From f942909e58ea49494902156f6fbd5ca5d25af0f7 Mon Sep 17 00:00:00 2001 From: Josef Harte Date: Thu, 29 Jan 2026 10:34:15 +0000 Subject: [PATCH 01/12] aiservice tenant operator --- .../113-ibm-aiservice/values.yaml | 6 --- .../templates/02-aiservice-sls-secret.yaml | 4 +- .../templates/06-aiservice-workspace.yaml | 4 +- ...iservice-tenant-operator-subscription.yaml | 40 +++++++++++++++++++ .../ibm-aiservice-instance-root/values.yaml | 3 -- .../ibm-aiservice-tenant-root/values.yaml | 4 -- 6 files changed, 44 insertions(+), 17 deletions(-) rename instance-applications/{113-ibm-aiservice => 115-ibm-aiservice-tenant}/templates/02-aiservice-sls-secret.yaml (66%) create mode 100644 instance-applications/115-ibm-aiservice-tenant/templates/09-aiservice-tenant-operator-subscription.yaml diff --git a/instance-applications/113-ibm-aiservice/values.yaml b/instance-applications/113-ibm-aiservice/values.yaml index 0d1d327da..86b26038c 100644 --- a/instance-applications/113-ibm-aiservice/values.yaml +++ b/instance-applications/113-ibm-aiservice/values.yaml @@ -26,10 +26,6 @@ mas_aiservice_storage_secretkey: "MAS_AISERVICE_STORAGE_SECRETKEY" mas_aiservice_storage_host: "true" mas_aiservice_storage_port: "true" -# SLS -mas_aiservice_sls_registration_key_secret: "sls-registration-key" - - mas_aiservice_db_host: "MAS_AISERVICE_DB_HOST" mas_aiservice_db_port: "MAS_AISERVICE_DB_PORT" mas_aiservice_db_secret_name: "MAS_AISERVICE_DB_SECRET_NAME" @@ -39,8 +35,6 @@ mas_aiservice_storage_pipelines_bucket: "MAS_AISERVICE_STORAGE_PIPELINES_BUCKET" mas_aiservice_storage_tenants_bucket: "MAS_AISERVICE_STORAGE_TENANTS_BUCKET" mas_aiservice_storage_templates_bucket: "MAS_AISERVICE_STORAGE_TEMPLATES_BUCKET" -slscfg_registration_key: "slscfg_registration_key" - # DRO mas_aiservice_dro_token_secret: "dro-token" mas_aiservice_dro_cacert_secret: "dro-certificates" diff --git a/instance-applications/113-ibm-aiservice/templates/02-aiservice-sls-secret.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/02-aiservice-sls-secret.yaml similarity index 66% rename from instance-applications/113-ibm-aiservice/templates/02-aiservice-sls-secret.yaml rename to instance-applications/115-ibm-aiservice-tenant/templates/02-aiservice-sls-secret.yaml index fbbdb37ad..d5b2f47da 100644 --- a/instance-applications/113-ibm-aiservice/templates/02-aiservice-sls-secret.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/02-aiservice-sls-secret.yaml @@ -2,8 +2,8 @@ apiVersion: v1 kind: Secret metadata: - name: "{{ .Values.aiservice_sls_registration_key_secret }}" - namespace: "{{ .Values.aiservice_namespace }}" + name: "{{ .Values.tenantNamespace }}----sls-secret" + namespace: "{{ .Values.tenantNamespace }}" annotations: argocd.argoproj.io/sync-wave: "141" type: Opaque diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/06-aiservice-workspace.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/06-aiservice-workspace.yaml index e8b78c57d..e0f386c73 100644 --- a/instance-applications/115-ibm-aiservice-tenant/templates/06-aiservice-workspace.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/06-aiservice-workspace.yaml @@ -3,7 +3,7 @@ apiVersion: aiservice.ibm.com/v1 kind: AIServiceTenant metadata: name: "{{ .Values.tenantNamespace }}" - namespace: "{{ .Values.aiservice_namespace }}" + namespace: "{{ .Values.tenantNamespace }}" annotations: argocd.argoproj.io/sync-wave: "307" ansible.sdk.operatorframework.io/verbosity: "{{ .Values.aiservice_operator_log_level }}" @@ -43,4 +43,4 @@ spec: entitlement: type: "{{ .Values.tenant_entitlement_type }}" startDate: "{{ .Values.tenant_entitlement_start_date }}" - endDate: "{{ .Values.tenant_entitlement_end_date }}" \ No newline at end of file + endDate: "{{ .Values.tenant_entitlement_end_date }}" diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/09-aiservice-tenant-operator-subscription.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/09-aiservice-tenant-operator-subscription.yaml new file mode 100644 index 000000000..d3d7b724b --- /dev/null +++ b/instance-applications/115-ibm-aiservice-tenant/templates/09-aiservice-tenant-operator-subscription.yaml @@ -0,0 +1,40 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: ibm-entitlement + namespace: "{{ .Values.tenantNamespace }}" + annotations: + argocd.argoproj.io/sync-wave: "308" +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: "{{ .Values.artifactory_token}}" + +--- +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: "{{ .Values.tenantNamespace }}" + namespace: "{{ .Values.tenantNamespace }}" + annotations: + argocd.argoproj.io/sync-wave: "308" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + targetNamespaces: + - "{{ .Values.tenantNamespace }}" + +--- +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: ibm-aiservice-tenant + namespace: "{{ .Values.tenantNamespace }}" + annotations: + argocd.argoproj.io/sync-wave: "308" + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true +spec: + channel: "{{ .Values.aiservice_channel }}" + installPlanApproval: Automatic + name: ibm-aiservice-tenant + source: "{{ .Values.mas_catalog_source }}" + sourceNamespace: openshift-marketplace diff --git a/root-applications/ibm-aiservice-instance-root/values.yaml b/root-applications/ibm-aiservice-instance-root/values.yaml index baab575e8..b1ec892c2 100644 --- a/root-applications/ibm-aiservice-instance-root/values.yaml +++ b/root-applications/ibm-aiservice-instance-root/values.yaml @@ -193,9 +193,6 @@ ibm_aiservice: mas_aiservice_storage_host: "true" mas_aiservice_storage_port: "true" - # SLS - mas_aiservice_sls_registration_key_secret: "sls-registration-key" - mas_aiservice_db_host: "mas_aiservice_db_host" mas_aiservice_db_port: "mas_aiservice_db_port" mas_aiservice_db_secret_name: "mas_aiservice_db_secret_name" diff --git a/root-applications/ibm-aiservice-tenant-root/values.yaml b/root-applications/ibm-aiservice-tenant-root/values.yaml index cd2db235e..1a7c0818a 100644 --- a/root-applications/ibm-aiservice-tenant-root/values.yaml +++ b/root-applications/ibm-aiservice-tenant-root/values.yaml @@ -190,9 +190,6 @@ ibm_aiservice: mas_aiservice_storage_host: "true" mas_aiservice_storage_port: "true" - # SLS - mas_aiservice_sls_registration_key_secret: "sls-registration-key" - mas_aiservice_db_host: "mas_aiservice_db_host" mas_aiservice_db_port: "mas_aiservice_db_port" mas_aiservice_db_secret_name: "mas_aiservice_db_secret_name" @@ -300,7 +297,6 @@ ibm_aiservice_tenant: mas_aiservice_watsonxai_project_id: MAS_AISERVICE_WATSONXAI_PROJECT_ID # SLS - #mas_aiservice_sls_registration_key_secret: "sls-registration-key" mas_aiservice_sls_subscription_id: "001" # S3 From a1a9acf04bc4247754d8a9a7aeb1df5044a93e59 Mon Sep 17 00:00:00 2001 From: Josef Harte Date: Thu, 5 Feb 2026 14:24:56 +0000 Subject: [PATCH 02/12] add channel and source --- .../templates/100-ibm-aiservice-tenant-app.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml b/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml index 32e061f39..aae2a116f 100644 --- a/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml +++ b/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml @@ -35,6 +35,10 @@ spec: env: - name: {{ .Values.avp.values_varname }} value: | + # These values are taken from main AI Service config and are not tenant-specific + aiservice_channel: "{{ .Values.ibm_aiservice.aiservice_channel }}" + mas_catalog_source: "{{ .Values.ibm_aiservice.mas_catalog_source }}" + tenant_id: "{{ .Values.ibm_aiservice_tenant.tenant_id }}" aiservice_instance_id: "{{ .Values.ibm_aiservice_tenant.aiservice_instance_id }}" aiservice_namespace: "{{ .Values.ibm_aiservice_tenant.aiservice_namespace }}" From d508af3d478af9c2340f19acd3fd656e1e5b245f Mon Sep 17 00:00:00 2001 From: Josef Harte Date: Thu, 5 Feb 2026 14:37:38 +0000 Subject: [PATCH 03/12] fix app namespace --- .../templates/100-ibm-aiservice-tenant-app.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml b/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml index aae2a116f..787f7688d 100644 --- a/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml +++ b/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml @@ -25,7 +25,7 @@ spec: project: "{{ .Values.argo.projects.apps }}" destination: server: {{ .Values.cluster.url }} - namespace: "{{ .Values.ibm_aiservice_tenant.aiservice_namespace }}" + namespace: "{{ .Values.ibm_aiservice_tenant.tenantNamespace }}" source: repoURL: "{{ .Values.source.repo_url }}" path: instance-applications/115-ibm-aiservice-tenant From 477f81e0e3b431614e1eae1b1097db66dd6aed39 Mon Sep 17 00:00:00 2001 From: Josef Harte Date: Thu, 5 Feb 2026 14:56:51 +0000 Subject: [PATCH 04/12] add new config generator --- .../templates/070-aiservice-tenant-appset.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/root-applications/ibm-aiservice-instance-root/templates/070-aiservice-tenant-appset.yaml b/root-applications/ibm-aiservice-instance-root/templates/070-aiservice-tenant-appset.yaml index a7c440c3a..4aec99221 100644 --- a/root-applications/ibm-aiservice-instance-root/templates/070-aiservice-tenant-appset.yaml +++ b/root-applications/ibm-aiservice-instance-root/templates/070-aiservice-tenant-appset.yaml @@ -29,6 +29,11 @@ spec: revision: "{{ .Values.generator.revision }}" files: - path: "{{ .Values.account.id }}/{{ .Values.cluster.id }}/{{ .Values.instance.id }}/*/ibm-aiservice-tenant-base.yaml" + - git: + repoURL: "{{ .Values.generator.repo_url }}" + revision: "{{ .Values.generator.revision }}" + files: + - path: "{{ .Values.account.id }}/{{ .Values.cluster.id }}/{{ .Values.instance.id }}/ibm-aiservice.yaml" - git: repoURL: "{{ .Values.generator.repo_url }}" revision: "{{ .Values.generator.revision }}" From b8539b9f2221b5c44a00f71901d7dbda4f545b0f Mon Sep 17 00:00:00 2001 From: Josef Harte Date: Mon, 9 Feb 2026 10:38:38 +0000 Subject: [PATCH 05/12] clean up --- .../templates/070-aiservice-tenant-appset.yaml | 5 ----- .../templates/100-ibm-aiservice-tenant-app.yaml | 9 +++++---- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/root-applications/ibm-aiservice-instance-root/templates/070-aiservice-tenant-appset.yaml b/root-applications/ibm-aiservice-instance-root/templates/070-aiservice-tenant-appset.yaml index 4aec99221..a7c440c3a 100644 --- a/root-applications/ibm-aiservice-instance-root/templates/070-aiservice-tenant-appset.yaml +++ b/root-applications/ibm-aiservice-instance-root/templates/070-aiservice-tenant-appset.yaml @@ -29,11 +29,6 @@ spec: revision: "{{ .Values.generator.revision }}" files: - path: "{{ .Values.account.id }}/{{ .Values.cluster.id }}/{{ .Values.instance.id }}/*/ibm-aiservice-tenant-base.yaml" - - git: - repoURL: "{{ .Values.generator.repo_url }}" - revision: "{{ .Values.generator.revision }}" - files: - - path: "{{ .Values.account.id }}/{{ .Values.cluster.id }}/{{ .Values.instance.id }}/ibm-aiservice.yaml" - git: repoURL: "{{ .Values.generator.repo_url }}" revision: "{{ .Values.generator.revision }}" diff --git a/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml b/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml index 787f7688d..b5fff8eb6 100644 --- a/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml +++ b/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml @@ -35,16 +35,17 @@ spec: env: - name: {{ .Values.avp.values_varname }} value: | - # These values are taken from main AI Service config and are not tenant-specific - aiservice_channel: "{{ .Values.ibm_aiservice.aiservice_channel }}" - mas_catalog_source: "{{ .Values.ibm_aiservice.mas_catalog_source }}" - + mas_catalog_source: "{{ .Values.ibm_aiservice_tenant.mas_catalog_source }}" + tenant_id: "{{ .Values.ibm_aiservice_tenant.tenant_id }}" aiservice_instance_id: "{{ .Values.ibm_aiservice_tenant.aiservice_instance_id }}" aiservice_namespace: "{{ .Values.ibm_aiservice_tenant.aiservice_namespace }}" + aiservice_channel: "{{ .Values.ibm_aiservice_tenant.aiservice_channel }}" + account_id: "{{ .Values.account.id }}" region_id: "{{ .Values.region.id }}" cluster_id: "{{ .Values.cluster.id }}" + # SAAS aiservice_saas_apikey: "{{ .Values.ibm_aiservice_tenant.aiservice_saas_apikey }}" mas_aiservice_saas: "{{ .Values.ibm_aiservice_tenant.mas_aiservice_saas }}" From 54d37760bc3b21375daab60c96c39d183fb8300b Mon Sep 17 00:00:00 2001 From: Josef Harte Date: Wed, 25 Feb 2026 16:38:38 +0000 Subject: [PATCH 06/12] remove duplicate secret --- .../09-aiservice-tenant-operator-subscription.yaml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/09-aiservice-tenant-operator-subscription.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/09-aiservice-tenant-operator-subscription.yaml index d3d7b724b..02deb051e 100644 --- a/instance-applications/115-ibm-aiservice-tenant/templates/09-aiservice-tenant-operator-subscription.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/09-aiservice-tenant-operator-subscription.yaml @@ -1,14 +1,3 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: ibm-entitlement - namespace: "{{ .Values.tenantNamespace }}" - annotations: - argocd.argoproj.io/sync-wave: "308" -type: kubernetes.io/dockerconfigjson -data: - .dockerconfigjson: "{{ .Values.artifactory_token}}" --- apiVersion: operators.coreos.com/v1 From 63c522eb6b849b6f217478cbb3a435423eee5130 Mon Sep 17 00:00:00 2001 From: Josef Harte Date: Thu, 26 Feb 2026 16:07:20 +0000 Subject: [PATCH 07/12] update postsync job --- .../templates/08-aiservice-postsyncjob.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml index 21b3d3740..05ca1fe60 100644 --- a/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml @@ -157,7 +157,7 @@ spec: echo "Retrieve AIBroker API Key for tenant: ${AISERVICE_TENANT}" echo "================================================================================" - AISERVICE_APIKEY_SECRET=$(oc get secret ${AISERVICE_TENANT}----apikey-secret -n aiservice-${AISERVICE_INSTANCE_ID} -o jsonpath="{.data.AIBROKER_APIKEY}" | base64 --decode) + AISERVICE_APIKEY_SECRET=$(oc get secret ${AISERVICE_TENANT}----apikey-secret -n aiservice-${AISERVICE_INSTANCE_ID}-${AISERVICE_TENANT} -o jsonpath="{.data.AIBROKER_APIKEY}" | base64 --decode) if [ -z "$AISERVICE_APIKEY_SECRET" ]; then echo "AISERVICE_APIKEY_SECRET is empty" exit 1 From 4ea5da04008a2eccef0f39e62c962e273e621bfe Mon Sep 17 00:00:00 2001 From: Josef Harte Date: Thu, 26 Feb 2026 16:31:03 +0000 Subject: [PATCH 08/12] update job --- .../templates/08-aiservice-postsyncjob.yaml | 36 ++++++++----------- 1 file changed, 15 insertions(+), 21 deletions(-) diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml index 05ca1fe60..41450b851 100644 --- a/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml @@ -41,8 +41,8 @@ are required here.*/}} apiVersion: v1 kind: ServiceAccount metadata: - name: postsync-manage-aiservice-job-{{ .Values.tenantNamespace }} - namespace: "{{ .Values.aiservice_namespace }}" + name: postsync-manage-aiservice-job + namespace: "{{ .Values.tenantNamespace }}" annotations: argocd.argoproj.io/sync-wave: "309" @@ -50,8 +50,8 @@ metadata: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: postsync-manage-aiservice-job-role-{{ .Values.tenantNamespace }} - namespace: "{{ .Values.aiservice_namespace }}" + name: postsync-manage-aiservice-job-role + namespace: "{{ .Values.tenantNamespace }}" annotations: argocd.argoproj.io/sync-wave: "310" rules: @@ -62,24 +62,24 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: postsync-manage-aiservice-job-rolebinding-{{ .Values.tenantNamespace }} - namespace: "{{ .Values.aiservice_namespace }}" + name: postsync-manage-aiservice-job-rolebinding + namespace: "{{ .Values.tenantNamespace }}" annotations: argocd.argoproj.io/sync-wave: "311" subjects: - kind: ServiceAccount - name: postsync-manage-aiservice-job-{{ .Values.tenantNamespace }} - namespace: "{{ .Values.aiservice_namespace }}" + name: postsync-manage-aiservice-job + namespace: "{{ .Values.tenantNamespace }}" roleRef: kind: Role - name: postsync-manage-aiservice-job-role-{{ .Values.tenantNamespace }} + name: postsync-manage-aiservice-job-role apiGroup: rbac.authorization.k8s.io --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: allow-postsync-manage-ai-tenant-job-{{ .Values.tenantNamespace }} - namespace: "{{ .Values.aiservice_namespace }}" + name: allow-postsync-manage-ai-tenant-job + namespace: "{{ .Values.tenantNamespace }}" annotations: argocd.argoproj.io/sync-wave: "312" spec: @@ -95,7 +95,7 @@ apiVersion: batch/v1 kind: Job metadata: name: {{ $_job_name }} - namespace: "{{ .Values.aiservice_namespace }}" + namespace: "{{ .Values.tenantNamespace }}" annotations: argocd.argoproj.io/sync-wave: "313" argocd.argoproj.io/hook: PostSync @@ -106,6 +106,7 @@ metadata: {{ .Values.custom_labels | toYaml | indent 4 }} {{- end }} spec: + backoffLimit: 0 template: metadata: labels: @@ -114,7 +115,7 @@ spec: {{ .Values.custom_labels | toYaml | indent 8 }} {{- end }} spec: - serviceAccountName: postsync-manage-aiservice-job-{{ .Values.tenantNamespace }} + serviceAccountName: postsync-manage-aiservice-job restartPolicy: Never containers: - name: postsync-manage-aiservice-run @@ -182,11 +183,4 @@ spec: sm_update_secret "${SECRET_NAME_AISERVICE}" \ "{\"aiservice_apikey\": \"${AISERVICE_APIKEY_SECRET}\"}" \ "${TAGS}" || exit $? - exit 0 - volumes: - - name: postsync-manage-aiservice-{{ .Values.tenantNamespace }} - secret: - secretName: postsync-manage-aiservice-{{ .Values.tenantNamespace }} - defaultMode: 420 - optional: false - backoffLimit: 0 \ No newline at end of file + exit 0 \ No newline at end of file From e48ac3c84dc81796fe3fe5bc70b22844f5a9fd25 Mon Sep 17 00:00:00 2001 From: Josef Harte Date: Thu, 26 Feb 2026 16:34:15 +0000 Subject: [PATCH 09/12] update namespaec --- .../templates/08-aiservice-postsyncjob.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml index 41450b851..5b2f4190b 100644 --- a/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml @@ -158,7 +158,7 @@ spec: echo "Retrieve AIBroker API Key for tenant: ${AISERVICE_TENANT}" echo "================================================================================" - AISERVICE_APIKEY_SECRET=$(oc get secret ${AISERVICE_TENANT}----apikey-secret -n aiservice-${AISERVICE_INSTANCE_ID}-${AISERVICE_TENANT} -o jsonpath="{.data.AIBROKER_APIKEY}" | base64 --decode) + AISERVICE_APIKEY_SECRET=$(oc get secret ${AISERVICE_TENANT}----apikey-secret -n ${AISERVICE_TENANT} -o jsonpath="{.data.AIBROKER_APIKEY}" | base64 --decode) if [ -z "$AISERVICE_APIKEY_SECRET" ]; then echo "AISERVICE_APIKEY_SECRET is empty" exit 1 From e12f23dbc1a6e6e266c49a8bd3ffe7a063c60c5c Mon Sep 17 00:00:00 2001 From: Josef Harte Date: Fri, 27 Feb 2026 12:24:19 +0000 Subject: [PATCH 10/12] refactor --- .../templates/01-aiservice-sls-secret.yaml | 2 +- .../templates/02-aiservice-sls-secret.yaml | 11 ----------- ...=> 06-aiservice-tenant-operator-subscription.yaml} | 4 ++-- 3 files changed, 3 insertions(+), 14 deletions(-) delete mode 100644 instance-applications/115-ibm-aiservice-tenant/templates/02-aiservice-sls-secret.yaml rename instance-applications/115-ibm-aiservice-tenant/templates/{09-aiservice-tenant-operator-subscription.yaml => 06-aiservice-tenant-operator-subscription.yaml} (90%) diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/01-aiservice-sls-secret.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/01-aiservice-sls-secret.yaml index 82482091e..dc2e0f8ba 100644 --- a/instance-applications/115-ibm-aiservice-tenant/templates/01-aiservice-sls-secret.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/01-aiservice-sls-secret.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: Secret metadata: name: "{{ .Values.tenantNamespace }}----sls-secret" - namespace: "{{ .Values.aiservice_namespace }}" + namespace: "{{ .Values.tenantNamespace }}" annotations: argocd.argoproj.io/sync-wave: "301" labels: diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/02-aiservice-sls-secret.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/02-aiservice-sls-secret.yaml deleted file mode 100644 index d5b2f47da..000000000 --- a/instance-applications/115-ibm-aiservice-tenant/templates/02-aiservice-sls-secret.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: "{{ .Values.tenantNamespace }}----sls-secret" - namespace: "{{ .Values.tenantNamespace }}" - annotations: - argocd.argoproj.io/sync-wave: "141" -type: Opaque -data: - SLS_REGISTRATION_KEY: {{ .Values.slscfg_registration_key | default "" | toString | b64enc | quote }} \ No newline at end of file diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/09-aiservice-tenant-operator-subscription.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/06-aiservice-tenant-operator-subscription.yaml similarity index 90% rename from instance-applications/115-ibm-aiservice-tenant/templates/09-aiservice-tenant-operator-subscription.yaml rename to instance-applications/115-ibm-aiservice-tenant/templates/06-aiservice-tenant-operator-subscription.yaml index 02deb051e..72daaab83 100644 --- a/instance-applications/115-ibm-aiservice-tenant/templates/09-aiservice-tenant-operator-subscription.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/06-aiservice-tenant-operator-subscription.yaml @@ -6,7 +6,7 @@ metadata: name: "{{ .Values.tenantNamespace }}" namespace: "{{ .Values.tenantNamespace }}" annotations: - argocd.argoproj.io/sync-wave: "308" + argocd.argoproj.io/sync-wave: "306" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: targetNamespaces: @@ -19,7 +19,7 @@ metadata: name: ibm-aiservice-tenant namespace: "{{ .Values.tenantNamespace }}" annotations: - argocd.argoproj.io/sync-wave: "308" + argocd.argoproj.io/sync-wave: "306" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: channel: "{{ .Values.aiservice_channel }}" From 33125056b395ea16d301dc1b797fab813db8f922 Mon Sep 17 00:00:00 2001 From: Josef Harte Date: Fri, 27 Feb 2026 16:44:13 +0000 Subject: [PATCH 11/12] release-aware --- .../templates/02-aiservice-sls-secret.yaml | 13 +++++++++++ .../113-ibm-aiservice/values.yaml | 6 +++++ .../templates/01-aiservice-sls-secret.yaml | 4 ++++ ...iservice-tenant-operator-subscription.yaml | 3 ++- .../templates/06-aiservice-workspace.yaml | 4 ++++ .../templates/08-aiservice-postsyncjob.yaml | 22 +++++++++++++------ 6 files changed, 44 insertions(+), 8 deletions(-) create mode 100644 instance-applications/113-ibm-aiservice/templates/02-aiservice-sls-secret.yaml diff --git a/instance-applications/113-ibm-aiservice/templates/02-aiservice-sls-secret.yaml b/instance-applications/113-ibm-aiservice/templates/02-aiservice-sls-secret.yaml new file mode 100644 index 000000000..116115960 --- /dev/null +++ b/instance-applications/113-ibm-aiservice/templates/02-aiservice-sls-secret.yaml @@ -0,0 +1,13 @@ +{{- if hasPrefix "9.1." .Values.aiservice_channel }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: "{{ .Values.aiservice_sls_registration_key_secret }}" + namespace: "{{ .Values.aiservice_namespace }}" + annotations: + argocd.argoproj.io/sync-wave: "141" +type: Opaque +data: + SLS_REGISTRATION_KEY: {{ .Values.slscfg_registration_key | default "" | toString | b64enc | quote }} +{{- end}} diff --git a/instance-applications/113-ibm-aiservice/values.yaml b/instance-applications/113-ibm-aiservice/values.yaml index 86b26038c..0d1d327da 100644 --- a/instance-applications/113-ibm-aiservice/values.yaml +++ b/instance-applications/113-ibm-aiservice/values.yaml @@ -26,6 +26,10 @@ mas_aiservice_storage_secretkey: "MAS_AISERVICE_STORAGE_SECRETKEY" mas_aiservice_storage_host: "true" mas_aiservice_storage_port: "true" +# SLS +mas_aiservice_sls_registration_key_secret: "sls-registration-key" + + mas_aiservice_db_host: "MAS_AISERVICE_DB_HOST" mas_aiservice_db_port: "MAS_AISERVICE_DB_PORT" mas_aiservice_db_secret_name: "MAS_AISERVICE_DB_SECRET_NAME" @@ -35,6 +39,8 @@ mas_aiservice_storage_pipelines_bucket: "MAS_AISERVICE_STORAGE_PIPELINES_BUCKET" mas_aiservice_storage_tenants_bucket: "MAS_AISERVICE_STORAGE_TENANTS_BUCKET" mas_aiservice_storage_templates_bucket: "MAS_AISERVICE_STORAGE_TEMPLATES_BUCKET" +slscfg_registration_key: "slscfg_registration_key" + # DRO mas_aiservice_dro_token_secret: "dro-token" mas_aiservice_dro_cacert_secret: "dro-certificates" diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/01-aiservice-sls-secret.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/01-aiservice-sls-secret.yaml index dc2e0f8ba..d768e5759 100644 --- a/instance-applications/115-ibm-aiservice-tenant/templates/01-aiservice-sls-secret.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/01-aiservice-sls-secret.yaml @@ -3,7 +3,11 @@ apiVersion: v1 kind: Secret metadata: name: "{{ .Values.tenantNamespace }}----sls-secret" + {{- if hasPrefix "9.1." .Values.aiservice_channel }} + namespace: "{{ .Values.aiservice_namespace }}" + {{- else }} namespace: "{{ .Values.tenantNamespace }}" + {{- end }} annotations: argocd.argoproj.io/sync-wave: "301" labels: diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/06-aiservice-tenant-operator-subscription.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/06-aiservice-tenant-operator-subscription.yaml index 72daaab83..1b9bbd921 100644 --- a/instance-applications/115-ibm-aiservice-tenant/templates/06-aiservice-tenant-operator-subscription.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/06-aiservice-tenant-operator-subscription.yaml @@ -1,4 +1,4 @@ - +{{- if (not (hasPrefix "9.1." .Values.aiservice_channel)) }} --- apiVersion: operators.coreos.com/v1 kind: OperatorGroup @@ -27,3 +27,4 @@ spec: name: ibm-aiservice-tenant source: "{{ .Values.mas_catalog_source }}" sourceNamespace: openshift-marketplace +{{- end }} diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/06-aiservice-workspace.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/06-aiservice-workspace.yaml index e0f386c73..db4822009 100644 --- a/instance-applications/115-ibm-aiservice-tenant/templates/06-aiservice-workspace.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/06-aiservice-workspace.yaml @@ -3,7 +3,11 @@ apiVersion: aiservice.ibm.com/v1 kind: AIServiceTenant metadata: name: "{{ .Values.tenantNamespace }}" + {{- if hasPrefix "9.1." .Values.aiservice_channel }} + namespace: "{{ .Values.aiservice_namespace }}" + {{- else }} namespace: "{{ .Values.tenantNamespace }}" + {{- end }} annotations: argocd.argoproj.io/sync-wave: "307" ansible.sdk.operatorframework.io/verbosity: "{{ .Values.aiservice_operator_log_level }}" diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml index 5b2f4190b..1b1820da7 100644 --- a/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml @@ -37,12 +37,18 @@ where multiple Jobs are created in our templates using a Helm loop. In those cas must be added to $_job_cleanup_group.By convention, we sha1sum this value to guarantee we never exceed the 63 char limit regardless of which discriminators are required here.*/}} {{- $_job_cleanup_group := cat $_job_name_prefix | sha1sum }} + +{{- $_namespace := .Values.aiservice_namespace }} +{{- if not (hasPrefix "9.1." .Values.aiservice_channel) }} + {{- $_namespace = .Values.tenantNamespace }} +{{- end }} + --- apiVersion: v1 kind: ServiceAccount metadata: name: postsync-manage-aiservice-job - namespace: "{{ .Values.tenantNamespace }}" + namespace: "{{ $_namespace }}" annotations: argocd.argoproj.io/sync-wave: "309" @@ -51,7 +57,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: postsync-manage-aiservice-job-role - namespace: "{{ .Values.tenantNamespace }}" + namespace: "{{ $_namespace }}" annotations: argocd.argoproj.io/sync-wave: "310" rules: @@ -63,13 +69,13 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: postsync-manage-aiservice-job-rolebinding - namespace: "{{ .Values.tenantNamespace }}" + namespace: "{{ $_namespace }}" annotations: argocd.argoproj.io/sync-wave: "311" subjects: - kind: ServiceAccount name: postsync-manage-aiservice-job - namespace: "{{ .Values.tenantNamespace }}" + namespace: "{{ $_namespace }}" roleRef: kind: Role name: postsync-manage-aiservice-job-role @@ -79,7 +85,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: allow-postsync-manage-ai-tenant-job - namespace: "{{ .Values.tenantNamespace }}" + namespace: "{{ $_namespace }}" annotations: argocd.argoproj.io/sync-wave: "312" spec: @@ -95,7 +101,7 @@ apiVersion: batch/v1 kind: Job metadata: name: {{ $_job_name }} - namespace: "{{ .Values.tenantNamespace }}" + namespace: "{{ $_namespace }}" annotations: argocd.argoproj.io/sync-wave: "313" argocd.argoproj.io/hook: PostSync @@ -140,6 +146,8 @@ spec: value: "{{ .Values.aiservice_s3_secretkey }}" - name: AVP_TYPE value: "aws" + - name: TARGET_NAMESPACE + value: "{{ $_namespace }}" command: - /bin/sh - -c @@ -158,7 +166,7 @@ spec: echo "Retrieve AIBroker API Key for tenant: ${AISERVICE_TENANT}" echo "================================================================================" - AISERVICE_APIKEY_SECRET=$(oc get secret ${AISERVICE_TENANT}----apikey-secret -n ${AISERVICE_TENANT} -o jsonpath="{.data.AIBROKER_APIKEY}" | base64 --decode) + AISERVICE_APIKEY_SECRET=$(oc get secret ${AISERVICE_TENANT}----apikey-secret -n ${TARGET_NAMESPACE} -o jsonpath="{.data.AIBROKER_APIKEY}" | base64 --decode) if [ -z "$AISERVICE_APIKEY_SECRET" ]; then echo "AISERVICE_APIKEY_SECRET is empty" exit 1 From c2800bb9f6fac3834e856fc004cb27e96d907fae Mon Sep 17 00:00:00 2001 From: Josef Harte Date: Fri, 27 Feb 2026 16:56:47 +0000 Subject: [PATCH 12/12] release-aware --- .../templates/08-aiservice-postsyncjob.yaml | 25 +++++++++++-------- .../ibm-aiservice-instance-root/values.yaml | 3 +++ .../100-ibm-aiservice-tenant-app.yaml | 6 ++++- 3 files changed, 23 insertions(+), 11 deletions(-) diff --git a/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml b/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml index 1b1820da7..4d2dcf887 100644 --- a/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml +++ b/instance-applications/115-ibm-aiservice-tenant/templates/08-aiservice-postsyncjob.yaml @@ -38,16 +38,21 @@ must be added to $_job_cleanup_group.By convention, we sha1sum this value to gua are required here.*/}} {{- $_job_cleanup_group := cat $_job_name_prefix | sha1sum }} -{{- $_namespace := .Values.aiservice_namespace }} -{{- if not (hasPrefix "9.1." .Values.aiservice_channel) }} - {{- $_namespace = .Values.tenantNamespace }} +{{- $_namespace := .Values.tenantNamespace }} +{{- if hasPrefix "9.1." .Values.aiservice_channel }} + {{- $_namespace = .Values.aiservice_namespace }} +{{- end }} + +{{- $_name_suffix := "" }} +{{- if hasPrefix "9.1." .Values.aiservice_channel }} + {{- $_name_suffix = printf "-%s" .Values.tenantNamespace }} {{- end }} --- apiVersion: v1 kind: ServiceAccount metadata: - name: postsync-manage-aiservice-job + name: "postsync-manage-aiservice-job{{ $_name_suffix }}" namespace: "{{ $_namespace }}" annotations: argocd.argoproj.io/sync-wave: "309" @@ -56,7 +61,7 @@ metadata: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: postsync-manage-aiservice-job-role + name: "postsync-manage-aiservice-job-role{{ $_name_suffix }}" namespace: "{{ $_namespace }}" annotations: argocd.argoproj.io/sync-wave: "310" @@ -68,23 +73,23 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: postsync-manage-aiservice-job-rolebinding + name: "postsync-manage-aiservice-job-rolebinding{{ $_name_suffix }}" namespace: "{{ $_namespace }}" annotations: argocd.argoproj.io/sync-wave: "311" subjects: - kind: ServiceAccount - name: postsync-manage-aiservice-job + name: "postsync-manage-aiservice-job{{ $_name_suffix }}" namespace: "{{ $_namespace }}" roleRef: kind: Role - name: postsync-manage-aiservice-job-role + name: "postsync-manage-aiservice-job-role{{ $_name_suffix }}" apiGroup: rbac.authorization.k8s.io --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: allow-postsync-manage-ai-tenant-job + name: "allow-postsync-manage-ai-tenant-job{{ $_name_suffix }}" namespace: "{{ $_namespace }}" annotations: argocd.argoproj.io/sync-wave: "312" @@ -121,7 +126,7 @@ spec: {{ .Values.custom_labels | toYaml | indent 8 }} {{- end }} spec: - serviceAccountName: postsync-manage-aiservice-job + serviceAccountName: "postsync-manage-aiservice-job{{ $_name_suffix }}" restartPolicy: Never containers: - name: postsync-manage-aiservice-run diff --git a/root-applications/ibm-aiservice-instance-root/values.yaml b/root-applications/ibm-aiservice-instance-root/values.yaml index b1ec892c2..243b4cb3e 100644 --- a/root-applications/ibm-aiservice-instance-root/values.yaml +++ b/root-applications/ibm-aiservice-instance-root/values.yaml @@ -193,6 +193,9 @@ ibm_aiservice: mas_aiservice_storage_host: "true" mas_aiservice_storage_port: "true" + # SLS + mas_aiservice_sls_registration_key_secret: "sls-registration-key" + mas_aiservice_db_host: "mas_aiservice_db_host" mas_aiservice_db_port: "mas_aiservice_db_port" mas_aiservice_db_secret_name: "mas_aiservice_db_secret_name" diff --git a/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml b/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml index b5fff8eb6..d212a82d9 100644 --- a/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml +++ b/root-applications/ibm-aiservice-tenant-root/templates/100-ibm-aiservice-tenant-app.yaml @@ -25,7 +25,11 @@ spec: project: "{{ .Values.argo.projects.apps }}" destination: server: {{ .Values.cluster.url }} - namespace: "{{ .Values.ibm_aiservice_tenant.tenantNamespace }}" + {{- if hasPrefix "9.1." .Values.ibm_aiservice_tenant.aiservice_channel }} + namespace: "{{ .Values.aiservice_namespace }}" + {{- else }} + namespace: "{{ .Values.tenantNamespace }}" + {{- end }} source: repoURL: "{{ .Values.source.repo_url }}" path: instance-applications/115-ibm-aiservice-tenant