" + gitops_version: "{{ .Values.source.revision }}" + - name: ARGOCD_APP_NAME + value: db2uapp + {{- if not (empty .Values.avp.secret) }} + - name: AVP_SECRET + value: {{ .Values.avp.secret }} + {{- end }} + syncPolicy: + automated: + {{- if .Values.auto_delete }} + prune: true + {{- end }} + selfHeal: true + retry: + limit: 20 + syncOptions: + - CreateNamespace=true +{{- if or .Values.custom_labels .Values.argocluster_instance }} + managedNamespaceMetadata: + labels: + {{- if .Values.argocluster_instance }} + argocd.argoproj.io/managed-by: {{ .Values.argocluster_instance }} + {{- end }} + {{- if .Values.custom_labels }} +{{ .Values.custom_labels | toYaml | indent 8 }} + {{- end }} +{{- end }} +{{- end }} + +# Made with Bob diff --git a/root-applications/ibm-mas-cluster-root/templates/099-aiservice-instance-appset.yaml b/root-applications/ibm-mas-cluster-root/templates/099-aiservice-instance-appset.yaml index fed57bf53..4b3fa3207 100644 --- a/root-applications/ibm-mas-cluster-root/templates/099-aiservice-instance-appset.yaml +++ b/root-applications/ibm-mas-cluster-root/templates/099-aiservice-instance-appset.yaml @@ -36,7 +36,12 @@ spec: repoURL: "{{ .Values.generator.repo_url }}" revision: "{{ .Values.generator.revision }}" files: - - path: "{{ .Values.account.id }}/{{ .Values.cluster.id }}/*/ibm-mas-odh-install.yaml" + - path: "{{ .Values.account.id }}/{{ .Values.cluster.id }}/*/ibm-db2u.yaml" + - git: + repoURL: "{{ .Values.generator.repo_url }}" + revision: "{{ .Values.generator.revision }}" + files: + - path: "{{ .Values.account.id }}/{{ .Values.cluster.id }}/*/ibm-mas-odh-install.yaml" - git: repoURL: "{{ .Values.generator.repo_url }}" revision: "{{ .Values.generator.revision }}" From e4123c81a8d4bb3f608b8d54bb89714856072c44 Mon Sep 17 00:00:00 2001 
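Review bot: `ibm_entitlement_key: "{{ .Values.ibm_db2u.ibm_entitlement_key }}"` is rendered into the Application's plugin `env` value, which is stored in the Application resource and readable wherever the spec is (Argo CD UI, `get application`). Patch 06 adds `sm_aws_access_key_id` and `sm_aws_secret_access_key` to the same block, and `devops_mongo_uri` may embed credentials too. If these values arrive as vault-plugin placeholders that are resolved only when the child chart is rendered, this is fine, but nothing in the file says so. The SLS job template in patch 01 carries a comment about exactly this exposure. I would add one above the `env` entry, e.g. `{{- /* values below must be AVP placeholders, never literal secrets: this block is readable in the Application spec */}}`.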
From: Richa Joshi Date: Mon, 1 Jun 2026 13:31:56 +0530 Subject: [PATCH 05/41] minor fix related to db2u --- .../templates/020-ibm-db2u-app.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml index f6a0e147a..fb046d1e0 100644 --- a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml +++ b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml @@ -8,6 +8,7 @@ metadata: namespace: {{ .Values.argo.namespace }} labels: environment: '{{ .Values.account.id }}' + region: '{{ .Values.region.id }}' cluster: '{{ .Values.cluster.id }}' {{- if .Values.argo.instance }} argocd.argoproj.io/instance: '{{ .Values.argo.instance }}' @@ -38,6 +39,7 @@ spec: value: | argo_namespace: "{{ .Values.argo.namespace }}" db2_namespace: "{{ .Values.ibm_db2u.db2_namespace }}" + cli_image_repo: {{ .Values.cli_image_repo }} cluster_admin_role: {{ .Values.cluster_admin_role }} application_admin_role: {{ .Values.application_admin_role }} ibm_entitlement_key: "{{ .Values.ibm_db2u.ibm_entitlement_key }}" @@ -53,6 +55,7 @@ spec: devops_mongo_uri: "{{ .Values.devops.mongo_uri }}" devops_build_number: "{{ .Values.devops.build_number }}" gitops_version: "{{ .Values.source.revision }}" + cli_image_repo: {{ .Values.cli_image_repo }} - name: ARGOCD_APP_NAME value: db2uapp {{- if not (empty .Values.avp.secret) }} From a10e73f1997bf059f74c4c35bcf6616911228764 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Wed, 3 Jun 2026 11:27:37 +0530 Subject: [PATCH 06/41] db2 operator creation related minor fix --- .../templates/020-ibm-db2u-app.yaml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) 
diff --git a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml index fb046d1e0..69ee7b4ea 100644 --- a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml +++ b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml @@ -30,24 +30,27 @@ spec: namespace: "{{ .Values.ibm_db2u.db2_namespace }}" source: repoURL: "{{ .Values.source.repo_url }}" - path: instance-applications/110-ibm-db2u + path: instance-applications/120-ibm-db2u-database targetRevision: "{{ .Values.source.revision }}" plugin: name: {{ .Values.avp.name }} env: - name: {{ .Values.avp.values_varname }} value: | - argo_namespace: "{{ .Values.argo.namespace }}" - db2_namespace: "{{ .Values.ibm_db2u.db2_namespace }}" - cli_image_repo: {{ .Values.cli_image_repo }} + account_id: "{{ .Values.account.id }}" + region_id: "{{ .Values.region.id }}" + cluster_id: "{{ .Values.cluster.id }}" + instance_id: "{{ .Values.instance.id }}" + sm_aws_access_key_id: "{{ .Values.sm.aws_access_key_id }}" + sm_aws_secret_access_key: "{{ .Values.sm.aws_secret_access_key }}" cluster_admin_role: {{ .Values.cluster_admin_role }} application_admin_role: {{ .Values.application_admin_role }} - ibm_entitlement_key: "{{ .Values.ibm_db2u.ibm_entitlement_key }}" - db2_channel: "{{ .Values.ibm_db2u.db2_channel }}" - db2_install_plan: "{{ .Values.ibm_db2u.db2_install_plan }}" + {{- if .Values.custom_labels }} custom_labels: {{ .Values.custom_labels | toYaml | nindent 14 }} {{- end }} + + should_execute: true junitreporter: reporter_name: "ibm-db2u-{{ .Values.instance.id }}" cluster_id: "{{ .Values.cluster.id }}" 
@@ -56,6 +59,7 @@ spec: devops_build_number: "{{ .Values.devops.build_number }}" gitops_version: "{{ .Values.source.revision }}" cli_image_repo: {{ .Values.cli_image_repo }} + {{ .Values.ibm_db2u | toYaml | nindent 12 }} - name: ARGOCD_APP_NAME value: db2uapp {{- if not (empty .Values.avp.secret) }} From 029a69f64b543e3bf0cf3daaf6b7765ff7612a82 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Wed, 3 Jun 2026 18:16:32 +0530 Subject: [PATCH 07/41] Removed ldap related configs --- .../120-ibm-db2u-database/templates/03-db2uinstance.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/instance-applications/120-ibm-db2u-database/templates/03-db2uinstance.yaml b/instance-applications/120-ibm-db2u-database/templates/03-db2uinstance.yaml index 13b0040fa..bfb058185 100644 --- a/instance-applications/120-ibm-db2u-database/templates/03-db2uinstance.yaml +++ b/instance-applications/120-ibm-db2u-database/templates/03-db2uinstance.yaml @@ -59,6 +59,15 @@ spec: secretName: "db2u-certificate-{{ .Values.db2_instance_name }}" certLabel: "CN=db2u" allowSslOnly: true +{{- if .Values.db2_ldap_enabled }} + authentication: + ldap: + enabled: {{ .Values.db2_ldap_enabled }} +{{- else }} + authentication: + ldap: + enabled: false +{{- end }} instance: {{- if .Values.db2_instance_registry }} From a01597a793dd8d67b0ef31141b2a164f5144a648 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Wed, 3 Jun 2026 22:02:40 +0530 Subject: [PATCH 08/41] jdbc. related configurations added --- .../templates/07-postsync-setup-db2_Job.yaml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml b/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml index 881b7f6f3..10d07b25e 100644 --- a/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml +++ b/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml 
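Review bot: `{{ .Values.ibm_db2u | toYaml | nindent 12 }}` copies the whole `ibm_db2u` map into the child chart's values without an allow-list. Whatever that map holds now flows through, including the `ibm_entitlement_key` that patch 04 passed explicitly. Any key in it that repeats one set above becomes a duplicate key whose winner depends on the YAML parser. The action also lacks the `{{-` trim used elsewhere in the file, so it leaves a whitespace-only line in the block scalar. Either keep an explicit list of keys, or add a comment at this line stating which keys `ibm_db2u` may contain and that it must not repeat the ones above.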
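Review bot: Both branches in the 03-db2uinstance.yaml hunk emit the same `authentication.ldap.enabled` key, so the `if`/`else` can collapse to a single block with `enabled: {{ .Values.db2_ldap_enabled | default false }}`. The subject says LDAP configuration was removed, while the hunk pins LDAP authentication to disabled whenever `db2_ldap_enabled` is unset. A comment such as `# LDAP off unless db2_ldap_enabled is set; confirm which authentication the instance falls back to` would tell operators that this default is deliberate.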
@@ -786,6 +786,38 @@ spec: TAGS="[{\"Key\": \"source\", \"Value\": \"postsync-setup-db2\"}, {\"Key\": \"account\", \"Value\": \"${ACCOUNT_ID}\"}, {\"Key\": \"cluster\", \"Value\": \"${CLUSTER_ID}\"}]" sm_update_secret ${DB2_CONFIG_SECRET} "{ \"jdbc_connection_url\": \"${JDBC_CONNECTION_URL}\", \"jdbc_instance_name\": \"${DB2_INSTANCE_NAME}\", \"ca_b64\": \"${DB2_CA_PEM}\", \"db2_dbname\": \"${DB2_DBNAME}\", \"db2_namespace\": \"${DB2_NAMESPACE}\" }" "${TAGS}" || exit $? + # Update JDBC secret for AI Service (if MAS_APP_ID is empty or "aiservice") + if [[ -z "${MAS_APP_ID}" || "${MAS_APP_ID}" == "aiservice" ]]; then + echo "" + echo "================================================================================" + echo "Updating JDBC secret for AI Service" + echo "================================================================================" + + # Fetch DB2 instance password + echo "" + echo "Fetching DB2 instance password from c-${DB2_INSTANCE_NAME}-instancepassword secret" + echo "--------------------------------------------------------------------------------" + export DB2_PASSWORD=$(oc get secret c-${DB2_INSTANCE_NAME}-instancepassword -n ${DB2_NAMESPACE} -o jsonpath='{.data.password}' | base64 -d) + if [[ -z "${DB2_PASSWORD}" ]]; then + echo "Failed to fetch DB2 instance password" + exit 1 + fi + + # Construct JDBC secret name + JDBC_SECRET_NAME="${ACCOUNT_ID}/${CLUSTER_ID}/${MAS_INSTANCE_ID}/jdbc" + + echo "" + echo "Updating JDBC secret: ${JDBC_SECRET_NAME}" + echo "--------------------------------------------------------------------------------" + + # Update JDBC secret with real DB2 connection details + JDBC_TAGS="[{\"Key\": \"jdbccfg_username\", \"Value\": \"jdbccfg_username\"}, {\"Key\": \"jdbccfg_password\", \"Value\": \"jdbccfg_password\"}, {\"Key\": \"jdbccfg_url\", \"Value\": \"jdbccfg_url\"}, {\"Key\": \"jdbccfg_sslenabled\", \"Value\": \"jdbccfg_sslenabled\"}, {\"Key\": \"jdbccfg_ca_b64enc\", \"Value\": \"jdbccfg_ca_b64enc\"}]" + + 
sm_update_secret "${JDBC_SECRET_NAME}" "{\"jdbccfg_username\":\"db2inst1\",\"jdbccfg_password\":\"${DB2_PASSWORD}\",\"jdbccfg_url\":\"${JDBC_CONNECTION_URL}\",\"jdbccfg_sslenabled\":\"true\",\"jdbccfg_ca_b64enc\":\"${DB2_CA_PEM}\"}" "${JDBC_TAGS}" || exit $? + + echo "✓ JDBC secret updated successfully for AI Service" + fi + if [[ -n $BUCKET_NAME ]]; then echo "" echo "================================================================================" From 1296e7d6eaa3124c593b50b83e9406ee255795c4 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Wed, 3 Jun 2026 22:52:53 +0530 Subject: [PATCH 09/41] minor DB2U_INSTANCE_NAME fix --- .../templates/07-postsync-setup-db2_Job.yaml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml b/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml index 10d07b25e..df3dacdbd 100644 --- a/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml +++ b/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml 
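Review bot: The secret payload is assembled by pasting `${DB2_PASSWORD}` into a JSON string, so a password containing `"` or `\` yields invalid or altered JSON. Building it with jq, which this script already uses, escapes every field: `JDBC_SECRET_JSON=$(jq -cn --arg p "${DB2_PASSWORD}" --arg url "${JDBC_CONNECTION_URL}" --arg ca "${DB2_CA_PEM}" '{jdbccfg_username:"db2inst1",jdbccfg_password:$p,jdbccfg_url:$url,jdbccfg_sslenabled:"true",jdbccfg_ca_b64enc:$ca}')`, then pass `"${JDBC_SECRET_JSON}"` to `sm_update_secret`. `export DB2_PASSWORD=…` also places the password in the environment of every later child process; a plain assignment is enough. `JDBC_TAGS` uses each field name as both tag key and value, which looks like placeholder data; the source/account/cluster tags used for `DB2_CONFIG_SECRET` just above would be more useful. The job also publishes the `db2inst1` instance-owner password for application use, so a dedicated, less privileged database user would be the safer credential if one can be provisioned.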
@@ -632,8 +632,15 @@ spec: fi # check if config LOGARCHMETH1 is defined - config_op=`oc get db2uinstances db2wh-${MAS_INSTANCE_ID}-${MAS_APP_ID} -n ${DB2_NAMESPACE} -o json | jq -r '.spec.environment.databases' | jq ".[] | select(.name==\"${DB2_DBNAME}\")" | jq '.dbConfig.LOGARCHMETH1' | sed 's/DISK://'` - if [[ "${config_op}" != "null" ]]; then + # For AI Service (empty MAS_APP_ID), use DB2_INSTANCE_NAME directly + if [[ -z "${MAS_APP_ID}" || "${MAS_APP_ID}" == "aiservice" ]]; then + DB2U_INSTANCE_NAME="${DB2_INSTANCE_NAME}" + else + DB2U_INSTANCE_NAME="db2wh-${MAS_INSTANCE_ID}-${MAS_APP_ID}" + fi + + config_op=`oc get db2uinstances ${DB2U_INSTANCE_NAME} -n ${DB2_NAMESPACE} -o json | jq -r '.spec.environment.databases' | jq ".[] | select(.name==\"${DB2_DBNAME}\")" | jq '.dbConfig.LOGARCHMETH1' | sed 's/DISK://'` + if [[ "${config_op}" != "null" && -n "${config_op}" ]]; then echo "" echo "Creating directory ${config_op} for LOGARCHMETH1 on ${DB2_NAMESPACE}/c-${DB2_INSTANCE_NAME}-db2u-0" echo "--------------------------------------------------------------------------------" From fea6caa0740d95ec93fe3c8f6d2df8b41debf235 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Thu, 4 Jun 2026 00:07:38 +0530 Subject: [PATCH 10/41] Added condition for mas_ap_id in aiservice configs --- .../templates/07-postsync-setup-db2_Job.yaml | 27 +++++++++++++------ 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml b/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml index df3dacdbd..8a434ee41 100644 --- a/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml +++ b/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml 
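Review bot: The added `-n "${config_op}"` test turns a failed lookup into a silent skip: when `oc get db2uinstances ${DB2U_INSTANCE_NAME}` errors out (for example because `DB2_INSTANCE_NAME` is not the name of a Db2uInstance), the pipeline yields an empty string and the LOGARCHMETH1 directory step is bypassed without any message. Fetching the resource first and failing on error keeps the two cases apart, e.g. `db2u_json=$(oc get db2uinstances "${DB2U_INSTANCE_NAME}" -n "${DB2_NAMESPACE}" -o json) || exit $?`, with `"${db2u_json}"` then fed to the existing jq filters. The enclosing script continues outside the hunk, so an existing `pipefail` setting, if any, is not visible here.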
@@ -304,10 +304,15 @@ spec: RETRIES=${1:-5} RETRY_DELAY_SECONDS=${2:-30} - mas-devops-db2-validate-config --mas-instance-id ${MAS_INSTANCE_ID} --mas-app-id ${MAS_APP_ID} --log-level DEBUG || rc=$? - if [[ "$rc" == "0" ]]; then - echo "... db2 config already matches expected config, returning without calling apply-db2cfg-settings" - return 0 + # Skip validation for AI Service (MAS_APP_ID is empty or "aiservice") + if [[ -n "${MAS_APP_ID}" && "${MAS_APP_ID}" != "aiservice" ]]; then + mas-devops-db2-validate-config --mas-instance-id ${MAS_INSTANCE_ID} --mas-app-id ${MAS_APP_ID} --log-level DEBUG || rc=$? + if [[ "$rc" == "0" ]]; then + echo "... db2 config already matches expected config, returning without calling apply-db2cfg-settings" + return 0 + fi + else + echo "... skipping db2 config validation for AI Service (MAS_APP_ID is empty or aiservice)" fi for (( c=1; c<="${RETRIES}"; c++ )); do @@ -316,10 +321,16 @@ spec: oc exec -n ${DB2_NAMESPACE} c-${DB2_INSTANCE_NAME}-db2u-0 -- su -lc '/db2u/scripts/apply-db2cfg-settings.sh --setting all | tee /tmp/apply-db2cfg-settings.log' db2inst1 # no useful info in return code of this script - rc=0 - mas-devops-db2-validate-config --mas-instance-id ${MAS_INSTANCE_ID} --mas-app-id ${MAS_APP_ID} --log-level DEBUG || rc=$? - if [[ "$rc" == "0" ]]; then - echo "...... success" + # Skip validation for AI Service + if [[ -n "${MAS_APP_ID}" && "${MAS_APP_ID}" != "aiservice" ]]; then + rc=0 + mas-devops-db2-validate-config --mas-instance-id ${MAS_INSTANCE_ID} --mas-app-id ${MAS_APP_ID} --log-level DEBUG || rc=$? + if [[ "$rc" == "0" ]]; then + echo "...... success" + return 0 + fi + else + echo "...... skipping validation for AI Service, assuming success" return 0 fi From 6f625a13bcae3c5ba16081bc85d6bf126e8438f2 Mon Sep 17 00:00:00 2001 
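Review bot: In the first validation block `rc` is tested by `[[ "$rc" == "0" ]]` but is only ever assigned on failure (`|| rc=$?`), so unless it is initialised before the visible lines a successful `mas-devops-db2-validate-config` leaves it unset and the early `return 0` is never taken. Adding `rc=0` on the line before the call, as the retry loop further down already does, makes the "already matches expected config" shortcut reachable. The function begins outside the hunk, so an earlier initialisation cannot be ruled out.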
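Review bot: The new `else` branch inside the retry loop returns 0 for AI Service right after `apply-db2cfg-settings.sh`, whose exit status the existing comment describes as carrying no useful information, so the job reports success without any evidence that a setting was applied and the remaining retries are never used. The message would be more accurate as `echo "...... db2 config applied but NOT validated for AI Service"`, with a comment above the branch such as `# TODO: no validation path for AI Service yet; result of apply is unverified`. The same AI Service test is spelled out in both hunks here and again, inverted, in the LOGARCHMETH1 hunk; a small helper function returning true for an empty or `aiservice` `MAS_APP_ID` would keep the three copies from drifting apart.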
From: Richa Joshi Date: Thu, 4 Jun 2026 12:48:31 +0530 Subject: [PATCH 11/41] condition added for aws --- .../templates/07-postsync-setup-db2_Job.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml b/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml index 8a434ee41..0328d0b27 100644 --- a/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml +++ b/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml @@ -67,6 +67,8 @@ are required here. */}} {{- $_job_cleanup_group := cat $_job_name_prefix .Values.db2_instance_name | sha1sum }} +{{- if and .Values.sm_aws_access_key_id .Values.sm_aws_secret_access_key }} +{{- if and .Values.sm_aws_access_key_id .Values.sm_aws_secret_access_key }} --- kind: Secret apiVersion: v1 @@ -87,9 +89,11 @@ data: db2_backup_bucket_secret_key: {{ .Values.db2_backup_bucket_secret_key | b64enc }} {{- if .Values.db2_backup_icd_auth_key }} icd_auth_key: {{ .Values.db2_backup_icd_auth_key | b64enc }} -{{- end }} +{{- end }} {{- end }} type: Opaque +{{- end }} +{{- end }} --- # Service account that is authorized to read k8s secrets (needed by the job) From 9d9b934af3c17e8575be7d0df2c5be3d9c41b1a5 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Thu, 4 Jun 2026 13:49:19 +0530 Subject: [PATCH 12/41] Remove duplicate conditional check for AWS credentials in DB2 postSync job --- .../templates/07-postsync-setup-db2_Job.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml b/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml index 0328d0b27..01f2dec2b 100644 --- a/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml +++ b/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml 
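Review bot: The guard `{{- if and .Values.sm_aws_access_key_id .Values.sm_aws_secret_access_key }}` is added twice in a row ahead of the Secret and closed by two added `{{- end }}` lines after `type: Opaque` in the second hunk. One pair is redundant and should be removed together, because dropping only the opening line leaves an unmatched `{{- end }}` and the chart stops rendering. The Job and ServiceAccount further down are outside both hunks, so it is not visible whether everything that reads this Secret is skipped under the same condition; if not, a deployment without AWS keys would reference a Secret that was never created. A template comment above the guard, e.g. `{{- /* Secret is only rendered when Secrets Manager credentials are supplied */}}`, would record the intent.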
@@ -67,7 +67,6 @@ are required here. */}} {{- $_job_cleanup_group := cat $_job_name_prefix .Values.db2_instance_name | sha1sum }} -{{- if and .Values.sm_aws_access_key_id .Values.sm_aws_secret_access_key }} {{- if and .Values.sm_aws_access_key_id .Values.sm_aws_secret_access_key }} --- kind: Secret From 6f943f2ffbb4704e17329b6b7ee4443354e3b567 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Thu, 4 Jun 2026 21:04:51 +0530 Subject: [PATCH 13/41] Removed the changes refarding secrets --- .../templates/020-ibm-db2u-app.yaml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml index 69ee7b4ea..ea7197ded 100644 --- a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml +++ b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml 
@@ -37,20 +37,19 @@ spec: env: - name: {{ .Values.avp.values_varname }} value: | - account_id: "{{ .Values.account.id }}" - region_id: "{{ .Values.region.id }}" - cluster_id: "{{ .Values.cluster.id }}" - instance_id: "{{ .Values.instance.id }}" - sm_aws_access_key_id: "{{ .Values.sm.aws_access_key_id }}" - sm_aws_secret_access_key: "{{ .Values.sm.aws_secret_access_key }}" + argo_namespace: "{{ .Values.argo.namespace }}" + db2_namespace: "{{ .Values.ibm_db2u.db2_namespace }}" + cli_image_repo: {{ .Values.cli_image_repo }} cluster_admin_role: {{ .Values.cluster_admin_role }} application_admin_role: {{ .Values.application_admin_role }} + ibm_entitlement_key: "{{ .Values.ibm_db2u.ibm_entitlement_key }}" + db2_channel: "{{ .Values.ibm_db2u.db2_channel }}" + db2_install_plan: "{{ .Values.ibm_db2u.db2_install_plan }}" {{- if .Values.custom_labels }} custom_labels: {{ .Values.custom_labels | toYaml | nindent 14 }} {{- end }} - should_execute: true junitreporter: reporter_name: "ibm-db2u-{{ .Values.instance.id }}" cluster_id: "{{ .Values.cluster.id }}" @@ -59,7 +58,7 @@ spec: devops_build_number: "{{ .Values.devops.build_number }}" gitops_version: "{{ .Values.source.revision }}" cli_image_repo: {{ .Values.cli_image_repo }} - {{ .Values.ibm_db2u | toYaml | nindent 12 }} + - name: ARGOCD_APP_NAME value: db2uapp {{- if not (empty .Values.avp.secret) }} From 29d5077947e99d939db4774e5f523ec0717c3118 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Thu, 4 Jun 2026 22:28:24 +0530 Subject: [PATCH 14/41] db2u configs passed to create resources --- .../templates/020-ibm-db2u-app.yaml | 100 ++++++++++++++++++ 1 file changed, 100 insertions(+) diff --git a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml index ea7197ded..c6898871f 100644 --- a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml 
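Review bot: The added `ibm_entitlement_key: "{{ .Values.ibm_db2u.ibm_entitlement_key }}"` line writes whatever that value holds into the Argo CD Application spec, where anyone able to read Applications in the Argo namespace can see it. That is only safe if the value is always a vault-plugin placeholder resolved at render time, which the hunk does not show. A comment above the line such as `# must be an AVP placeholder, never a literal entitlement key` would make the contract explicit. The same line appears in the new `010-ibm-db2u-app.yaml` added later in this series.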
+++ b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml 
@@ -50,6 +50,106 @@ spec: custom_labels: {{ .Values.custom_labels | toYaml | nindent 14 }} {{- end }} + # Pass all DB2 configuration values from ibm-db2u.yaml + {{- if .Values.db2_instance_name }} + db2_instance_name: "{{ .Values.db2_instance_name }}" + {{- end }} + {{- if .Values.db2_dbname }} + db2_dbname: "{{ .Values.db2_dbname }}" + {{- end }} + {{- if .Values.db2_version }} + db2_version: "{{ .Values.db2_version }}" + {{- end }} + {{- if .Values.db2_action }} + db2_action: "{{ .Values.db2_action }}" + {{- end }} + {{- if .Values.db2_type }} + db2_type: "{{ .Values.db2_type }}" + {{- end }} + {{- if .Values.db2_mln_count }} + db2_mln_count: {{ .Values.db2_mln_count }} + {{- end }} + {{- if .Values.db2_num_pods }} + db2_num_pods: {{ .Values.db2_num_pods }} + {{- end }} + {{- if .Values.db2_table_org }} + db2_table_org: "{{ .Values.db2_table_org }}" + {{- end }} + {{- if .Values.db2_cpu_requests }} + db2_cpu_requests: "{{ .Values.db2_cpu_requests }}" + {{- end }} + {{- if .Values.db2_memory_requests }} + db2_memory_requests: "{{ .Values.db2_memory_requests }}" + {{- end }} + {{- if .Values.db2_cpu_limits }} + db2_cpu_limits: "{{ .Values.db2_cpu_limits }}" + {{- end }} + {{- if .Values.db2_memory_limits }} + db2_memory_limits: "{{ .Values.db2_memory_limits }}" + {{- end }} + {{- if .Values.db2_meta_storage_class }} + db2_meta_storage_class: "{{ .Values.db2_meta_storage_class }}" + {{- end }} + {{- if .Values.db2_meta_storage_accessmode }} + db2_meta_storage_accessmode: "{{ .Values.db2_meta_storage_accessmode }}" + {{- end }} + {{- if .Values.db2_meta_storage_size }} + db2_meta_storage_size: "{{ .Values.db2_meta_storage_size }}" + {{- end }} + {{- if .Values.db2_backup_storage_class }} + db2_backup_storage_class: "{{ .Values.db2_backup_storage_class }}" + {{- end }} + {{- if .Values.db2_backup_storage_accessmode }} + db2_backup_storage_accessmode: "{{ .Values.db2_backup_storage_accessmode }}" + {{- end }} + {{- if .Values.db2_backup_storage_size }} + 
db2_backup_storage_size: "{{ .Values.db2_backup_storage_size }}" + {{- end }} + {{- if .Values.db2_data_storage_class }} + db2_data_storage_class: "{{ .Values.db2_data_storage_class }}" + {{- end }} + {{- if .Values.db2_data_storage_accessmode }} + db2_data_storage_accessmode: "{{ .Values.db2_data_storage_accessmode }}" + {{- end }} + {{- if .Values.db2_data_storage_size }} + db2_data_storage_size: "{{ .Values.db2_data_storage_size }}" + {{- end }} + {{- if .Values.db2_temp_storage_class }} + db2_temp_storage_class: "{{ .Values.db2_temp_storage_class }}" + {{- end }} + {{- if .Values.db2_temp_storage_accessmode }} + db2_temp_storage_accessmode: "{{ .Values.db2_temp_storage_accessmode }}" + {{- end }} + {{- if .Values.db2_temp_storage_size }} + db2_temp_storage_size: "{{ .Values.db2_temp_storage_size }}" + {{- end }} + {{- if .Values.db2_logs_storage_class }} + db2_logs_storage_class: "{{ .Values.db2_logs_storage_class }}" + {{- end }} + {{- if .Values.db2_logs_storage_accessmode }} + db2_logs_storage_accessmode: "{{ .Values.db2_logs_storage_accessmode }}" + {{- end }} + {{- if .Values.db2_logs_storage_size }} + db2_logs_storage_size: "{{ .Values.db2_logs_storage_size }}" + {{- end }} + {{- if .Values.db2_audit_logs_storage_class }} + db2_audit_logs_storage_class: "{{ .Values.db2_audit_logs_storage_class }}" + {{- end }} + {{- if .Values.db2_audit_logs_storage_accessmode }} + db2_audit_logs_storage_accessmode: "{{ .Values.db2_audit_logs_storage_accessmode }}" + {{- end }} + {{- if .Values.db2_audit_logs_storage_size }} + db2_audit_logs_storage_size: "{{ .Values.db2_audit_logs_storage_size }}" + {{- end }} + {{- if .Values.db2_ldap_enabled }} + db2_ldap_enabled: {{ .Values.db2_ldap_enabled }} + {{- end }} + {{- if .Values.sm }} + sm: + aws_access_key_id: "{{ .Values.sm.aws_access_key_id }}" + aws_secret_access_key: "{{ .Values.sm.aws_secret_access_key }}" + {{- end }} + junitreporter: reporter_name: "ibm-db2u-{{ .Values.instance.id }}" cluster_id: "{{ 
.Values.cluster.id }}" From 16416b05e1d94ddc6eeb5c2fcaeda08f9c597310 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Thu, 4 Jun 2026 22:53:23 +0530 Subject: [PATCH 15/41] Reverted the changes --- .../templates/07-postsync-setup-db2_Job.yaml | 3 - .../templates/020-ibm-db2u-app.yaml | 100 ------------------ 2 files changed, 103 deletions(-) diff --git a/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml b/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml index 01f2dec2b..58c37e436 100644 --- a/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml +++ b/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml @@ -67,7 +67,6 @@ are required here. */}} {{- $_job_cleanup_group := cat $_job_name_prefix .Values.db2_instance_name | sha1sum }} -{{- if and .Values.sm_aws_access_key_id .Values.sm_aws_secret_access_key }} --- kind: Secret apiVersion: v1 @@ -91,8 +90,6 @@ data: {{- end }} {{- end }} type: Opaque -{{- end }} -{{- end }} --- # Service account that is authorized to read k8s secrets (needed by the job) diff --git a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml index c6898871f..ea7197ded 100644 --- a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml +++ b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml 
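Review bot: The added `sm:` map at the end of the block hands over the AWS keys as `sm.aws_access_key_id` and `sm.aws_secret_access_key`, whereas the `120-ibm-db2u-database` template elsewhere in this series tests the flat names `.Values.sm_aws_access_key_id` and `.Values.sm_aws_secret_access_key`, so the child chart would most likely not see them. Keeping the flat keys, `sm_aws_access_key_id: "{{ .Values.sm.aws_access_key_id }}"` and `sm_aws_secret_access_key: "{{ .Values.sm.aws_secret_access_key }}"`, matches the consumer. The `{{- if .Values.db2_… }}` guards also read top-level values of the root chart while neighbouring lines read `.Values.ibm_db2u.*`, and they drop legitimate falsy settings such as `db2_ldap_enabled: false`. Both points need checking against the values file, which is not part of the hunk.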
@@ -50,106 +50,6 @@ spec: custom_labels: {{ .Values.custom_labels | toYaml | nindent 14 }} {{- end }} - # Pass all DB2 configuration values from ibm-db2u.yaml - {{- if .Values.db2_instance_name }} - db2_instance_name: "{{ .Values.db2_instance_name }}" - {{- end }} - {{- if .Values.db2_dbname }} - db2_dbname: "{{ .Values.db2_dbname }}" - {{- end }} - {{- if .Values.db2_version }} - db2_version: "{{ .Values.db2_version }}" - {{- end }} - {{- if .Values.db2_action }} - db2_action: "{{ .Values.db2_action }}" - {{- end }} - {{- if .Values.db2_type }} - db2_type: "{{ .Values.db2_type }}" - {{- end }} - {{- if .Values.db2_mln_count }} - db2_mln_count: {{ .Values.db2_mln_count }} - {{- end }} - {{- if .Values.db2_num_pods }} - db2_num_pods: {{ .Values.db2_num_pods }} - {{- end }} - {{- if .Values.db2_table_org }} - db2_table_org: "{{ .Values.db2_table_org }}" - {{- end }} - {{- if .Values.db2_cpu_requests }} - db2_cpu_requests: "{{ .Values.db2_cpu_requests }}" - {{- end }} - {{- if .Values.db2_memory_requests }} - db2_memory_requests: "{{ .Values.db2_memory_requests }}" - {{- end }} - {{- if .Values.db2_cpu_limits }} - db2_cpu_limits: "{{ .Values.db2_cpu_limits }}" - {{- end }} - {{- if .Values.db2_memory_limits }} - db2_memory_limits: "{{ .Values.db2_memory_limits }}" - {{- end }} - {{- if .Values.db2_meta_storage_class }} - db2_meta_storage_class: "{{ .Values.db2_meta_storage_class }}" - {{- end }} - {{- if .Values.db2_meta_storage_accessmode }} - db2_meta_storage_accessmode: "{{ .Values.db2_meta_storage_accessmode }}" - {{- end }} - {{- if .Values.db2_meta_storage_size }} - db2_meta_storage_size: "{{ .Values.db2_meta_storage_size }}" - {{- end }} - {{- if .Values.db2_backup_storage_class }} - db2_backup_storage_class: "{{ .Values.db2_backup_storage_class }}" - {{- end }} - {{- if .Values.db2_backup_storage_accessmode }} - db2_backup_storage_accessmode: "{{ .Values.db2_backup_storage_accessmode }}" - {{- end }} - {{- if .Values.db2_backup_storage_size }} - 
db2_backup_storage_size: "{{ .Values.db2_backup_storage_size }}" - {{- end }} - {{- if .Values.db2_data_storage_class }} - db2_data_storage_class: "{{ .Values.db2_data_storage_class }}" - {{- end }} - {{- if .Values.db2_data_storage_accessmode }} - db2_data_storage_accessmode: "{{ .Values.db2_data_storage_accessmode }}" - {{- end }} - {{- if .Values.db2_data_storage_size }} - db2_data_storage_size: "{{ .Values.db2_data_storage_size }}" - {{- end }} - {{- if .Values.db2_temp_storage_class }} - db2_temp_storage_class: "{{ .Values.db2_temp_storage_class }}" - {{- end }} - {{- if .Values.db2_temp_storage_accessmode }} - db2_temp_storage_accessmode: "{{ .Values.db2_temp_storage_accessmode }}" - {{- end }} - {{- if .Values.db2_temp_storage_size }} - db2_temp_storage_size: "{{ .Values.db2_temp_storage_size }}" - {{- end }} - {{- if .Values.db2_logs_storage_class }} - db2_logs_storage_class: "{{ .Values.db2_logs_storage_class }}" - {{- end }} - {{- if .Values.db2_logs_storage_accessmode }} - db2_logs_storage_accessmode: "{{ .Values.db2_logs_storage_accessmode }}" - {{- end }} - {{- if .Values.db2_logs_storage_size }} - db2_logs_storage_size: "{{ .Values.db2_logs_storage_size }}" - {{- end }} - {{- if .Values.db2_audit_logs_storage_class }} - db2_audit_logs_storage_class: "{{ .Values.db2_audit_logs_storage_class }}" - {{- end }} - {{- if .Values.db2_audit_logs_storage_accessmode }} - db2_audit_logs_storage_accessmode: "{{ .Values.db2_audit_logs_storage_accessmode }}" - {{- end }} - {{- if .Values.db2_audit_logs_storage_size }} - db2_audit_logs_storage_size: "{{ .Values.db2_audit_logs_storage_size }}" - {{- end }} - {{- if .Values.db2_ldap_enabled }} - db2_ldap_enabled: {{ .Values.db2_ldap_enabled }} - {{- end }} - {{- if .Values.sm }} - sm: - aws_access_key_id: "{{ .Values.sm.aws_access_key_id }}" - aws_secret_access_key: "{{ .Values.sm.aws_secret_access_key }}" - {{- end }} - junitreporter: reporter_name: "ibm-db2u-{{ .Values.instance.id }}" cluster_id: "{{ 
.Values.cluster.id }}" From 3e28451d4a5f83cd95885d3108a94cd80712be58 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Thu, 4 Jun 2026 23:45:15 +0530 Subject: [PATCH 16/41] DB2u instance and DB2u operator install related code added --- .../templates/010-ibm-db2u-app.yaml | 87 +++++++++++++++++++ ...pp.yaml => 020-ibm-db2u-database-app.yaml} | 0 2 files changed, 87 insertions(+) create mode 100644 root-applications/ibm-aiservice-instance-root/templates/010-ibm-db2u-app.yaml rename root-applications/ibm-aiservice-instance-root/templates/{020-ibm-db2u-app.yaml => 020-ibm-db2u-database-app.yaml} (100%) diff --git a/root-applications/ibm-aiservice-instance-root/templates/010-ibm-db2u-app.yaml b/root-applications/ibm-aiservice-instance-root/templates/010-ibm-db2u-app.yaml new file mode 100644 index 000000000..8478a02b5 --- /dev/null +++ b/root-applications/ibm-aiservice-instance-root/templates/010-ibm-db2u-app.yaml 
@@ -0,0 +1,87 @@ +{{- if not (empty .Values.ibm_db2u) }} +--- +# IBM DB2U Operator Application for AI Service +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: db2u-operator.{{ .Values.cluster.id }}.{{ .Values.instance.id }} + namespace: {{ .Values.argo.namespace }} + labels: + environment: '{{ .Values.account.id }}' + region: '{{ .Values.region.id }}' + cluster: '{{ .Values.cluster.id }}' + {{- if .Values.argo.instance }} + argocd.argoproj.io/instance: '{{ .Values.argo.instance }}' + {{- end }} + instance: '{{ .Values.instance.id }}' + annotations: + argocd.argoproj.io/sync-wave: "010" + healthCheckTimeout: "1800" + {{- if and .Values.notifications .Values.notifications.slack_channel_id }} + notifications.argoproj.io/subscribe.on-sync-failed.workspace1: {{ .Values.notifications.slack_channel_id }} + notifications.argoproj.io/subscribe.on-sync-succeeded.workspace1: {{ .Values.notifications.slack_channel_id }} + {{- end }} + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: "{{ .Values.argo.projects.apps }}" + destination: + server: {{ .Values.cluster.url }} + namespace: "{{ .Values.ibm_db2u.db2_namespace }}" + source: + repoURL: "{{ .Values.source.repo_url }}" + path: instance-applications/110-ibm-db2u + targetRevision: "{{ .Values.source.revision }}" + plugin: + name: {{ .Values.avp.name }} + env: + - name: {{ .Values.avp.values_varname }} + value: | + argo_namespace: "{{ .Values.argo.namespace }}" + db2_namespace: "{{ .Values.ibm_db2u.db2_namespace }}" + cli_image_repo: {{ .Values.cli_image_repo }} + cluster_admin_role: {{ .Values.cluster_admin_role }} + application_admin_role: {{ .Values.application_admin_role }} + ibm_entitlement_key: "{{ .Values.ibm_db2u.ibm_entitlement_key }}" + db2_channel: "{{ .Values.ibm_db2u.db2_channel }}" + db2_install_plan: "{{ .Values.ibm_db2u.db2_install_plan }}" + {{- if .Values.custom_labels }} + custom_labels: {{ .Values.custom_labels | toYaml | nindent 14 }} + {{- end }} + 
junitreporter: + reporter_name: "ibm-db2u-operator-{{ .Values.instance.id }}" + cluster_id: "{{ .Values.cluster.id }}" + instance_id: "{{ .Values.instance.id }}" + devops_mongo_uri: "{{ .Values.devops.mongo_uri }}" + devops_build_number: "{{ .Values.devops.build_number }}" + gitops_version: "{{ .Values.source.revision }}" + cli_image_repo: {{ .Values.cli_image_repo }} + - name: ARGOCD_APP_NAME + value: db2u-operator + {{- if not (empty .Values.avp.secret) }} + - name: AVP_SECRET + value: {{ .Values.avp.secret }} + {{- end }} + syncPolicy: + automated: + {{- if .Values.auto_delete }} + prune: true + {{- end }} + selfHeal: true + retry: + limit: 20 + syncOptions: + - CreateNamespace=true +{{- if or .Values.custom_labels .Values.argocluster_instance }} + managedNamespaceMetadata: + labels: + {{- if .Values.argocluster_instance }} + argocd.argoproj.io/managed-by: {{ .Values.argocluster_instance }} + {{- end }} + {{- if .Values.custom_labels }} +{{ .Values.custom_labels | toYaml | indent 8 }} + {{- end }} +{{- end }} +{{- end }} + +# Made with Bob diff --git a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml similarity index 100% rename from root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-app.yaml rename to root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml From 2a86552f6da7dca68ad6e11f92bd23f9b788ca7c Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Fri, 5 Jun 2026 00:19:37 +0530 Subject: [PATCH 17/41] db2uinstqance related changes --- .../templates/020-ibm-db2u-database-app.yaml | 29 ++++++++----------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml index ea7197ded..e64561665 100644 
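Review bot: Several templated scalars in the new Application are left unquoted, among them `namespace: {{ .Values.argo.namespace }}`, `server: {{ .Values.cluster.url }}`, `name: {{ .Values.avp.name }}` and `cluster_admin_role: {{ .Values.cluster_admin_role }}`, so an empty or boolean-looking value renders as `null` or a non-string instead of failing visibly. Quoting them like the neighbouring lines, e.g. `server: "{{ .Values.cluster.url }}"`, keeps the types stable. `prune: true` sits under `{{- if .Values.auto_delete }}` while `selfHeal: true` is unconditional; a short comment saying that this asymmetry is intended would help the next reader.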
--- a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml +++ b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml @@ -1,4 +1,4 @@ -{{- if not (empty .Values.ibm_db2u) }} +{{- if not (empty .Values.ibm_db2u_databases) }} --- # IBM DB2U Application for AI Service apiVersion: argoproj.io/v1alpha1 
@@ -33,31 +33,26 @@ spec: path: instance-applications/120-ibm-db2u-database targetRevision: "{{ .Values.source.revision }}" plugin: - name: {{ .Values.avp.name }} + name: {{ .Values.avp.name }} env: - name: {{ .Values.avp.values_varname }} value: | - argo_namespace: "{{ .Values.argo.namespace }}" - db2_namespace: "{{ .Values.ibm_db2u.db2_namespace }}" - cli_image_repo: {{ .Values.cli_image_repo }} + account_id: "{{ .Values.account.id }}" + region_id: "{{ .Values.region.id }}" + cluster_id: "{{ .Values.cluster.id }}" + instance_id: "{{ .Values.instance.id }}" + sm_aws_access_key_id: "{{ .Values.sm.aws_access_key_id }}" + sm_aws_secret_access_key: "{{ .Values.sm.aws_secret_access_key }}" cluster_admin_role: {{ .Values.cluster_admin_role }} application_admin_role: {{ .Values.application_admin_role }} - ibm_entitlement_key: "{{ .Values.ibm_db2u.ibm_entitlement_key }}" - db2_channel: "{{ .Values.ibm_db2u.db2_channel }}" - db2_install_plan: "{{ .Values.ibm_db2u.db2_install_plan }}" {{- if .Values.custom_labels }} - custom_labels: {{ .Values.custom_labels | toYaml | nindent 14 }} + custom_labels: {{ .Values.custom_labels | toYaml | nindent 12 }} {{- end }} - junitreporter: - reporter_name: "ibm-db2u-{{ .Values.instance.id }}" - cluster_id: "{{ .Values.cluster.id }}" - instance_id: "{{ .Values.instance.id }}" - devops_mongo_uri: "{{ .Values.devops.mongo_uri }}" - devops_build_number: "{{ .Values.devops.build_number }}" - gitops_version: "{{ .Values.source.revision }}" - cli_image_repo: {{ .Values.cli_image_repo }} + {{- if .Values.ibm_db2u_databases }} + {{ index .Values.ibm_db2u_databases 0 | toYaml | nindent 12 }} + {{- end }} - name: ARGOCD_APP_NAME value: db2uapp From c25c6f64e4b1b960e0b6c5ea27d2677b43edbb30 Mon Sep 17 00:00:00 2001 
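Review bot: `custom_labels: {{ .Values.custom_labels | toYaml | nindent 12 }}` now indents the label entries to the same column as the top-level dump a few lines below (`{{ index .Values.ibm_db2u_databases 0 | toYaml | nindent 12 }}`), so the labels would most likely render as siblings of `custom_labels` rather than its children, leaving `custom_labels` itself null. The operator Application in this series uses `nindent 14` for the same line, and restoring that value here fixes it. `index .Values.ibm_db2u_databases 0` also forwards only the first list entry and silently ignores the rest; if one database is the intended limit, a comment saying so, or a `fail` when the list is longer, would make it explicit. Exact columns are not recoverable from this view, so the indentation should be confirmed against the rendered output.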
From: Richa Joshi Date: Fri, 5 Jun 2026 01:28:42 +0530 Subject: [PATCH 18/41] Namespace creation --- .../templates/005-ibm-db2u-namespace.yaml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 root-applications/ibm-aiservice-instance-root/templates/005-ibm-db2u-namespace.yaml diff --git a/root-applications/ibm-aiservice-instance-root/templates/005-ibm-db2u-namespace.yaml b/root-applications/ibm-aiservice-instance-root/templates/005-ibm-db2u-namespace.yaml new file mode 100644 index 000000000..9255fce73 --- /dev/null +++ b/root-applications/ibm-aiservice-instance-root/templates/005-ibm-db2u-namespace.yaml @@ -0,0 +1,22 @@ +{{- if not (empty .Values.ibm_db2u) }} +--- +# Explicitly create DB2 namespace for AI Service to ensure it exists before PreSync hooks +# This is AI Service-specific and does not affect MAS +apiVersion: v1 +kind: Namespace +metadata: + name: "{{ .Values.ibm_db2u.db2_namespace }}" + annotations: + argocd.argoproj.io/sync-wave: "005" +{{- if or .Values.custom_labels .Values.argocluster_instance }} + labels: + {{- if .Values.argocluster_instance }} + argocd.argoproj.io/managed-by: {{ .Values.argocluster_instance }} + {{- end }} + {{- if .Values.custom_labels }} +{{ .Values.custom_labels | toYaml | indent 4 }} + {{- end }} +{{- end }} +{{- end }} + +# Made with Bob From 93282cac5b57b29238974f0340219f24773e3fe8 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Fri, 5 Jun 2026 15:12:32 +0530 Subject: [PATCH 19/41] ignoreDiff --- .../templates/020-ibm-db2u-database-app.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml index e64561665..bb0983931 100644 --- a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml +++ b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml 
@@ -70,6 +70,15 @@ spec: limit: 20 syncOptions: - CreateNamespace=true + - RespectIgnoreDifferences=true + ignoreDifferences: + - group: 'db2u.databases.ibm.com' + kind: Db2uInstance + jsonPointers: + - /metadata/annotations/kubectl.kubernetes.io~1last-applied-configuration + - /spec/environment/ssl/secretName + - /spec/podTemplate/db2u/resource/db2u/limits/cpu + - /spec/podTemplate/db2u/resource/db2u/requests/cpu {{- if or .Values.custom_labels .Values.argocluster_instance }} managedNamespaceMetadata: labels: From 09931ff39a510f34a9b2787f2ba46bf6b09e529c Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Fri, 5 Jun 2026 15:37:20 +0530 Subject: [PATCH 20/41] Removed unnecessary namesace temaplate --- .../templates/005-ibm-db2u-namespace.yaml | 22 ------------------- 1 file changed, 22 deletions(-) delete mode 100644 root-applications/ibm-aiservice-instance-root/templates/005-ibm-db2u-namespace.yaml diff --git a/root-applications/ibm-aiservice-instance-root/templates/005-ibm-db2u-namespace.yaml b/root-applications/ibm-aiservice-instance-root/templates/005-ibm-db2u-namespace.yaml deleted file mode 100644 index 9255fce73..000000000 --- a/root-applications/ibm-aiservice-instance-root/templates/005-ibm-db2u-namespace.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if not (empty .Values.ibm_db2u) }} ---- -# Explicitly create DB2 namespace for AI Service to ensure it exists before PreSync hooks -# This is AI Service-specific and does not affect MAS -apiVersion: v1 -kind: Namespace -metadata: - name: "{{ .Values.ibm_db2u.db2_namespace }}" - annotations: - argocd.argoproj.io/sync-wave: "005" -{{- if or .Values.custom_labels .Values.argocluster_instance }} - labels: - {{- if .Values.argocluster_instance }} - argocd.argoproj.io/managed-by: {{ .Values.argocluster_instance }} - {{- end }} - {{- if .Values.custom_labels }} -{{ .Values.custom_labels | toYaml | indent 4 }} - {{- end }} -{{- end }} -{{- end }} - -# Made with Bob 
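Review bot: Listing `/spec/environment/ssl/secretName` under `ignoreDifferences` together with `RespectIgnoreDifferences=true` means Argo CD neither reports nor corrects a change to which Secret supplies the Db2uInstance TLS material, so an out-of-band edit of that reference stays invisible. If the field is rewritten by a known controller, scoping the rule with `managedFieldsManagers` instead of a blanket `jsonPointers` entry keeps manual edits detectable. Each pointer would benefit from a one-line comment naming who changes the field, e.g. `# CPU limits/requests are adjusted at runtime by <component>`, since the reason is not visible in the hunk.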
From 33a718fba4acade4f313e0fe5461a3acac24e12d Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Fri, 5 Jun 2026 18:51:19 +0530 Subject: [PATCH 21/41] REmove ignoreDiff for secretName --- .../templates/020-ibm-db2u-database-app.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml index bb0983931..508fd1513 100644 --- a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml +++ b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml @@ -75,10 +75,7 @@ spec: - group: 'db2u.databases.ibm.com' kind: Db2uInstance jsonPointers: - - /metadata/annotations/kubectl.kubernetes.io~1last-applied-configuration - /spec/environment/ssl/secretName - - /spec/podTemplate/db2u/resource/db2u/limits/cpu - - /spec/podTemplate/db2u/resource/db2u/requests/cpu {{- if or .Values.custom_labels .Values.argocluster_instance }} managedNamespaceMetadata: labels: From c0689bfed22e09b0bcd47762fcbbbc56b725b370 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Sun, 7 Jun 2026 15:18:37 +0530 Subject: [PATCH 22/41] Update permission for secrets --- .../templates/07-postsync-setup-db2_Job.yaml | 15 +++++++++++---- .../templates/020-ibm-db2u-database-app.yaml | 1 + 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml b/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml index 58c37e436..38a6d371b 100644 --- a/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml +++ b/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml 
@@ -139,15 +139,22 @@ rules: - list - apiGroups: - "" - resources: + resources: - services - verbs: + verbs: - "get" +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list - apiGroups: - db2u.databases.ibm.com - resources: + resources: - db2uinstances - verbs: + verbs: - "get" --- diff --git a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml index 508fd1513..aa20dacf3 100644 --- a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml +++ b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml @@ -45,6 +45,7 @@ spec: sm_aws_secret_access_key: "{{ .Values.sm.aws_secret_access_key }}" cluster_admin_role: {{ .Values.cluster_admin_role }} application_admin_role: {{ .Values.application_admin_role }} + should_execute: true {{- if .Values.custom_labels }} custom_labels: {{ .Values.custom_labels | toYaml | nindent 12 }} From acac38d034e4bb250e592453ac915f3c84d48ac6 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Mon, 8 Jun 2026 15:36:16 +0530 Subject: [PATCH 23/41] Corrected the path for jdbc aiservice --- .../templates/07-postsync-setup-db2_Job.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml b/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml index 38a6d371b..a409ed2a4 100644 --- a/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml +++ b/instance-applications/120-ibm-db2u-database/templates/07-postsync-setup-db2_Job.yaml @@ -829,7 +829,7 @@ spec: fi # Construct JDBC secret name - JDBC_SECRET_NAME="${ACCOUNT_ID}/${CLUSTER_ID}/${MAS_INSTANCE_ID}/jdbc" + JDBC_SECRET_NAME="${ACCOUNT_ID}/${CLUSTER_ID}/jdbc" echo "" echo "Updating JDBC secret: ${JDBC_SECRET_NAME}" 
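Review bot: The rule added in the `@@ -139,15 +139,22 @@ rules:` hunk grants `get` and `list` on every Secret the Role covers, which is broader than a setup job reading one credential normally needs. `list` in particular returns the contents of all Secrets in scope in one call. If the job only reads Secrets whose names are known, I would drop `- list` and pin the rule with `resourceNames: ["SECRET_NAME_PLACEHOLDER"]`; the names are not visible in this hunk. The Role's metadata and the script that uses the permission are outside the hunk, so the minimal set should be confirmed against that script.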
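Review bot: In the `@@ -829,7 +829,7 @@` hunk, `JDBC_SECRET_NAME` no longer contains `${MAS_INSTANCE_ID}`, so every run of this job in the same account and cluster writes the same `${ACCOUNT_ID}/${CLUSTER_ID}/jdbc` entry. If more than one instance or database can exist per cluster, the last job to run would overwrite the others' JDBC credentials, and each consumer would read whichever was written last. If the cluster-wide scope is intended, a comment above the assignment such as `# AI Service reads one cluster-level jdbc secret; intentionally not per instance` would record that; otherwise the instance segment should stay. The surrounding script starts and ends outside the hunk.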
From bd83d9c38aae2374e12435badc7306d59a65a54b Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Mon, 8 Jun 2026 18:32:36 +0530 Subject: [PATCH 24/41] Updated jdbc certificate format --- .../113-ibm-aiservice/templates/03-aiservice-jdbc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/instance-applications/113-ibm-aiservice/templates/03-aiservice-jdbc.yaml b/instance-applications/113-ibm-aiservice/templates/03-aiservice-jdbc.yaml index f55b72e79..3db04cbb5 100644 --- a/instance-applications/113-ibm-aiservice/templates/03-aiservice-jdbc.yaml +++ b/instance-applications/113-ibm-aiservice/templates/03-aiservice-jdbc.yaml @@ -12,6 +12,6 @@ data: password: {{ .Values.jdbccfg_password | default "" | toString | b64enc | quote }} url: {{ .Values.jdbccfg_url | default "" | toString | b64enc | quote }} sslenabled: {{ .Values.jdbccfg_sslenabled | default "" | toString | b64enc | quote }} - certificate: {{ .Values.jdbccfg_ca_b64enc }} + certificate: {{ .Values.jdbccfg_ca_b64enc | default "" | toString | quote }} type: Opaque {{- end }} From d2dec72a12b6b350bec94961dc1db15965982171 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Mon, 8 Jun 2026 18:59:01 +0530 Subject: [PATCH 25/41] temp check for sls at tenant level --- .../templates/98-presync-copy-sls.yaml | 348 ++++++++++++++++++ 1 file changed, 348 insertions(+) create mode 100644 root-applications/ibm-aiservice-tenant-root/templates/98-presync-copy-sls.yaml diff --git a/root-applications/ibm-aiservice-tenant-root/templates/98-presync-copy-sls.yaml b/root-applications/ibm-aiservice-tenant-root/templates/98-presync-copy-sls.yaml new file mode 100644 index 000000000..ff992b1d6 --- /dev/null +++ b/root-applications/ibm-aiservice-tenant-root/templates/98-presync-copy-sls.yaml 
@@ -0,0 +1,348 @@ +{{- /* TEMPORARY: Condition removed for testing +{{- if eq .Values.ibm_aiservice_tenant.is_gitops_fvt_env "true" }} +*/}} + +{{- /* +Meaningful prefix for the job resource name. Must be under 52 chars in length to leave room for the 11 chars reserved for '-' and $_job_hash. +*/}} +{{- $_job_name_prefix := "presync-copy-sls-to-tenant-job" }} + +{{- /* +Use the build/bin/set-cli-image-digest.sh script to update this value across all charts. +Included in $_job_hash (see below). +*/}} +{{- $_cli_image_digest := "sha256:4636b74525a46ebd88cd540794e8e23143f0112ea85149f9dfc78d02704ad5a6" }} + +{{- /* +A dict of values that influence the behaviour of the job in some way. +Any changes to values in this dict will trigger a rerun of the job. +Since jobs must be idemopotent, it's generally safe to pass in values here that are not +strictly necessary (i.e. including some values that don't actually influence job behaviour). +We may want to refine this further though for jobs that can take a long time to complete. +Included in $_job_hash (see below). +*/}} +{{- $_job_config_values := omit .Values "junitreporter" }} + +{{- /* +Increment this value whenever you make a change to an immutable field of the Job resource. +E.g. passing in a new environment variable. +Included in $_job_hash (see below). +*/}} +{{- $_job_version := "v4" }} + +{{- /* +10 char hash appended to the job name taking into account $_job_config_values, $_job_version and $_cli_image_digest +This is to ensure ArgoCD will create a new job resource intead of attempting (and failing) to update an +immutable field of any existing Job resource. +*/}} +{{- $_job_hash := print ($_job_config_values | toYaml) $_cli_image_digest $_job_version | adler32sum }} + +{{- $_job_name := join "-" (list $_job_name_prefix $_job_hash )}} + +{{- /* +Set as the value for the mas.ibm.com/job-cleanup-group label on the Job resource. 
+ +When the auto_delete flag is not set on the root application, a CronJob in the cluster uses this label +to identify old Job resources that should be pruned on behalf of ArgoCD. + +Any Job resources in the same namespace that have the mas.ibm.com/job-cleanup-group with this value +will be considered to belong to the same cleanup group. All but the most recent (i.e. with the latest "creation_timestamp") +Jobs will be automatically deleted. + +$_job_cleanup_group can usually just be based on $_job_name_prefix. There are some special cases +where multiple Jobs are created in our templates using a Helm loop. In those cases, additional descriminators +must be added to $_job_cleanup_group. + +By convention, we sha1sum this value to guarantee we never exceed the 63 char limit regardless of which discriminators +are required here. + +*/}} +{{- $_job_cleanup_group := cat $_job_name_prefix | sha1sum }} + + + +{{ $ns := printf "mas-%s-%s-sls" .Values.ibm_customer_number .Values.subscription_id }} +{{ $instance := printf "%s-%s" .Values.ibm_customer_number .Values.subscription_id }} + +{{ $aws_secret := "aws"}} +{{ $np_name := "postsync-ibm-sls-update-sm-np" }} +{{ $role_name := "postsync-ibm-sls-update-sm-r" }} +{{ $sa_name := "postsync-ibm-sls-update-sm-sa" }} +{{ $rb_name := "postsync-ibm-sls-update-sm-rb" }} +{{ $job_label := "postsync-ibm-sls-update-sm-job" }} + + + +--- +# Permit outbound communication by the Job pods +# (Needed to communicate with the K8S HTTP API and AWS SM) +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ $np_name }} + namespace: {{ $ns }} + annotations: + argocd.argoproj.io/sync-wave: "98" +{{- if .Values.custom_labels }} + labels: +{{ .Values.custom_labels | toYaml | indent 4 }} +{{- end }} +spec: + podSelector: + matchLabels: + app: {{ $job_label }} + egress: + - {} + policyTypes: + - Egress + + +--- +kind: Secret +apiVersion: v1 +metadata: + name: {{ $aws_secret }} + namespace: {{ $ns }} + annotations: + 
argocd.argoproj.io/sync-wave: "98" +{{- if .Values.custom_labels }} + labels: +{{ .Values.custom_labels | toYaml | indent 4 }} +{{- end }} +data: + aws_access_key_id: {{ .Values.sm_aws_access_key_id | b64enc }} + aws_secret_access_key: {{ .Values.sm_aws_secret_access_key | b64enc }} +type: Opaque + +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: {{ $sa_name }} + namespace: {{ $ns }} + annotations: + argocd.argoproj.io/sync-wave: "98" +{{- if .Values.custom_labels }} + labels: +{{ .Values.custom_labels | toYaml | indent 4 }} +{{- end }} + +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ $role_name }} + namespace: {{ $ns }} + annotations: + argocd.argoproj.io/sync-wave: "98" +{{- if .Values.custom_labels }} + labels: +{{ .Values.custom_labels | toYaml | indent 4 }} +{{- end }} +rules: + - verbs: + - get + apiGroups: + - "" + resources: + - configmaps + - verbs: + - get + - list + - patch + apiGroups: + - "route.openshift.io" + resources: + - routes + +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ $rb_name }} + namespace: {{ $ns }} + annotations: + argocd.argoproj.io/sync-wave: "99" +{{- if .Values.custom_labels }} + labels: +{{ .Values.custom_labels | toYaml | indent 4 }} +{{- end }} +subjects: + - kind: ServiceAccount + name: {{ $sa_name }} + namespace: {{ $ns }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $role_name }} + +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ $_job_name }} + namespace: {{ $ns }} + annotations: + argocd.argoproj.io/sync-wave: "100" + argocd.argoproj.io/sync-options: Prune=true + labels: + mas.ibm.com/job-cleanup-group: {{ $_job_cleanup_group }} +{{- if .Values.custom_labels }} +{{ .Values.custom_labels | toYaml | indent 4 }} +{{- end }} +spec: + template: + metadata: + labels: + app: {{ $job_label }} +{{- if .Values.custom_labels }} +{{ .Values.custom_labels | toYaml | indent 8 }} +{{- end }} + spec: + containers: + 
- name: run + image: quay.io/ibmmas/cli@{{ $_cli_image_digest }} + imagePullPolicy: IfNotPresent + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 10m + memory: 64Mi + env: + - name: ACCOUNT_ID + value: {{ .Values.account_id }} + - name: REGION_ID + value: {{ .Values.region_id }} + - name: ICN + value: '{{ .Values.ibm_customer_number }}' + - name: SUBSCRIPTION_ID + value: '{{ .Values.subscription_id }}' + - name: DOMAIN + value: '{{ .Values.sls_domain }}' + - name: TENANT + value: '{{ .Values.tenant.id }}' + - name: TENANT_NAMESPACE + value: '{{ .Values.tenantNamespace }}' + + # Hard-coded for now: + - name: AVP_TYPE + value: "aws" + volumeMounts: + - name: aws + mountPath: /etc/mas/creds/aws + - name: sls-suite-registration + mountPath: /etc/mas/creds/sls-suite-registration + command: + - /bin/sh + - -c + - | + + set -e + + # NOTE: cannot just render AWS secrets into here, as it will be exposed in the ArgoCD UI + # Instead, we pass them into a secret (ArgoCD knows to hide any data fields in k8s secrets), + # mount the secret on the jobs filesystem, and read them in here + SM_AWS_ACCESS_KEY_ID=$(cat /etc/mas/creds/aws/aws_access_key_id) + SM_AWS_SECRET_ACCESS_KEY=$(cat /etc/mas/creds/aws/aws_secret_access_key) + + echo "Fetching registrationKey from sls-suite-registration ConfigMap in mas-${ICN}-${SUBSCRIPTION_ID}-sls" + SLS_REGISTRATION_KEY=$(cat /etc/mas/creds/sls-suite-registration/registrationKey) + if [[ -z "${SLS_REGISTRATION_KEY}" ]]; then + echo "Failed to fetch registrationKey" + exit 1 + fi + + echo "Fetching ca from sls-suite-registration ConfigMap in mas-${ICN}-${SUBSCRIPTION_ID}-sls" + SLS_CA=$(cat /etc/mas/creds/sls-suite-registration/ca | base64 -w0) + if [[ -z "${SLS_CA}" ]]; then + echo "Failed to fetch ca" + exit 1 + fi + + echo "Setting SLS URL" + SLS_URL="https://sls.mas-${ICN}-${SUBSCRIPTION_ID}-sls.${DOMAIN}" + + # might as well take advantage of gitops_utils for sm_ functions as we're using the cli image + source 
/mascli/functions/gitops_utils + + # aws configure set aws_access_key_id $SM_AWS_ACCESS_KEY_ID + # aws configure set aws_secret_access_key $SM_AWS_SECRET_ACCESS_KEY + # aws configure set default.region $REGION_ID + # aws configure list + export SM_AWS_REGION=${REGION_ID} + sm_login + + # aws secretsmanager create-secret --name ${SECRET_NAME} --secret-string "${SECRET_VALUE}" + ## Why is the secreet name here sls and not license as it is in gitops_license function + SECRET_NAME_SLS=${ACCOUNT_ID}/${ICN}/${SUBSCRIPTION_ID}/sls + # TAGS="[{\"Key\": \"source\", \"Value\": \"postsync-ibm-sls-update-sm-job\"}, {\"Key\": \"account\", \"Value\": \"${ACCOUNT_ID}\"}, {\"Key\": \"subscription_id\", \"Value\": \"${SUBSCRIPTION_ID}\"}]" + # sm_update_secret $SECRET_NAME_SLS "{\"registration_key\": \"$SLS_REGISTRATION_KEY\", \"ca_b64\": \"$SLS_CA\", \"sls_url\":\"$SLS_URL\" }" "${TAGS}" + + # Fetch the instance-level SLS secret and create tenant-level copy + echo "" + echo "Fetching instance-level SLS secret from AWS Secrets Manager" + RAW_SLS_SECRET=$(aws secretsmanager get-secret-value --secret-id "$SECRET_NAME_SLS" --output json 2>/dev/null | jq -r .SecretString) + + if [[ -n "$RAW_SLS_SECRET" && "$RAW_SLS_SECRET" != "null" ]]; then + echo "Successfully fetched instance-level SLS secret" + + # Create tenant-level secret using TENANT variable (contains tenant ID) + if [[ -n "${TENANT:-}" ]]; then + # Create tenant-level secret path + SECRET_NAME_TENANT_SLS=${ACCOUNT_ID}/${ICN}/${SUBSCRIPTION_ID}/${TENANT}/sls + echo "Creating tenant-level SLS secret at: ${SECRET_NAME_TENANT_SLS}" + + TENANT_TAGS="[{\"Key\": \"source\", \"Value\": \"presync-copy-sls-to-tenant-job\"}, {\"Key\": \"account\", \"Value\": \"${ACCOUNT_ID}\"}, {\"Key\": \"subscription_id\", \"Value\": \"${SUBSCRIPTION_ID}\"}, {\"Key\": \"tenant_id\", \"Value\": \"${TENANT}\"}]" + + # Use sm_update_secret to create/update tenant-level secret with same content + sm_update_secret $SECRET_NAME_TENANT_SLS "$RAW_SLS_SECRET" 
"${TENANT_TAGS}" + + echo "Successfully created/updated tenant-level SLS secret" + else + echo "TENANT variable not set, skipping tenant-level secret creation" + fi + else + echo "Failed to fetch instance-level SLS secret, skipping tenant-level secret creation" + fi + + # 1. Define the namespace using the environment variables passed to the container + namespace="mas-${ICN}-${SUBSCRIPTION_ID}-sls" + + echo "Fetching routes from ${namespace}" + + routes=$(oc get routes -n ${namespace} -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}') + + echo "Routes found:" + echo "${routes}" + + for route in $routes; do + echo "Adding label to route - ${route}" + + oc patch route ${route} \ + -n ${namespace} \ + --type=merge \ + -p '{"metadata":{"labels":{"type":"external"}}}' + done + + restartPolicy: Never + + # TODO: is this the correct SA to use here? + # No, probably want to add a more restricted SA that can just do things that these post-sync jobs need to do + serviceAccountName: {{ $sa_name }} + volumes: + - name: aws + secret: + secretName: {{ $aws_secret }} + defaultMode: 420 + optional: false + - name: sls-suite-registration + configMap: + name: sls-suite-registration + optional: false + + backoffLimit: 4 +{{- /* TEMPORARY: End condition commented out for testing +{{- end }} +*/}} \ No newline at end of file From 28b25a8a9a424a1acaa8175f1e9e2bcd40f4eda5 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Mon, 8 Jun 2026 19:07:14 +0530 Subject: [PATCH 26/41] reverted the temp check for sls and pass customer value for sls creation at tenant level --- .../100-ibm-aiservice-tenant-app.yaml | 7 + .../templates/98-presync-copy-sls.yaml | 348 ------------------ 2 files changed, 7 insertions(+), 348 deletions(-) delete mode 100644 root-applications/ibm-aiservice-tenant-root/templates/98-presync-copy-sls.yaml 
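Review bot: The copy step in this new Job fails open. `aws secretsmanager get-secret-value ... 2>/dev/null | jq -r .SecretString` discards the AWS error, and when the result is empty the script only echoes "Failed to fetch instance-level SLS secret, skipping tenant-level secret creation" and continues, so the Job succeeds without the tenant secret being written. I would drop the `2>/dev/null` and end that `else` branch, and the empty-`TENANT` branch, with `exit 1`, so a permission or naming problem shows up in the sync rather than later in the tenant. Separately, the render guard at the top and bottom of the file is commented out as "TEMPORARY", so a Job that mounts AWS keys and writes to Secrets Manager renders in every environment. The `{{- if eq .Values.ibm_aiservice_tenant.is_gitops_fvt_env "true" }}` / `{{- end }}` pair should be restored before this merges.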
diff --git a/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml b/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml index 801d01b73..e2bdb4671 100644 --- a/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml +++ b/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml @@ -80,6 +80,13 @@ spec: slscfg_ca_b64enc: "{{ .Values.ibm_aiservice_tenant.slscfg_ca_b64enc }}" aiservice_sls_subscription_id: "{{ .Values.ibm_aiservice_tenant.aiservice_sls_subscription_id }}" + # Values needed for presync job (98-presync-copy-sls.yaml) + ibm_customer_number: "{{ .Values.ibm_customer_number }}" + subscription_id: "{{ .Values.subscription_id }}" + sls_domain: "{{ .Values.sls_domain }}" + sm_aws_access_key_id: "{{ .Values.sm.aws_access_key_id }}" + sm_aws_secret_access_key: "{{ .Values.sm.aws_secret_access_key }}" + #s3 postsync manage aiservice_s3_accesskey: "{{ .Values.ibm_aiservice_tenant.aiservice_s3_accesskey }}" aiservice_s3_secretkey: "{{ .Values.ibm_aiservice_tenant.aiservice_s3_secretkey }}" diff --git a/root-applications/ibm-aiservice-tenant-root/templates/98-presync-copy-sls.yaml b/root-applications/ibm-aiservice-tenant-root/templates/98-presync-copy-sls.yaml deleted file mode 100644 index ff992b1d6..000000000 --- a/root-applications/ibm-aiservice-tenant-root/templates/98-presync-copy-sls.yaml +++ /dev/null 
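Review bot: The `@@ -80,6 +80,13 @@ spec:` hunk puts `sm_aws_access_key_id` and `sm_aws_secret_access_key` into the child Application's Helm values. If `.Values.sm.*` holds literal keys when the root chart renders, they are stored in the Application object and readable by anyone who can view it in Argo CD. The job template these values feed warns about the same exposure in its own comment ("cannot just render AWS secrets into here, as it will be exposed in the ArgoCD UI"). I would add a comment on the two lines, e.g. `# must stay a secret-manager placeholder; never a literal key`, or have the job consume an existing Secret by name instead of receiving the keys as values. The `@@ -80,12 +80,11 @@` hunk for the same file in PATCH 27/41 keeps both values.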
@@ -1,348 +0,0 @@ -{{- /* TEMPORARY: Condition removed for testing -{{- if eq .Values.ibm_aiservice_tenant.is_gitops_fvt_env "true" }} -*/}} - -{{- /* -Meaningful prefix for the job resource name. Must be under 52 chars in length to leave room for the 11 chars reserved for '-' and $_job_hash. -*/}} -{{- $_job_name_prefix := "presync-copy-sls-to-tenant-job" }} - -{{- /* -Use the build/bin/set-cli-image-digest.sh script to update this value across all charts. -Included in $_job_hash (see below). -*/}} -{{- $_cli_image_digest := "sha256:4636b74525a46ebd88cd540794e8e23143f0112ea85149f9dfc78d02704ad5a6" }} - -{{- /* -A dict of values that influence the behaviour of the job in some way. -Any changes to values in this dict will trigger a rerun of the job. -Since jobs must be idemopotent, it's generally safe to pass in values here that are not -strictly necessary (i.e. including some values that don't actually influence job behaviour). -We may want to refine this further though for jobs that can take a long time to complete. -Included in $_job_hash (see below). -*/}} -{{- $_job_config_values := omit .Values "junitreporter" }} - -{{- /* -Increment this value whenever you make a change to an immutable field of the Job resource. -E.g. passing in a new environment variable. -Included in $_job_hash (see below). -*/}} -{{- $_job_version := "v4" }} - -{{- /* -10 char hash appended to the job name taking into account $_job_config_values, $_job_version and $_cli_image_digest -This is to ensure ArgoCD will create a new job resource intead of attempting (and failing) to update an -immutable field of any existing Job resource. -*/}} -{{- $_job_hash := print ($_job_config_values | toYaml) $_cli_image_digest $_job_version | adler32sum }} - -{{- $_job_name := join "-" (list $_job_name_prefix $_job_hash )}} - -{{- /* -Set as the value for the mas.ibm.com/job-cleanup-group label on the Job resource. 
- -When the auto_delete flag is not set on the root application, a CronJob in the cluster uses this label -to identify old Job resources that should be pruned on behalf of ArgoCD. - -Any Job resources in the same namespace that have the mas.ibm.com/job-cleanup-group with this value -will be considered to belong to the same cleanup group. All but the most recent (i.e. with the latest "creation_timestamp") -Jobs will be automatically deleted. - -$_job_cleanup_group can usually just be based on $_job_name_prefix. There are some special cases -where multiple Jobs are created in our templates using a Helm loop. In those cases, additional descriminators -must be added to $_job_cleanup_group. - -By convention, we sha1sum this value to guarantee we never exceed the 63 char limit regardless of which discriminators -are required here. - -*/}} -{{- $_job_cleanup_group := cat $_job_name_prefix | sha1sum }} - - - -{{ $ns := printf "mas-%s-%s-sls" .Values.ibm_customer_number .Values.subscription_id }} -{{ $instance := printf "%s-%s" .Values.ibm_customer_number .Values.subscription_id }} - -{{ $aws_secret := "aws"}} -{{ $np_name := "postsync-ibm-sls-update-sm-np" }} -{{ $role_name := "postsync-ibm-sls-update-sm-r" }} -{{ $sa_name := "postsync-ibm-sls-update-sm-sa" }} -{{ $rb_name := "postsync-ibm-sls-update-sm-rb" }} -{{ $job_label := "postsync-ibm-sls-update-sm-job" }} - - - ---- -# Permit outbound communication by the Job pods -# (Needed to communicate with the K8S HTTP API and AWS SM) -kind: NetworkPolicy -apiVersion: networking.k8s.io/v1 -metadata: - name: {{ $np_name }} - namespace: {{ $ns }} - annotations: - argocd.argoproj.io/sync-wave: "98" -{{- if .Values.custom_labels }} - labels: -{{ .Values.custom_labels | toYaml | indent 4 }} -{{- end }} -spec: - podSelector: - matchLabels: - app: {{ $job_label }} - egress: - - {} - policyTypes: - - Egress - - ---- -kind: Secret -apiVersion: v1 -metadata: - name: {{ $aws_secret }} - namespace: {{ $ns }} - annotations: - 
argocd.argoproj.io/sync-wave: "98" -{{- if .Values.custom_labels }} - labels: -{{ .Values.custom_labels | toYaml | indent 4 }} -{{- end }} -data: - aws_access_key_id: {{ .Values.sm_aws_access_key_id | b64enc }} - aws_secret_access_key: {{ .Values.sm_aws_secret_access_key | b64enc }} -type: Opaque - ---- -kind: ServiceAccount -apiVersion: v1 -metadata: - name: {{ $sa_name }} - namespace: {{ $ns }} - annotations: - argocd.argoproj.io/sync-wave: "98" -{{- if .Values.custom_labels }} - labels: -{{ .Values.custom_labels | toYaml | indent 4 }} -{{- end }} - ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ $role_name }} - namespace: {{ $ns }} - annotations: - argocd.argoproj.io/sync-wave: "98" -{{- if .Values.custom_labels }} - labels: -{{ .Values.custom_labels | toYaml | indent 4 }} -{{- end }} -rules: - - verbs: - - get - apiGroups: - - "" - resources: - - configmaps - - verbs: - - get - - list - - patch - apiGroups: - - "route.openshift.io" - resources: - - routes - ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ $rb_name }} - namespace: {{ $ns }} - annotations: - argocd.argoproj.io/sync-wave: "99" -{{- if .Values.custom_labels }} - labels: -{{ .Values.custom_labels | toYaml | indent 4 }} -{{- end }} -subjects: - - kind: ServiceAccount - name: {{ $sa_name }} - namespace: {{ $ns }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ $role_name }} - ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ $_job_name }} - namespace: {{ $ns }} - annotations: - argocd.argoproj.io/sync-wave: "100" - argocd.argoproj.io/sync-options: Prune=true - labels: - mas.ibm.com/job-cleanup-group: {{ $_job_cleanup_group }} -{{- if .Values.custom_labels }} -{{ .Values.custom_labels | toYaml | indent 4 }} -{{- end }} -spec: - template: - metadata: - labels: - app: {{ $job_label }} -{{- if .Values.custom_labels }} -{{ .Values.custom_labels | toYaml | indent 8 }} -{{- end }} - spec: - containers: - 
- name: run - image: quay.io/ibmmas/cli@{{ $_cli_image_digest }} - imagePullPolicy: IfNotPresent - resources: - limits: - cpu: 200m - memory: 512Mi - requests: - cpu: 10m - memory: 64Mi - env: - - name: ACCOUNT_ID - value: {{ .Values.account_id }} - - name: REGION_ID - value: {{ .Values.region_id }} - - name: ICN - value: '{{ .Values.ibm_customer_number }}' - - name: SUBSCRIPTION_ID - value: '{{ .Values.subscription_id }}' - - name: DOMAIN - value: '{{ .Values.sls_domain }}' - - name: TENANT - value: '{{ .Values.tenant.id }}' - - name: TENANT_NAMESPACE - value: '{{ .Values.tenantNamespace }}' - - # Hard-coded for now: - - name: AVP_TYPE - value: "aws" - volumeMounts: - - name: aws - mountPath: /etc/mas/creds/aws - - name: sls-suite-registration - mountPath: /etc/mas/creds/sls-suite-registration - command: - - /bin/sh - - -c - - | - - set -e - - # NOTE: cannot just render AWS secrets into here, as it will be exposed in the ArgoCD UI - # Instead, we pass them into a secret (ArgoCD knows to hide any data fields in k8s secrets), - # mount the secret on the jobs filesystem, and read them in here - SM_AWS_ACCESS_KEY_ID=$(cat /etc/mas/creds/aws/aws_access_key_id) - SM_AWS_SECRET_ACCESS_KEY=$(cat /etc/mas/creds/aws/aws_secret_access_key) - - echo "Fetching registrationKey from sls-suite-registration ConfigMap in mas-${ICN}-${SUBSCRIPTION_ID}-sls" - SLS_REGISTRATION_KEY=$(cat /etc/mas/creds/sls-suite-registration/registrationKey) - if [[ -z "${SLS_REGISTRATION_KEY}" ]]; then - echo "Failed to fetch registrationKey" - exit 1 - fi - - echo "Fetching ca from sls-suite-registration ConfigMap in mas-${ICN}-${SUBSCRIPTION_ID}-sls" - SLS_CA=$(cat /etc/mas/creds/sls-suite-registration/ca | base64 -w0) - if [[ -z "${SLS_CA}" ]]; then - echo "Failed to fetch ca" - exit 1 - fi - - echo "Setting SLS URL" - SLS_URL="https://sls.mas-${ICN}-${SUBSCRIPTION_ID}-sls.${DOMAIN}" - - # might as well take advantage of gitops_utils for sm_ functions as we're using the cli image - source 
/mascli/functions/gitops_utils - - # aws configure set aws_access_key_id $SM_AWS_ACCESS_KEY_ID - # aws configure set aws_secret_access_key $SM_AWS_SECRET_ACCESS_KEY - # aws configure set default.region $REGION_ID - # aws configure list - export SM_AWS_REGION=${REGION_ID} - sm_login - - # aws secretsmanager create-secret --name ${SECRET_NAME} --secret-string "${SECRET_VALUE}" - ## Why is the secreet name here sls and not license as it is in gitops_license function - SECRET_NAME_SLS=${ACCOUNT_ID}/${ICN}/${SUBSCRIPTION_ID}/sls - # TAGS="[{\"Key\": \"source\", \"Value\": \"postsync-ibm-sls-update-sm-job\"}, {\"Key\": \"account\", \"Value\": \"${ACCOUNT_ID}\"}, {\"Key\": \"subscription_id\", \"Value\": \"${SUBSCRIPTION_ID}\"}]" - # sm_update_secret $SECRET_NAME_SLS "{\"registration_key\": \"$SLS_REGISTRATION_KEY\", \"ca_b64\": \"$SLS_CA\", \"sls_url\":\"$SLS_URL\" }" "${TAGS}" - - # Fetch the instance-level SLS secret and create tenant-level copy - echo "" - echo "Fetching instance-level SLS secret from AWS Secrets Manager" - RAW_SLS_SECRET=$(aws secretsmanager get-secret-value --secret-id "$SECRET_NAME_SLS" --output json 2>/dev/null | jq -r .SecretString) - - if [[ -n "$RAW_SLS_SECRET" && "$RAW_SLS_SECRET" != "null" ]]; then - echo "Successfully fetched instance-level SLS secret" - - # Create tenant-level secret using TENANT variable (contains tenant ID) - if [[ -n "${TENANT:-}" ]]; then - # Create tenant-level secret path - SECRET_NAME_TENANT_SLS=${ACCOUNT_ID}/${ICN}/${SUBSCRIPTION_ID}/${TENANT}/sls - echo "Creating tenant-level SLS secret at: ${SECRET_NAME_TENANT_SLS}" - - TENANT_TAGS="[{\"Key\": \"source\", \"Value\": \"presync-copy-sls-to-tenant-job\"}, {\"Key\": \"account\", \"Value\": \"${ACCOUNT_ID}\"}, {\"Key\": \"subscription_id\", \"Value\": \"${SUBSCRIPTION_ID}\"}, {\"Key\": \"tenant_id\", \"Value\": \"${TENANT}\"}]" - - # Use sm_update_secret to create/update tenant-level secret with same content - sm_update_secret $SECRET_NAME_TENANT_SLS "$RAW_SLS_SECRET" 
"${TENANT_TAGS}" - - echo "Successfully created/updated tenant-level SLS secret" - else - echo "TENANT variable not set, skipping tenant-level secret creation" - fi - else - echo "Failed to fetch instance-level SLS secret, skipping tenant-level secret creation" - fi - - # 1. Define the namespace using the environment variables passed to the container - namespace="mas-${ICN}-${SUBSCRIPTION_ID}-sls" - - echo "Fetching routes from ${namespace}" - - routes=$(oc get routes -n ${namespace} -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}') - - echo "Routes found:" - echo "${routes}" - - for route in $routes; do - echo "Adding label to route - ${route}" - - oc patch route ${route} \ - -n ${namespace} \ - --type=merge \ - -p '{"metadata":{"labels":{"type":"external"}}}' - done - - restartPolicy: Never - - # TODO: is this the correct SA to use here? - # No, probably want to add a more restricted SA that can just do things that these post-sync jobs need to do - serviceAccountName: {{ $sa_name }} - volumes: - - name: aws - secret: - secretName: {{ $aws_secret }} - defaultMode: 420 - optional: false - - name: sls-suite-registration - configMap: - name: sls-suite-registration - optional: false - - backoffLimit: 4 -{{- /* TEMPORARY: End condition commented out for testing -{{- end }} -*/}} \ No newline at end of file From e1e42908a87f0c0c3e0caa5d8a91453ae8323c7c Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Mon, 8 Jun 2026 19:27:40 +0530 Subject: [PATCH 27/41] Added checks for sls --- .../templates/98-presync-copy-sls.yaml | 26 +++++++++++++++---- .../100-ibm-aiservice-tenant-app.yaml | 7 +++-- 2 files changed, 24 insertions(+), 9 deletions(-) diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml index ff992b1d6..12ad615e0 100644 --- a/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml 
+++ b/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml @@ -59,10 +59,26 @@ are required here. */}} {{- $_job_cleanup_group := cat $_job_name_prefix | sha1sum }} +{{- /* +Extract ICN and subscription_id from the SLS secret path +Example: "" +We need to extract: 87654321 and bedd3ceac223 +*/}} +{{- $slsSecretPath := .Values.slscfg_ca_b64enc }} +{{- $pathParts := regexFindAll "[^/]+" $slsSecretPath -1 }} +{{- $ibm_customer_number := "" }} +{{- $subscription_id := "" }} +{{- if gt (len $pathParts) 3 }} + {{- $ibm_customer_number = index $pathParts 2 }} + {{- $subscription_id = index $pathParts 3 }} +{{- end }} +{{- /* Extract domain from cluster URL */}} +{{- $clusterUrl := .Values.cluster.url }} +{{- $domain := regexReplaceAll "https://api\\.[^.]+\\.(.+):\\d+" $clusterUrl "${1}" }} -{{ $ns := printf "mas-%s-%s-sls" .Values.ibm_customer_number .Values.subscription_id }} -{{ $instance := printf "%s-%s" .Values.ibm_customer_number .Values.subscription_id }} +{{ $ns := printf "mas-%s-%s-sls" $ibm_customer_number $subscription_id }} +{{ $instance := printf "%s-%s" $ibm_customer_number $subscription_id }} {{ $aws_secret := "aws"}} {{ $np_name := "postsync-ibm-sls-update-sm-np" }} @@ -216,11 +232,11 @@ spec: - name: REGION_ID value: {{ .Values.region_id }} - name: ICN - value: '{{ .Values.ibm_customer_number }}' + value: '{{ $ibm_customer_number }}' - name: SUBSCRIPTION_ID - value: '{{ .Values.subscription_id }}' + value: '{{ $subscription_id }}' - name: DOMAIN - value: '{{ .Values.sls_domain }}' + value: '{{ $domain }}' - name: TENANT value: '{{ .Values.tenant.id }}' - name: TENANT_NAMESPACE diff --git a/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml b/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml index e2bdb4671..106ba5eea 100644 --- a/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml 
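Review bot: The parsing added in the `@@ -59,10 +59,26 @@` hunk has no failure path. When `.Values.slscfg_ca_b64enc` yields fewer than four `/`-separated parts, `$ibm_customer_number` and `$subscription_id` stay empty and the chart still renders, with `$ns` becoming `mas---sls` and every resource, including the `aws` Secret, aimed at that namespace. The value is named as a base64 CA, and base64 text can itself contain `/`, so if it ever arrives resolved rather than as a path the indexes would pick arbitrary fragments. I would add `{{- else }}{{- fail "slscfg_ca_b64enc is not a secret path; cannot derive ICN/subscription_id" }}` before the closing `{{- end }}`. The `$domain` line has the same shape: `regexReplaceAll` returns its input unchanged when the pattern does not match, so `DOMAIN` would receive the whole cluster URL.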
+++ b/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml @@ -80,12 +80,11 @@ spec: slscfg_ca_b64enc: "{{ .Values.ibm_aiservice_tenant.slscfg_ca_b64enc }}" aiservice_sls_subscription_id: "{{ .Values.ibm_aiservice_tenant.aiservice_sls_subscription_id }}" - # Values needed for presync job (98-presync-copy-sls.yaml) - ibm_customer_number: "{{ .Values.ibm_customer_number }}" - subscription_id: "{{ .Values.subscription_id }}" - sls_domain: "{{ .Values.sls_domain }}" + # Values needed for presync job (98-presync-copy-sls.yaml) - AWS credentials and cluster URL sm_aws_access_key_id: "{{ .Values.sm.aws_access_key_id }}" sm_aws_secret_access_key: "{{ .Values.sm.aws_secret_access_key }}" + cluster: + url: "{{ .Values.cluster.url }}" #s3 postsync manage aiservice_s3_accesskey: "{{ .Values.ibm_aiservice_tenant.aiservice_s3_accesskey }}" From b393646bb0bc34d4b1fb632236c23b33e8b2ca5d Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Tue, 9 Jun 2026 11:00:57 +0530 Subject: [PATCH 28/41] Reverted the changes for sls --- .../templates/100-ibm-aiservice-tenant-app.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml b/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml index 106ba5eea..801d01b73 100644 --- a/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml +++ b/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml 
@@ -80,12 +80,6 @@ spec: slscfg_ca_b64enc: "{{ .Values.ibm_aiservice_tenant.slscfg_ca_b64enc }}" aiservice_sls_subscription_id: "{{ .Values.ibm_aiservice_tenant.aiservice_sls_subscription_id }}" - # Values needed for presync job (98-presync-copy-sls.yaml) - AWS credentials and cluster URL - sm_aws_access_key_id: "{{ .Values.sm.aws_access_key_id }}" - sm_aws_secret_access_key: "{{ .Values.sm.aws_secret_access_key }}" - cluster: - url: "{{ .Values.cluster.url }}" - #s3 postsync manage aiservice_s3_accesskey: "{{ .Values.ibm_aiservice_tenant.aiservice_s3_accesskey }}" aiservice_s3_secretkey: "{{ .Values.ibm_aiservice_tenant.aiservice_s3_secretkey }}" From 81d56d996444b522c5aa93ef9139dda970fe6a48 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Tue, 9 Jun 2026 11:05:48 +0530 Subject: [PATCH 29/41] Change sync-wave for pre-sync sls --- .../templates/98-presync-copy-sls.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml index 12ad615e0..c8b46382e 100644 --- a/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml @@ -178,7 +178,7 @@ metadata: name: {{ $rb_name }} namespace: {{ $ns }} annotations: - argocd.argoproj.io/sync-wave: "99" + argocd.argoproj.io/sync-wave: "98" {{- if .Values.custom_labels }} labels: {{ .Values.custom_labels | toYaml | indent 4 }} @@ -199,7 +199,7 @@ metadata: name: {{ $_job_name }} namespace: {{ $ns }} annotations: - argocd.argoproj.io/sync-wave: "100" + argocd.argoproj.io/sync-wave: "98" argocd.argoproj.io/sync-options: Prune=true labels: mas.ibm.com/job-cleanup-group: {{ $_job_cleanup_group }} From 176396b89645004b8cc5970dd4246a73b083206f Mon Sep 17 00:00:00 2001 
From: Richa Joshi Date: Tue, 9 Jun 2026 15:24:04 +0530 Subject: [PATCH 30/41] tenant level aplication error fix --- .../templates/98-presync-copy-sls.yaml | 70 ++++++++++++------- .../100-ibm-aiservice-tenant-app.yaml | 6 ++ 2 files changed, 52 insertions(+), 24 deletions(-) diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml index c8b46382e..417d5084d 100644 --- a/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml @@ -60,25 +60,13 @@ are required here. {{- $_job_cleanup_group := cat $_job_name_prefix | sha1sum }} {{- /* -Extract ICN and subscription_id from the SLS secret path -Example: "" -We need to extract: 87654321 and bedd3ceac223 +ICN and subscription_id will be extracted from the resolved slscfg_url at runtime. +The namespace will be determined dynamically in the bash script. +For now, we use a placeholder that will be replaced at runtime. */}} -{{- $slsSecretPath := .Values.slscfg_ca_b64enc }} -{{- $pathParts := regexFindAll "[^/]+" $slsSecretPath -1 }} -{{- $ibm_customer_number := "" }} -{{- $subscription_id := "" }} -{{- if gt (len $pathParts) 3 }} - {{- $ibm_customer_number = index $pathParts 2 }} - {{- $subscription_id = index $pathParts 3 }} -{{- end }} - -{{- /* Extract domain from cluster URL */}} -{{- $clusterUrl := .Values.cluster.url }} -{{- $domain := regexReplaceAll "https://api\\.[^.]+\\.(.+):\\d+" $clusterUrl "${1}" }} -{{ $ns := printf "mas-%s-%s-sls" $ibm_customer_number $subscription_id }} -{{ $instance := printf "%s-%s" $ibm_customer_number $subscription_id }} +{{ $ns := "mas-sls-runtime" }} +{{ $instance := "sls-runtime" }} {{ $aws_secret := "aws"}} {{ $np_name := "postsync-ibm-sls-update-sm-np" }} 
@@ -126,8 +114,8 @@ metadata: {{ .Values.custom_labels | toYaml | indent 4 }} {{- end }} data: - aws_access_key_id: {{ .Values.sm_aws_access_key_id | b64enc }} - aws_secret_access_key: {{ .Values.sm_aws_secret_access_key | b64enc }} + aws_access_key_id: {{ .Values.sm_aws_access_key_id | default "" | b64enc }} + aws_secret_access_key: {{ .Values.sm_aws_secret_access_key | default "" | b64enc }} type: Opaque --- @@ -231,14 +219,22 @@ spec: value: {{ .Values.account_id }} - name: REGION_ID value: {{ .Values.region_id }} + {{- if .Values.cluster_url }} + - name: CLUSTER_URL + value: {{ .Values.cluster_url }} + {{- end }} + - name: SLSCFG_URL + value: '{{ .Values.slscfg_url }}' + {{- if .Values.ibm_customer_number }} - name: ICN - value: '{{ $ibm_customer_number }}' + value: '{{ .Values.ibm_customer_number }}' + {{- end }} + {{- if .Values.aiservice_sls_subscription_id }} - name: SUBSCRIPTION_ID - value: '{{ $subscription_id }}' - - name: DOMAIN - value: '{{ $domain }}' + value: '{{ .Values.aiservice_sls_subscription_id }}' + {{- end }} - name: TENANT - value: '{{ .Values.tenant.id }}' + value: '{{ .Values.tenant_id }}' - name: TENANT_NAMESPACE value: '{{ .Values.tenantNamespace }}' 
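Review bot: The `| default "" | b64enc` added to `aws_access_key_id` and `aws_secret_access_key` lets the chart render a Secret holding empty credentials when the values are missing, so the problem only surfaces later inside the job as an AWS authentication failure. Failing at render time is easier to diagnose: `aws_access_key_id: {{ required "sm_aws_access_key_id must be set" .Values.sm_aws_access_key_id | b64enc }}`, and the same for the secret key. If an empty value is legitimate in some environments, guard the Secret and the job that mounts it with an `if` instead of creating an empty credential.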
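Review bot: `CLUSTER_URL` in the env hunk is rendered as a bare scalar (`value: {{ .Values.cluster_url }}`) and `SLSCFG_URL` is wrapped in literal single quotes, so a value containing a quote, ` #` or `: ` changes how the manifest parses. The `quote` function keeps the value a string whatever it contains: `value: {{ .Values.cluster_url | quote }}` and `value: {{ .Values.slscfg_url | quote }}`. The `ACCOUNT_ID` and `REGION_ID` context lines follow the same bare pattern but are not part of the added lines.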
@@ -257,6 +253,32 @@ spec: set -e + # Extract ICN, SUBSCRIPTION_ID, and DOMAIN from SLSCFG_URL if not provided + # SLSCFG_URL format: https://sls.mas-87654350-bedd3ceac250-sls.apps.fvtsaasai.2rdp.p1.openshiftapps.com + if [[ -z "${ICN}" || -z "${SUBSCRIPTION_ID}" ]]; then + echo "Extracting ICN and SUBSCRIPTION_ID from SLSCFG_URL: ${SLSCFG_URL}" + # Extract the namespace part: mas-87654350-bedd3ceac250-sls + SLS_NAMESPACE=$(echo "${SLSCFG_URL}" | sed -n 's|https://sls\.\(mas-[^.]*-sls\)\..*|\1|p') + if [[ -z "${SLS_NAMESPACE}" ]]; then + echo "ERROR: Failed to extract SLS namespace from SLSCFG_URL" + exit 1 + fi + echo "Extracted SLS namespace: ${SLS_NAMESPACE}" + + # Extract ICN and SUBSCRIPTION_ID from namespace: mas-ICN-SUBID-sls + ICN=$(echo "${SLS_NAMESPACE}" | cut -d'-' -f2) + SUBSCRIPTION_ID=$(echo "${SLS_NAMESPACE}" | cut -d'-' -f3) + echo "Extracted ICN: ${ICN}, SUBSCRIPTION_ID: ${SUBSCRIPTION_ID}" + fi + + # Extract DOMAIN from CLUSTER_URL or SLSCFG_URL + if [[ -n "${CLUSTER_URL}" ]]; then + DOMAIN=$(echo "${CLUSTER_URL}" | sed -n 's|https://api\.[^.]*\.\(.*\):.*|\1|p') + else + DOMAIN=$(echo "${SLSCFG_URL}" | sed -n 's|https://[^.]*\.\(.*\)|\1|p') + fi + echo "Using DOMAIN: ${DOMAIN}" + # NOTE: cannot just render AWS secrets into here, as it will be exposed in the ArgoCD UI # Instead, we pass them into a secret (ArgoCD knows to hide any data fields in k8s secrets), # mount the secret on the jobs filesystem, and read them in here diff --git a/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml b/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml index 801d01b73..843bac018 100644 --- a/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml +++ b/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml 
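Review bot: The values parsed out of `SLSCFG_URL` are used without validation: `ICN` and `SUBSCRIPTION_ID` come from `cut -d'-'` on the captured namespace, and `DOMAIN` stays empty when neither `sed` expression matches, yet only `SLS_NAMESPACE` is checked. A later commit in this series uses these strings to pick the namespace the job reads from, so I would reject anything unexpected right after extraction: `[[ "${ICN}" =~ ^[a-z0-9]+$ && "${SUBSCRIPTION_ID}" =~ ^[a-z0-9]+$ ]] || { echo "ERROR: malformed ICN/SUBSCRIPTION_ID"; exit 1; }` and `[[ -n "${DOMAIN}" ]] || { echo "ERROR: could not derive DOMAIN"; exit 1; }` (adjust the pattern to the real id format). The `if` also re-derives both values when only one is missing, overwriting the one that was supplied. The script continues outside the hunk.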
@@ -53,6 +53,7 @@ spec: account_id: "{{ .Values.account.id }}" region_id: "{{ .Values.region.id }}" cluster_id: "{{ .Values.cluster.id }}" + cluster_url: "{{ .Values.cluster.url }}" cluster_admin_role: {{ if hasKey .Values "cluster_admin_role" }}{{ .Values.cluster_admin_role }}{{ else }}true{{ end }} application_admin_role: {{ if hasKey .Values "application_admin_role" }}{{ .Values.application_admin_role }}{{ else }}true{{ end }} # SAAS @@ -79,6 +80,11 @@ spec: slscfg_url: "{{ .Values.ibm_aiservice_tenant.slscfg_url }}" slscfg_ca_b64enc: "{{ .Values.ibm_aiservice_tenant.slscfg_ca_b64enc }}" aiservice_sls_subscription_id: "{{ .Values.ibm_aiservice_tenant.aiservice_sls_subscription_id }}" + {{- if .Values.ibm_aiservice_tenant.ibm_customer_number }} + ibm_customer_number: "{{ .Values.ibm_aiservice_tenant.ibm_customer_number }}" + {{- end }} + sm_aws_access_key_id: "{{ .Values.sm.aws_access_key_id }}" + sm_aws_secret_access_key: "{{ .Values.sm.aws_secret_access_key }}" #s3 postsync manage aiservice_s3_accesskey: "{{ .Values.ibm_aiservice_tenant.aiservice_s3_accesskey }}" From 9a6257da62fded9d0342a0bf9bbea26f86ce321d Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Tue, 9 Jun 2026 15:29:35 +0530 Subject: [PATCH 31/41] tenant namespace fix for sls presync --- .../templates/98-presync-copy-sls.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml index 417d5084d..c5e80581f 100644 --- a/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml 
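Review bot: `sm_aws_access_key_id` and `sm_aws_secret_access_key` in the second hunk are written into what appear to be the tenant Application's Helm values, which are readable by anyone who can view that Application in Argo CD. The job template in this series carries a comment that AWS secrets must not be rendered where the ArgoCD UI exposes them, so please confirm that `.Values.sm.aws_*` are still unresolved secret references at this level rather than the resolved keys. Separately, `.Values.sm.aws_access_key_id` fails to render when `sm` is not defined, whereas `ibm_customer_number` just above is guarded with an `if`.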
@@ -61,12 +61,12 @@ are required here. {{- /* ICN and subscription_id will be extracted from the resolved slscfg_url at runtime. -The namespace will be determined dynamically in the bash script. -For now, we use a placeholder that will be replaced at runtime. +Deploy the Job in the tenant namespace (which already exists). +The Job will access the SLS namespace to read ConfigMaps. */}} -{{ $ns := "mas-sls-runtime" }} -{{ $instance := "sls-runtime" }} +{{ $ns := .Values.tenantNamespace }} +{{ $instance := .Values.tenant_id }} {{ $aws_secret := "aws"}} {{ $np_name := "postsync-ibm-sls-update-sm-np" }} From 679d4d7a14b26ef7c2474cc9a6d9ee1934910e88 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Tue, 9 Jun 2026 15:38:51 +0530 Subject: [PATCH 32/41] sls-presync job issue fix --- .../templates/98-presync-copy-sls.yaml | 36 +++++++++---------- 1 file changed, 16 insertions(+), 20 deletions(-) diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml index c5e80581f..347f03d91 100644 --- a/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/98-presync-copy-sls.yaml @@ -132,11 +132,10 @@ metadata: {{- end }} --- -kind: Role +kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ $role_name }} - namespace: {{ $ns }} + name: {{ $role_name }}-{{ $instance }} annotations: argocd.argoproj.io/sync-wave: "98" {{- if .Values.custom_labels }} @@ -146,10 +145,12 @@ metadata: rules: - verbs: - get + - list apiGroups: - "" resources: - configmaps + - namespaces - verbs: - get - list 
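Review bot: Setting `$ns` to `.Values.tenantNamespace` moves every resource that uses `{{ $ns }}` into the tenant namespace, which presumably includes the `aws` Secret holding the Secrets Manager access key (its metadata is outside this hunk). Any principal that can read Secrets in the tenant namespace then obtains that key, and the generic name `aws` can collide with a Secret already present there. I would give it a job-specific name, e.g. `{{ $aws_secret := "presync-copy-sls-aws" }}`, and confirm the key's IAM policy is limited to the secret paths this job writes.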
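Review bot: Replacing the namespaced `Role` with a `ClusterRole` that allows `get`/`list` on `configmaps` and `namespaces` gives the job's service account read access to every ConfigMap in the cluster, although the script only reads `sls-suite-registration` from one SLS namespace; the matching `ClusterRoleBinding` is in the next hunk. A `Role` and `RoleBinding` created in the SLS namespace, with the subject pointing at the service account in the tenant namespace, keeps the cross-namespace read without the cluster-wide grant, and the rule can be narrowed with `resourceNames`. That needs the SLS namespace at render time, which the chart has whenever `ibm_customer_number` and `aiservice_sls_subscription_id` are supplied. The rules block continues outside the hunk.

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ $role_name }}-{{ $instance }}
  # SLS namespace, known when ICN and subscription id are supplied as values
  namespace: mas-{{ .Values.ibm_customer_number }}-{{ .Values.aiservice_sls_subscription_id }}-sls
  # … unchanged: annotations and labels …
rules:
  - verbs:
      - get
    apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - sls-suite-registration
  # … unchanged: routes rule …
```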
@@ -160,11 +161,10 @@ rules: - routes --- -kind: RoleBinding +kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ $rb_name }} - namespace: {{ $ns }} + name: {{ $rb_name }}-{{ $instance }} annotations: argocd.argoproj.io/sync-wave: "98" {{- if .Values.custom_labels }} @@ -177,8 +177,8 @@ subjects: namespace: {{ $ns }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ $role_name }} + kind: ClusterRole + name: {{ $role_name }}-{{ $instance }} --- apiVersion: batch/v1 @@ -244,8 +244,6 @@ spec: volumeMounts: - name: aws mountPath: /etc/mas/creds/aws - - name: sls-suite-registration - mountPath: /etc/mas/creds/sls-suite-registration command: - /bin/sh - -c 
@@ -285,17 +283,19 @@ spec: SM_AWS_ACCESS_KEY_ID=$(cat /etc/mas/creds/aws/aws_access_key_id) SM_AWS_SECRET_ACCESS_KEY=$(cat /etc/mas/creds/aws/aws_secret_access_key) - echo "Fetching registrationKey from sls-suite-registration ConfigMap in mas-${ICN}-${SUBSCRIPTION_ID}-sls" - SLS_REGISTRATION_KEY=$(cat /etc/mas/creds/sls-suite-registration/registrationKey) + # Fetch SLS data from ConfigMap in the SLS namespace using kubectl + SLS_NAMESPACE="mas-${ICN}-${SUBSCRIPTION_ID}-sls" + echo "Fetching registrationKey from sls-suite-registration ConfigMap in ${SLS_NAMESPACE}" + SLS_REGISTRATION_KEY=$(kubectl get configmap sls-suite-registration -n ${SLS_NAMESPACE} -o jsonpath='{.data.registrationKey}' 2>/dev/null) if [[ -z "${SLS_REGISTRATION_KEY}" ]]; then - echo "Failed to fetch registrationKey" + echo "Failed to fetch registrationKey from ${SLS_NAMESPACE}" exit 1 fi - echo "Fetching ca from sls-suite-registration ConfigMap in mas-${ICN}-${SUBSCRIPTION_ID}-sls" - SLS_CA=$(cat /etc/mas/creds/sls-suite-registration/ca | base64 -w0) + echo "Fetching ca from sls-suite-registration ConfigMap in ${SLS_NAMESPACE}" + SLS_CA=$(kubectl get configmap sls-suite-registration -n ${SLS_NAMESPACE} -o jsonpath='{.data.ca}' 2>/dev/null | base64 -w0) if [[ -z "${SLS_CA}" ]]; then - echo "Failed to fetch ca" + echo "Failed to fetch ca from ${SLS_NAMESPACE}" exit 1 fi @@ -375,10 +375,6 @@ spec: secretName: {{ $aws_secret }} defaultMode: 420 optional: false - - name: sls-suite-registration - configMap: - name: sls-suite-registration - optional: false backoffLimit: 4 {{- /* TEMPORARY: End condition commented out for testing From e601fb2a37a12012340f9cf15c106027d87bfa71 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Tue, 9 Jun 2026 16:25:08 +0530 Subject: [PATCH 33/41] Code addd for creating apikey-secret --- .../templates/08-aiservice-postsyncjob.yaml | 28 +++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) 
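Review bot: The two `kubectl get configmap` calls discard stderr with `2>/dev/null`, and because the script runs under `set -e` the first assignment aborts the job on a non-zero exit before the "Failed to fetch registrationKey" message is printed, so an RBAC denial and a missing ConfigMap both end without any diagnostic. Dropping the redirect and handling the status explicitly gives an operator something to act on: `SLS_REGISTRATION_KEY=$(kubectl get configmap sls-suite-registration -n "${SLS_NAMESPACE}" -o jsonpath='{.data.registrationKey}') || true`, leaving the existing empty check to report the failure. `${SLS_NAMESPACE}` should be quoted in both calls, since it is assembled from values parsed out of a URL.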
diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml index 7fffffcef..0fd7ac8c1 100644 --- a/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml @@ -170,9 +170,33 @@ spec: echo "Retrieve AIBroker API Key for tenant: ${AISERVICE_TENANT}" echo "================================================================================" - AISERVICE_APIKEY_SECRET=$(oc get secret ${AISERVICE_TENANT}----apikey-secret -n ${TARGET_NAMESPACE} -o jsonpath="{.data.AIBROKER_APIKEY}" | base64 --decode) + # Wait for the apikey-secret to be created by the AIService operator + # The operator creates this secret after the AIServiceTenant CR is reconciled + SECRET_NAME="${AISERVICE_TENANT}----apikey-secret" + MAX_RETRIES=30 + RETRY_DELAY=10 + + echo "Waiting for secret ${SECRET_NAME} to be created in namespace ${TARGET_NAMESPACE}..." + for i in $(seq 1 $MAX_RETRIES); do + if oc get secret ${SECRET_NAME} -n ${TARGET_NAMESPACE} > /dev/null 2>&1; then + echo "Secret ${SECRET_NAME} found (attempt $i/$MAX_RETRIES)" + break + fi + + if [ $i -eq $MAX_RETRIES ]; then + echo "ERROR: Secret ${SECRET_NAME} not found after ${MAX_RETRIES} attempts" + echo "The AIService operator may not have created the secret yet" + exit 1 + fi + + echo "Secret not found yet, waiting ${RETRY_DELAY}s... (attempt $i/$MAX_RETRIES)" + sleep $RETRY_DELAY + done + + AISERVICE_APIKEY_SECRET=$(oc get secret ${SECRET_NAME} -n ${TARGET_NAMESPACE} -o jsonpath="{.data.AIBROKER_APIKEY}" | base64 --decode) if [ -z "$AISERVICE_APIKEY_SECRET" ]; then - echo "AISERVICE_APIKEY_SECRET is empty" + echo "ERROR: AISERVICE_APIKEY_SECRET is empty in secret ${SECRET_NAME}" + echo "The secret exists but does not contain the AIBROKER_APIKEY field" exit 1 fi 
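Review bot: The wait loop sends all `oc get secret` output to `/dev/null`, so a Forbidden or connection error is indistinguishable from the secret not existing yet, and the job waits the full 30 attempts before reporting "not found". Printing the real error on the last attempt makes the cause visible, e.g. `oc get secret "${SECRET_NAME}" -n "${TARGET_NAMESPACE}" || true` without the redirect just before `exit 1`. The expansions in the added lines (`${SECRET_NAME}`, `${TARGET_NAMESPACE}`, `$i`, `$MAX_RETRIES`) are unquoted; quoting them keeps the commands well-formed if a tenant name ever contains unexpected characters.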
From 443b642d070d76d9d34de9a423bc0021a2c04285 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Fri, 12 Jun 2026 12:56:30 +0530 Subject: [PATCH 34/41] sync-wave changed due to missing jdbc secrets --- .../113-ibm-aiservice/templates/03-aiservice-jdbc.yaml | 2 +- .../113-ibm-aiservice/templates/06-aiservice-app.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/instance-applications/113-ibm-aiservice/templates/03-aiservice-jdbc.yaml b/instance-applications/113-ibm-aiservice/templates/03-aiservice-jdbc.yaml index 3db04cbb5..262f71f52 100644 --- a/instance-applications/113-ibm-aiservice/templates/03-aiservice-jdbc.yaml +++ b/instance-applications/113-ibm-aiservice/templates/03-aiservice-jdbc.yaml @@ -6,7 +6,7 @@ metadata: name: "{{ .Values.aiservice_jdbc_secret }}" namespace: "{{ .Values.aiservice_namespace }}" annotations: - argocd.argoproj.io/sync-wave: "144" + argocd.argoproj.io/sync-wave: "154" data: username: {{ .Values.jdbccfg_username | default "" | toString | b64enc | quote }} password: {{ .Values.jdbccfg_password | default "" | toString | b64enc | quote }} diff --git a/instance-applications/113-ibm-aiservice/templates/06-aiservice-app.yaml b/instance-applications/113-ibm-aiservice/templates/06-aiservice-app.yaml index 24d7f9750..f628f49cf 100644 --- a/instance-applications/113-ibm-aiservice/templates/06-aiservice-app.yaml +++ b/instance-applications/113-ibm-aiservice/templates/06-aiservice-app.yaml @@ -9,7 +9,7 @@ metadata: aiservice.ibm.com/instanceId: "{{ .Values.aiservice_instance_id }}" app.kubernetes.io/instance: "{{ .Values.aiservice_instance_id }}" annotations: - argocd.argoproj.io/sync-wave: "150" + argocd.argoproj.io/sync-wave: "160" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true ansible.sdk.operatorframework.io/verbosity: "{{ .Values.aiservice_operator_log_level }}" spec: From 4eb3b455cfd3cd421d93228c27322dfc6ae06269 Mon Sep 17 00:00:00 2001 
From: Richa Joshi Date: Sat, 13 Jun 2026 00:39:50 +0530 Subject: [PATCH 35/41] sync wave revert for jdbc and aiservice app --- .../113-ibm-aiservice/templates/03-aiservice-jdbc.yaml | 2 +- .../113-ibm-aiservice/templates/06-aiservice-app.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/instance-applications/113-ibm-aiservice/templates/03-aiservice-jdbc.yaml b/instance-applications/113-ibm-aiservice/templates/03-aiservice-jdbc.yaml index 262f71f52..3db04cbb5 100644 --- a/instance-applications/113-ibm-aiservice/templates/03-aiservice-jdbc.yaml +++ b/instance-applications/113-ibm-aiservice/templates/03-aiservice-jdbc.yaml @@ -6,7 +6,7 @@ metadata: name: "{{ .Values.aiservice_jdbc_secret }}" namespace: "{{ .Values.aiservice_namespace }}" annotations: - argocd.argoproj.io/sync-wave: "154" + argocd.argoproj.io/sync-wave: "144" data: username: {{ .Values.jdbccfg_username | default "" | toString | b64enc | quote }} password: {{ .Values.jdbccfg_password | default "" | toString | b64enc | quote }} diff --git a/instance-applications/113-ibm-aiservice/templates/06-aiservice-app.yaml b/instance-applications/113-ibm-aiservice/templates/06-aiservice-app.yaml index f628f49cf..24d7f9750 100644 --- a/instance-applications/113-ibm-aiservice/templates/06-aiservice-app.yaml +++ b/instance-applications/113-ibm-aiservice/templates/06-aiservice-app.yaml @@ -9,7 +9,7 @@ metadata: aiservice.ibm.com/instanceId: "{{ .Values.aiservice_instance_id }}" app.kubernetes.io/instance: "{{ .Values.aiservice_instance_id }}" annotations: - argocd.argoproj.io/sync-wave: "160" + argocd.argoproj.io/sync-wave: "150" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true ansible.sdk.operatorframework.io/verbosity: "{{ .Values.aiservice_operator_log_level }}" spec: From d4bc7f24fb189d2aa2976ed5a542d08530f87e01 Mon Sep 17 00:00:00 2001 
From: Richa Joshi Date: Mon, 15 Jun 2026 17:57:43 +0530 Subject: [PATCH 36/41] minor fix --- .../templates/099-aiservice-instance-appset.yaml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/root-applications/ibm-mas-cluster-root/templates/099-aiservice-instance-appset.yaml b/root-applications/ibm-mas-cluster-root/templates/099-aiservice-instance-appset.yaml index 600471c9e..d079e44de 100644 --- a/root-applications/ibm-mas-cluster-root/templates/099-aiservice-instance-appset.yaml +++ b/root-applications/ibm-mas-cluster-root/templates/099-aiservice-instance-appset.yaml @@ -70,13 +70,23 @@ spec: {{- end }} annotations: healthCheckTimeout: "1800" - argocd.argoproj.io/sync-wave: "099" + argocd.argoproj.io/sync-wave: "130" {{- if and .Values.notifications .Values.notifications.slack_channel_id }} notifications.argoproj.io/subscribe.on-sync-failed.workspace1: {{ .Values.notifications.slack_channel_id }} notifications.argoproj.io/subscribe.on-sync-succeeded.workspace1: {{ .Values.notifications.slack_channel_id }} {{- end }} spec: project: "{{ .Values.argo.projects.rootapps }}" + syncPolicy: + automated: + prune: {{- if .Values.auto_delete }}true{{- else }}false{{- end }} + selfHeal: true + retry: + limit: 10 + backoff: + duration: 30s + factor: 2 + maxDuration: 5m source: repoURL: "{{ .Values.source.repo_url }}" targetRevision: "{{ .Values.source.revision }}" From 04f5780c0dc21e9d0ca478c061f5a6f819027f54 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Mon, 15 Jun 2026 18:06:16 +0530 Subject: [PATCH 37/41] minor fix --- .../templates/099-aiservice-instance-appset.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root-applications/ibm-mas-cluster-root/templates/099-aiservice-instance-appset.yaml b/root-applications/ibm-mas-cluster-root/templates/099-aiservice-instance-appset.yaml index d079e44de..d07203e01 100644 --- a/root-applications/ibm-mas-cluster-root/templates/099-aiservice-instance-appset.yaml 
+++ b/root-applications/ibm-mas-cluster-root/templates/099-aiservice-instance-appset.yaml @@ -79,7 +79,7 @@ spec: project: "{{ .Values.argo.projects.rootapps }}" syncPolicy: automated: - prune: {{- if .Values.auto_delete }}true{{- else }}false{{- end }} + prune: {{ if .Values.auto_delete }}true{{ else }}false{{ end }} selfHeal: true retry: limit: 10 From 4f49771ada5cec0f965857d029b10bdef1a2bb17 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Mon, 15 Jun 2026 18:11:37 +0530 Subject: [PATCH 38/41] minox fix --- root-applications/ibm-aiservice-instance-root/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/root-applications/ibm-aiservice-instance-root/README.md b/root-applications/ibm-aiservice-instance-root/README.md index 102dc473a..3636661a9 100644 --- a/root-applications/ibm-aiservice-instance-root/README.md +++ b/root-applications/ibm-aiservice-instance-root/README.md @@ -180,6 +180,8 @@ The following table lists all ArgoCD applications defined in the templates folde | Template File | Application Name | Cluster Admin Role | Application Admin Role | Both Roles | |--------------|------------------|-------------------|----------------------|------------| +| [`010-ibm-db2u-app.yaml`](templates/010-ibm-db2u-app.yaml) | db2u | - | - | ✓ | +| [`020-ibm-db2u-database-app.yaml`](templates/020-ibm-db2u-database-app.yaml) | db2u-database | - | - | ✓ | | [`030-ibm-odh-app.yaml`](templates/030-ibm-odh-app.yaml) | odh | - | - | ✓ | | [`031-ibm-rhoai-app.yaml`](templates/031-ibm-rhoai-app.yaml) | rhoai | - | - | ✓ | | [`040-ibm-aiservice-app.yaml`](templates/040-ibm-aiservice-app.yaml) | aiservice | - | - | ✓ | 
@@ -189,7 +191,7 @@ The following table lists all ArgoCD applications defined in the templates folde - **Cluster Admin Role**: Applications that require `cluster_admin_role` to be set (0 applications) - **Application Admin Role**: Applications that require `application_admin_role` to be set (0 applications) -- **Both Roles**: Applications rendered regardless of role settings (3 applications) +- **Both Roles**: Applications rendered regardless of role settings (6 applications) **Note**: Some applications have additional conditions beyond role requirements (e.g., specific configuration values must be defined). Refer to individual template files for complete rendering logic. From a7207e08590637d53f852af09c7da955c35367e5 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Mon, 15 Jun 2026 18:22:22 +0530 Subject: [PATCH 39/41] Added templates in README --- instance-applications/115-ibm-aiservice-tenant/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/instance-applications/115-ibm-aiservice-tenant/README.md b/instance-applications/115-ibm-aiservice-tenant/README.md index 3544079dc..03fd98748 100644 --- a/instance-applications/115-ibm-aiservice-tenant/README.md +++ b/instance-applications/115-ibm-aiservice-tenant/README.md 
@@ -20,6 +20,8 @@ This chart provisions a tenant for Maximo AI Service. It installs the AI Service | `ServiceAccount` | Migration and post-sync service accounts | Tenant namespace | Always | `application_admin_role` | | `Role` | Migration and post-sync roles | Tenant namespace | Always | `application_admin_role` | | `RoleBinding` | Migration and post-sync role bindings | Tenant namespace | Always | `application_admin_role` | +| `ClusterRole` | Tenant cluster-level permissions | Cluster-wide | Always | `application_admin_role` | +| `ClusterRoleBinding` | Tenant cluster role bindings | Cluster-wide | Always | `application_admin_role` | | `NetworkPolicy` | Tenant migration and ingress network policies | Tenant namespace | Always | `application_admin_role` | | `Job` | Migration, post-sync, and secret setup jobs | Tenant namespace | Always | `application_admin_role` | From d871214b5d9e8affb6d7ea70884f804511082f7b Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Tue, 16 Jun 2026 13:49:58 +0530 Subject: [PATCH 40/41] Set default values for the db2 secrets --- .../templates/040-ibm-aiservice-app.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/root-applications/ibm-aiservice-instance-root/templates/040-ibm-aiservice-app.yaml b/root-applications/ibm-aiservice-instance-root/templates/040-ibm-aiservice-app.yaml index 9cdf05219..b660f20ae 100644 --- a/root-applications/ibm-aiservice-instance-root/templates/040-ibm-aiservice-app.yaml +++ b/root-applications/ibm-aiservice-instance-root/templates/040-ibm-aiservice-app.yaml 
@@ -51,7 +51,7 @@ spec: aiservice_s3_port: "{{ .Values.ibm_aiservice.aiservice_s3_port }}" dro_ca_b64enc: "{{ .Values.ibm_aiservice.dro_ca_b64enc }}" - jdbccfg_ca_b64enc: "{{ .Values.ibm_aiservice.jdbccfg_ca_b64enc }}" + jdbccfg_ca_b64enc: "{{ .Values.ibm_aiservice.jdbccfg_ca_b64enc | default "" }}" aiservice_dro_token_secret: "{{ .Values.ibm_aiservice.aiservice_dro_token_secret }}" aiservice_dro_cacert_secret: "{{ .Values.ibm_aiservice.aiservice_dro_cacert_secret }}" @@ -62,11 +62,11 @@ spec: aiservice_jdbc_secret: "{{ .Values.ibm_aiservice.aiservice_jdbc_secret }}" use_aws_db2: "{{ .Values.ibm_aiservice.use_aws_db2 }}" - jdbccfg_username: "{{ .Values.ibm_aiservice.jdbccfg_username }}" - jdbccfg_password: "{{ .Values.ibm_aiservice.jdbccfg_password }}" - jdbccfg_url: "{{ .Values.ibm_aiservice.jdbccfg_url }}" - jdbccfg_sslenabled: "{{ .Values.ibm_aiservice.jdbccfg_sslenabled }}" - jdbccfg_ca: "{{ .Values.ibm_aiservice.jdbccfg_ca }}" + jdbccfg_username: "{{ .Values.ibm_aiservice.jdbccfg_username | default "" }}" + jdbccfg_password: "{{ .Values.ibm_aiservice.jdbccfg_password | default "" }}" + jdbccfg_url: "{{ .Values.ibm_aiservice.jdbccfg_url | default "" }}" + jdbccfg_sslenabled: "{{ .Values.ibm_aiservice.jdbccfg_sslenabled | default "" }}" + jdbccfg_ca: "{{ .Values.ibm_aiservice.jdbccfg_ca | default "" }}" entitlement_username: "{{ .Values.ibm_aiservice.entitlement_username }}" entitlement_key: "{{ .Values.ibm_aiservice.entitlement_key }}" From 44c47146db63e552d34cffc44b631677680e8945 Mon Sep 17 00:00:00 2001 From: Richa Joshi Date: Tue, 16 Jun 2026 15:19:53 +0530 Subject: [PATCH 41/41] Applied fix for the sync-wave --- .../templates/020-ibm-db2u-database-app.yaml | 1 + .../templates/040-ibm-aiservice-app.yaml | 1 + .../templates/070-aiservice-tenant-appset.yaml | 1 + 3 files changed, 3 insertions(+) 
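Review bot: `| default ""` on `jdbccfg_sslenabled` in the second hunk turns a boolean `false` into an empty string, because Sprig's `default` treats `false` as empty; if the value is ever supplied as a boolean, the consumer receives `""` instead of `"false"`. For that key `{{ .Values.ibm_aiservice.jdbccfg_sslenabled | default false }}` keeps the meaning, assuming an unset value should read as disabled. For `jdbccfg_username`, `jdbccfg_password` and `jdbccfg_url` (and `jdbccfg_ca_b64enc` in the first hunk) the default hides a missing credential until the JDBC Secret is created with empty fields; where DB2 is mandatory for an instance, `required` would surface that at render time.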
diff --git a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml index aa20dacf3..c9c6ed373 100644 --- a/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml +++ b/root-applications/ibm-aiservice-instance-root/templates/020-ibm-db2u-database-app.yaml @@ -72,6 +72,7 @@ spec: syncOptions: - CreateNamespace=true - RespectIgnoreDifferences=true + - ApplyOutOfSyncOnly=true ignoreDifferences: - group: 'db2u.databases.ibm.com' kind: Db2uInstance diff --git a/root-applications/ibm-aiservice-instance-root/templates/040-ibm-aiservice-app.yaml b/root-applications/ibm-aiservice-instance-root/templates/040-ibm-aiservice-app.yaml index b660f20ae..8119da868 100644 --- a/root-applications/ibm-aiservice-instance-root/templates/040-ibm-aiservice-app.yaml +++ b/root-applications/ibm-aiservice-instance-root/templates/040-ibm-aiservice-app.yaml @@ -120,6 +120,7 @@ spec: {{- if .Values.cluster_admin_role }} - CreateNamespace=true {{- end }} + - ApplyOutOfSyncOnly=true {{- if .Values.custom_labels }} managedNamespaceMetadata: labels: diff --git a/root-applications/ibm-aiservice-instance-root/templates/070-aiservice-tenant-appset.yaml b/root-applications/ibm-aiservice-instance-root/templates/070-aiservice-tenant-appset.yaml index 79183b39e..217a4dcfa 100644 --- a/root-applications/ibm-aiservice-instance-root/templates/070-aiservice-tenant-appset.yaml +++ b/root-applications/ibm-aiservice-instance-root/templates/070-aiservice-tenant-appset.yaml @@ -121,6 +121,7 @@ spec: - CreateNamespace=false - RespectIgnoreDifferences=true - ServerSideApply=true + - ApplyOutOfSyncOnly=true retry: limit: -1 ignoreDifferences: