[patch] remove ibm_entitlement_key from Tekton param flow and source from secrets

src/mas/devops/tekton.py

@@ -727,17 +727,22 @@ def prepareAiServicePipelinesNamespace(
         logger.info(f"Storage class {storageClass} uses volumeBindingMode={volumeBindingMode}, skipping PVC bind wait")
 
 
-def prepareRestoreSecrets(dynClient: DynamicClient, namespace: str, restoreConfigs: dict = None):
+def prepareRestoreSecrets(
+    dynClient: DynamicClient, namespace: str, restoreConfigs: dict = None, additionalConfigs: dict = None, ibm_entitlement_key: str = None
+):
     """
-    Create or update secret required for MAS Restore pipeline.
+    Create or update secrets required for MAS Restore pipeline.
 
-    Creates secret in the specified namespace:
+    Creates secrets in the specified namespace:
         - pipeline-restore-configs
+        - pipeline-additional-configs
 
     Parameters:
         dynClient (DynamicClient): OpenShift Dynamic Client
         namespace (str): The namespace to create secrets in
         restoreConfigs (dict, optional): configuration data for restore. Defaults to None (empty secret).
+        additionalConfigs (dict, optional): Additional configuration data. Defaults to None (empty secret).
+        ibm_entitlement_key (str, optional): IBM entitlement key for authentication. Defaults to None.
 
     Returns:
         None
@@ -764,6 +769,31 @@ def prepareRestoreSecrets(dynClient: DynamicClient, namespace: str, restoreConfi
         }
     secretsAPI.create(body=restoreConfigs, namespace=namespace)
 
+    # 2. Secret/pipeline-additional-configs
+    # -------------------------------------------------------------------------
+    # Must exist, but can be empty
+    try:
+        secretsAPI.delete(name="pipeline-additional-configs", namespace=namespace)
+    except NotFoundError:
+        pass
+
+    if additionalConfigs is None:
+        additionalConfigs = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque", "metadata": {"name": "pipeline-additional-configs"}}
+
+    additionalConfigs.setdefault("apiVersion", "v1")
+    additionalConfigs.setdefault("kind", "Secret")
+    additionalConfigs.setdefault("type", "Opaque")
+    additionalConfigs.setdefault("metadata", {})
+    additionalConfigs["metadata"]["name"] = "pipeline-additional-configs"
+
+    # Add IBM_ENTITLEMENT_KEY to the secret if provided
+    if ibm_entitlement_key:
+        if "data" not in additionalConfigs:
+            additionalConfigs["data"] = {}
+        additionalConfigs["data"]["IBM_ENTITLEMENT_KEY"] = base64.b64encode(ibm_entitlement_key.encode()).decode()
+
+    secretsAPI.create(body=additionalConfigs, namespace=namespace)
+
 
 def prepareInstallSecrets(
     dynClient: DynamicClient,
@@ -777,6 +807,7 @@ def prepareInstallSecrets(
     aiserviceConfig: str = None,
     db2LicenseFile: dict | None = None,
     facilitiesProperties: dict | None = None,
+    ibm_entitlement_key: str = None,
 ) -> None:
     """
     Create or update secrets required for MAS installation pipelines.
@@ -797,6 +828,7 @@ def prepareInstallSecrets(
         slack_channel (str, optional): Slack channel ID for notifications. Defaults to None.
         aiserviceConfig (str, optional): AI Service tenant config data. Defaults to None (empty secret).
         facilitiesProperties (dict, optional): Facilities properties file content. Defaults to None (empty secret).
+        ibm_entitlement_key (str, optional): IBM entitlement key for authentication. Defaults to None.
 
     Returns:
         None
@@ -858,6 +890,19 @@ def prepareInstallSecrets(
             "type": "Opaque",
             "metadata": {"name": "pipeline-additional-configs"},
         }
+
+    additionalConfigs.setdefault("apiVersion", "v1")
+    additionalConfigs.setdefault("kind", "Secret")
+    additionalConfigs.setdefault("type", "Opaque")
+    additionalConfigs.setdefault("metadata", {})
+    additionalConfigs["metadata"]["name"] = "pipeline-additional-configs"
+
+    # Add IBM_ENTITLEMENT_KEY to the secret if provided
+    if ibm_entitlement_key:
+        if "data" not in additionalConfigs:
+            additionalConfigs["data"] = {}
+        additionalConfigs["data"]["IBM_ENTITLEMENT_KEY"] = base64.b64encode(ibm_entitlement_key.encode()).decode()
+
     secretsAPI.create(body=additionalConfigs, namespace=namespace)
 
     # 2. Secret/pipeline-sls-entitlement

src/mas/devops/templates/pipelinerun-aiservice-upgrade.yml.j2

@@ -21,11 +21,6 @@ spec:
     - name: aiservice_channel
       value: "{{ aiservice_channel }}"
 
-    # IBM Entitlement Key
-    # -------------------------------------------------------------------------
-    - name: ibm_entitlement_key
-      value: "{{ ibm_entitlement_key }}"
-
 {%- if skip_pre_check is defined and skip_pre_check != "" %}
     # Skip pre-check
     # -------------------------------------------------------------------------
@@ -54,3 +49,9 @@ spec:
     - name: shared-pod-templates
       secret:
         secretName: pipeline-pod-templates
+
+    # IBM entitlement key configurations
+    # -------------------------------------------------------------------------
+    - name: shared-additional-configs
+      secret:
+        secretName: pipeline-additional-configs

src/mas/devops/templates/pipelinerun-install.yml.j2

@@ -18,10 +18,6 @@ spec:
     pipeline: "0"
 
   params:
-    # IBM Entitlement Key
-    # -------------------------------------------------------------------------
-    - name: ibm_entitlement_key
-      value: "{{ ibm_entitlement_key }}"
 {%- if skip_pre_check is defined and skip_pre_check != "" %}
 
     # Pipeline config
@@ -1059,3 +1055,5 @@ spec:
       secret:
         secretName: pipeline-facilities-properties
     {% endif %}
+
+

src/mas/devops/templates/pipelinerun-restore.yml.j2

@@ -18,6 +18,9 @@ spec:
     - name: restore-configurations
       secret:
         secretName: pipeline-restore-configs
+    - name: shared-additional-configs
+      secret:
+        secretName: pipeline-additional-configs
   params:
     # Common Parameters
     - name: image_pull_policy
@@ -98,10 +101,6 @@ spec:
     - name: dro_contact_lastname
       value: "{{ dro_contact_lastname }}"
     {% endif %}
-    {% if ibm_entitlement_key is defined and ibm_entitlement_key != "" %}
-    - name: ibm_entitlement_key
-      value: "{{ ibm_entitlement_key }}"
-    {% endif %}
     {% if dro_namespace is defined and dro_namespace != "" %}
     - name: dro_namespace
       value: "{{ dro_namespace }}"

src/mas/devops/templates/pipelinerun-update.yml.j2

@@ -27,11 +27,6 @@ spec:
     - name: mas_catalog_version
       value: "{{ mas_catalog_version }}"
 
-{%- if ibm_entitlement_key is defined and ibm_entitlement_key != "" %}
-    # TODO: What even uses this, nothing in the update pipeline should be using this
-    - name: ibm_entitlement_key
-      value: "{{ ibm_entitlement_key }}"
-{%- endif %}
 {%- if artifactory_username is defined and artifactory_username != "" %}
     # Enable development catalogs
     # -------------------------------------------------------------------------

src/mas/devops/templates/pipelinerun-upgrade.yml.j2

@@ -29,11 +29,6 @@ spec:
     - name: mas_channel
       value: "{{ mas_channel }}"
 
-    # IBM Entitlement Key
-    # -------------------------------------------------------------------------
-    - name: ibm_entitlement_key
-      value: "{{ ibm_entitlement_key }}"
-
 {%- if skip_pre_check is defined and skip_pre_check != "" %}
     # Skip pre-check
     # -------------------------------------------------------------------------