mas gitops-cluster requires non-documented AWS secret #1917

@luca-banzato

MAS CLI version

16.0.0

CLI function used

other

What happened?

Command executed:

mas gitops-cluster \
  --github-push \
  --cluster-url "${CLUSTER_URL}" \
  --icr-username "${ICR_USERNAME}" \
  --icr-password "${ICR_PASSWORD}" \
  --catalog-version v9-251030-amd64 \
  --catalog-image icr.io/cpopen/ibm-maximo-operator-catalog

On a clean installation, following the guide for ibm-mas/gitops-demo, the command above fails during ArgoCD Application generation because it expects an AWS Secrets Manager secret (dev1/masdemo1/cloudwatch) that:

  • is not documented as required,
  • is not configured in the gitops-demo/002 instructions,
  • and is not clearly marked as mandatory in the MAS CLI function gitops_cluster (see: image/cli/mascli/functions/gitops_cluster for version 16.0.0).

The failure occurs when verifying the secret, before the GitOps workflow has completed successfully.

As a consequence:

  1. It is necessary to manually create the AWS secret (dev1/masdemo1/cloudwatch) to proceed, even though this is not documented in the mas gitops-cluster help or gitops-demo/002 flow.

  2. After the failure, the local git directory working-dir/gitops-demo must be manually removed before re-running the command, because the previous run leaves it in a non-clean state, and the next execution fails on git clone:

    fatal: destination path 'working-dir/gitops-demo' already exists and is not an empty directory.

Either:

  • The cloudwatch secret requirement should be optional / disabled when not configured, or
  • The requirement and the exact secret name/location should be clearly documented in gitops-demo/002 (and/or validated via a clear pre-check with actionable error message).

Relevant log output

[ibmmas/cli:16.0.0]mascli$ mas gitops-cluster \
  --github-push \
  --cluster-url "${CLUSTER_URL}" \
  --icr-username "${ICR_USERNAME}" \
  --icr-password "${ICR_PASSWORD}" \
  --catalog-version v9-251030-amd64 \
  --catalog-image icr.io/cpopen/ibm-maximo-operator-catalog

[Output omitted]

17) Generating Argo Applications
- Base Config
- IBM Operator Catalog
- Redhat Cert Manager
- Cluster Logging Operator
ENFORCE_VALIDATION:true
- Verifying Secret dev1/masdemo1/cloudwatch exists

An error occurred (ResourceNotFoundException) when calling the DescribeSecret operation: Secrets Manager can't find the specified secret.
Error: Secret dev1/masdemo1/cloudwatch does not exist
[ibmmas/cli:16.0.0]mascli$
[ibmmas/cli:16.0.0]mascli$ # Secret created on AWS Secrets Manager
[ibmmas/cli:16.0.0]mascli$
[ibmmas/cli:16.0.0]mascli$ mas gitops-cluster \
  --github-push \
  --cluster-url "${CLUSTER_URL}" \
  --icr-username "${ICR_USERNAME}" \
  --icr-password "${ICR_PASSWORD}" \
  --catalog-version v9-251030-amd64 \
  --catalog-image icr.io/cpopen/ibm-maximo-operator-catalog

[Output omitted]

16) Cloning GitHub repo <github-user> gitops-demo

[2025-11-21 11:21:37.850] git clone https://git:****@github.com/<github-user>/gitops-demo.git -b 002
-------------------------------------------------
fatal: destination path 'working-dir/gitops-demo' already exists and is not an empty directory.
[ibmmas/cli:16.0.0]mascli$
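
Added example (not part of the original issue and not MAS CLI code): a pre-flight check an operator could run before `mas gitops-cluster`, covering both failures shown in the log above. The function names are hypothetical; the default secret name and directory are the ones from this issue's log, and the AWS CLI is assumed to be configured with credentials and a region.

```shell
#!/usr/bin/env bash
# Pre-flight check for `mas gitops-cluster` (illustrative, hypothetical helper names).
# Usage: preflight_gitops_cluster [SECRET_ID] [WORK_DIR] && mas gitops-cluster ...

# secret_exists SECRET_ID -> 0 if Secrets Manager can describe the secret.
# Uses the same DescribeSecret operation that fails in the log output.
secret_exists() {
  aws secretsmanager describe-secret --secret-id "$1" >/dev/null 2>&1
}

# workdir_clean DIR -> 0 if DIR is absent or an empty directory,
# i.e. a later `git clone` into DIR would not be refused.
workdir_clean() {
  [ ! -e "$1" ] || { [ -d "$1" ] && [ -z "$(ls -A "$1")" ]; }
}

# Runs both checks, reports every problem found, returns 1 if any failed.
preflight_gitops_cluster() {
  local secret_id="${1:-dev1/masdemo1/cloudwatch}"   # name taken from the log
  local work_dir="${2:-working-dir/gitops-demo}"     # path taken from the log
  local rc=0

  if ! secret_exists "$secret_id"; then
    # A failure here can also mean missing credentials, region or IAM permission.
    echo "CHECK FAILED: cannot describe secret '$secret_id' in AWS Secrets Manager" >&2
    rc=1
  fi

  if ! workdir_clean "$work_dir"; then
    echo "CHECK FAILED: '$work_dir' exists and is not empty; remove it before re-running" >&2
    rc=1
  fi

  return "$rc"
}
```
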
