MAS CLI version
16.0.0
CLI function used
other
What happened?
During Suite deployment with mas gitops-suite and --mongo-provider yaml, the tool:
- Correctly validates the cluster-level MongoDB secret dev1/masdemo1/mongo (all expected keys are present and non-empty).
- Creates the instance-level secret dev1/masdemo1/inst1/mongo in AWS Secrets Manager.
However, the created instance-level secret has empty credentials (username and password are empty strings), even though the cluster-level secret contains valid values.
This leads to downstream components (e.g. IBM Suite License Service using this instance-level secret) failing with errors such as “The empty string is not valid username”, because the OpenShift secret generated from dev1/masdemo1/inst1/mongo ends up with invalid credentials.
Expected behavior:
When --mongo-provider yaml is used and dev1/masdemo1/mongo is valid:
- mas gitops-suite should populate dev1/masdemo1/inst1/mongo with non-empty username and password (e.g. copied from the cluster-level secret, set via parameters or generated by the function).
- At minimum, the tool should not silently create an instance-level secret with empty credentials.
- If there is any scenario where empty credentials are intentional, this should be:
  - clearly documented for --mongo-provider yaml, and
  - guarded by validation or prompts, so users do not end up with a broken deployment without explanation.
Related usage: gitops-demo/tree/002 - Install Maximo Application Suite Core Platform
Relevant log output
[ibmmas/cli:16.0.0]mascli$ mas gitops-suite \
--github-push \
--mongo-provider yaml \
--sls-channel 3.x \
--mas-channel 9.1.x \
--mas-domain "${MAS_DOMAIN}"
IBM Maximo Application Suite GitOps Manager (v16.0.0)
Powered by https://github.com/ibm-mas/gitops/
1) Review Settings
Target
Account ID ..................... dev1
Region ID ...................... eu-south-1
Cluster ID ..................... masdemo1
Cluster URL .................... https://kubernetes.default.svc
MAS Instance ID ................ inst1
Instance Config Directory ...... /demo-files/mas/working-dir/gitops-demo/dev1/masdemo1/inst1
AWS Secrets Manager
Region ......................... eu-south-1
Secret Key ..................... AKIA<snip>
Access Key ..................... OZVs<snip>
Secrets Path ................... arn:aws:secretsmanager:eu-south-1:<account-id>:secret
Mongo
Mongo Provider ................ yaml
MAS_WIPE_MONGO_DATA ............
IBM Suite License Service
Subscription Channel ........... 3.x
Subscription Install Plan ...... Automatic
IBM Maximo Application Suite
Subscription Channel ....................... 9.1.x
Subscription Install Plan .................. Automatic
MAS Domain ................................. inst1.apps.<rosa-cluster-name>.openshiftapps.com
Domain ..................................... inst1.apps.<rosa-cluster-name>.openshiftapps.com
Image Tags .................................
Annotations ................................
Labels .....................................
MAS Manual Cert Mgt ........................ false
MAS MANUAL CERTS YAML ......................
Cert Manager Namespace ..................... cert-manager
DNS Provider ...............................
Pod Template YAML File ....................
OIDC Config ................................
Allow List .................................
Additional VPN .............................
Enhanced Disaster Recovery .................
Non shared cluster .........................
Java or 3rd Party Code Extensions ..........
Suite Spec Additional Properties ...........
Suite Spec Settings Additional Properties ..
GitOps Target
Automatic Push ................. Enabled
Working Directory .............. /demo-files/mas/working-dir
Host ........................... github.com
Organization ................... luca-banzato
Repository ..................... gitops-demo
Branch ......................... 002
2) Configuring Suite secrets
Logging into AWS SecretsManager ...
NAME : VALUE : TYPE : LOCATION
profile : <not set> : None : None
access_key : ******************** : env :
secret_key : ******************** : env :
region : eu-south-1 : env : ['AWS_REGION', 'AWS_DEFAULT_REGION']
ENFORCE_VALIDATION:true
- Verifying Secret dev1/masdemo1/mongo exists
{
"ARN": "arn:aws:secretsmanager:eu-south-1:<account-id>:secret:dev1/masdemo1/mongo-bS6I04",
"Name": "dev1/masdemo1/mongo",
"LastChangedDate": "2025-11-21T13:34:37.508000+00:00",
"LastAccessedDate": "2025-11-21T00:00:00+00:00",
"Tags": [
{
"Key": "cluster",
"Value": "masdemo1"
},
{
"Key": "source",
"Value": "gitops_mongo"
},
{
"Key": "account",
"Value": "dev1"
}
],
"VersionIdsToStages": {
"06551989-7b4c-4e39-ba0d-9cc10fc76a6a": [
"AWSCURRENT"
]
},
"CreatedDate": "2025-11-21T13:34:37.479000+00:00"
}
Secret Keys to validate username,password,info
String value for secret key username: admi<snip>
String value for secret key password: Hqw5<snip>
String value for secret key info: conf<snip>
- Getting Secret dev1/masdemo1/mongo to set in file /demo-files/mas/tmp-suite/mongo-secret.json
- Getting Secret dev1/masdemo1/inst1/mongo to set in file /demo-files/mas/tmp-suite/mongo-instance-secret.json
- Getting Secret dev1/masdemo1/inst1/docdb to set in file /demo-files/mas/tmp-suite/docdb-federal-instance-secret.json
Secret Manager: Updating dev1/masdemo1/inst1/mongo with tags [{"Key": "source", "Value": "gitops_suite"}, {"Key": "account", "Value": "d ev1"}, {"Key": "cluster", "Value": "masdemo1"}]
- Secret dev1/masdemo1/inst1/mongo creating
{
"ARN": "arn:aws:secretsmanager:eu-south-1:<account-id>:secret:dev1/masdemo1/inst1/mongo-EHITBO",
"Name": "dev1/masdemo1/inst1/mongo",
"VersionId": "1ba76459-59da-4bed-b871-e5c4bf04157a"
}
- Secret dev1/masdemo1/inst1/mongo created
3) Cloning GitHub repo luca-banzato gitops-demo
[2025-11-21 14:50:32.697] git clone https://git:****@github.com/luca-banzato/gitops-demo.git -b 002
-------------------------------------------------
Cloning into 'gitops-demo'...
remote: Enumerating objects: 607, done.
remote: Counting objects: 100% (75/75), done.
remote: Compressing objects: 100% (51/51), done.
remote: Total 607 (delta 54), reused 40 (delta 19), pack-reused 532 (from 1)
Receiving objects: 100% (607/607), 14.00 MiB | 19.06 MiB/s, done.
Resolving deltas: 100% (281/281), done.
4) Generating Suite Spec additional properties
5) Generating Suite Spec Settings additional properties
6) Generating Argo Project and Applications
- Base Config
- IBM Suite License Service
- IBM Maximo Application Suite Core Platform
7) Commit and push changes to GitHub repo luca-banzato gitops-demo
git: Changing to directory /demo-files/mas/working-dir/gitops-demo
[2025-11-21 14:50:34.763] git add -v .
-------------------------------------------------
git: Added 3 files
[2025-11-21 14:50:34.811] git commit -m "gitops-suite commit"
-------------------------------------------------
[002 6f9b1d2] gitops-suite commit
3 files changed, 105 insertions(+)
create mode 100644 dev1/masdemo1/inst1/ibm-mas-instance-base.yaml
create mode 100644 dev1/masdemo1/inst1/ibm-mas-suite.yaml
create mode 100644 dev1/masdemo1/inst1/ibm-sls.yaml
[2025-11-21 14:50:34.848] git fetch origin 002
-------------------------------------------------
From https://github.com/luca-banzato/gitops-demo
* branch 002 -> FETCH_HEAD
[2025-11-21 14:50:35.351] git pull origin --rebase
-------------------------------------------------
Current branch 002 is up to date.
[2025-11-21 14:50:35.913] git pull origin 002 --rebase
-------------------------------------------------
From https://github.com/luca-banzato/gitops-demo
* branch 002 -> FETCH_HEAD
Current branch 002 is up to date.
[2025-11-21 14:50:36.433] git push -u origin 002
-------------------------------------------------
Enumerating objects: 12, done.
Counting objects: 100% (12/12), done.
Delta compression using up to 8 threads
Compressing objects: 100% (7/7), done.
Writing objects: 100% (8/8), 1.97 KiB | 1.97 MiB/s, done.
Total 8 (delta 2), reused 0 (delta 0), pack-reused 0 (from 0)
remote: Resolving deltas: 100% (2/2), completed with 2 local objects.
To https://github.com/luca-banzato/gitops-demo.git
1a7c1c2..6f9b1d2 002 -> 002
branch '002' set up to track 'origin/002'.
git: Pushing changes to branch 002 success
git: Deleting git clone directory /demo-files/mas/working-dir/gitops-demo
[ibmmas/cli:16.0.0]mascli$
[ibmmas/cli:16.0.0]mascli$
[ibmmas/cli:16.0.0]mas$ oc get licenseservice
NAME VERSION STATUS INITIALIZED LICENSEID REGISTRATIONKEY AGE
sls 3.12.2 NotReady REDACTED REDACTED 2m37s
[ibmmas/cli:16.0.0]mas$ oc describe licenseservice
Name: sls
Namespace: mas-inst1-sls
Labels: app.kubernetes.io/instance=sls.masdemo1.inst1
Annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
argocd.argoproj.io/sync-wave: 105
API Version: sls.ibm.com/v1
Kind: LicenseService
Metadata:
Creation Timestamp: 2025-11-21T14:54:52Z
Generation: 1
Resource Version: 21692668
UID: 100fa088-7d48-4408-bf1f-82167adce602
Spec:
License:
Accept: true
Mongo:
Auth Mechanism: DEFAULT
Certificates:
Alias: mongodb-rootca
Crt: -----BEGIN CERTIFICATE-----
MIIB2DCCAX+gAwIBAgIRANsySPLpCmmhkpD4jXQD6HEwCgYIKoZIzj0EAwIwMjEw
[REDACTED]
-----END CERTIFICATE-----
Config Db: admin
Nodes:
Host: mongodb-0.mongodb-svc.mongodb.svc.cluster.local
Port: 27017
Retry Writes: false
Secret Name: sls-mongo-credentials
Settings:
Auth:
Enforce: true
Registration:
Open: true
Registry: icr.io/cpopen
Status:
Conditions:
Last Transition Time: 2025-11-21T14:55:10Z
Message: MongoDB configuration (certificates or credentials) is not valid. Ensure that mongo configuration, including certificates and credentials is correct
Reason: NotReady
Status: False
Type: Ready
Last Transition Time: 2025-11-21T14:55:10Z
Message: MongoDB configuration (certificates or credentials) is not valid: The empty string is not valid username
Reason: IncorrectMongoCredentialsOrCertificates
Status: False
Type: SystemDatabaseReady
Last Transition Time: 2025-11-21T14:55:10Z
Message:
Reason:
Status: False
Type: Successful
Ansible Result:
Changed: 0
Completion: 2025-11-21T14:57:32.042565+00:00
Failures: 1
Ok: 33
Skipped: 17
Last Transition Time: 2025-11-21T14:55:10Z
Message: NotReady: MongoDB configuration (certificates or credentials) is not valid. Ensure that mongo configuration, including certificates and credentials is correct
Reason: Failed
Status: True
Type: Failure
Last Transition Time: 2025-11-21T14:57:33Z
Message: Running reconciliation
Reason: Running
Status: True
Type: Running
License Id: REDACTED
Registration Key: REDACTED
Versions:
Reconciled: 3.12.2
Events: <none>
[ibmmas/cli:16.0.0]mascli$
[ibmmas/cli:16.0.0]mascli$
[ibmmas/cli:16.0.0]mascli$
[ibmmas/cli:16.0.0]mascli$ aws secretsmanager get-secret-value --secret-id dev1/masdemo1/inst1/mongo --query SecretString --output json
"{\"info\": \"config:\\n configDb: admin\\n authMechanism: DEFAULT\\n retryWrites: false\\n hosts:\\n - host: \\\"mongodb-0.mongodb-svc.mongodb.svc.cluster.local\\\"\\n port: 27017\\ncertificates:\\n- alias: mongodb-rootca\\n crt: |\\n -----BEGIN CERTIFICATE-----\\n MIIB2DCCAX+gAwIBAgIRANsySPLpCmmhkpD4jXQD6HEwCgYIKoZIzj0EAwIwMjEw\\n [REDACTED] -----END CERTIFICATE-----\", \"username\": \"\", \"password\": \"\"}"Reactions are currently unavailable