From 7e6e64bebb61068d753293244b2771b275c82e56 Mon Sep 17 00:00:00 2001
From: Bhautik Vala <bhautikvala@ibm.com>
Date: Wed, 17 Dec 2025 12:42:44 +0530
Subject: [PATCH 1/4] [minor] Enable Manage AI Service Integration

---
 src/mas/devops/aiservice.py                   | 25 +++++++++++++++++++
 .../templates/pipelinerun-install.yml.j2      |  8 ++++++
 2 files changed, 33 insertions(+)

diff --git a/src/mas/devops/aiservice.py b/src/mas/devops/aiservice.py
index 3cd0dc40..cae30f87 100644
--- a/src/mas/devops/aiservice.py
+++ b/src/mas/devops/aiservice.py
@@ -44,6 +44,31 @@ def verifyAiServiceInstance(dynClient: DynamicClient, instanceId: str) -> bool:
         logger.error(f"Error: Unable to verify AI Service instance due to failed authorization: {e}")
         return False
 
+def listAiServiceTenantInstances(dynClient: DynamicClient) -> list:
+    """
+    Get a list of AI Service Tenant instances on the cluster
+    """
+    return listInstances(dynClient, "aiservice.ibm.com/v1", "AIServiceTenant")
+
+
+def verifyAiServiceTenantInstance(dynClient: DynamicClient, instanceId: str, tenantId: str) -> bool:
+    """
+    Validate that the chosen AI Service Tenant exists
+    """
+    try:
+        aiserviceTenantAPI = dynClient.resources.get(api_version="aiservice.ibm.com/v1", kind="AIServiceTenant")
+        aiserviceTenantAPI.get(name=f"aiservice-{instanceId}-{tenantId}", namespace=f"aiservice-{instanceId}")
+        return True
+    except NotFoundError:
+        print("NOT FOUND")
+        return False
+    except ResourceNotFoundError:
+        # The AIServiceApp CRD has not even been installed in the cluster
+        print("RESOURCE NOT FOUND")
+        return False
+    except UnauthorizedError as e:
+        logger.error(f"Error: Unable to verify AI Service Tenant due to failed authorization: {e}")
+        return False
 
 def getAiserviceChannel(dynClient: DynamicClient, instanceId: str) -> str:
     """
diff --git a/src/mas/devops/templates/pipelinerun-install.yml.j2 b/src/mas/devops/templates/pipelinerun-install.yml.j2
index 426773e5..196aa1fb 100644
--- a/src/mas/devops/templates/pipelinerun-install.yml.j2
+++ b/src/mas/devops/templates/pipelinerun-install.yml.j2
@@ -570,6 +570,14 @@ spec:
       value: "{{ mas_app_channel_manage }}"
     - name: mas_appws_components
       value: "{{ mas_appws_components }}"
+  {%- if manage_bind_aiservice_instance_id is defined and manage_bind_aiservice_instance_id != "" %}
+    - name: manage_bind_aiservice_instance_id
+      value: "{{ manage_bind_aiservice_instance_id }}"
+  {%- endif %}
+  {%- if manage_bind_aiservice_tenant_id is defined and manage_bind_aiservice_tenant_id != "" %}
+    - name: manage_bind_aiservice_tenant_id
+      value: "{{ manage_bind_aiservice_tenant_id }}"
+  {%- endif %}
   {%- if mas_appws_bindings_health_wsl_flag is defined and mas_appws_bindings_health_wsl_flag != "" %}
     - name: mas_appws_bindings_health_wsl_flag
       value: "{{ mas_appws_bindings_health_wsl_flag }}"

From 70f7da35a060e460f9035e55122fab715405568c Mon Sep 17 00:00:00 2001
From: Bhautik Vala <bhautikvala@ibm.com>
Date: Wed, 17 Dec 2025 21:45:42 +0530
Subject: [PATCH 2/4] [patch] Fix field not found in listInstances

---
 src/mas/devops/ocp.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/mas/devops/ocp.py b/src/mas/devops/ocp.py
index 4219c5cc..692e5ee7 100644
--- a/src/mas/devops/ocp.py
+++ b/src/mas/devops/ocp.py
@@ -252,7 +252,7 @@ def listInstances(dynClient: DynamicClient, apiVersion: str, kind: str) -> list:
     if len(instances) > 0:
         logger.info(f"There are {len(instances)} {kind} instances installed on this cluster:")
     for instance in instances:
-        logger.info(f" * {instance['metadata']['name']} v{instance['status']['versions']['reconciled']}")
+        logger.info(f" * {instance['metadata']['name']} v{instance.get('status', {}).get('versions', {}).get('reconciled', 'N/A')}")
     else:
         logger.info(f"There are no {kind} instances installed on this cluster")
     return instances

From dc8a80b8d1f6c3813102d1c071e28a28fab148ae Mon Sep 17 00:00:00 2001
From: Bhautik Vala <bhautikvala@ibm.com>
Date: Mon, 22 Dec 2025 10:56:25 +0530
Subject: [PATCH 3/4] [patch] Fix precommit

---
 src/mas/devops/aiservice.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/mas/devops/aiservice.py b/src/mas/devops/aiservice.py
index cae30f87..04104c96 100644
--- a/src/mas/devops/aiservice.py
+++ b/src/mas/devops/aiservice.py
@@ -44,6 +44,7 @@ def verifyAiServiceInstance(dynClient: DynamicClient, instanceId: str) -> bool:
         logger.error(f"Error: Unable to verify AI Service instance due to failed authorization: {e}")
         return False
 
+
 def listAiServiceTenantInstances(dynClient: DynamicClient) -> list:
     """
     Get a list of AI Service Tenant instances on the cluster
@@ -70,6 +71,7 @@ def verifyAiServiceTenantInstance(dynClient: DynamicClient, instanceId: str, ten
         logger.error(f"Error: Unable to verify AI Service Tenant due to failed authorization: {e}")
         return False
 
+
 def getAiserviceChannel(dynClient: DynamicClient, instanceId: str) -> str:
     """
     Get the AI Service channel from the subscription

From bf29c093a978ee541e8b72f5426e5f4cb61c6877 Mon Sep 17 00:00:00 2001
From: Bhautik Vala <bhautikvala@ibm.com>
Date: Mon, 22 Dec 2025 13:01:02 +0530
Subject: [PATCH 4/4] [patch] Modify manage encryption vars

---
 .../templates/pipelinerun-install.yml.j2      | 26 +++++++++----------
 .../templates/pipelinerun-upgrade.yml.j2      | 26 +++++++++----------
 2 files changed, 26 insertions(+), 26 deletions(-)

diff --git a/src/mas/devops/templates/pipelinerun-install.yml.j2 b/src/mas/devops/templates/pipelinerun-install.yml.j2
index cb04c62d..650eba43 100644
--- a/src/mas/devops/templates/pipelinerun-install.yml.j2
+++ b/src/mas/devops/templates/pipelinerun-install.yml.j2
@@ -660,19 +660,19 @@ spec:
       value: "{{ mas_app_settings_customization_archive_password }}"
     {%- endif %}
   {%- endif %}
-  {%- if mas_app_settings_crypto_key is defined and mas_app_settings_crypto_key != "" %}
-    - name: mas_app_settings_crypto_key
-      value: "{{ mas_app_settings_crypto_key }}"
-    - name: mas_app_settings_cryptox_key
-      value: "{{ mas_app_settings_cryptox_key }}"
-    - name: mas_app_settings_old_crypto_key
-      value: "{{ mas_app_settings_old_crypto_key }}"
-    - name: mas_app_settings_old_cryptox_key
-      value: "{{ mas_app_settings_old_cryptox_key }}"
-  {%- endif %}
-  {%- if mas_app_settings_override_encryption_secrets_flag is defined and mas_app_settings_override_encryption_secrets_flag != "" %}
-    - name: mas_app_settings_override_encryption_secrets_flag
-      value: "{{ mas_app_settings_override_encryption_secrets_flag }}"
+  {%- if mas_manage_encryptionsecret_crypto_key is defined and mas_manage_encryptionsecret_crypto_key != "" %}
+    - name: mas_manage_encryptionsecret_crypto_key
+      value: "{{ mas_manage_encryptionsecret_crypto_key }}"
+    - name: mas_manage_encryptionsecret_cryptox_key
+      value: "{{ mas_manage_encryptionsecret_cryptox_key }}"
+    - name: mas_manage_encryptionsecret_old_crypto_key
+      value: "{{ mas_manage_encryptionsecret_old_crypto_key }}"
+    - name: mas_manage_encryptionsecret_old_cryptox_key
+      value: "{{ mas_manage_encryptionsecret_old_cryptox_key }}"
+  {%- endif %}
+  {%- if mas_manage_ws_db_encryptionsecret is defined and mas_manage_ws_db_encryptionsecret != "" %}
+    - name: mas_manage_ws_db_encryptionsecret
+      value: "{{ mas_manage_ws_db_encryptionsecret }}"
   {%- endif %}
   {%- if mas_app_settings_default_jms is defined and mas_app_settings_default_jms != "" %}
     - name: mas_app_settings_default_jms
diff --git a/src/mas/devops/templates/pipelinerun-upgrade.yml.j2 b/src/mas/devops/templates/pipelinerun-upgrade.yml.j2
index 7aab35d2..47741f39 100644
--- a/src/mas/devops/templates/pipelinerun-upgrade.yml.j2
+++ b/src/mas/devops/templates/pipelinerun-upgrade.yml.j2
@@ -215,19 +215,19 @@ spec:
       value: "{{ mas_app_settings_customization_archive_password }}"
     {%- endif %}
   {%- endif %}
-  {%- if mas_app_settings_crypto_key is defined and mas_app_settings_crypto_key != "" %}
-    - name: mas_app_settings_crypto_key
-      value: "{{ mas_app_settings_crypto_key }}"
-    - name: mas_app_settings_cryptox_key
-      value: "{{ mas_app_settings_cryptox_key }}"
-    - name: mas_app_settings_old_crypto_key
-      value: "{{ mas_app_settings_old_crypto_key }}"
-    - name: mas_app_settings_old_cryptox_key
-      value: "{{ mas_app_settings_old_cryptox_key }}"
-  {%- endif %}
-  {%- if mas_app_settings_override_encryption_secrets_flag is defined and mas_app_settings_override_encryption_secrets_flag != "" %}
-    - name: mas_app_settings_override_encryption_secrets_flag
-      value: "{{ mas_app_settings_override_encryption_secrets_flag }}"
+  {%- if mas_manage_encryptionsecret_crypto_key is defined and mas_manage_encryptionsecret_crypto_key != "" %}
+    - name: mas_manage_encryptionsecret_crypto_key
+      value: "{{ mas_manage_encryptionsecret_crypto_key }}"
+    - name: mas_manage_encryptionsecret_cryptox_key
+      value: "{{ mas_manage_encryptionsecret_cryptox_key }}"
+    - name: mas_manage_encryptionsecret_old_crypto_key
+      value: "{{ mas_manage_encryptionsecret_old_crypto_key }}"
+    - name: mas_manage_encryptionsecret_old_cryptox_key
+      value: "{{ mas_manage_encryptionsecret_old_cryptox_key }}"
+  {%- endif %}
+  {%- if mas_manage_ws_db_encryptionsecret is defined and mas_manage_ws_db_encryptionsecret != "" %}
+    - name: mas_manage_ws_db_encryptionsecret
+      value: "{{ mas_manage_ws_db_encryptionsecret }}"
   {%- endif %}
   {%- if mas_app_settings_default_jms is defined and mas_app_settings_default_jms != "" %}
     - name: mas_app_settings_default_jms