Suite.spec.certManagerNamespace does not update when ibm-cert-manager is migrated to RH cert manager
MAS CLI version
latest
CLI function used
update
What happened?
This issue is submitted by IBM MAS support. As we have encountered a lot of issues on environments having two cert-managers and certificates not renewing when the environment had cert-managers migrated, we tried to test the migration of ibm-cert-manager to RH cert manager. Migration seems to be successful, as pods associated with ibm-cert-manager were all deleted in the ibm-common-services namespace. However, Suite.spec.certManagerNamespace did not update automatically from ibm-common-services to cert-manager even after doing a mas-upgrade to get to the latest MAS version. Should spec.certManagerNamespace be manually updated to cert-manager? This is always a point of confusion in customer issues.
Relevant log output
apiVersion: core.mas.ibm.com/v1
kind: Suite
metadata:
resourceVersion: '252540'
name: test
uid: bcfbb27b-719d-4394-b2a8-54b829a67c3a
creationTimestamp: '2025-06-21T19:47:00Z'
generation: 1
managedFields:
<snip>
manager: OpenAPI-Generator
operation: Update
subresource: status
time: '2025-06-21T20:53:00Z'
- apiVersion: core.mas.ibm.com/v1
fieldsType: FieldsV1
fieldsV1:
'f:status':
.: {}
'f:conditions': {}
manager: ansible-operator
operation: Update
subresource: status
time: '2025-06-21T20:59:11Z'
namespace: mas-test-core
finalizers:
- core.mas.ibm.com/finalizer
labels:
mas.ibm.com/instanceId: test
spec:
certManagerNamespace: ibm-common-services
domain: test.apps.o1-905148.cp.fyre.ibm.com
license:
accept: true
settings:
dataDictionary:
catalog: ibm-operator-catalog
icr:
cp: cp.icr.io/cp
cpopen: icr.io/cpopen
manualCertMgmt: false
status:
apis:
internal:
url: 'https://internalapi.mas-test-core.svc'
cert-manager:
external:
duration: 8760h0m0s
name: mas-test-core-public-issuer
renewBefore: 720h0m0s
internal:
duration: 175200h0m0s
name: mas-test-core-internal-issuer
renewBefore: 2160h0m0s
conditions:
- lastTransitionTime: '2025-06-21T20:50:30Z'
message: Controller updated primary entity manager to supported version (9.0.11)
reason: VersionUpdateCompleted
status: 'True'
type: ControllerHealth
- lastTransitionTime: '2025-06-21T20:51:01Z'
message: MAS is ready to use
reason: Ready
status: 'True'
type: Ready
- lastTransitionTime: '2025-06-21T19:53:32Z'
message: MongoDB configuration was successfully verified
reason: Ready
status: 'True'
type: SystemDatabaseReady
- lastTransitionTime: '2025-06-21T19:50:15Z'
message: CoreIDP truststore ready
reason: Ready
status: 'True'
type: IDPReady
- lastTransitionTime: '2025-06-21T20:35:16Z'
message: BasCfg reconciliation is complete
reason: Ready
status: 'True'
type: BASIntegrationReady
- lastTransitionTime: '2025-06-21T19:52:31Z'
message: MAS Licensing API endpoint check succeeded
reason: Ready
status: 'True'
type: SLSIntegrationReady
- lastTransitionTime: '2025-06-21T19:48:59Z'
message: MAS Routes ready
reason: Ready
status: 'True'
type: RoutesReady
- ansibleResult:
changed: 0
completion: '2025-06-21T20:59:11.42784+00:00'
failures: 0
ok: 216
skipped: 104
lastTransitionTime: '2025-06-21T19:50:04Z'
message: Awaiting next reconciliation
reason: Successful
status: 'True'
type: Running
- lastTransitionTime: '2025-06-21T20:59:11Z'
message: Last reconciliation succeeded
reason: Successful
status: 'True'
type: Successful
- lastTransitionTime: '2025-06-21T19:50:05Z'
message: ''
reason: ''
status: 'False'
type: Failure
domain: test.apps.o1-905148.cp.fyre.ibm.com
keys:
jwt: test-keys-jwt
ltpa: test-keys-ltpa
podTemplates: []
settings:
dataDictionary:
catalog: ibm-operator-catalog
channel: 1.1.x
podTemplates: []
strategy: Automatic
walkme: enabled
customUserDataModel:
emailTypes:
- id: work
value: Work
- id: home
value: Home
phoneTypes:
- id: work
value: Work
- id: mobile
value: Mobile
secrets:
certificates:
external:
- test-cert-public
images:
pullSecretName: ibm-entitlement
certManager:
certificates:
privateKey:
size: '2048'
manualCertMgmt: false
trustDefaultCAs: true
cors:
allowedOrigins: []
userDataValidation:
allowSpecialChars: false
userDataObfuscation:
obfuscateDataOnDeletion: false
sso:
idpSessionTimeout: 12h
refreshTokenTimeout: 12h
disableLtpaCookie: false
allowDefaultSsoCookieName: false
customLoginPage: 'https://auth.test.apps.o1-905148.cp.fyre.ibm.com/login'
accessTokenTimeout: 30m
idleTimeout: '1800'
seamlessLogin: false
useOnlyCustomCookieName: true
defaultIDP: local
allowCustomCacheKey: false
ssoCookieName: ltpatoken2_test
rhm:
secretName: ''
userDataPrivacyAccess: NO_ACCESS
images:
pullPolicy: IfNotPresent
registry: cp.icr.io/cp
icr:
cp: cp.icr.io/cp
cpopen: icr.io/cpopen
locale:
country: GB
language: en
versions:
controller: 9.0.11
generation: '1'
reconciled: 9.0.11
supported:
- 8.11.1
- 8.11.10
- 8.11.11
- 8.11.12
- 8.11.13
- 8.11.14
- 8.11.15
- 8.11.16
- 8.11.17
- 8.11.18
- 8.11.19
- 8.11.2
- 8.11.20
- 8.11.21
- 8.11.3
- 8.11.4
- 8.11.5
- 8.11.6
- 8.11.7
- 8.11.8
- 8.11.9
- 9.0.0
- 9.0.1
- 9.0.10
- 9.0.11
- 9.0.2
- 9.0.3
- 9.0.5
- 9.0.6
- 9.0.7
- 9.0.8
- 9.0.9
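
A way to spot the drift reported above across a cluster, as an added example that is not part of the original issue or of the MAS CLI: it flags every Suite whose spec.certManagerNamespace names a namespace with no running cert-manager pod. The input dicts are constructed samples shaped like `oc get ... -o json` list output, and matching pods by the substring "cert-manager" in their name is an assumption.

```python
# Constructed sample data; with real output, load it via json.loads() instead.
SUITES = {"items": [
    {"metadata": {"name": "test", "namespace": "mas-test-core"},
     "spec": {"certManagerNamespace": "ibm-common-services"}},
    {"metadata": {"name": "dev", "namespace": "mas-dev-core"},
     "spec": {"certManagerNamespace": "cert-manager"}},
]}
PODS = {"items": [
    {"metadata": {"name": "cert-manager-7c9f5d-abcde", "namespace": "cert-manager"},
     "status": {"phase": "Running"}},
    {"metadata": {"name": "cert-manager-webhook-5b8d-fghij", "namespace": "cert-manager"},
     "status": {"phase": "Running"}},
    # Unrelated pod left in the old namespace after the migration.
    {"metadata": {"name": "some-other-operator-xyz12", "namespace": "ibm-common-services"},
     "status": {"phase": "Running"}},
]}


def cert_manager_namespaces(pod_list, marker="cert-manager"):
    """Namespaces with at least one Running pod whose name contains marker.

    The name-substring match is an assumption; adjust it to the pod names
    your cert-manager distribution actually uses.
    """
    found = set()
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        running = pod.get("status", {}).get("phase") == "Running"
        if running and marker in meta.get("name", ""):
            found.add(meta.get("namespace"))
    return found


def stale_suites(suite_list, pod_list):
    """Suites whose certManagerNamespace has no running cert-manager pod."""
    live = cert_manager_namespaces(pod_list)
    findings = []
    for suite in suite_list.get("items", []):
        meta = suite.get("metadata", {})
        referenced = suite.get("spec", {}).get("certManagerNamespace")
        if referenced not in live:
            findings.append({
                "suite": f"{meta.get('namespace')}/{meta.get('name')}",
                "referenced": referenced,
                "running_in": sorted(live),
            })
    return findings


if __name__ == "__main__":
    for finding in stale_suites(SUITES, PODS):
        print(finding)
```

A finding only reports the mismatch; whether the field should then be edited by hand is the open question of this issue.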