ibm-mas · durera · Dec 16, 2025 · Dec 16, 2025 · Dec 16, 2025 · Dec 16, 2025
@@ -13,3 +13,4 @@ action_groups:
     - verify_workloads
     - wait_for_app_ready
     - wait_for_conditions
+    - update_global_pull_secret
@@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+
+import logging
+import urllib3
+from ansible_collections.kubernetes.core.plugins.module_utils.k8s.client import get_api_client
+from ansible.errors import AnsibleError
+from ansible.plugins.action import ActionBase
+
+from mas.devops.ocp import updateGlobalPullSecret
+
+urllib3.disable_warnings()  # Disabling warnings will prevent InsecureRequestWarnings from dynClient
+logging.basicConfig(level=logging.INFO, format='%(asctime)s %(name)-20s %(levelname)-8s %(message)s', datefmt='%Y-%m-%d %H:%M:%S')
+
+class ActionModule(ActionBase):
+    """
+    Update the global pull secret in openshift-config namespace with registry credentials.
+
+    Usage Example
+    -------------
+    tasks:
+      - name: "Update Global Pull Secret"
+        ibm.mas_devops.update_global_pull_secret:
+          registry_url: "{{ registry_private_url }}"
+          username: "{{ registry_username }}"
+          password: "{{ registry_password }}"
+        register: result
+    """
+    def run(self, tmp=None, task_vars=None):
+        super(ActionModule, self).run(tmp, task_vars)
+
+        registryUrl = self._task.args.get('registry_url', None)
+        username = self._task.args.get('username', None)
+        password = self._task.args.get('password', None)
+
+        if registryUrl is None:
+            raise AnsibleError(f"Error: registry_url argument was not provided")
+        if username is None:
+            raise AnsibleError(f"Error: username argument was not provided")
+        if password is None:
+            raise AnsibleError(f"Error: password argument was not provided")
+
+        # Initialize DynamicClient and update the global pull secret
+        host = self._task.args.get('host', None)
+        api_key = self._task.args.get('api_key', None)
+
+        dynClient = get_api_client(api_key=api_key, host=host)
+        result = updateGlobalPullSecret(dynClient, registryUrl, username, password)
+
+        return dict(
+            message=f"Successfully updated global pull secret with credentials for {registryUrl}",
+            success=True,
+            failed=False,
+            changed=result.get('changed', True),
+            name=result.get('name'),
+            namespace=result.get('namespace'),
+            registry=result.get('registry')
+        )
@@ -2,57 +2,11 @@
 # 1. Update default cluster image pull secret
 # =============================================================================
 
-# 1.1 Generate the new secret content
-- name: "update-pull-secret-dev : Set new secret content"
-  vars:
-    artifactoryAuthB64: "{{ artifactory_auth | b64encode }}"
-    content:
-      - "{\"auths\":{\"{{ fvt_image_registry }}\":{\"username\":\"{{ artifactory_username }}\",\"password\":\"{{ artifactory_token }}\",\"email\":\"{{ artifactory_username }}\",\"auth\":\"{{ artifactoryAuthB64 }}\"}"
-      - "}"
-      - "}"
-  set_fact:
-    new_secret_dev: "{{ content | join('') }}"
-  no_log: true
-
-# 1.2 Find the existing secret, and we are going to modify it rather than replace
-- name: "update-pull-secret-dev : Retrieve existing pull-secret content"
-  kubernetes.core.k8s_info:
-    api: v1
-    kind: Secret
-    name: pull-secret
-    namespace: openshift-config
-  register: pullsecret
-  no_log: true
-
-- name: "update-pull-secret-dev : Get the original cred secrets"
-  set_fact:
-    original_secret: "{{ item.data }}"
-  with_items: "{{ pullsecret.resources }}"
-  no_log: true
-
-- name: "update-pull-secret-dev : Get the dockerconfigjson info"
-  set_fact:
-    secret_string: '{{ original_secret[".dockerconfigjson"] | b64decode | from_json }}'
-  no_log: true
-
-# 1.3 Append our new credentials to the secret
-- name: "update-pull-secret-dev : Combine new secret content"
-  set_fact:
-    new_secret_string: '{{ secret_string | combine( new_secret_dev, recursive=True) }}'
-  no_log: true
-
-# 1.4. Overwrite the secret
-- name: "update-pull-secret-dev : Update new pull-secret"
-  kubernetes.core.k8s:
-    definition:
-      apiVersion: v1
-      kind: Secret
-      type: kubernetes.io/dockerconfigjson
-      metadata:
-        name: pull-secret
-        namespace: openshift-config
-      data:
-        .dockerconfigjson: "{{ new_secret_string | to_json | b64encode }}"
+- name: "update-pull-secret-dev : Update global pull secret"
+  ibm.mas_devops.update_global_pull_secret:
+    registry_url: "{{ fvt_image_registry }}"
+    username: "{{ artifactory_username }}"
+    password: "{{ artifactory_token }}"
   register: secretUpdateResult
   no_log: true
 

@@ -2,57 +2,11 @@
 # 1. Update default cluster image pull secret
 # =============================================================================
 
-# 1.1 Generate the new secret content
-- name: "update-pull-secret : Set new secret content"
-  vars:
-    registryAuthB64: "{{ registry_auth | b64encode }}"
-    content:
-      - "{\"auths\":{\"{{ registry_private_url }}\":{\"username\":\"{{ registry_username }}\",\"password\":\"{{ registry_password }}\",\"email\":\"{{ registry_username }}\",\"auth\":\"{{ registryAuthB64 }}\"}"
-      - "}"
-      - "}"
-  set_fact:
-    new_secret: "{{ content | join('') }}"
-  no_log: true
-
-# 1.2 Find the existing secret, and we are going to modify it rather than replace
-- name: "update-pull-secret : Retrieve existing pull-secret content"
-  kubernetes.core.k8s_info:
-    api: v1
-    kind: Secret
-    name: pull-secret
-    namespace: openshift-config
-  register: pullsecret
-  no_log: true
-
-- name: "update-pull-secret : Get the original cred secrets"
-  set_fact:
-    original_secret: "{{ item.data }}"
-  with_items: "{{ pullsecret.resources }}"
-  no_log: true
-
-- name: "update-pull-secret : Get the dockerconfigjson info"
-  set_fact:
-    secret_string: '{{ original_secret[".dockerconfigjson"] | b64decode | from_json }}'
-  no_log: true
-
-# 1.3 Append our new credentials to the secret
-- name: "update-pull-secret : Combine new secret content"
-  set_fact:
-    new_secret_string: '{{ secret_string | combine( new_secret, recursive=True) }}'
-  no_log: true
-
-# 1.4. Overwrite the secret
-- name: "update-pull-secret : Update new pull-secret"
-  kubernetes.core.k8s:
-    definition:
-      apiVersion: v1
-      kind: Secret
-      type: kubernetes.io/dockerconfigjson
-      metadata:
-        name: pull-secret
-        namespace: openshift-config
-      data:
-        .dockerconfigjson: "{{ new_secret_string | to_json | b64encode }}"
+- name: "update-pull-secret : Update global pull secret"
+  ibm.mas_devops.update_global_pull_secret:
+    registry_url: "{{ registry_private_url }}"
+    username: "{{ registry_username }}"
+    password: "{{ registry_password }}"
   register: secretUpdateResult
   no_log: true