[minor] Support AI Service configuration in Maximo Manage

[Divyesh-Khokhar]

Description

Adds new Ansible role suite_manage_aiservice_config that automates AI Service configuration for Maximo Manage. The role retrieves AI Service connection details (API key, URL, tenant ID), configures Manage encryption secret properties and imports TLS certificate.

• This removes the need to manually configure AIServices in manage.
  https://www.ibm.com/docs/en/masv-and-l/cd?topic=manage-deploying-maximo-ai-service#taskmaximoaiservice__steps__1

Test Results

Test result:

TASK [suite_manage_aiservice_config : Debug] ***
ok: [localhost] => {
    "msg": [
        "mas_instance_id ................................... fyrerd",
        "mas_workspace_id .................................. masdev",
        "mas_app_id ........................................ manage",
        "",
        "aiservice_instance_id ............................. fyrerd",
        "aiservice_namespace ............................... aiservice-fyrerd",
        "",
        "manage_namespace .................................. mas-fyrerd-manage",
        "manage_encryption_secret_name ..................... masdev-manage-encryptionsecret",
        "",
        "mas_manage_aiservice_configured ................... False",
        "mas_manage_aiservice_version (existing) ........... ",
        "",
        "AI Service is not configured or instance has changed, proceeding with configuration..."
    ]
}

TASK [suite_manage_aiservice_config : Step 1: Retrieve AI Service API key from secret] ***
ok: [localhost]

TASK [suite_manage_aiservice_config : Step 2: Retrieve AI Service URL from aibroker route] ***
ok: [localhost]

TASK [suite_manage_aiservice_config : Step 3: Retrieve AI Service tenant ID from AIServiceTenant CR] ***
ok: [localhost]

TASK [suite_manage_aiservice_config : Step 4: Patch AI Service properties into Manage encryption secret] ***
changed: [localhost]

TASK [suite_manage_aiservice_config : Step 5: Verify AI Service properties in secret] ***
ok: [localhost] => {
    "msg": "Verified: mxe.int.aibrokerapikey is present in secret"
}

TASK [suite_manage_aiservice_config : Step 6: Import AI Service TLS certificate into Manage] ***
changed: [localhost]

TASK [suite_manage_aiservice_config : AI Service configuration completed successfully] ***
ok: [localhost] => {
    "msg": [
        "AI Service properties configured in Manage encryption secret successfully",
        "AI Service TLS certificate imported into Manage truststore",
        "Note: Manage will automatically restart to apply these changes"
    ]
}

---

Jira link: https://jsw.ibm.com/browse/MASAIAUTO-10

[durera]

We don't seem to integrate at a tenant level? Isn't the point of the aiservice architecture that we will have:

mas1 -> aiservice1-mas1 tenant
mas2 -> aiservice1-mas2 tenant

e.g. the api secret used: aiservice-{{ aiservice_instance_id }}-user----apikey-secret" .. that would be the same for every MAS instance using AI Service.

[Divyesh-Khokhar]

Hi @durera ,Thanks for your review.
I have updated the implementation to scope things based on tenant ID rather than instance ID, so each MAS instance integrates with its own AI Service tenant.
e.g. name: "{{ aiservice_tenant_id }}----apikey-secret"

I also discussed the multi-tenant scenario with Jasmin, and he suggested that it is safer to require AISERVICE_TENANT_ID as a mandatory variable, instead of implicitly defaulting to aiservice_tenants_list.resources[0].metadata.name. Assuming the first tenant could lead to incorrect integrations when multiple tenants are present.

Let me know your thoughts. If this is the right approach, I will keep AISERVICE_TENANT_ID mandatory.
e.g. AISERVICE_TENANT_ID="aiservice-aiservice1-user" or "aiservice-aiservice1-xyz" etc.

[durera]

I think requiring explicit AISERVICE_TENANT_ID is correct approach, however I would expect AISERVICE_TENANT_ID is set to just the tenant part, ie user in example above, rather than the full AISERVICE_TENANT_ID=aiservice-{instanceid}-{tenantid}.

This is more consitant with WORKSPACE_ID, which is basically the same thing. Then, when we need the fully qualified tenant id in the code, we can use something like:

AISERVICE_TENANT_FQN: "aiservice-{{ aiservice_instance_id }}-{{ aiservice_tenant_id }}`

[Divyesh-Khokhar]

Thanks David, I will keep the aiservice_tenant_id variable mandatory and construct AISERVICE_TENANT_FQN based on the user provided aiservice_tenant_id, as you suggested.