ibm-mas
diff --git a/‎README.md‎
Lines changed: 53 additions & 0 deletions b/‎README.md‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎bin/mas-devops-create-initial-users-for-saas‎
Lines changed: 146 additions & 0 deletions b/‎bin/mas-devops-create-initial-users-for-saas‎
Lines changed: 146 additions & 0 deletions
diff --git a/‎setup.py‎
Lines changed: 9 additions & 5 deletions b/‎setup.py‎
Lines changed: 9 additions & 5 deletions
diff --git a/‎src/mas/devops/mas.py‎
Lines changed: 39 additions & 0 deletions b/‎src/mas/devops/mas.py‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎src/mas/devops/templates/pipelinerun-install.yml.j2‎
Lines changed: 62 additions & 0 deletions b/‎src/mas/devops/templates/pipelinerun-install.yml.j2‎
Lines changed: 62 additions & 0 deletions
@@ -37,3 +37,56 @@ updateTektonDefinitions(pipelinesNamespace, "/mascli/templates/ibm-mas-tekton.ya
 pipelineURL = launchUpgradePipeline(self.dynamicClient, instanceId)
 print(pipelineURL)
 ```
+
+
+mas-devops-create-initial-users
+---------------------------------------------
+
+
+Add to /etc/hosts
+```
+127.0.0.1               tgk01-masdev.mas-tgk01-manage.svc.cluster.local
+127.0.0.1               coreapi.mas-tgk01-core.svc.cluster.local
+127.0.0.1               admin-dashboard.mas-tgk01-core.svc.cluster.local
+```
+
+```bash
+SM_AWS_REGION=""
+SM_AWS_ACCESS_KEY_ID=""
+SM_AWS_SECRET_ACCESS_KEY=""
+
+aws configure set default.region ${SM_AWS_REGION}
+aws configure set aws_access_key_id ${SM_AWS_ACCESS_KEY_ID}
+aws configure set aws_secret_access_key ${SM_AWS_SECRET_ACCESS_KEY}
+
+
+oc login --token=sha256~xxx --server=https://xxx:6443
+
+oc port-forward service/admin-dashboard 8445:443 -n mas-tgk01-core
+oc port-forward service/coreapi 8444:443 -n mas-tgk01-core
+oc port-forward service/tgk01-masdev 8443:443 -n mas-tgk01-manage
+
+mas-devops-create-initial-users-for-saas \
+    --mas-instance-id tgk01 \
+    --mas-workspace-id masdev \
+    --log-level INFO \
+    --initial-users-secret-name "aws-dev/noble4/tgk01/initial_users" \
+    --manage-api-port 8443 \
+    --coreapi-port 8444 \
+    --admin-dashboard-port 8445
+    
+
+mas-devops-create-initial-users-for-saas \
+    --mas-instance-id tgk01 \
+    --mas-workspace-id masdev \
+    --log-level INFO \
+    --initial-users-yaml-file /home/tom/workspaces/notes/mascore3423/example-users-single.yaml \
+    --manage-api-port 8443 \
+    --coreapi-port 8444 \
+    --admin-dashboard-port 8445
+```
+
+Example of initial_users secret:
+```json
+{"john.smith1@example.com":"primary,john1,smith1","john.smith2@example.com":"primary,john2,smith2","john.smith3@example.com":"secondary,john3,smith3"}
+```
@@ -0,0 +1,146 @@
+#!/usr/bin/env python3
+
+# *****************************************************************************
+# Copyright (c) 2025 IBM Corporation and other Contributors.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+# *****************************************************************************
+
+from kubernetes import client, config
+from kubernetes.config.config_exception import ConfigException
+import argparse
+import logging
+import urllib3
+urllib3.disable_warnings()
+import yaml
+import json
+import sys
+
+import boto3
+from botocore.exceptions import ClientError
+
+from mas.devops.users import MASUserUtils
+
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser()
+
+    # Primary Options
+    parser.add_argument("--mas-instance-id", required=True)
+    parser.add_argument("--mas-workspace-id", required=True)
+    parser.add_argument("--log-level", required=False, choices=["DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"], default="INFO")
+    parser.add_argument("--coreapi-port", required=False, default=443)
+    parser.add_argument("--admin-dashboard-port", required=False, default=443)
+    parser.add_argument("--manage-api-port", required=False, default=443)
+
+
+    group = parser.add_mutually_exclusive_group(required=True)
+    group.add_argument("--initial-users-yaml-file")
+    group.add_argument("--initial-users-secret-name")
+
+    args, unknown = parser.parse_known_args()
+
+    log_level = getattr(logging, args.log_level)
+
+    logger = logging.getLogger()
+    logger.setLevel(log_level)
+
+    ch = logging.StreamHandler()
+    ch.setLevel(log_level)
+    chFormatter = logging.Formatter(
+        "%(asctime)-25s %(name)-50s [%(threadName)s] %(levelname)-8s %(message)s"
+    )
+    ch.setFormatter(chFormatter)
+    logger.addHandler(ch)
+
+    mas_instance_id = args.mas_instance_id
+    mas_workspace_id = args.mas_workspace_id
+    initial_users_yaml_file = args.initial_users_yaml_file
+    initial_users_secret_name = args.initial_users_secret_name
+    coreapi_port = args.coreapi_port
+    admin_dashboard_port = args.admin_dashboard_port
+    manage_api_port = args.manage_api_port
+
+
+    logger.info("Configuration:")
+    logger.info("--------------")
+    logger.info(f"mas_instance_id:           {mas_instance_id}")
+    logger.info(f"mas_workspace_id:          {mas_workspace_id}")
+    logger.info(f"initial_users_yaml_file:   {initial_users_yaml_file}")
+    logger.info(f"initial_users_secret_name: {initial_users_secret_name}")
+    logger.info(f"log_level:                 {log_level}")
+    logger.info(f"coreapi_port:              {coreapi_port}")
+    logger.info(f"admin_dashboard_port:      {admin_dashboard_port}")
+    logger.info(f"manage_api_port:           {manage_api_port}")
+    logger.info("")
+
+    try:
+        # Try to load in-cluster configuration
+        config.load_incluster_config()
+        logger.debug("Loaded in-cluster configuration")
+    except ConfigException:
+        # If that fails, fall back to kubeconfig file
+        config.load_kube_config()
+        logger.debug("Loaded kubeconfig file")
+
+
+    user_utils = MASUserUtils(mas_instance_id, mas_workspace_id, client.api_client.ApiClient(), coreapi_port=coreapi_port, admin_dashboard_port=admin_dashboard_port, manage_api_port=manage_api_port)
+
+    if initial_users_secret_name is not None:
+
+        logger.info(f"Loading initial_users configuration from secret {initial_users_secret_name}")
+
+        session = boto3.session.Session()
+        aws_sm_client = session.client(
+            service_name='secretsmanager',
+        )
+        try:
+            initial_users_secret = aws_sm_client.get_secret_value( # pragma: allowlist secret
+                SecretId=initial_users_secret_name
+            )
+        except ClientError as e:
+            if e.response['Error']['Code'] == 'ResourceNotFoundException':
+                logger.info(f"Secret {initial_users_secret_name} was not found, nothing to do, exiting now.")
+                sys.exit(0)
+
+            raise Exception(f"Failed to fetch secret {initial_users_secret_name}: {str(e)}")
+        
+        secret_json = json.loads(initial_users_secret['SecretString'])
+        initial_users = user_utils.parse_initial_users_from_aws_secret_json(secret_json)
+    elif initial_users_yaml_file is not None:
+        with open(initial_users_yaml_file, 'r') as file:
+            initial_users = yaml.safe_load(file)
+    else:
+        raise Exception("Something unexpected happened")
+    
+    
+    result = user_utils.create_initial_users_for_saas(initial_users)
+
+    # if user details were sourced from an AWS SM secret, remove the completed entries from the secret
+    # so we don't try and resync them the next time round (and potentially undo an update made by a customer)
+    if initial_users_secret_name is not None:
+        has_updates = False
+        for completed_user in result["completed"]:
+            logger.info(f"Removing synced user {completed_user['email']} from {initial_users_secret_name} secret")
+            secret_json.pop(completed_user["email"])
+            has_updates = True
+
+        if has_updates:
+            logger.info(f"Updating secret {initial_users_secret_name}")
+            try:
+                aws_sm_client.update_secret( # pragma: allowlist secret
+                    SecretId=initial_users_secret_name,
+                    SecretString=json.dumps(secret_json)
+                )
+            except ClientError as e:
+                raise Exception(f"Failed to update secret {initial_users_secret_name}: {str(e)}")
+            
+
+    if len(result["failed"]) > 0:
+        failed_user_ids = list(map(lambda u : u["email"], result["failed"]))
+        raise Exception(f"Sync failed for the following user IDs {failed_user_ids}")
@@ -60,14 +60,17 @@ def get_version(rel_path):
         'kubernetes',              # Apache Software License
         'kubeconfig',              # BSD License
         'jinja2',                  # BSD License
-        'jinja2-base64-filters'    # MIT License
+        'jinja2-base64-filters',   # MIT License
+        'semver',                  # BSD License
+        'boto3'                    # Apache Software License
     ],
     extras_require={
         'dev': [
-            'build',       # MIT License
-            'flake8',      # MIT License
-            'pytest',      # MIT License
-            'pytest-mock'  # MIT License
+            'build',        # MIT License
+            'flake8',       # MIT License
+            'pytest',       # MIT License
+            'pytest-mock',  # MIT License
+            'requests-mock'  # Apache Software License
         ]
     },
     classifiers=[
@@ -85,6 +88,7 @@ def get_version(rel_path):
     ],
     scripts=[
         'bin/mas-devops-db2-validate-config',
+        'bin/mas-devops-create-initial-users-for-saas',
         'bin/mas-devops-saas-job-cleaner'
     ]
 )
@@ -18,6 +18,7 @@
 from openshift.dynamic import DynamicClient
 from openshift.dynamic.exceptions import NotFoundError, ResourceNotFoundError, UnauthorizedError
 from jinja2 import Environment, FileSystemLoader
+import semver
 
 from .ocp import getStorageClasses
 from .olm import getSubscription
@@ -305,3 +306,41 @@ def patchPendingPVC(dynClient: DynamicClient, namespace: str, pvcName: str, stor
     except NotFoundError:
         logger.error(f"PVC {pvcName} does not exist")
         return False
+
+
+def isVersionBefore(_compare_to_version, _current_version):
+    """
+    The method does a modified semantic version comparison,
+    as we want to treat any pre-release as == to the real release
+    but in strict semantic versioning it is <
+    ie. '8.6.0-pre.m1dev86' is converted to '8.6.0'
+    """
+    if _current_version is None:
+        print("Version is not informed. Returning False")
+        return False
+
+    strippedVersion = _current_version.split("-")[0]
+    if '.x' in strippedVersion:
+        strippedVersion = strippedVersion.replace('.x', '.0')
+    current_version = semver.VersionInfo.parse(strippedVersion)
+    compareToVersion = semver.VersionInfo.parse(_compare_to_version)
+    return current_version.compare(compareToVersion) < 0
+
+
+def isVersionEqualOrAfter(_compare_to_version, _current_version):
+    """
+    The method does a modified semantic version comparison,
+    as we want to treat any pre-release as == to the real release
+    but in strict semantic versioning it is <
+    ie. '8.6.0-pre.m1dev86' is converted to '8.6.0'
+    """
+    if _current_version is None:
+        print("Version is not informed. Returning False")
+        return False
+
+    strippedVersion = _current_version.split("-")[0]
+    if '.x' in strippedVersion:
+        strippedVersion = strippedVersion.replace('.x', '.0')
+    current_version = semver.VersionInfo.parse(strippedVersion)
+    compareToVersion = semver.VersionInfo.parse(_compare_to_version)
+    return current_version.compare(compareToVersion) >= 0
@@ -816,6 +816,68 @@ spec:
       value: "{{ mas_aibroker_db_secret_value }}"
 {%- endif %}
 
+# TODO: Fix type for storage sizes and max conn pool size
+{%- if mas_app_channel_facilities is defined and mas_app_channel_facilities != "" %}
+
+    # Real Estate anda Facilities Application
+    # -------------------------------------------------------------------------
+    - name: mas_app_channel_facilities
+      value: "{{ mas_app_channel_facilities }}"
+
+{%- if mas_ws_facilities_size is defined and mas_ws_facilities_size != "" %}    
+    - name: mas_ws_facilities_size
+      value: "{{ mas_ws_facilities_size }}"
+{%- endif %}
+{%- if mas_ws_facilities_routes_timeout is defined and mas_ws_facilities_routes_timeout != "" %}    
+    - name: mas_ws_facilities_routes_timeout
+      value: "{{ mas_ws_facilities_routes_timeout }}"
+{%- endif %}
+{%- if mas_ws_facilities_liberty_extension_XML is defined and mas_ws_facilities_liberty_extension_XML != "" %}    
+    - name: mas_ws_facilities_liberty_extension_XML
+      value: "{{ mas_ws_facilities_liberty_extension_XML }}"
+{%- endif %}
+{%- if mas_ws_facilities_vault_secret is defined and mas_ws_facilities_vault_secret != "" %}    
+    - name: mas_ws_facilities_vault_secret
+      value: "{{ mas_ws_facilities_vault_secret }}"
+{%- endif %}
+{%- if mas_ws_facilities_pull_policy is defined and mas_ws_facilities_pull_policy != "" %}    
+    - name: mas_ws_facilities_pull_policy
+      value: "{{ mas_ws_facilities_pull_policy }}"
+{%- endif %}
+    - name: mas_ws_facilities_storage_log_class
+      value: "{{ mas_ws_facilities_storage_log_class }}"
+{%- if mas_ws_facilities_storage_log_mode is defined and mas_ws_facilities_storage_log_mode != "" %}    
+    - name: mas_ws_facilities_storage_log_mode
+      value: "{{ mas_ws_facilities_storage_log_mode }}"
+{%- endif %}
+# {%- if mas_ws_facilities_storage_log_size is defined and mas_ws_facilities_storage_log_size != "" %}    
+#     - name: mas_ws_facilities_storage_log_size
+#       value: "{{ mas_ws_facilities_storage_log_size }}"
+# {%- endif %}
+    - name: mas_ws_facilities_storage_userfiles_class
+      value: "{{ mas_ws_facilities_storage_userfiles_class }}"
+{%- if mas_ws_facilities_storage_userfiles_mode is defined and mas_ws_facilities_storage_userfiles_mode != "" %}    
+    - name: mas_ws_facilities_storage_userfiles_mode
+      value: "{{ mas_ws_facilities_storage_userfiles_mode }}"
+{%- endif %}
+# {%- if mas_ws_facilities_storage_userfiles_size is defined and mas_ws_facilities_storage_userfiles_size != "" %}    
+#     - name: mas_ws_facilities_storage_userfiles_size
+#       value: "{{ mas_ws_facilities_storage_userfiles_size }}"
+# {%- endif %}
+{%- if mas_ws_facilities_dwfagents is defined and mas_ws_facilities_dwfagents != "" %}
+    - name: mas_ws_facilities_dwfagents
+      value: "{{ mas_ws_facilities_dwfagents }}"
+{%- endif %}
+# {%- if mas_ws_facilities_db_maxconnpoolsize is defined and mas_ws_facilities_db_maxconnpoolsize != "" %}    
+#     - name: mas_ws_facilities_db_maxconnpoolsize
+#       value: "{{ mas_ws_facilities_db_maxconnpoolsize }}"
+# {%- endif %}
+
+    - name: db2_action_facilities
+      value: "{{ db2_action_facilities}}"
+
+{%- endif %}
+
   workspaces:
     # The generated configuration files
     # -------------------------------------------------------------------------