From 67f5823ad2620f3105c28c56e8c564f0f3a11907 Mon Sep 17 00:00:00 2001 From: Unnati Solanki Date: Tue, 16 Dec 2025 13:31:39 +0530 Subject: [PATCH 1/4] [patch] Fix Upgrade issue for ocp_idms --- .../ocp_idms/tasks/update-pull-secret-dev.yml | 12 +++++++----- .../roles/ocp_idms/tasks/update-pull-secret.yml | 14 ++++++++------ 2 files changed, 15 insertions(+), 11 deletions(-) diff --git a/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret-dev.yml b/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret-dev.yml index de9277bbc1..0c702ab50d 100644 --- a/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret-dev.yml +++ b/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret-dev.yml @@ -6,12 +6,14 @@ - name: "update-pull-secret-dev : Set new secret content" vars: artifactoryAuthB64: "{{ artifactory_auth | b64encode }}" - content: - - "{\"auths\":{\"{{ fvt_image_registry }}\":{\"username\":\"{{ artifactory_username }}\",\"password\":\"{{ artifactory_token }}\",\"email\":\"{{ artifactory_username }}\",\"auth\":\"{{ artifactoryAuthB64 }}\"}" - - "}" - - "}" set_fact: - new_secret_dev: "{{ content | join('') }}" + new_secret_dev: + auths: + "{{ fvt_image_registry }}": + username: "{{ artifactory_username }}" + password: "{{ artifactory_token }}" + email: "{{ artifactory_username }}" + auth: "{{ artifactoryAuthB64 }}" no_log: true # 1.2 Find the existing secret, and we are going to modify it rather than replace diff --git a/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret.yml b/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret.yml index d40a158399..a3576a66a6 100644 --- a/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret.yml +++ b/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret.yml 
@@ -6,12 +6,14 @@ - name: "update-pull-secret : Set new secret content" vars: registryAuthB64: "{{ registry_auth | b64encode }}" - content: - - "{\"auths\":{\"{{ registry_private_url }}\":{\"username\":\"{{ registry_username }}\",\"password\":\"{{ registry_password }}\",\"email\":\"{{ registry_username }}\",\"auth\":\"{{ registryAuthB64 }}\"}" - - "}" - - "}" set_fact: - new_secret: "{{ content | join('') }}" + new_secret: + auths: + "{{ registry_private_url }}": + username: "{{ registry_username }}" + password: "{{ registry_password }}" + email: "{{ registry_username }}" + auth: "{{ registryAuthB64 }}" no_log: true # 1.2 Find the existing secret, and we are going to modify it rather than replace @@ -38,7 +40,7 @@ # 1.3 Append our new credentials to the secret - name: "update-pull-secret : Combine new secret content" set_fact: - new_secret_string: '{{ secret_string | combine( new_secret, recursive=True) }}' + new_secret_string: '{{ secret_string | combine(new_secret, recursive=True) }}' no_log: true # 1.4. Overwrite the secret From 0ae0aee7a1d4796c6335142e366f03d78a4a6c82 Mon Sep 17 00:00:00 2001 From: Unnati Solanki Date: Tue, 16 Dec 2025 14:53:17 +0530 Subject: [PATCH 2/4] [patch] Revert due to dict key issue --- .../ocp_idms/tasks/update-pull-secret-dev.yml | 14 ++++++-------- .../roles/ocp_idms/tasks/update-pull-secret.yml | 14 ++++++-------- 2 files changed, 12 insertions(+), 16 deletions(-) diff --git a/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret-dev.yml b/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret-dev.yml index 0c702ab50d..4b846e934a 100644 --- a/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret-dev.yml +++ b/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret-dev.yml 
@@ -6,14 +6,12 @@ - name: "update-pull-secret-dev : Set new secret content" vars: artifactoryAuthB64: "{{ artifactory_auth | b64encode }}" + content: + - "{\"auths\":{\"{{ fvt_image_registry }}\":{\"username\":\"{{ artifactory_username }}\",\"password\":\"{{ artifactory_token }}\",\"email\":\"{{ artifactory_username }}\",\"auth\":\"{{ artifactoryAuthB64 }}\"}" + - "}" + - "}" set_fact: - new_secret_dev: - auths: - "{{ fvt_image_registry }}": - username: "{{ artifactory_username }}" - password: "{{ artifactory_token }}" - email: "{{ artifactory_username }}" - auth: "{{ artifactoryAuthB64 }}" + new_secret_dev: "{{ content | join('') }}" no_log: true # 1.2 Find the existing secret, and we are going to modify it rather than replace @@ -40,7 +38,7 @@ # 1.3 Append our new credentials to the secret - name: "update-pull-secret-dev : Combine new secret content" set_fact: - new_secret_string: '{{ secret_string | combine( new_secret_dev, recursive=True) }}' + new_secret_string: '{{ secret_string | combine( new_secret_dev | from_json, recursive=True) }}' no_log: true # 1.4. Overwrite the secret diff --git a/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret.yml b/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret.yml index a3576a66a6..8e0c702c71 100644 --- a/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret.yml +++ b/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret.yml 
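Review bot: The restored `content` list in the first hunk builds the dockerconfig JSON by string concatenation, so a `"` or `\` in `artifactory_token` or `artifactory_username` is interpolated unescaped and can break the document or change which keys the later `from_json` / `combine` step merges into the cluster pull secret. The mapping form being reverted presumably failed because Ansible does not template mapping keys, but a single expression avoids both problems: `new_secret_dev: "{{ {'auths': {fvt_image_registry: {'username': artifactory_username, 'password': artifactory_token, 'email': artifactory_username, 'auth': artifactoryAuthB64}}} }}"`, with the `| from_json` in the combine task dropped again. The same applies to `new_secret` in update-pull-secret.yml in this commit.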
@@ -6,14 +6,12 @@ - name: "update-pull-secret : Set new secret content" vars: registryAuthB64: "{{ registry_auth | b64encode }}" + content: + - "{\"auths\":{\"{{ registry_private_url }}\":{\"username\":\"{{ registry_username }}\",\"password\":\"{{ registry_password }}\",\"email\":\"{{ registry_username }}\",\"auth\":\"{{ registryAuthB64 }}\"}" + - "}" + - "}" set_fact: - new_secret: - auths: - "{{ registry_private_url }}": - username: "{{ registry_username }}" - password: "{{ registry_password }}" - email: "{{ registry_username }}" - auth: "{{ registryAuthB64 }}" + new_secret: "{{ content | join('') }}" no_log: true # 1.2 Find the existing secret, and we are going to modify it rather than replace @@ -40,7 +38,7 @@ # 1.3 Append our new credentials to the secret - name: "update-pull-secret : Combine new secret content" set_fact: - new_secret_string: '{{ secret_string | combine(new_secret, recursive=True) }}' + new_secret_string: '{{ secret_string | combine( new_secret | from_json, recursive=True) }}' no_log: true # 1.4. Overwrite the secret From b551f5fc69e4e86df32accf7747dfd8593266fee Mon Sep 17 00:00:00 2001 From: Unnati Solanki Date: Tue, 16 Dec 2025 18:08:24 +0530 Subject: [PATCH 3/4] [patch] Update pull secret with action --- .../action/update_global_pull_secret.py | 57 +++++++++++++++++++ .../ocp_idms/tasks/update-pull-secret-dev.yml | 56 ++---------------- .../ocp_idms/tasks/update-pull-secret.yml | 56 ++---------------- 3 files changed, 67 insertions(+), 102 deletions(-) create mode 100644 ibm/mas_devops/plugins/action/update_global_pull_secret.py diff --git a/ibm/mas_devops/plugins/action/update_global_pull_secret.py b/ibm/mas_devops/plugins/action/update_global_pull_secret.py new file mode 100644 index 0000000000..9f89de599f --- /dev/null +++ b/ibm/mas_devops/plugins/action/update_global_pull_secret.py 
@@ -0,0 +1,57 @@ +#!/usr/bin/env python3 + +import logging +import urllib3 +from ansible_collections.kubernetes.core.plugins.module_utils.k8s.client import get_api_client +from ansible.errors import AnsibleError +from ansible.plugins.action import ActionBase + +from mas.devops.ocp import updateGlobalPullSecret + +urllib3.disable_warnings() # Disabling warnings will prevent InsecureRequestWarnings from dynClient +logging.basicConfig(level=logging.INFO, format='%(asctime)s %(name)-20s %(levelname)-8s %(message)s', datefmt='%Y-%m-%d %H:%M:%S') + +class ActionModule(ActionBase): + """ + Update the global pull secret in openshift-config namespace with registry credentials. + + Usage Example + ------------- + tasks: + - name: "Update Global Pull Secret" + ibm.mas_devops.update_global_pull_secret: + registry_url: "{{ registry_private_url }}" + username: "{{ registry_username }}" + password: "{{ registry_password }}" + register: result + """ + def run(self, tmp=None, task_vars=None): + super(ActionModule, self).run(tmp, task_vars) + + registryUrl = self._task.args.get('registry_url', None) + username = self._task.args.get('username', None) + password = self._task.args.get('password', None) + + if registryUrl is None: + raise AnsibleError(f"Error: registry_url argument was not provided") + if username is None: + raise AnsibleError(f"Error: username argument was not provided") + if password is None: + raise AnsibleError(f"Error: password argument was not provided") + + # Initialize DynamicClient and update the global pull secret + host = self._task.args.get('host', None) + api_key = self._task.args.get('api_key', None) + + dynClient = get_api_client(api_key=api_key, host=host) + result = updateGlobalPullSecret(dynClient, registryUrl, username, password) + + return dict( + message=f"Successfully updated global pull secret with credentials for {registryUrl}", + success=True, + failed=False, + changed=result.get('changed', True), + name=result.get('name'), + 
namespace=result.get('namespace'), + registry=result.get('registry') + ) \ No newline at end of file diff --git a/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret-dev.yml b/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret-dev.yml index 4b846e934a..4bdd8254ab 100644 --- a/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret-dev.yml +++ b/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret-dev.yml 
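Review bot: The two module-level calls at the top of the new plugin, `urllib3.disable_warnings()` and `logging.basicConfig(level=logging.INFO, ...)`, take effect for the whole controller process as soon as the plugin is imported, not only for this task. The first hides InsecureRequestWarning on every later connection, so an unverified TLS session carrying the registry password would go unnoticed; the second configures the root logger, and if `mas.devops.ocp` logs anything about the secret at INFO (not visible here) that output may not be covered by the task's `no_log: true`. I would drop both, or at least narrow the first to `urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)` behind an explicit opt-out of certificate validation. Separately, the `is None` checks in `run()` let empty strings through to `updateGlobalPullSecret`, which would write an unusable entry into the cluster-wide pull secret; `if not registryUrl:` (and likewise for `username` and `password`) closes that, and the `f` prefix on the three messages can go since they have no placeholders.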
@@ -2,57 +2,11 @@ # 1. Update default cluster image pull secret # ============================================================================= -# 1.1 Generate the new secret content -- name: "update-pull-secret-dev : Set new secret content" - vars: - artifactoryAuthB64: "{{ artifactory_auth | b64encode }}" - content: - - "{\"auths\":{\"{{ fvt_image_registry }}\":{\"username\":\"{{ artifactory_username }}\",\"password\":\"{{ artifactory_token }}\",\"email\":\"{{ artifactory_username }}\",\"auth\":\"{{ artifactoryAuthB64 }}\"}" - - "}" - - "}" - set_fact: - new_secret_dev: "{{ content | join('') }}" - no_log: true - -# 1.2 Find the existing secret, and we are going to modify it rather than replace -- name: "update-pull-secret-dev : Retrieve existing pull-secret content" - kubernetes.core.k8s_info: - api: v1 - kind: Secret - name: pull-secret - namespace: openshift-config - register: pullsecret - no_log: true - -- name: "update-pull-secret-dev : Get the original cred secrets" - set_fact: - original_secret: "{{ item.data }}" - with_items: "{{ pullsecret.resources }}" - no_log: true - -- name: "update-pull-secret-dev : Get the dockerconfigjson info" - set_fact: - secret_string: '{{ original_secret[".dockerconfigjson"] | b64decode | from_json }}' - no_log: true - -# 1.3 Append our new credentials to the secret -- name: "update-pull-secret-dev : Combine new secret content" - set_fact: - new_secret_string: '{{ secret_string | combine( new_secret_dev | from_json, recursive=True) }}' - no_log: true - -# 1.4. 
Overwrite the secret -- name: "update-pull-secret-dev : Update new pull-secret" - kubernetes.core.k8s: - definition: - apiVersion: v1 - kind: Secret - type: kubernetes.io/dockerconfigjson - metadata: - name: pull-secret - namespace: openshift-config - data: - .dockerconfigjson: "{{ new_secret_string | to_json | b64encode }}" +- name: "update-pull-secret-dev : Update global pull secret" + ibm.mas_devops.update_global_pull_secret: + registry_url: "{{ fvt_image_registry }}" + username: "{{ artifactory_username }}" + password: "{{ artifactory_token }}" register: secretUpdateResult no_log: true diff --git a/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret.yml b/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret.yml index 8e0c702c71..c74a3a42fc 100644 --- a/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret.yml +++ b/ibm/mas_devops/roles/ocp_idms/tasks/update-pull-secret.yml 
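Review bot: The new task passes only `registry_url`, `username` and `password`, whereas the removed tasks wrote the `auth` field from `artifactory_auth | b64encode` and set `email` explicitly, so the entry that lands in `openshift-config/pull-secret` now depends on how `updateGlobalPullSecret` derives `auth`, which is not visible in this patch. If `artifactory_auth` was ever supplied as something other than `username:token`, the stored credential changes silently. I would add a comment above the task such as `# auth is derived from username/password by the action plugin; artifactory_auth is no longer read here` and confirm the variable can be retired from the role defaults. Because the task keeps `no_log: true`, the plugin's "argument was not provided" errors will also be censored, so a preceding `ansible.builtin.assert` on the three variables being non-empty would keep failures diagnosable without exposing values. The update-pull-secret.yml hunk that follows has the same change with `registry_auth`.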
@@ -2,57 +2,11 @@ # 1. Update default cluster image pull secret # ============================================================================= -# 1.1 Generate the new secret content -- name: "update-pull-secret : Set new secret content" - vars: - registryAuthB64: "{{ registry_auth | b64encode }}" - content: - - "{\"auths\":{\"{{ registry_private_url }}\":{\"username\":\"{{ registry_username }}\",\"password\":\"{{ registry_password }}\",\"email\":\"{{ registry_username }}\",\"auth\":\"{{ registryAuthB64 }}\"}" - - "}" - - "}" - set_fact: - new_secret: "{{ content | join('') }}" - no_log: true - -# 1.2 Find the existing secret, and we are going to modify it rather than replace -- name: "update-pull-secret : Retrieve existing pull-secret content" - kubernetes.core.k8s_info: - api: v1 - kind: Secret - name: pull-secret - namespace: openshift-config - register: pullsecret - no_log: true - -- name: "update-pull-secret : Get the original cred secrets" - set_fact: - original_secret: "{{ item.data }}" - with_items: "{{ pullsecret.resources }}" - no_log: true - -- name: "update-pull-secret : Get the dockerconfigjson info" - set_fact: - secret_string: '{{ original_secret[".dockerconfigjson"] | b64decode | from_json }}' - no_log: true - -# 1.3 Append our new credentials to the secret -- name: "update-pull-secret : Combine new secret content" - set_fact: - new_secret_string: '{{ secret_string | combine( new_secret | from_json, recursive=True) }}' - no_log: true - -# 1.4. 
Overwrite the secret -- name: "update-pull-secret : Update new pull-secret" - kubernetes.core.k8s: - definition: - apiVersion: v1 - kind: Secret - type: kubernetes.io/dockerconfigjson - metadata: - name: pull-secret - namespace: openshift-config - data: - .dockerconfigjson: "{{ new_secret_string | to_json | b64encode }}" +- name: "update-pull-secret : Update global pull secret" + ibm.mas_devops.update_global_pull_secret: + registry_url: "{{ registry_private_url }}" + username: "{{ registry_username }}" + password: "{{ registry_password }}" register: secretUpdateResult no_log: true From a5b7f511a4eaa523a566f6b823fd3a6f04b39c5e Mon Sep 17 00:00:00 2001 From: Unnati Solanki Date: Tue, 16 Dec 2025 21:56:43 +0530 Subject: [PATCH 4/4] [patch] Adding to metadata --- ibm/mas_devops/meta/runtime.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ibm/mas_devops/meta/runtime.yml b/ibm/mas_devops/meta/runtime.yml index 8d4c46761c..a32908d084 100644 --- a/ibm/mas_devops/meta/runtime.yml +++ b/ibm/mas_devops/meta/runtime.yml @@ -13,3 +13,4 @@ action_groups: - verify_workloads - wait_for_app_ready - wait_for_conditions + - update_global_pull_secret