From 06365943cb7fce3258656551c4b72cf9001feecb Mon Sep 17 00:00:00 2001 From: Jignesh Chauhan Date: Mon, 15 Jun 2026 20:00:16 +0530 Subject: [PATCH 1/6] [patch] remove ibm_entitlement_key from pipeline runs to kubernetes secrets --- src/mas/devops/tekton.py | 16 +++++++++++++++- .../pipelinerun-aiservice-upgrade.yml.j2 | 5 ----- .../devops/templates/pipelinerun-install.yml.j2 | 4 ---- .../devops/templates/pipelinerun-restore.yml.j2 | 4 ---- .../devops/templates/pipelinerun-update.yml.j2 | 5 ----- .../devops/templates/pipelinerun-upgrade.yml.j2 | 5 ----- 6 files changed, 15 insertions(+), 24 deletions(-) diff --git a/src/mas/devops/tekton.py b/src/mas/devops/tekton.py index b915cac1..d9041f2f 100644 --- a/src/mas/devops/tekton.py +++ b/src/mas/devops/tekton.py @@ -598,7 +598,7 @@ def prepareRestoreSecrets(dynClient: DynamicClient, namespace: str, restoreConfi secretsAPI.create(body=restoreConfigs, namespace=namespace) -def prepareInstallSecrets(dynClient: DynamicClient, namespace: str, slsLicenseFile: str = None, additionalConfigs: dict = None, certs: str = None, podTemplates: str = None, slack_token: str = None, slack_channel: str = None, aiserviceConfig: str = None, db2LicenseFile: dict | None = None, facilitiesProperties: dict | None = None) -> None: +def prepareInstallSecrets(dynClient: DynamicClient, namespace: str, slsLicenseFile: str = None, additionalConfigs: dict = None, certs: str = None, podTemplates: str = None, slack_token: str = None, slack_channel: str = None, aiserviceConfig: str = None, db2LicenseFile: dict | None = None, facilitiesProperties: dict | None = None, ibm_entitlement_key: str = None) -> None: """ Create or update secrets required for MAS installation pipelines. 
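Review bot: The new `ibm_entitlement_key: str = None` parameter on `prepareInstallSecrets` is annotated as a plain `str` although it defaults to None, while `db2LicenseFile` and `facilitiesProperties` in the same signature already use `dict | None`. Writing it as `ibm_entitlement_key: str | None = None` would match them. The `prepareRestoreSecrets` signature in patch 4/6 has the same annotation and also lacks a `-> None` return annotation. Because this argument carries a credential, the docstring entry added in the following hunk could state where the value ends up, for example `Stored base64-encoded under IBM_ENTITLEMENT_KEY in Secret/pipeline-additional-configs.` The function body continues outside this hunk.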
@@ -618,6 +618,7 @@ def prepareInstallSecrets(dynClient: DynamicClient, namespace: str, slsLicenseFi slack_channel (str, optional): Slack channel ID for notifications. Defaults to None. aiserviceConfig (str, optional): AI Service tenant config data. Defaults to None (empty secret). facilitiesProperties (dict, optional): Facilities properties file content. Defaults to None (empty secret). + ibm_entitlement_key (str, optional): IBM entitlement key for authentication. Defaults to None. Returns: None @@ -685,6 +686,19 @@ def prepareInstallSecrets(dynClient: DynamicClient, namespace: str, slsLicenseFi "name": "pipeline-additional-configs" } } + + additionalConfigs.setdefault("apiVersion", "v1") + additionalConfigs.setdefault("kind", "Secret") + additionalConfigs.setdefault("type", "Opaque") + additionalConfigs.setdefault("metadata", {}) + additionalConfigs["metadata"]["name"] = "pipeline-additional-configs" + + # Add IBM_ENTITLEMENT_KEY to the secret if provided + if ibm_entitlement_key: + if "data" not in additionalConfigs: + additionalConfigs["data"] = {} + additionalConfigs["data"]["IBM_ENTITLEMENT_KEY"] = base64.b64encode(ibm_entitlement_key.encode()).decode() + secretsAPI.create(body=additionalConfigs, namespace=namespace) # 2. Secret/pipeline-sls-entitlement diff --git a/src/mas/devops/templates/pipelinerun-aiservice-upgrade.yml.j2 b/src/mas/devops/templates/pipelinerun-aiservice-upgrade.yml.j2 index 47bfe1d6..b00ad613 100644 --- a/src/mas/devops/templates/pipelinerun-aiservice-upgrade.yml.j2 +++ b/src/mas/devops/templates/pipelinerun-aiservice-upgrade.yml.j2 @@ -21,11 +21,6 @@ spec: - name: aiservice_channel value: "{{ aiservice_channel }}" - # IBM Entitlement Key - # ------------------------------------------------------------------------- - - name: ibm_entitlement_key - value: "{{ ibm_entitlement_key }}" - {%- if skip_pre_check is defined and skip_pre_check != "" %} # Skip pre-check # ------------------------------------------------------------------------- 
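Review bot: In the `pipeline-additional-configs` block of `prepareInstallSecrets`, the `setdefault` calls and the `additionalConfigs["data"]["IBM_ENTITLEMENT_KEY"] = ...` assignment modify the dict the caller passed in. The encoded entitlement key therefore stays in the caller's object after the call and follows it wherever that object is later dumped or reused. Working on a copy avoids this, e.g. `additionalConfigs = dict(additionalConfigs or {})` followed by `additionalConfigs["data"] = dict(additionalConfigs.get("data") or {})` and the same treatment for `metadata`; the identical block added to `prepareRestoreSecrets` in patch 4/6 needs the same change. When `ibm_entitlement_key` is empty the Secret is silently created without the key, and since the templates no longer pass it as a param, a `logger.warning("IBM_ENTITLEMENT_KEY not set in pipeline-additional-configs")` (name only, never the value) would surface the gap before a task fails on it. The enclosing function starts and ends outside this hunk.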
diff --git a/src/mas/devops/templates/pipelinerun-install.yml.j2 b/src/mas/devops/templates/pipelinerun-install.yml.j2 index d716ecb5..c634b233 100644 --- a/src/mas/devops/templates/pipelinerun-install.yml.j2 +++ b/src/mas/devops/templates/pipelinerun-install.yml.j2 @@ -18,10 +18,6 @@ spec: pipeline: "0" params: - # IBM Entitlement Key - # ------------------------------------------------------------------------- - - name: ibm_entitlement_key - value: "{{ ibm_entitlement_key }}" {%- if skip_pre_check is defined and skip_pre_check != "" %} # Pipeline config diff --git a/src/mas/devops/templates/pipelinerun-restore.yml.j2 b/src/mas/devops/templates/pipelinerun-restore.yml.j2 index 849c61be..0186968d 100644 --- a/src/mas/devops/templates/pipelinerun-restore.yml.j2 +++ b/src/mas/devops/templates/pipelinerun-restore.yml.j2 @@ -98,10 +98,6 @@ spec: - name: dro_contact_lastname value: "{{ dro_contact_lastname }}" {% endif %} - {% if ibm_entitlement_key is defined and ibm_entitlement_key != "" %} - - name: ibm_entitlement_key - value: "{{ ibm_entitlement_key }}" - {% endif %} {% if dro_namespace is defined and dro_namespace != "" %} - name: dro_namespace value: "{{ dro_namespace }}" diff --git a/src/mas/devops/templates/pipelinerun-update.yml.j2 b/src/mas/devops/templates/pipelinerun-update.yml.j2 index 6ffdce28..fdd5d6e3 100644 --- a/src/mas/devops/templates/pipelinerun-update.yml.j2 +++ b/src/mas/devops/templates/pipelinerun-update.yml.j2 @@ -27,11 +27,6 @@ spec: - name: mas_catalog_version value: "{{ mas_catalog_version }}" -{%- if ibm_entitlement_key is defined and ibm_entitlement_key != "" %} - # TODO: What even uses this, nothing in the update pipeline should be using this - - name: ibm_entitlement_key - value: "{{ ibm_entitlement_key }}" -{%- endif %} {%- if artifactory_username is defined and artifactory_username != "" %} # Enable development catalogs # ------------------------------------------------------------------------- 
diff --git a/src/mas/devops/templates/pipelinerun-upgrade.yml.j2 b/src/mas/devops/templates/pipelinerun-upgrade.yml.j2 index 0d7b8af4..058a6258 100644 --- a/src/mas/devops/templates/pipelinerun-upgrade.yml.j2 +++ b/src/mas/devops/templates/pipelinerun-upgrade.yml.j2 @@ -29,11 +29,6 @@ spec: - name: mas_channel value: "{{ mas_channel }}" - # IBM Entitlement Key - # ------------------------------------------------------------------------- - - name: ibm_entitlement_key - value: "{{ ibm_entitlement_key }}" - {%- if skip_pre_check is defined and skip_pre_check != "" %} # Skip pre-check # ------------------------------------------------------------------------- From 92aeb7eca547b3fb8b2c3217e098789d9bc2b2c0 Mon Sep 17 00:00:00 2001 From: Jignesh Chauhan Date: Tue, 16 Jun 2026 09:59:57 +0530 Subject: [PATCH 2/6] [patch] trigger builds --- src/mas/devops/templates/pipelinerun-install.yml.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/src/mas/devops/templates/pipelinerun-install.yml.j2 b/src/mas/devops/templates/pipelinerun-install.yml.j2 index c634b233..bdf87c55 100644 --- a/src/mas/devops/templates/pipelinerun-install.yml.j2 +++ b/src/mas/devops/templates/pipelinerun-install.yml.j2 @@ -1001,3 +1001,4 @@ spec: secret: secretName: pipeline-facilities-properties {% endif %} + From cf8ac33af58a20af766b08a1f7d88e7628cc22f1 Mon Sep 17 00:00:00 2001 From: Jignesh Chauhan Date: Tue, 16 Jun 2026 13:37:23 +0530 Subject: [PATCH 3/6] [patch] trigger empty commit --- src/mas/devops/templates/pipelinerun-install.yml.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/mas/devops/templates/pipelinerun-install.yml.j2 b/src/mas/devops/templates/pipelinerun-install.yml.j2 index bdf87c55..a7fae260 100644 --- a/src/mas/devops/templates/pipelinerun-install.yml.j2 +++ b/src/mas/devops/templates/pipelinerun-install.yml.j2 @@ -1001,4 +1001,5 @@ spec: secret: secretName: pipeline-facilities-properties {% endif %} - + + 
From df2f55427be7724df6195d7d80cc0bba8aaae2d4 Mon Sep 17 00:00:00 2001 From: Jignesh Chauhan Date: Mon, 22 Jun 2026 17:14:55 +0530 Subject: [PATCH 4/6] [patch] update aiservice/restore pipelines --- src/mas/devops/tekton.py | 41 +++++++++++++++++-- .../templates/pipelinerun-restore.yml.j2 | 3 ++ 2 files changed, 41 insertions(+), 3 deletions(-) diff --git a/src/mas/devops/tekton.py b/src/mas/devops/tekton.py index e8549d0e..5a7c5908 100644 --- a/src/mas/devops/tekton.py +++ b/src/mas/devops/tekton.py @@ -679,17 +679,20 @@ def prepareAiServicePipelinesNamespace( logger.info(f"Storage class {storageClass} uses volumeBindingMode={volumeBindingMode}, skipping PVC bind wait") -def prepareRestoreSecrets(dynClient: DynamicClient, namespace: str, restoreConfigs: dict = None): +def prepareRestoreSecrets(dynClient: DynamicClient, namespace: str, restoreConfigs: dict = None, additionalConfigs: dict = None, ibm_entitlement_key: str = None): """ - Create or update secret required for MAS Restore pipeline. + Create or update secrets required for MAS Restore pipeline. - Creates secret in the specified namespace: + Creates secrets in the specified namespace: - pipeline-restore-configs + - pipeline-additional-configs Parameters: dynClient (DynamicClient): OpenShift Dynamic Client namespace (str): The namespace to create secrets in restoreConfigs (dict, optional): configuration data for restore. Defaults to None (empty secret). + additionalConfigs (dict, optional): Additional configuration data. Defaults to None (empty secret). + ibm_entitlement_key (str, optional): IBM entitlement key for authentication. Defaults to None. Returns: None 
@@ -716,6 +719,38 @@ def prepareRestoreSecrets(dynClient: DynamicClient, namespace: str, restoreConfi } secretsAPI.create(body=restoreConfigs, namespace=namespace) + # 2. Secret/pipeline-additional-configs + # ------------------------------------------------------------------------- + # Must exist, but can be empty + try: + secretsAPI.delete(name="pipeline-additional-configs", namespace=namespace) + except NotFoundError: + pass + + if additionalConfigs is None: + additionalConfigs = { + "apiVersion": "v1", + "kind": "Secret", + "type": "Opaque", + "metadata": { + "name": "pipeline-additional-configs" + } + } + + additionalConfigs.setdefault("apiVersion", "v1") + additionalConfigs.setdefault("kind", "Secret") + additionalConfigs.setdefault("type", "Opaque") + additionalConfigs.setdefault("metadata", {}) + additionalConfigs["metadata"]["name"] = "pipeline-additional-configs" + + # Add IBM_ENTITLEMENT_KEY to the secret if provided + if ibm_entitlement_key: + if "data" not in additionalConfigs: + additionalConfigs["data"] = {} + additionalConfigs["data"]["IBM_ENTITLEMENT_KEY"] = base64.b64encode(ibm_entitlement_key.encode()).decode() + + secretsAPI.create(body=additionalConfigs, namespace=namespace) + def prepareInstallSecrets( dynClient: DynamicClient, diff --git a/src/mas/devops/templates/pipelinerun-restore.yml.j2 b/src/mas/devops/templates/pipelinerun-restore.yml.j2 index 0ff158ae..30d0c31d 100644 --- a/src/mas/devops/templates/pipelinerun-restore.yml.j2 +++ b/src/mas/devops/templates/pipelinerun-restore.yml.j2 @@ -18,6 +18,9 @@ spec: - name: restore-configurations secret: secretName: pipeline-restore-configs + - name: shared-additional-configs + secret: + secretName: pipeline-additional-configs params: # Common Parameters - name: image_pull_policy From 30ec1116f601dd28afcddca5998a7178c0077c31 Mon Sep 17 00:00:00 2001 
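Review bot: `prepareRestoreSecrets` now unconditionally deletes and recreates `pipeline-additional-configs`, the same Secret name that `prepareInstallSecrets` manages. Whether both functions can run against one pipelines namespace is not visible here, but if they can, a restore call with `additionalConfigs=None` replaces the install-time contents with a Secret holding only `IBM_ENTITLEMENT_KEY`, or no data at all when no key is passed. In that case, reading the existing Secret and merging the key into its `data` would be safer than delete-and-create; otherwise a comment such as `# Replaces any existing pipeline-additional-configs in this namespace` would at least make the behaviour explicit. The block is also a copy of the one in `prepareInstallSecrets`, so a private helper shared by both would keep the two from drifting. The function starts outside this hunk.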
From: Jignesh Chauhan Date: Mon, 22 Jun 2026 17:28:00 +0530 Subject: [PATCH 5/6] [patch] fix formatting using pre-commit --- src/mas/devops/tekton.py | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/src/mas/devops/tekton.py b/src/mas/devops/tekton.py index 5a7c5908..c8c26b2f 100644 --- a/src/mas/devops/tekton.py +++ b/src/mas/devops/tekton.py @@ -679,7 +679,9 @@ def prepareAiServicePipelinesNamespace( logger.info(f"Storage class {storageClass} uses volumeBindingMode={volumeBindingMode}, skipping PVC bind wait") -def prepareRestoreSecrets(dynClient: DynamicClient, namespace: str, restoreConfigs: dict = None, additionalConfigs: dict = None, ibm_entitlement_key: str = None): +def prepareRestoreSecrets( + dynClient: DynamicClient, namespace: str, restoreConfigs: dict = None, additionalConfigs: dict = None, ibm_entitlement_key: str = None +): """ Create or update secrets required for MAS Restore pipeline. @@ -728,14 +730,7 @@ def prepareRestoreSecrets(dynClient: DynamicClient, namespace: str, restoreConfi pass if additionalConfigs is None: - additionalConfigs = { - "apiVersion": "v1", - "kind": "Secret", - "type": "Opaque", - "metadata": { - "name": "pipeline-additional-configs" - } - } + additionalConfigs = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque", "metadata": {"name": "pipeline-additional-configs"}} additionalConfigs.setdefault("apiVersion", "v1") additionalConfigs.setdefault("kind", "Secret") From 9fe2292c1f1234ffd8175edae3bc6ee7b3db30e5 Mon Sep 17 00:00:00 2001 From: Jignesh Chauhan Date: Wed, 24 Jun 2026 12:52:48 +0530 Subject: [PATCH 6/6] [patch] add new workspace in airservice pipeline runs --- .../devops/templates/pipelinerun-aiservice-upgrade.yml.j2 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/mas/devops/templates/pipelinerun-aiservice-upgrade.yml.j2 b/src/mas/devops/templates/pipelinerun-aiservice-upgrade.yml.j2 index b00ad613..e64dde66 100644 
--- a/src/mas/devops/templates/pipelinerun-aiservice-upgrade.yml.j2 +++ b/src/mas/devops/templates/pipelinerun-aiservice-upgrade.yml.j2 @@ -49,3 +49,9 @@ spec: - name: shared-pod-templates secret: secretName: pipeline-pod-templates + + # IBM entitlement key configurations + # ------------------------------------------------------------------------- + - name: shared-additional-configs + secret: + secretName: pipeline-additional-configs
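Review bot: The `shared-additional-configs` workspace added here mounts `pipeline-additional-configs` as a Secret volume, but nothing in this series shows the AI Service upgrade path creating that Secret or putting `IBM_ENTITLEMENT_KEY` into it; only `prepareInstallSecrets` and `prepareRestoreSecrets` were changed. If the Secret is absent the task pods are expected to fail to start, and if it exists without the key the failure only surfaces when a task reads it, because patch 1/6 already removed the `ibm_entitlement_key` param from this template. It is worth confirming that the caller rendering this template prepares the Secret first. The same question applies to `pipelinerun-upgrade.yml.j2` and `pipelinerun-update.yml.j2`, which lost the param in patch 1/6 with no workspace change visible in this series. The comment `# IBM entitlement key configurations` could describe the Secret's wider role, e.g. `# Additional configs (includes IBM_ENTITLEMENT_KEY)`.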