ibm-mas · tomklapiscak · Dec 1, 2025 · Nov 27, 2025 · Nov 27, 2025 · Nov 27, 2025
diff --git a/instance-applications/130-ibm-mas-suite/templates/07-postsync-set_welcome_messsage_Job.yaml b/instance-applications/130-ibm-mas-suite/templates/07-postsync-set_welcome_messsage_Job.yaml
@@ -0,0 +1,313 @@
+{{- if .Values.welcome_message }}
+
+{{- /*
+Meaningful prefix for the job resource name. Must be under 52 chars in length to leave room for the 11 chars reserved for '-' and $_job_hash.
+*/}}
+{{- $_job_name_prefix := "set-welcome-message" }}
+
+{{- /*
+Use the build/bin/set-cli-image-digest.sh script to update this value across all charts.
+Included in $_job_hash (see below).
+*/}}
+{{- $_cli_image_digest := "sha256:1b88f88a1a719d006ea1f4b8dcfd1c2625fa7ecc529c3267e7b4b6afaa1c8da0" }}
+
+{{- /*
+A dict of values that influence the behaviour of the job in some way.
+Any changes to values in this dict will trigger a rerun of the job.
+Since jobs must be idemopotent, it's generally safe to pass in values here that are not
+strictly necessary (i.e. including some values that don't actually influence job behaviour).
+We may want to refine this further though for jobs that can take a long time to complete.
+Included in $_job_hash (see below).
+*/}}
+{{- $_job_config_values := omit .Values "junitreporter" }}
+
+{{- /*
+Increment this value whenever you make a change to an immutable field of the Job resource.
+E.g. passing in a new environment variable.
+Included in $_job_hash (see below).
+*/}}
+{{- $_job_version := "v3" }}
+
+{{- /*
+10 char hash appended to the job name taking into account $_job_config_values, $_job_version and $_cli_image_digest
+This is to ensure ArgoCD will create a new job resource intead of attempting (and failing) to update an
+immutable field of any existing Job resource.
+*/}}
+{{- $_job_hash := print ($_job_config_values | toYaml) $_cli_image_digest $_job_version | adler32sum }}
+
+{{- $_job_name := join "-" (list $_job_name_prefix $_job_hash )}}
+
+{{- /*
+Set as the value for the mas.ibm.com/job-cleanup-group label on the Job resource.
+
+When the auto_delete flag is not set on the root application, a CronJob in the cluster uses this label 
+to identify old Job resources that should be pruned on behalf of ArgoCD.
+
+Any Job resources in the same namespace that have the mas.ibm.com/job-cleanup-group with this value
+will be considered to belong to the same cleanup group. All but the most recent (i.e. with the latest "creation_timestamp")
+Jobs will be automatically deleted.
+
+$_job_cleanup_group can usually just be based on $_job_name_prefix. There are some special cases
+where multiple Jobs are created in our templates using a Helm loop. In those cases, additional descriminators
+must be added to $_job_cleanup_group.
+
+By convention, we sha1sum this value to guarantee we never exceed the 63 char limit regardless of which discriminators
+are required here.
+
+*/}}
+{{- $_job_cleanup_group := cat $_job_name_prefix | sha1sum }}
+
+{{ $ns :=                           printf "mas-%s-core" .Values.instance_id }}
+{{ $np_name :=                      printf "%s-np" $_job_name_prefix }}
+{{ $role_name :=                    printf "%s-r"  $_job_name_prefix }}
+{{ $sa_name :=                      printf "%s-sa" $_job_name_prefix }}
+{{ $rb_name :=                      printf "%s-rb-core" $_job_name_prefix }}
+{{ $job_label :=                    printf "%s-l"  $_job_name_prefix }}
+
+{{ $cm_name :=                      printf "%s-state" $_job_name_prefix}}
+{{ $internalapi_tls_secret_name :=  printf "%s-internalapi-cert-internal" .Values.instance_id}}
+
+
+---
+# Permit outbound communication by the Job pods
+# (Needed to communicate internalapi)
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: {{ $np_name }}
+  namespace: {{ $ns }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "144"
+{{- if .Values.custom_labels }}
+  labels:
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ $job_label }}
+  egress:
+    - {}
+  policyTypes:
+    - Egress
+
+
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: {{ $sa_name }}
+  namespace: {{ $ns }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "144"
+{{- if .Values.custom_labels }}
+  labels:
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+
+
+
+---
+# Job needs to be able to create and read a configmap to hold state about its
+# execution status
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $role_name }}
+  namespace: {{ $ns }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "144"
+{{- if .Values.custom_labels }}
+  labels:
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+rules:
+  - verbs:
+      - get
+      - create
+      - patch
+    apiGroups:
+      - ""
+    resources:
+      - configmaps
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $rb_name }}
+  namespace: {{ $ns }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "145"
+{{- if .Values.custom_labels }}
+  labels:
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $sa_name }}
+    namespace: {{ $ns }}
+roleRef:
+  kind: Role
+  name: {{ $role_name }}
+  apiGroup: rbac.authorization.k8s.io
+
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ $_job_name }}
+  namespace: {{ $ns }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "146"
+  labels:
+    mas.ibm.com/job-cleanup-group: {{ $_job_cleanup_group }}
+{{- if .Values.custom_labels }}
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+spec:
+  parallelism: 1
+  completions: 1
+  backoffLimit: 4
+
+  template:
+    metadata:
+      labels:
+        app: {{ $job_label }}
+{{- if .Values.custom_labels }}
+{{ .Values.custom_labels | toYaml | indent 8 }}
+{{- end }}
+    spec:
+      restartPolicy: Never
+      serviceAccountName: "{{ $sa_name }}"
+      volumes:
+        - name: "tls"
+          secret:
+            secretName: "{{ $internalapi_tls_secret_name }}"
+            defaultMode: 420
+            optional: false
+
+      containers:
+        - name: {{ $_job_name_prefix }}
+          image: {{ .Values.cli_image_repo | default "quay.io/ibmmas/cli" }}@{{ $_cli_image_digest }}
+          imagePullPolicy: IfNotPresent
+
+          env:
+            - name: MAS_INSTANCE_ID
+              value: "{{ .Values.instance_id }}"
+
+            - name: WELCOME_MESSAGE
+              value: "{{ .Values.welcome_message }}"
+
+            - name: STATE_CONFIGMAP_NAME
+              value: "{{ $cm_name }}"
+
+            - name: MAS_CORE_NAMESPACE
+              value: "{{ $ns }}"
+
+          volumeMounts:
+            - name: "tls"
+              mountPath: /etc/mas/tls
+
+          command:
+            - /bin/sh
+            - -c
+            - |
+                INTERNAL_API_URL="https://internalapi.mas-${MAS_INSTANCE_ID}-core.svc:443"
+                WELCOME_MESSAGES_API_URL="${INTERNAL_API_URL}/v1/messages/welcome"
+                CA_FILE="/etc/mas/tls/ca.crt"
+                CERT_FILE="/etc/mas/tls/tls.crt"
+                KEY_FILE="/etc/mas/tls/tls.key"
+
+                echo "MAS Welcome Message Setup"
+                echo "==============================="
+                echo ""
+
+                echo "This Job will ensure that the MAS welcome message (i.e. that shown at the bottom of the login screen)"
+                echo "is set to the value defined in gitops configuration."
+                echo "The welcome message will only be updated if one of the following are true:"
+                echo " - This Job has never been run before (i.e. after the Suite is installed for the first time)"
+                echo " - The welcome message defined in the gitops configuration has changed since the last time this Job ran"
+                echo "If the welcome message is changed via the MAS UI/API, this Job will NOT revert the change - this is intentional."
+                echo ""
+
+                # Escape any characters that may interfere with JSON
+                WELCOME_MESSAGE_ESCAPED=$(echo ${WELCOME_MESSAGE} | jq -Ra .)
+
+                echo "Fetch Welcome Message last set by this Job from ConfigMap ${STATE_CONFIGMAP_NAME}"
+                echo "------------------------------------------------"
+                LAST_APPLIED_WELCOME_MESSAGE_ESCAPED=$(oc get configmap ${STATE_CONFIGMAP_NAME} -ojsonpath='{.data.last-applied}' -n "${MAS_CORE_NAMESPACE}")
+                rc=$?
+                LAST_APPLIED_WELCOME_MESSAGE_ESCAPED='"'${LAST_APPLIED_WELCOME_MESSAGE_ESCAPED}'"'
+
+                if [[ "$rc" != 0 ]]; then
+                    echo "ConfigMap ${STATE_CONFIGMAP_NAME} was not found, Job has never been run, so proceed ..."
+                elif [[ "${WELCOME_MESSAGE_ESCAPED}" != "${LAST_APPLIED_WELCOME_MESSAGE_ESCAPED}" ]]; then
+                    echo "Gitops configuration contains a different welcome message than that last applied by this Job, so proceed ... "
+                else
+                    echo "Gitops configuration and the welcome message last applied by this Job are the same, so abort ..."
+                    exit 0
+                fi
+                echo ""
+
+
+                echo "Setting MAS Welcome Message"
+                echo "---------------------------"
+
+
+                PAYLOAD_FILE="payload.json"
+                echo '{"message": '${WELCOME_MESSAGE_ESCAPED}'}' > ${PAYLOAD_FILE}
+
+                curl -X PUT "${WELCOME_MESSAGES_API_URL}" \
+                    -f \
+                    --cert "${CERT_FILE}" \
+                    --key "${KEY_FILE}" \
+                    --cacert "${CA_FILE}" \
+                    -H 'Content-Type: application/json' \
+                    -d @${PAYLOAD_FILE}
+
+                rc=$?
+
+                echo ""
+                echo "Result"
+                echo "---------------------------"
+
+                if [[ "$rc" == "0" ]]; then
+                    # establish the state configmap
+                    echo "Successfully set welcome message"
+                    echo ""
+
+
+                    echo "Updating ConfigMap ${STATE_CONFIGMAP_NAME}"
+                    echo "---------------------------"
+
+                    CONFIGMAP_YAML_FILE="configmap.yaml"
+
+                    echo '
+                        apiVersion: v1
+                        kind: ConfigMap
+                        metadata:
+                            name: '${STATE_CONFIGMAP_NAME}'
+                            namespace: '${MAS_CORE_NAMESPACE}'
+                        data:
+                            last-applied: '${WELCOME_MESSAGE_ESCAPED} > ${CONFIGMAP_YAML_FILE}
+
+                    oc apply -f ${CONFIGMAP_YAML_FILE}
+                    cm_rc=$?
+
+                    if [[ "${cm_rc}" != "0" ]]; then
+                        echo ""
+                        echo "Failed to update ConfigMap ${STATE_CONFIGMAP_NAME} (rc ${cm_rc})"
+                        echo "Failing Job execution; this needs to be rectified otherwise the Job may revert future changes"
+                        echo "made to the Welcome message by the customer via the MAS UI/API."
+                        exit $cm_rc
+                    fi
+
+                else
+                    echo "Failed with to set Welcome Message (rc $rc)"
+                fi
+
+                exit $rc
+
+{{- end }}
diff --git a/root-applications/ibm-mas-instance-root/templates/130-ibm-mas-suite-app.yaml b/root-applications/ibm-mas-instance-root/templates/130-ibm-mas-suite-app.yaml
@@ -135,6 +135,11 @@ spec:
             {{- if .Values.ibm_mas_suite.internal_certificate_authority }}
             internal_certificate_authority: "{{ .Values.ibm_mas_suite.internal_certificate_authority }}"
             {{- end }}
+
+            {{- if .Values.ibm_mas_suite.welcome_message }}
+            welcome_message: | 
+              {{ .Values.ibm_mas_suite.welcome_message | nindent 14 }}
+            {{- end }}
         - name: ARGOCD_APP_NAME
           value: suiteapp
         {{- if not (empty .Values.avp.secret) }}