
Helm Charts Reference

This page consolidates all Helm chart documentation into a single searchable reference. Use your browser's search function (Ctrl+F or Cmd+F) to quickly find specific charts, configuration options, or resources.

For a visual overview of how these charts relate to each other, see The Source Repository.


Cluster Applications

EFS CSI Driver

Helm chart link: 000-efs-csi-driver

Installs the AWS EFS CSI Driver operator to enable EFS-backed persistent volumes in OpenShift.

Configuration
Values
# EFS CSI Driver operator configuration
efs_csi_driver:
  # Operator catalog source
  # Default: redhat-operators
  catalog_source: redhat-operators

  # Catalog source namespace
  # Default: openshift-marketplace
  catalog_source_namespace: openshift-marketplace

  # Subscription channel
  # Default: stable
  channel: stable

  # Subscription source namespace
  # Default: openshift-cluster-csi-drivers
  subscription_source_namespace: openshift-cluster-csi-drivers

  # IAM role ARN for EFS CSI driver (required for AWS)
  # Example: arn:aws:iam::123456789012:role/efs-csi-driver-role
  role_arn: ""

  # Storage class name (optional)
  # If not specified, uses default storage class naming
  storage_class_name: ""

# Custom storage class definitions (optional)
# Define multiple storage classes with different EFS configurations
storage_class_definitions: {}
  # Example:
  # efs-general:
  #   provisioner: efs.csi.aws.com
  #   parameters:
  #     provisioningMode: efs-ap
  #     fileSystemId: fs-12345678
  #     directoryPerms: "700"
  #   reclaimPolicy: Delete
  #   volumeBindingMode: Immediate

Base Cluster Values

This chart inherits common cluster configuration values. The most frequently used base values are:

account:
  id: string                    # AWS account identifier

region:
  id: string                    # AWS region identifier

cluster:
  id: string                    # Unique cluster identifier
  url: string                   # OpenShift cluster API URL
  nonshared: boolean            # Whether cluster is dedicated (true) or shared (false)

sm:                             # Secrets Manager configuration
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base cluster values including optional fields like notifications, custom_labels, devops, and cli_image_repo, see the Cluster Base Values Reference.

Usage Examples

Basic configuration with IAM role:

efs_csi_driver:
  role_arn: "arn:aws:iam::123456789012:role/efs-csi-driver-role"

With custom storage class name:

efs_csi_driver:
  role_arn: "arn:aws:iam::123456789012:role/efs-csi-driver-role"
  storage_class_name: efs-rwx

With multiple custom storage classes:

efs_csi_driver:
  role_arn: "arn:aws:iam::123456789012:role/efs-csi-driver-role"

storage_class_definitions:
  efs-general:
    provisioner: efs.csi.aws.com
    parameters:
      provisioningMode: efs-ap
      fileSystemId: fs-abcd1234
      directoryPerms: "755"
    reclaimPolicy: Delete
    volumeBindingMode: Immediate

  efs-retain:
    provisioner: efs.csi.aws.com
    parameters:
      provisioningMode: efs-ap
      fileSystemId: fs-abcd1234
      directoryPerms: "700"
    reclaimPolicy: Retain
    volumeBindingMode: Immediate

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| ServiceAccount | presync-cleanup-operatorgroup | openshift-cluster-csi-drivers | PreSync Hook | cluster_admin_role |
| Role | presync-cleanup-operatorgroup | openshift-cluster-csi-drivers | PreSync Hook | cluster_admin_role |
| RoleBinding | presync-cleanup-operatorgroup | openshift-cluster-csi-drivers | PreSync Hook | cluster_admin_role |
| NetworkPolicy | presync-cleanup-operatorgroup | openshift-cluster-csi-drivers | PreSync Hook | cluster_admin_role |
| Job | presync-cleanup-operatorgroup | openshift-cluster-csi-drivers | PreSync Hook | cluster_admin_role |
| OperatorGroup | openshift-cluster-csi-drivers | openshift-cluster-csi-drivers | Always | cluster_admin_role |
| Secret | aws-efs-cloud-credentials | openshift-cluster-csi-drivers | Always | cluster_admin_role |
| Subscription | aws-efs-csi-driver-operator | openshift-cluster-csi-drivers | Always | cluster_admin_role |
| ClusterCSIDriver | efs.csi.aws.com | N/A (cluster-scoped) | Always | cluster_admin_role |
| StorageClass | Custom EFS storage classes | N/A (cluster-scoped) | When storage_class_definitions provided | cluster_admin_role |

IBM Operator Catalog

Helm chart link: 000-ibm-operator-catalog

Configuration
Values
ibm_operator_catalog:
  # MAS Operator Catalog version
  # Specifies which version of the IBM Maximo Application Suite operator catalog to use
  # Example: v8-230414-amd64, v9-260326-amd64
  # Default: v8-230414-amd64
  mas_catalog_version: v9-260326-amd64

  # MAS Operator Catalog image
  # Container image location for the operator catalog
  # Default: icr.io/cpopen/ibm-maximo-operator-catalog
  mas_catalog_image: icr.io/cpopen/ibm-maximo-operator-catalog

  # IBM Entitlement Key (required)
  # Your IBM entitlement key for accessing IBM container images
  # Can be obtained from https://myibm.ibm.com/products-services/containerlibrary
  ibm_entitlement_key: ""

Base Cluster Values

This chart inherits common cluster configuration values. The most frequently used base values are:

account:
  id: string                    # AWS account identifier

region:
  id: string                    # AWS region identifier

cluster:
  id: string                    # Unique cluster identifier
  url: string                   # OpenShift cluster API URL
  nonshared: boolean            # Whether cluster is dedicated (true) or shared (false)

sm:                             # Secrets Manager configuration
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base cluster values including optional fields like notifications, custom_labels, devops, and cli_image_repo, see the Cluster Base Values Reference.

Usage Examples

Basic configuration with entitlement key:

ibm_operator_catalog:
  mas_catalog_version: v9-260326-amd64
  mas_catalog_image: icr.io/cpopen/ibm-maximo-operator-catalog
  ibm_entitlement_key: "your-entitlement-key-here"

Using a specific catalog version:

ibm_operator_catalog:
  mas_catalog_version: v8-230414-amd64
  mas_catalog_image: icr.io/cpopen/ibm-maximo-operator-catalog
  ibm_entitlement_key: "your-entitlement-key-here"

With custom catalog image registry:

ibm_operator_catalog:
  mas_catalog_version: v9-260326-amd64
  mas_catalog_image: my-registry.example.com/ibm-maximo-operator-catalog
  ibm_entitlement_key: "your-entitlement-key-here"

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| ServiceAccount | default | openshift-marketplace | Always | cluster_admin_role |
| Secret | ibm-entitlement | openshift-marketplace | Always | cluster_admin_role |
| CatalogSource | ibm-operator-catalog | openshift-marketplace | Always | cluster_admin_role |

Image Mirroring

Helm chart link: 000-image-mirroring

Establishes resources necessary to support image mirroring via an ImageDigestMirrorSet:

  • ecr-token-rotator CronJob that rotates the ECR login token and injects it into the global pull-secret.
  • mas-ecr ImageDigestMirrorSet that redirects all image pulls from icr.io and cp.icr.io to ECR.

Configuration
Values
image_mirroring:
  # AWS ECR host (required for ECR mirroring)
  # The ECR registry hostname where images are mirrored
  # Example: 123456789012.dkr.ecr.us-east-1.amazonaws.com
  ecr_host: ""

  # Repository path prefix (optional)
  # Prefix to prepend to repository paths in the mirror registry
  # Example: "mas-images" or "250731"
  repo_path_prefix: ""

  # AWS Access Key ID (required for ECR authentication)
  # IAM user credentials with ECR read permissions
  # Required IAM policy actions:
  #   - ecr:GetAuthorizationToken
  #   - ecr:BatchGetImage
  #   - ecr:GetDownloadUrlForLayer
  aws_access_key_id: ""

  # AWS Secret Access Key (required for ECR authentication)
  # Corresponding secret for the AWS access key
  aws_secret_access_key: ""

  # Additional image digest sources (optional)
  # List of additional registries to include in ImageDigestMirrorSet
  # Example: ["somehost.com/repo", "another-registry.com/images"]
  additional_image_digest_sources: []

  # Additional image tag sources (optional)
  # List of registries to include in ImageTagMirrorSet for development/testing
  # Creates a separate ImageTagMirrorSet resource when specified
  # Example: ["dev-registry.com/repo"]
  additional_image_tag_sources: []

Base Cluster Values

This chart inherits common cluster configuration values. The most frequently used base values are:

account:
  id: string                    # AWS account identifier

region:
  id: string                    # AWS region identifier

cluster:
  id: string                    # Unique cluster identifier
  url: string                   # OpenShift cluster API URL
  nonshared: boolean            # Whether cluster is dedicated (true) or shared (false)

sm:                             # Secrets Manager configuration
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base cluster values including optional fields like notifications, custom_labels, devops, and cli_image_repo, see the Cluster Base Values Reference.

Usage Examples

Basic ECR mirroring configuration:

image_mirroring:
  ecr_host: "123456789012.dkr.ecr.us-east-1.amazonaws.com"
  repo_path_prefix: "mas-images"
  aws_access_key_id: "AKIAIOSFODNN7EXAMPLE"
  aws_secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

With additional digest sources:

image_mirroring:
  ecr_host: "123456789012.dkr.ecr.us-east-1.amazonaws.com"
  repo_path_prefix: "250731"
  aws_access_key_id: "AKIAIOSFODNN7EXAMPLE"
  aws_secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  additional_image_digest_sources:
    - "backup-registry.example.com/mas"
    - "secondary-ecr.dkr.ecr.us-west-2.amazonaws.com"

Development environment with tag-based mirroring:

image_mirroring:
  ecr_host: "123456789012.dkr.ecr.us-east-1.amazonaws.com"
  repo_path_prefix: "dev"
  aws_access_key_id: "AKIAIOSFODNN7EXAMPLE"
  aws_secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  additional_image_tag_sources:
    - "dev-registry.example.com/mas-dev"

Required IAM Policy

The AWS credentials must have the following IAM policy attached:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECRAccess",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Resource": "*"
    }
  ]
}
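
The policy above grants all three actions on "Resource": "*". ecr:GetAuthorizationToken has no resource-level permissions and needs that wildcard, but the two pull actions can be limited to repository ARNs. The following added example (not part of the chart or its tooling) flags the scopable actions and rewrites the policy; it assumes the mirrored repositories live under repo_path_prefix on a registry in the commercial aws partition, and the function names are hypothetical.

```python
import copy
import re

# ecr:GetAuthorizationToken has no resource-level permissions, so it stays on "*".
ACCOUNT_LEVEL_ACTIONS = {"ecr:GetAuthorizationToken"}

# Private registry host in the commercial partition, e.g. the page's ecr_host example.
ECR_HOST_RE = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$"
)

# The policy exactly as given on this page.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ECRAccess",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer",
            ],
            "Resource": "*",
        }
    ],
}


def as_list(value):
    """IAM accepts a bare string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def repository_arn(ecr_host, repo_path_prefix=""):
    """Build the repository ARN pattern covering everything under the prefix.

    Assumption: mirrored repositories are named "<repo_path_prefix>/<path>".
    """
    m = ECR_HOST_RE.match(ecr_host)
    if m is None:
        raise ValueError(f"not a private ECR registry host: {ecr_host!r}")
    prefix = repo_path_prefix.strip("/")
    path = f"{prefix}/*" if prefix else "*"
    return f"arn:aws:ecr:{m['region']}:{m['account']}:repository/{path}"


def is_wildcard_allow(stmt):
    """True for an Allow statement whose only resource is "*"."""
    return stmt.get("Effect") == "Allow" and as_list(stmt.get("Resource")) == ["*"]


def wildcard_findings(policy):
    """Actions allowed on "*" that could be limited to repository ARNs."""
    findings = set()
    for stmt in as_list(policy.get("Statement")):
        if is_wildcard_allow(stmt):
            findings.update(
                a for a in as_list(stmt.get("Action")) if a not in ACCOUNT_LEVEL_ACTIONS
            )
    return sorted(findings)


def scope_policy(policy, ecr_host, repo_path_prefix=""):
    """Return a new policy with each wildcard Allow split into token and pull parts."""
    arn = repository_arn(ecr_host, repo_path_prefix)
    statements = []
    for stmt in as_list(policy.get("Statement")):
        actions = as_list(stmt.get("Action"))
        scoped = [a for a in actions if a not in ACCOUNT_LEVEL_ACTIONS]
        if not is_wildcard_allow(stmt) or not scoped:
            statements.append(copy.deepcopy(stmt))  # nothing to narrow here
            continue
        account = [a for a in actions if a in ACCOUNT_LEVEL_ACTIONS]
        sid = stmt.get("Sid", "Stmt")
        if account:
            statements.append(
                {"Sid": sid + "Token", "Effect": "Allow", "Action": account, "Resource": "*"}
            )
        statements.append(
            {"Sid": sid + "Pull", "Effect": "Allow", "Action": scoped, "Resource": arn}
        )
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": statements}


if __name__ == "__main__":
    import json

    host = "123456789012.dkr.ecr.us-east-1.amazonaws.com"  # example value from this page
    print("scopable on '*':", wildcard_findings(PAGE_POLICY))
    print(json.dumps(scope_policy(PAGE_POLICY, host, "mas-images"), indent=2))
```
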

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| Secret | aws | default | Always | cluster_admin_role |
| ImageDigestMirrorSet | mas-ecr | N/A (cluster-scoped) | Always | cluster_admin_role |
| ImageTagMirrorSet | mas-ecr-dev | N/A (cluster-scoped) | When additional_image_tag_sources is set | cluster_admin_role |
| Role | ecr-token-updater-role | default | When ecr_host is set | cluster_admin_role |
| ServiceAccount | ecr-token-updater-sa | default | When ecr_host is set | cluster_admin_role |
| RoleBinding | ecr-token-updater-rolebinding | default | When ecr_host is set | cluster_admin_role |
| CronJob | ecr-token-updater | default | When ecr_host is set | cluster_admin_role |
| Job | ECR token updater sync hook jobs | default | Hook jobs associated with image mirroring | cluster_admin_role |

Job Cleaner

Helm chart link: 000-job-cleaner

Deploys the mas-saas-job-cleaner-cron CronJob, responsible for cleaning up orphaned Job resources in the cluster. It works by grouping Jobs in the cluster according to the mas.ibm.com/job-cleanup-group label, then deleting all Jobs from each group except for the one with the latest creationTimestamp.

For safety, the CronJob is assigned a ServiceAccount that can only list and delete Job resources (so it can never delete any other type of resource). Furthermore, the logic ensures that only Job resources with the mas.ibm.com/job-cleanup-group label can be deleted.

The mas-devops-saas-job-cleaner command executed by this CronJob is defined in python-devops.

In MAS SaaS, Job resources are routinely orphaned (i.e. marked for deletion by ArgoCD): when an update is required to an immutable Job field (e.g. its image tag), a new version of the Job resource must be created with a different name. When auto_delete: false is set, ArgoCD will (by design) not perform this cleanup for us. Over time, Job resources accumulate and put pressure on the Kubernetes API server.
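
The selection rule described above (group by label, keep only the newest Job per group, never touch unlabelled Jobs) can be sketched as follows. This is an added example, not the mas-devops-saas-job-cleaner code from python-devops; the sample Jobs are constructed, and scoping each group to its namespace is an assumption of this sketch.

```python
from collections import defaultdict
from datetime import datetime, timezone

CLEANUP_LABEL = "mas.ibm.com/job-cleanup-group"


def make_job(namespace, name, created, group=None):
    """Build a minimal Job dict (constructed sample data, not real cluster output)."""
    labels = {CLEANUP_LABEL: group} if group is not None else {}
    return {
        "metadata": {
            "namespace": namespace,
            "name": name,
            "creationTimestamp": created,
            "labels": labels,
        }
    }


# Constructed sample input; namespaces, names and timestamps are made up.
SAMPLE_JOBS = [
    make_job("mas-inst1-core", "sync-job-v1", "2024-01-01T00:00:00Z", "sync"),
    make_job("mas-inst1-core", "sync-job-v2", "2024-02-01T00:00:00Z", "sync"),
    make_job("mas-inst1-core", "sync-job-v3", "2024-03-01T00:00:00Z", "sync"),
    make_job("mas-inst1-core", "db2-setup-a", "2024-02-10T00:00:00Z", "db2-setup"),
    make_job("mas-inst1-core", "db2-setup-b", "2024-02-11T00:00:00Z", "db2-setup"),
    make_job("mas-inst1-core", "adhoc-backup", "2023-06-01T00:00:00Z"),  # no label
    make_job("mas-inst2-core", "sync-job-v1", "2024-01-15T00:00:00Z", "sync"),
    make_job("mas-inst2-core", "tie-a", "2024-04-01T12:00:00Z", "tie"),
    make_job("mas-inst2-core", "tie-b", "2024-04-01T12:00:00Z", "tie"),
]


def created_at(job):
    """Parse the RFC 3339 UTC timestamp Kubernetes stores in creationTimestamp."""
    ts = job["metadata"]["creationTimestamp"]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def select_jobs_to_delete(jobs):
    """Return sorted (namespace, name) pairs for Jobs that are not the newest in their group."""
    groups = defaultdict(list)
    for job in jobs:
        meta = job["metadata"]
        group = (meta.get("labels") or {}).get(CLEANUP_LABEL)
        if not group:
            # Missing label or empty value: never a deletion candidate.
            continue
        # Assumption of this sketch: a group is scoped to its namespace.
        groups[(meta["namespace"], group)].append(job)

    to_delete = []
    for members in groups.values():
        # Newest first; the name breaks timestamp ties so the choice is deterministic.
        members.sort(key=lambda j: (created_at(j), j["metadata"]["name"]), reverse=True)
        for job in members[1:]:
            to_delete.append((job["metadata"]["namespace"], job["metadata"]["name"]))
    return sorted(to_delete)


if __name__ == "__main__":
    # Dry run: print what would be removed instead of calling the API.
    for namespace, name in select_jobs_to_delete(SAMPLE_JOBS):
        print(f"would delete job/{name} in namespace {namespace}")
```
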

Configuration
Values

This chart has no configurable values. It deploys with default settings that work for all MAS SaaS environments.

The CronJob runs on a schedule and automatically cleans up orphaned Job resources that have the mas.ibm.com/job-cleanup-group label.

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| ClusterRole | mas-saas-job-cleaner-role | N/A (cluster-scoped) | Always | cluster_admin_role |
| ServiceAccount | mas-saas-job-cleaner-sa | job-cleaner | Always | cluster_admin_role |
| ClusterRoleBinding | mas-saas-job-cleaner-rolebinding | N/A (cluster-scoped) | Always | cluster_admin_role |
| CronJob | mas-saas-job-cleaner-cron | job-cleaner | Always | cluster_admin_role |

Red Hat Cert Manager

Helm chart link: 010-redhat-cert-manager

Configuration
Values
redhat_cert_manager:
  # Enable sync hooks for post-deployment tasks
  # When true, creates Jobs to update AWS Secrets Manager with cluster information
  # Default: true
  run_sync_hooks: true

  # Subscription channel for the cert-manager operator
  # Default: stable-v1
  channel: stable-v1

  # Install plan approval strategy
  # Options: "Automatic" or "Manual"
  # Default: Automatic
  redhat_cert_manager_install_plan: Automatic

Base Cluster Values

This chart inherits common cluster configuration values. The most frequently used base values are:

account:
  id: string                    # AWS account identifier

region:
  id: string                    # AWS region identifier

cluster:
  id: string                    # Unique cluster identifier
  url: string                   # OpenShift cluster API URL
  nonshared: boolean            # Whether cluster is dedicated (true) or shared (false)

sm:                             # Secrets Manager configuration
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base cluster values including optional fields like notifications, custom_labels, devops, and cli_image_repo, see the Cluster Base Values Reference.

Usage Examples

Basic configuration with automatic updates:

redhat_cert_manager:
  run_sync_hooks: true
  channel: stable-v1
  redhat_cert_manager_install_plan: Automatic

Manual approval for updates:

redhat_cert_manager:
  run_sync_hooks: true
  channel: stable-v1
  redhat_cert_manager_install_plan: Manual

Disable sync hooks:

redhat_cert_manager:
  run_sync_hooks: false
  channel: stable-v1
  redhat_cert_manager_install_plan: Automatic

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| OperatorGroup | operatorgroup | cert-manager-operator | Always | cluster_admin_role |
| Subscription | openshift-cert-manager-operator | cert-manager-operator | Always | cluster_admin_role |
| ClusterRole | cert-manager operator cluster roles | N/A (cluster-scoped) | Always | cluster_admin_role |
| ClusterRoleBinding | cert-manager operator cluster role bindings | N/A (cluster-scoped) | Always | cluster_admin_role |
| Secret | cert-manager related secrets | cert-manager and default | Always and hook-driven as applicable | cluster_admin_role |
| ServiceAccount | cert-manager hook service accounts | default | When run_sync_hooks is true | cluster_admin_role |
| Job | postsync-rhcm-update-sm-job-* | default | When run_sync_hooks is true | cluster_admin_role |

Note: The PostSync Job updates AWS Secrets Manager with cluster information for use by other charts.


IBM CIS Cert Manager

Helm chart link: 020-ibm-cis-cert-manager

Configuration
Values
ibm_cis_cert_manager:
  # DNS provider for certificate management
  # Options: "cis" (IBM Cloud Internet Services) or other DNS providers
  # When set to "cis", deploys IBM CIS webhook for cert-manager
  dns_provider: ""

  # OpenShift cluster domain (required when dns_provider is "cis")
  # The base domain of your OpenShift cluster
  # Example: apps.cluster-name.example.com
  ocp_cluster_domain: ""

  # IBM Cloud API key (required when dns_provider is "cis")
  # API key with permissions to manage DNS records in IBM CIS
  cis_apikey: ""

  # Public cluster domain (optional)
  # External domain for public-facing routes
  # Example: public.example.com
  ocp_public_cluster_domain: ""

  # Enable ingress controller configuration (optional)
  # When true, creates a public IngressController
  # Default: false
  ingress: false

Base Cluster Values

This chart inherits common cluster configuration values. The most frequently used base values are:

account:
  id: string                    # AWS account identifier

region:
  id: string                    # AWS region identifier

cluster:
  id: string                    # Unique cluster identifier
  url: string                   # OpenShift cluster API URL
  nonshared: boolean            # Whether cluster is dedicated (true) or shared (false)

sm:                             # Secrets Manager configuration
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base cluster values including optional fields like notifications, custom_labels, devops, and cli_image_repo, see the Cluster Base Values Reference.

Usage Examples

Basic IBM CIS configuration:

ibm_cis_cert_manager:
  dns_provider: "cis"
  ocp_cluster_domain: "apps.prod-cluster.example.com"
  cis_apikey: "your-ibm-cloud-api-key"

With public domain and ingress:

ibm_cis_cert_manager:
  dns_provider: "cis"
  ocp_cluster_domain: "apps.prod-cluster.example.com"
  ocp_public_cluster_domain: "public.example.com"
  cis_apikey: "your-ibm-cloud-api-key"
  ingress: true

Non-CIS DNS provider:

ibm_cis_cert_manager:
  dns_provider: "route53"
  # CIS-specific resources will not be created

Prerequisites

When using IBM CIS as the DNS provider:

  1. IBM Cloud Account with CIS service provisioned
  2. API Key with the following permissions:
       • DNS Records: Read, Write
       • DNS Zones: Read
  3. Domain configured in IBM CIS
  4. cert-manager operator installed (via redhat-cert-manager chart)

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| ConfigMap | placeholder | default | Always | cluster_admin_role |
| ServiceAccount | cert-manager-webhook-ibm-cis | cert-manager | When dns_provider is "cis" | cluster_admin_role |
| Role | cert-manager-webhook-ibm-cis | cert-manager | When dns_provider is "cis" | cluster_admin_role |
| RoleBinding | cert-manager-webhook-ibm-cis | cert-manager | When dns_provider is "cis" | cluster_admin_role |
| RoleBinding | cert-manager-webhook-ibm-cis:webhook-authentication-reader | kube-system | When dns_provider is "cis" | cluster_admin_role |
| RoleBinding | system:openshift:scc:anyuid | cert-manager | When dns_provider is "cis" | cluster_admin_role |
| ClusterRole | cert-manager-webhook-ibm-cis:domain-solver | N/A (cluster-scoped) | When dns_provider is "cis" | cluster_admin_role |
| ClusterRoleBinding | cert-manager-webhook-ibm-cis:domain-solver | N/A (cluster-scoped) | When dns_provider is "cis" | cluster_admin_role |
| ClusterRoleBinding | cert-manager-webhook-ibm-cis:auth-delegator | N/A (cluster-scoped) | When dns_provider is "cis" | cluster_admin_role |
| Issuer | cert-manager-webhook-ibm-cis-self-signed-issuer | cert-manager | When dns_provider is "cis" | cluster_admin_role |
| Certificate | cert-manager-webhook-ibm-cis-root-ca-certificate | cert-manager | When dns_provider is "cis" | cluster_admin_role |
| Issuer | cert-manager-webhook-ibm-cis-root-ca-issuer | cert-manager | When dns_provider is "cis" | cluster_admin_role |
| Certificate | cert-manager-webhook-ibm-cis-serving-cert | cert-manager | When dns_provider is "cis" | cluster_admin_role |
| Deployment | cert-manager-webhook-ibm-cis | cert-manager | When dns_provider is "cis" | cluster_admin_role |
| APIService | v1alpha1.acme.cis.ibm.com | N/A (cluster-scoped) | When dns_provider is "cis" | cluster_admin_role |
| Service | cert-manager-webhook-ibm-cis | cert-manager | When dns_provider is "cis" | cluster_admin_role |
| Secret | cis-api-key | cert-manager | When dns_provider is "cis" | cluster_admin_role |
| Route | cis-proxy-route | cert-manager | When dns_provider is "cis" | cluster_admin_role |
| IngressController | public | openshift-ingress-operator | When dns_provider is "cis" and ingress is true | cluster_admin_role |

IBM DRO

Helm chart link: 030-ibm-dro

Setting dro_cmm_setup to true configures connectivity to CMM, an internal IBM tool; this is not required outside of IBM.

Configuration
Values
ibm_dro:
  # DRO namespace
  # Namespace where DRO operators will be installed
  # Default: ibm-software-central
  dro_namespace: "ibm-software-central"

  # IBM Entitlement Key (required)
  # Your IBM entitlement key for accessing IBM container images
  ibm_entitlement_key: ""

  # Enable sync hooks for post-deployment tasks
  # When true, creates Jobs to update AWS Secrets Manager
  # Default: true
  run_sync_hooks: true

  # CMM setup (IBM internal only)
  # Enable connectivity to CMM (Centralized Metering and Monitoring)
  # Set to false for non-IBM deployments
  # Default: false
  dro_cmm_setup: false

  # DRO operator install plan approval
  # Options: "Automatic" or "Manual"
  # Default: Automatic
  dro_install_plan: Automatic

  # IBM Metrics Operator install plan approval
  # Options: "Automatic" or "Manual"
  # Default: Automatic
  imo_install_plan: Automatic

  # Public domain configuration (optional)
  # Required for exposing DRO publicly with custom domain
  dro_public_domain: ""

  # TLS certificate for public domain (optional, base64 encoded)
  # Required when dro_public_domain is set
  tls_certificate: ""

  # TLS private key for public domain (optional, base64 encoded)
  # Required when dro_public_domain is set
  tls_key: ""

  # IBM CIS CRN (optional)
  # Cloud Internet Services CRN for DNS management
  # Required when dro_public_domain is set
  cis_crn: ""

  # CMM configuration (IBM internal only, optional)
  # Only used when dro_cmm_setup is true
  dro_cmm:
    # CMM authentication API key
    auth_apikey: ""

    # CMM authentication URL
    auth_url: ""

    # CMM service URL
    cmm_url: ""

Base Cluster Values

This chart inherits common cluster configuration values. The most frequently used base values are:

account:
  id: string                    # AWS account identifier

region:
  id: string                    # AWS region identifier

cluster:
  id: string                    # Unique cluster identifier
  url: string                   # OpenShift cluster API URL
  nonshared: boolean            # Whether cluster is dedicated (true) or shared (false)

sm:                             # Secrets Manager configuration
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base cluster values including optional fields like notifications, custom_labels, devops, and cli_image_repo, see the Cluster Base Values Reference.

Usage Examples

Basic DRO installation:

ibm_dro:
  dro_namespace: "ibm-software-central"
  ibm_entitlement_key: "your-entitlement-key"
  run_sync_hooks: true
  dro_cmm_setup: false
  dro_install_plan: Automatic
  imo_install_plan: Automatic

With public domain and TLS:

ibm_dro:
  dro_namespace: "ibm-software-central"
  ibm_entitlement_key: "your-entitlement-key"
  run_sync_hooks: true
  dro_cmm_setup: false
  dro_install_plan: Automatic
  imo_install_plan: Automatic
  dro_public_domain: "dro.example.com"
  tls_certificate: "LS0tLS1CRUdJTi..." # base64 encoded cert
  tls_key: "LS0tLS1CRUdJTi..." # base64 encoded key
  cis_crn: "crn:v1:bluemix:public:internet-svcs:..."

With manual install plan approval:

ibm_dro:
  dro_namespace: "ibm-software-central"
  ibm_entitlement_key: "your-entitlement-key"
  run_sync_hooks: true
  dro_cmm_setup: false
  dro_install_plan: Manual
  imo_install_plan: Manual

IBM internal with CMM (IBM only):

ibm_dro:
  dro_namespace: "ibm-software-central"
  ibm_entitlement_key: "your-entitlement-key"
  run_sync_hooks: true
  dro_cmm_setup: true
  dro_install_plan: Automatic
  imo_install_plan: Automatic
  dro_cmm:
    auth_apikey: "cmm-api-key"
    auth_url: "https://cmm-auth.example.com"
    cmm_url: "https://cmm.example.com"

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| OperatorGroup | ibm-mas-operator-group | ibm-software-central | When cluster_admin_role is true | cluster_admin_role |
| Secret | redhat-marketplace-pull-secret | ibm-software-central | When application_admin_role is true | application_admin_role |
| Subscription | ibm-metrics-operator | ibm-software-central | When cluster_admin_role is true | cluster_admin_role |
| Subscription | ibm-data-reporter-operator | ibm-software-central | When cluster_admin_role is true | cluster_admin_role |
| MarketplaceConfig | marketplaceconfig | ibm-software-central | When application_admin_role is true | application_admin_role |
| ClusterRole | DRO cluster roles | N/A (cluster-scoped) | When cluster_admin_role is true | cluster_admin_role |
| ClusterRoleBinding | metric-state-view-binding | N/A (cluster-scoped) | When cluster_admin_role is true | cluster_admin_role |
| ClusterRoleBinding | reporter-cluster-monitoring-binding | N/A (cluster-scoped) | When cluster_admin_role is true | cluster_admin_role |
| ClusterRoleBinding | manager-cluster-monitoring-binding | N/A (cluster-scoped) | When cluster_admin_role is true | cluster_admin_role |
| Certificate | DRO certificate resources | ibm-software-central | When cluster_admin_role is true | cluster_admin_role |
| ClusterIssuer | DRO cluster issuer resources | N/A (cluster-scoped) | When cluster_admin_role is true | cluster_admin_role |
| Secret | ibm-data-reporter-operator-api-token | ibm-software-central | When application_admin_role is true | application_admin_role |
| Secret | aws | ibm-software-central | When application_admin_role and run_sync_hooks are true | application_admin_role |
| ServiceAccount | postsync-ibm-dro-update-sm-sa | ibm-software-central | When application_admin_role and run_sync_hooks are true | application_admin_role |
| Role | postsync-ibm-dro-update-sm-r | ibm-software-central | When application_admin_role and run_sync_hooks are true | application_admin_role |
| RoleBinding | postsync-ibm-dro-update-sm-rb | ibm-software-central | When application_admin_role and run_sync_hooks are true | application_admin_role |
| Job | postsync-ibm-dro-update-sm-job-* | ibm-software-central | When application_admin_role and run_sync_hooks are true | application_admin_role |
| Secret | dest-header-map-secret | ibm-software-central | When cluster_admin_role and dro_cmm_setup are true | cluster_admin_role |
| Secret | auth-header-map-secret | ibm-software-central | When cluster_admin_role and dro_cmm_setup are true | cluster_admin_role |
| Secret | auth-body-data-secret | ibm-software-central | When cluster_admin_role and dro_cmm_setup are true | cluster_admin_role |
| ConfigMap | kazaam-configmap | ibm-software-central | When cluster_admin_role and dro_cmm_setup are true | cluster_admin_role |
| DataReporterConfig | datareporterconfig | ibm-software-central | When cluster_admin_role and dro_cmm_setup are true | cluster_admin_role |

IBM DRO Cleanup

Helm chart link: 032-ibm-dro-cleanup

This chart must be managed by an Application in a later syncwave than ibm-dro to ensure the PostDelete hook can complete before the ibm-dro application is removed (otherwise the pods responsible for managing the MarketplaceConfig finalizers will be removed before they get a chance to complete).

Configuration
Values

This chart has no configurable values. It automatically handles cleanup of MarketplaceConfig resources during DRO application deletion via a PostDelete hook.

The cleanup job runs in the same namespace as the DRO installation (ibm-software-central by default).

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| ConfigMap | placeholder | ibm-software-central | Always | cluster_admin_role |
| Job | postdelete-delete-marketplaceconfigs-job | ibm-software-central | PostDelete hook only | cluster_admin_role |

Note: The PostDelete Job is only created during application deletion to clean up MarketplaceConfig resources.


CIS Compliance

Helm chart link: 040-cis-compliance

Configuration
Values
cis_compliance:
  # Configuration flag (internal use)
  # This flag is used by the parent application to determine readiness
  # Default: true
  config: true

  # Compliance Operator install plan approval
  # Options: "Automatic" or "Manual"
  # Default: Automatic
  cis_install_plan: Automatic

Base Cluster Values

This chart inherits common cluster configuration values. The most frequently used base values are:

account:
  id: string                    # AWS account identifier

region:
  id: string                    # AWS region identifier

cluster:
  id: string                    # Unique cluster identifier
  url: string                   # OpenShift cluster API URL
  nonshared: boolean            # Whether cluster is dedicated (true) or shared (false)

sm:                             # Secrets Manager configuration
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base cluster values including optional fields like notifications, custom_labels, devops, and cli_image_repo, see the Cluster Base Values Reference.

Usage Examples

Basic configuration with automatic updates:

cis_compliance:
  config: true
  cis_install_plan: Automatic

Manual approval for operator updates:

cis_compliance:
  config: true
  cis_install_plan: Manual

About CIS Compliance

This chart installs the OpenShift Compliance Operator and configures it to run CIS (Center for Internet Security) benchmark scans on your cluster. The TailoredProfiles included are specifically configured for ROSA (Red Hat OpenShift Service on AWS) environments, disabling rules that cannot be modified in managed OpenShift services.

The compliance scans run automatically based on the ScanSetting configuration and results are stored as ComplianceCheckResult resources in the cluster.

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| OperatorGroup | compliance-operator | openshift-compliance | Always | cluster_admin_role |
| Subscription | compliance-operator-sub | openshift-compliance | Always | cluster_admin_role |
| ScanSetting | default-auto-apply | openshift-compliance | Always | cluster_admin_role |
| ScanSettingBinding | mas-cis-compliance | openshift-compliance | Always | cluster_admin_role |
| TailoredProfile | mas-ocp4-cis-node-rosa-tailoredprofile | openshift-compliance | Always | cluster_admin_role |
| TailoredProfile | mas-ocp4-cis-rosa-tailoredprofile | openshift-compliance | Always | cluster_admin_role |
| ServiceAccount | compliance cleanup service accounts | openshift-compliance | Cleanup resources as applicable | cluster_admin_role |
| Role | compliance cleanup roles | openshift-compliance | Cleanup resources as applicable | cluster_admin_role |
| RoleBinding | compliance cleanup role bindings | openshift-compliance | Cleanup resources as applicable | cluster_admin_role |

Note: The TailoredProfiles disable specific rules that cannot be modified in ROSA environments (e.g., Kubelet config modifications).


CIS Compliance Cleanup

Helm chart link: 041-cis-compliance-cleanup

This chart must be managed by an Application in a later syncwave than cis-compliance to ensure the PostDelete hook can complete before the cis-compliance operator is removed (otherwise the pods responsible for managing the ProfileBundle finalizers will be removed before they get a chance to complete).

Configuration
Values

This chart has no configurable values. It automatically handles cleanup of ProfileBundle resources during CIS Compliance operator deletion via a PostDelete hook.

The cleanup job runs in the openshift-compliance namespace.

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| ConfigMap | placeholder | openshift-compliance | Always | cluster_admin_role |
| Job | postdelete-delete-profilebundles-job | openshift-compliance | PostDelete hook only | cluster_admin_role |

Note: The PostDelete Job is only created during application deletion to clean up ProfileBundle resources.


NFD Operator¤

Helm chart link: 050-nfd-operator

Resources Created¤
| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| OperatorGroup | openshift-nfd-group | openshift-nfd | Always | cluster_admin_role |
| Subscription | nfd-operator | openshift-nfd | Always | cluster_admin_role |
| NodeFeatureDiscovery | nfd-master-worker | openshift-nfd | Always | cluster_admin_role |

NVIDIA GPU Operator¤

Helm chart link: 051-nvidia-gpu-operator

Configuration¤
Values¤
nvidia_gpu_operator:
  # NFD (Node Feature Discovery) configuration
  # NFD is a prerequisite for GPU operator
  nfd_namespace: "openshift-nfd"
  nfd_channel: "stable"
  nfd_install_plan: Automatic
  nfd_image: ""  # Optional: custom NFD image

  # GPU Operator configuration
  # Namespace where GPU operator will be installed
  # Default: nvidia-gpu-operator
  gpu_namespace: "nvidia-gpu-operator"

  # GPU Operator subscription channel
  # Default: v24.3
  gpu_channel: "v24.3"

  # NVIDIA GPU driver version
  # Specify the driver version to install
  # Default: 575.57.08
  gpu_driver_version: 575.57.08

  # GPU driver repository path
  # Container registry path for GPU drivers
  # Default: nvcr.io/nvidia
  gpu_driver_repository_path: "nvcr.io/nvidia"

  # GPU Operator install plan approval
  # Options: "Automatic" or "Manual"
  # Default: Automatic
  gpu_install_plan: Automatic
Base Cluster Values¤

This chart inherits common cluster configuration values. The most frequently used base values are:

account:
  id: string                    # AWS account identifier

region:
  id: string                    # AWS region identifier

cluster:
  id: string                    # Unique cluster identifier
  url: string                   # OpenShift cluster API URL
  nonshared: boolean            # Whether cluster is dedicated (true) or shared (false)

sm:                             # Secrets Manager configuration
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base cluster values including optional fields like notifications, custom_labels, devops, and cli_image_repo, see the Cluster Base Values Reference.

Usage Examples¤

Basic GPU operator installation:

nvidia_gpu_operator:
  nfd_namespace: "openshift-nfd"
  nfd_channel: "stable"
  nfd_install_plan: Automatic
  gpu_namespace: "nvidia-gpu-operator"
  gpu_channel: "v24.3"
  gpu_driver_version: 575.57.08
  gpu_driver_repository_path: "nvcr.io/nvidia"
  gpu_install_plan: Automatic

With specific driver version:

nvidia_gpu_operator:
  nfd_namespace: "openshift-nfd"
  nfd_channel: "stable"
  nfd_install_plan: Automatic
  gpu_namespace: "nvidia-gpu-operator"
  gpu_channel: "v24.3"
  gpu_driver_version: 550.90.07
  gpu_driver_repository_path: "nvcr.io/nvidia"
  gpu_install_plan: Automatic

With custom driver repository:

nvidia_gpu_operator:
  nfd_namespace: "openshift-nfd"
  nfd_channel: "stable"
  nfd_install_plan: Automatic
  gpu_namespace: "nvidia-gpu-operator"
  gpu_channel: "v24.3"
  gpu_driver_version: 575.57.08
  gpu_driver_repository_path: "my-registry.example.com/nvidia"
  gpu_install_plan: Automatic
Prerequisites¤
  • OpenShift cluster with GPU-enabled nodes
  • Sufficient cluster resources for GPU workloads
  • Node Feature Discovery (NFD) operator (automatically installed by this chart)
Resources Created¤
| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| OperatorGroup | nvidia-gpu-operator-group | nvidia-gpu-operator | Always | cluster_admin_role |
| Subscription | gpu-operator-certified | nvidia-gpu-operator | Always | cluster_admin_role |
| ClusterPolicy | gpu-cluster-policy | N/A (cluster-scoped) | Always | cluster_admin_role |
| SecurityContextConstraints | ibm-mas-customscc | N/A (cluster-scoped) | Always | cluster_admin_role |

Group Sync Operator¤

Helm chart link: 052-group-sync-operator

Configuration¤
Values¤
group_sync_operator:
  # Cron schedule for group synchronization
  # How often to sync groups from IBM Security Verify
  # Default: */30 * * * * (every 30 minutes)
  # Format: standard cron expression
  cron_schedule: "*/30 * * * *"

  # IBM Security Verify tenant URL (required)
  # The base URL of your IBM Security Verify tenant
  # Example: https://your-tenant.verify.ibm.com
  isv_tenant_url: ""

  # IBM Security Verify client ID (required)
  # OAuth client ID for API access
  isv_client_id: ""

  # IBM Security Verify client secret (required)
  # OAuth client secret for API access
  isv_client_secret: ""

  # List of groups to synchronize (required)
  # Array of group names or patterns to sync from IBM Security Verify
  # Example: ["mas-admins", "mas-users", "mas-developers"]
  isv_groups: []
Base Cluster Values¤

This chart inherits common cluster configuration values. The most frequently used base values are:

account:
  id: string                    # AWS account identifier

region:
  id: string                    # AWS region identifier

cluster:
  id: string                    # Unique cluster identifier
  url: string                   # OpenShift cluster API URL
  nonshared: boolean            # Whether cluster is dedicated (true) or shared (false)

sm:                             # Secrets Manager configuration
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base cluster values including optional fields like notifications, custom_labels, devops, and cli_image_repo, see the Cluster Base Values Reference.

Usage Examples¤

Basic group sync configuration:

group_sync_operator:
  cron_schedule: "*/30 * * * *"
  isv_tenant_url: "https://my-company.verify.ibm.com"
  isv_client_id: "your-client-id"
  isv_client_secret: "your-client-secret"
  isv_groups:
    - "mas-admins"
    - "mas-users"

Hourly synchronization:

group_sync_operator:
  cron_schedule: "0 * * * *"  # Every hour at minute 0
  isv_tenant_url: "https://my-company.verify.ibm.com"
  isv_client_id: "your-client-id"
  isv_client_secret: "your-client-secret"
  isv_groups:
    - "cluster-admins"
    - "developers"
    - "operators"

Multiple groups with frequent sync:

group_sync_operator:
  cron_schedule: "*/15 * * * *"  # Every 15 minutes
  isv_tenant_url: "https://my-company.verify.ibm.com"
  isv_client_id: "your-client-id"
  isv_client_secret: "your-client-secret"
  isv_groups:
    - "mas-admins"
    - "mas-users"
    - "mas-developers"
    - "mas-operators"
    - "mas-viewers"
Prerequisites¤
  • IBM Security Verify tenant with configured groups
  • OAuth application credentials (client ID and secret) with group read permissions
  • Group Sync Operator version 0.0.31 or higher
Resources Created¤
| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| OperatorGroup | group-sync-operator | group-sync-operator | Always | cluster_admin_role |
| Subscription | group-sync-operator | group-sync-operator | Always | cluster_admin_role |
| Secret | isv-group-sync | group-sync-operator | Always | cluster_admin_role |
| GroupSync | isv-group-sync | group-sync-operator | Always | cluster_admin_role |

Note: The GroupSync resource synchronizes groups from IBM Security Verify based on the configured schedule.


Falcon Operator¤

Helm chart link: 053-falcon-operator

Configuration¤
Values¤
falcon_operator:
  # CrowdStrike Falcon OAuth2 client ID (required)
  # Obtain from CrowdStrike Falcon console
  client_id: ""

  # CrowdStrike Falcon OAuth2 client secret (required)
  # Obtain from CrowdStrike Falcon console
  client_secret: ""

  # CrowdStrike cloud region (optional)
  # Specify the cloud region for your Falcon instance
  # Options: us-1, us-2, eu-1, us-gov-1
  # If not specified, defaults to us-1
  cloud_region: ""

  # Node sensor configuration (optional)
  # Advanced configuration for the FalconNodeSensor resource
  # Allows customization of sensor behavior and resource limits
  node_sensor: {}
    # Example configuration:
    # falcon:
    #   tags:
    #     - "environment:production"
    #     - "cluster:mas-prod"
    # node:
    #   resources:
    #     limits:
    #       cpu: "1000m"
    #       memory: "512Mi"
Base Cluster Values¤

This chart inherits common cluster configuration values. The most frequently used base values are:

account:
  id: string                    # AWS account identifier

region:
  id: string                    # AWS region identifier

cluster:
  id: string                    # Unique cluster identifier
  url: string                   # OpenShift cluster API URL
  nonshared: boolean            # Whether cluster is dedicated (true) or shared (false)

sm:                             # Secrets Manager configuration
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base cluster values including optional fields like notifications, custom_labels, devops, and cli_image_repo, see the Cluster Base Values Reference.

Usage Examples¤

Basic Falcon operator installation:

falcon_operator:
  client_id: "your-falcon-client-id"
  client_secret: "your-falcon-client-secret"

With specific cloud region:

falcon_operator:
  client_id: "your-falcon-client-id"
  client_secret: "your-falcon-client-secret"
  cloud_region: "eu-1"

With custom node sensor configuration:

falcon_operator:
  client_id: "your-falcon-client-id"
  client_secret: "your-falcon-client-secret"
  cloud_region: "us-1"
  node_sensor:
    falcon:
      tags:
        - "environment:production"
        - "cluster:mas-prod"
        - "owner:platform-team"
    node:
      resources:
        limits:
          cpu: "1000m"
          memory: "512Mi"
        requests:
          cpu: "500m"
          memory: "256Mi"
Prerequisites¤
  • CrowdStrike Falcon account with API credentials
  • OAuth2 API client created in Falcon console with appropriate permissions
  • Sufficient cluster resources for sensor deployment on all nodes

For more information, see the CrowdStrike Falcon Operator documentation.

Resources Created¤
| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| OperatorGroup | falcon-operator | falcon-operator | Always | cluster_admin_role |
| Subscription | falcon-operator | falcon-operator | Always | cluster_admin_role |
| FalconNodeSensor | falcon-node-sensor | falcon-operator | Always | cluster_admin_role |

Cluster Logging Operator¤

Helm chart link: 054-cluster-logging-operator

This chart also installs the log forwarder for non-MCSP accounts or when indicated.

Configuration¤
Values¤
cluster_logging_operator:
  # Enable cluster logging operator installation
  # Set to false to skip installation
  # Default: true
  install: true

  # AWS credentials for CloudWatch log forwarding (required)
  # IAM user credentials with CloudWatch Logs write permissions
  aws_access_key_id: ""
  aws_secret_access_key: ""

  # Cluster Logging Operator subscription channel
  # Default: stable
  channel: "stable"

  # Install plan approval strategy
  # Options: "Automatic" or "Manual"
  # Default: Automatic
  install_plan: Automatic

  # Enable syslog forwarder
  # When true, uses syslog forwarder instead of direct CloudWatch forwarding
  # Default: false
  use_syslog_forwarder: false

  # Setup log forwarding configuration (optional)
  # When true, configures additional log forwarding resources
  # Default: false
  setup_log_forwarding: false

  # Log forwarder client URL (required when setup_log_forwarding is true)
  # URL of the syslog receiver endpoint
  log_forwarder_client_url: ""

  # Syslog forwarder version (required when setup_log_forwarding is true)
  # Container image version for the syslog forwarder
  syslog_forwarder_version: ""

  # Log forwarder pull secret (required when setup_log_forwarding is true)
  # Secret for pulling syslog forwarder container image
  log_forwarder_pullsecret: ""

  # DLC CA certificate bundle (required when setup_log_forwarding is true)
  # CA certificate bundle for TLS verification
  log_forwarder_dlc_cert: ""
Base Cluster Values¤

This chart inherits common cluster configuration values. The most frequently used base values are:

account:
  id: string                    # AWS account identifier

region:
  id: string                    # AWS region identifier

cluster:
  id: string                    # Unique cluster identifier
  url: string                   # OpenShift cluster API URL
  nonshared: boolean            # Whether cluster is dedicated (true) or shared (false)

sm:                             # Secrets Manager configuration
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base cluster values including optional fields like notifications, custom_labels, devops, and cli_image_repo, see the Cluster Base Values Reference.

Usage Examples¤

Basic CloudWatch logging:

cluster_logging_operator:
  install: true
  aws_access_key_id: "AKIAIOSFODNN7EXAMPLE"
  aws_secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  channel: "stable"
  install_plan: Automatic
  use_syslog_forwarder: false
  setup_log_forwarding: false

With syslog forwarder:

cluster_logging_operator:
  install: true
  aws_access_key_id: "AKIAIOSFODNN7EXAMPLE"
  aws_secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  channel: "stable"
  install_plan: Automatic
  use_syslog_forwarder: true
  setup_log_forwarding: true
  log_forwarder_client_url: "syslog://logs.example.com:514"
  syslog_forwarder_version: "1.0.0"
  log_forwarder_pullsecret: "your-pull-secret"
  log_forwarder_dlc_cert: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

Manual operator updates:

cluster_logging_operator:
  install: true
  aws_access_key_id: "AKIAIOSFODNN7EXAMPLE"
  aws_secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  channel: "stable"
  install_plan: Manual
  use_syslog_forwarder: false
  setup_log_forwarding: false
Prerequisites¤
  • AWS account with CloudWatch Logs enabled
  • IAM credentials with CloudWatch Logs write permissions
  • For syslog forwarding: syslog receiver endpoint and TLS certificates

For more information, see the OpenShift Cluster Logging documentation.

Resources Created¤
| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| OperatorGroup | cluster-logging-operator | openshift-logging | Always | cluster_admin_role |
| Subscription | cluster-logging-operator | openshift-logging | Always | cluster_admin_role |
| Secret | cloudwatch | openshift-logging | Always | cluster_admin_role |
| ClusterLogging | instance | openshift-logging | When channel version ≤ 5.9 | cluster_admin_role |
| ClusterLogForwarder | instance | openshift-logging | Always | cluster_admin_role |
| ServiceAccount | collector | openshift-logging | When channel version ≥ 6.0 | cluster_admin_role |
| ClusterRole | collect-application-logs | N/A (cluster-scoped) | When channel version ≥ 6.0 | cluster_admin_role |
| ClusterRole | collect-audit-logs | N/A (cluster-scoped) | When channel version ≥ 6.0 | cluster_admin_role |
| ClusterRole | collect-infrastructure-logs | N/A (cluster-scoped) | When channel version ≥ 6.0 | cluster_admin_role |
| ClusterRoleBinding | collect-application-logs | N/A (cluster-scoped) | When channel version ≥ 6.0 | cluster_admin_role |
| ClusterRoleBinding | collect-audit-logs | N/A (cluster-scoped) | When channel version ≥ 6.0 | cluster_admin_role |
| ClusterRoleBinding | collect-infrastructure-logs | N/A (cluster-scoped) | When channel version ≥ 6.0 | cluster_admin_role |
| ServiceAccount | syslog-forwarder | openshift-logging | When setup_log_forwarding is true | cluster_admin_role |
| ClusterRole | syslog-forwarder | N/A (cluster-scoped) | When setup_log_forwarding is true | cluster_admin_role |
| ClusterRoleBinding | syslog-forwarder | N/A (cluster-scoped) | When setup_log_forwarding is true | cluster_admin_role |
| Secret | syslog-pullsecret | openshift-logging | When setup_log_forwarding is true | cluster_admin_role |
| Secret | dlc-cert | openshift-logging | When setup_log_forwarding is true | cluster_admin_role |
| Secret | syslog-forwarder | openshift-logging | When setup_log_forwarding is true | cluster_admin_role |
| ConfigMap | syslog-forwarder | openshift-logging | When setup_log_forwarding is true | cluster_admin_role |
| Service | syslog-forwarder | openshift-logging | When setup_log_forwarding is true | cluster_admin_role |
| Deployment | syslog-forwarder | openshift-logging | When setup_log_forwarding is true | cluster_admin_role |

Note: The syslog forwarder resources are only created when setup_log_forwarding is enabled. The ClusterLogForwarder resource is created for both supported operator version ranges, but the API group and collector RBAC differ between channel versions.
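
The usage examples above place AWS keys inline in the values, while the base cluster values type the same kind of field as a secret reference. The following added example (not part of the MAS GitOps charts) scans already-parsed values for literals in the credential fields documented on this page. The `<path:...>` placeholder shape it accepts as a reference is an assumption, since the page does not show the reference syntax, and `DEPLOY_TOKEN` is a constructed key.

```python
"""Flag literal credentials in parsed chart values (added example)."""
import re

# Credential fields documented on this page, as dotted values paths.
SECRET_PATHS = frozenset({
    "sm.aws_access_key_id",
    "sm.aws_secret_access_key",
    "group_sync_operator.isv_client_secret",
    "falcon_operator.client_secret",
    "cluster_logging_operator.aws_access_key_id",
    "cluster_logging_operator.aws_secret_access_key",
    "cluster_logging_operator.log_forwarder_pullsecret",
    "instana_agent_operator.key",
    "promotion.github_pat",
    "mas_provisioner.ibm_entitlement",
})

# ASSUMPTION: secret references look like "<path:...>" placeholders.
# Adjust to whatever reference syntax your deployment actually uses.
REFERENCE = re.compile(r"^<path:[^<>]+>$")

# Token shapes worth catching under keys the charts do not document
# (for example inside a free-form env map).
TOKEN_SHAPES = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{8,}\b"),
}


def walk(node, prefix=""):
    """Yield (dotted_path, leaf_value) for every leaf in nested dicts/lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{prefix}.{key}" if prefix else str(key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{prefix}[{index}]")
    else:
        yield prefix, node


def scan(values):
    """Return [(path, reason)] for values that should be secret references."""
    findings = []
    for path, value in walk(values):
        if not isinstance(value, str) or not value.strip():
            continue  # unset fields ("") and non-strings are not findings
        if REFERENCE.match(value.strip()):
            continue
        if path in SECRET_PATHS:
            findings.append((path, "literal value in a documented credential field"))
            continue
        for label, pattern in TOKEN_SHAPES.items():
            if pattern.search(value):
                findings.append((path, f"value matches the shape of: {label}"))
                break
    return findings


# Constructed sample, assembled from the usage examples on this page.
SAMPLE_VALUES = {
    "sm": {
        "aws_access_key_id": "<path:example/sm#aws_access_key_id>",
        "aws_secret_access_key": "<path:example/sm#aws_secret_access_key>",
    },
    "cluster_logging_operator": {
        "install": True,
        "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
        "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "channel": "stable",
    },
    "falcon_operator": {"client_id": "your-falcon-client-id", "client_secret": ""},
    "promotion": {"github_pat": "ghp_xxxxxxxxxxxx", "target_github_host": "github.com"},
    "instana_agent_operator": {
        "key": "<path:example/instana#key>",
        "env": {"INSTANA_AGENT_ZONE": "production", "DEPLOY_TOKEN": "ghp_xxxxxxxxxxxx"},
    },
}

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_VALUES):
        print(f"{path}: {reason}")
```
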


Instana Agent Operator¤

Helm chart link: 055-instana-agent-operator

The instana-agent-db2-config CronJob is responsible for updating the Instana agent custom resource with the connection information for each DB2 instance in the cluster.

Configuration¤
Values¤
instana_agent_operator:
  # Enable Instana agent installation
  # Set to false to skip installation
  # Default: true
  install: true

  # Storage class for JKS (Java KeyStore) persistent volume
  # Used to store certificates and keys
  # Example: gp3, efs-sc
  jks_storage_class: ""

  # Instana agent key (required)
  # Your Instana agent key for authentication
  # Obtain from Instana backend
  key: ""

  # Instana endpoint host (required)
  # Hostname of your Instana backend
  # Example: ingress-red-saas.instana.io
  endpoint_host: ""

  # Instana endpoint port (required)
  # Port number for Instana backend connection
  # Default: 443
  endpoint_port: "443"

  # Additional environment variables (optional)
  # Custom environment variables for the Instana agent
  env: {}
    # Example:
    # INSTANA_AGENT_ZONE: "production"
    # INSTANA_AGENT_TAGS: "cluster:mas-prod,env:production"
Base Cluster Values¤

This chart inherits common cluster configuration values. The most frequently used base values are:

account:
  id: string                    # AWS account identifier

region:
  id: string                    # AWS region identifier

cluster:
  id: string                    # Unique cluster identifier
  url: string                   # OpenShift cluster API URL
  nonshared: boolean            # Whether cluster is dedicated (true) or shared (false)

sm:                             # Secrets Manager configuration
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base cluster values including optional fields like notifications, custom_labels, devops, and cli_image_repo, see the Cluster Base Values Reference.

Usage Examples¤

Basic Instana agent installation:

instana_agent_operator:
  install: true
  jks_storage_class: "gp3"
  key: "your-instana-agent-key"
  endpoint_host: "ingress-red-saas.instana.io"
  endpoint_port: "443"

With custom environment variables:

instana_agent_operator:
  install: true
  jks_storage_class: "gp3"
  key: "your-instana-agent-key"
  endpoint_host: "ingress-red-saas.instana.io"
  endpoint_port: "443"
  env:
    INSTANA_AGENT_ZONE: "production"
    INSTANA_AGENT_TAGS: "cluster:mas-prod,env:production,owner:platform-team"
    INSTANA_AGENT_MODE: "APM"

With custom endpoint port:

instana_agent_operator:
  install: true
  jks_storage_class: "efs-sc"
  key: "your-instana-agent-key"
  endpoint_host: "instana.example.com"
  endpoint_port: "8443"
Prerequisites¤
  • Instana backend instance with agent key
  • Storage class available for persistent volumes
  • Network connectivity to Instana backend endpoint
DB2 Integration¤

This chart includes a CronJob that automatically discovers DB2 instances in the cluster and updates the InstanaAgent configuration with their connection details. This enables automatic monitoring of DB2 databases without manual configuration.

Resources Created¤
| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| OperatorGroup | instana-agent | instana-agent | Always | cluster_admin_role |
| Subscription | instana-agent | instana-agent | Always | cluster_admin_role |
| InstanaAgent | instana-agent | instana-agent | Always | cluster_admin_role |
| PersistentVolumeClaim | instana-agent | instana-agent | Always | cluster_admin_role |
| Secret | instana-agent-key | instana-agent | Always | cluster_admin_role |
| Secret | db2-passwords | instana-agent | Always | cluster_admin_role |
| ClusterRole | instana-agent-db2-config-role | N/A (cluster-scoped) | Always | cluster_admin_role |
| ServiceAccount | instana-agent-db2-config-sa | instana-agent | Always | cluster_admin_role |
| Role | instana-agent-db2-config-role | instana-agent | Always | cluster_admin_role |
| RoleBinding | instana-agent-db2-config-role | instana-agent | Always | cluster_admin_role |
| RoleBinding | instana-agent-db2-config-sa-edit | instana-agent | Always | cluster_admin_role |
| NetworkPolicy | instana-agent-db2-config-netpol | instana-agent | Always | cluster_admin_role |
| CronJob | instana-agent-db2-config | instana-agent | Always | cluster_admin_role |

Note: The CronJob automatically updates the InstanaAgent configuration with DB2 instance connection details.


Custom Service Account¤

Helm chart link: 060-custom-sa

Configuration¤
Values¤
custom_sa:
  # Namespace where custom service accounts will be created
  # Default: default
  custom_sa_namespace: "default"

  # Custom service account details (required)
  # Map of service account names to ClusterRole names
  # Format: key-value pairs where key is SA name and value is ClusterRole
  # Example:
  #   my-app-sa: view
  #   automation-sa: edit
  #   admin-sa: cluster-admin
  custom_sa_details: {}
Base Cluster Values¤

This chart inherits common cluster configuration values. The most frequently used base values are:

account:
  id: string                    # AWS account identifier

region:
  id: string                    # AWS region identifier

cluster:
  id: string                    # Unique cluster identifier
  url: string                   # OpenShift cluster API URL
  nonshared: boolean            # Whether cluster is dedicated (true) or shared (false)

sm:                             # Secrets Manager configuration
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base cluster values including optional fields like notifications, custom_labels, devops, and cli_image_repo, see the Cluster Base Values Reference.

Usage Examples¤

Single service account with view permissions:

custom_sa:
  custom_sa_namespace: "default"
  custom_sa_details:
    readonly-sa: view

Multiple service accounts with different roles:

custom_sa:
  custom_sa_namespace: "automation"
  custom_sa_details:
    app-reader: view
    app-editor: edit
    app-admin: admin
    cluster-viewer: cluster-reader

Service accounts in specific namespace:

custom_sa:
  custom_sa_namespace: "mas-prod-core"
  custom_sa_details:
    pipeline-sa: edit
    monitoring-sa: view
    backup-sa: admin
How It Works¤
  1. Creates a ServiceAccount in the specified namespace for each entry in custom_sa_details
  2. Creates a ClusterRoleBinding that binds the ServiceAccount to the specified ClusterRole
  3. Optionally runs a PostSync hook to store the ServiceAccount tokens in AWS Secrets Manager
Common ClusterRoles¤
  • view - Read-only access to most objects
  • edit - Read/write access to most objects (no RBAC changes)
  • admin - Full access within a namespace
  • cluster-admin - Full cluster access
  • cluster-reader - Read-only cluster access
Resources Created¤
| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| ServiceAccount | <custom_sa_name> | Configurable via custom_sa_namespace | For each entry in custom_sa_details | cluster_admin_role |
| ClusterRoleBinding | <custom_sa_name>-crb | N/A (cluster-scoped) | For each entry in custom_sa_details | cluster_admin_role |
| Secret | postsync-custom-sa-update-sm | default | When run_sync_hooks is true | cluster_admin_role |
| ServiceAccount | postsync-custom-sa-update-sm-sa | default | When run_sync_hooks is true | cluster_admin_role |
| Role | postsync-custom-sa-update-sm-role | default | When run_sync_hooks is true | cluster_admin_role |
| RoleBinding | postsync-custom-sa-update-sm-rolebinding | default | When run_sync_hooks is true | cluster_admin_role |
| ClusterRole | postsync-custom-sa-update-sm-cluster-role | N/A (cluster-scoped) | When run_sync_hooks is true | cluster_admin_role |
| ClusterRoleBinding | postsync-custom-sa-update-sm-cluster-rolebinding | N/A (cluster-scoped) | When run_sync_hooks is true | cluster_admin_role |
| Job | postsync-custom-sa-update-sm-job-* | default | When run_sync_hooks is true | cluster_admin_role |

Note: Service accounts are created dynamically based on the custom_sa_details configuration. Each service account is bound to a specified ClusterRole. The PostSync Job updates AWS Secrets Manager with service account tokens.


IBM RBAC¤

Helm chart link: 061-ibm-rbac

Configuration¤
Values¤
ibm_rbac:
  # Group to ClusterRole bindings (required)
  # Maps OpenShift groups to ClusterRoles for IBM RBAC
  # Groups are typically synchronized from IBM Security Verify via Group Sync Operator
  # Format: List of binding configurations
  binding_to_group: []
    # Example structure:
    # - group: "mas-cluster-admins"
    #   clusterrole: "cluster-admin"
    # - group: "mas-sre-team"
    #   clusterrole: "sre-editor"
    # - group: "mas-dba-team"
    #   clusterrole: "dba"
Base Cluster Values¤

This chart inherits common cluster configuration values. The most frequently used base values are:

account:
  id: string                    # AWS account identifier

region:
  id: string                    # AWS region identifier

cluster:
  id: string                    # Unique cluster identifier
  url: string                   # OpenShift cluster API URL
  nonshared: boolean            # Whether cluster is dedicated (true) or shared (false)

sm:                             # Secrets Manager configuration
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base cluster values including optional fields like notifications, custom_labels, devops, and cli_image_repo, see the Cluster Base Values Reference.

Usage Examples¤

Basic IBM RBAC configuration:

ibm_rbac:
  binding_to_group:
    - group: "mas-cluster-admins"
      clusterrole: "cluster-admin"
    - group: "mas-sre-editors"
      clusterrole: "sre-editor"
    - group: "mas-sre-readers"
      clusterrole: "sre-reader"

Complete IBM RBAC setup:

ibm_rbac:
  binding_to_group:
    - group: "mas-cluster-admins"
      clusterrole: "cluster-admin"
    - group: "mas-sre-editors"
      clusterrole: "sre-editor"
    - group: "mas-sre-readers"
      clusterrole: "sre-reader"
    - group: "mas-dba-editors"
      clusterrole: "dba-editor"
    - group: "mas-dba-readers"
      clusterrole: "dba-reader"
    - group: "mas-network-team"
      clusterrole: "network"
    - group: "mas-network-readers"
      clusterrole: "network-reader"
    - group: "mas-provisioning-team"
      clusterrole: "provisioning"
    - group: "mas-automation"
      clusterrole: "sre-automation-admin"

Minimal configuration:

ibm_rbac:
  binding_to_group:
    - group: "platform-admins"
      clusterrole: "cluster-admin"
    - group: "platform-viewers"
      clusterrole: "view"
IBM RBAC Roles¤

This chart creates the following custom ClusterRoles:

  • dba - Database administrator role with permissions for DB2 and database operations
  • dba-editor - DBA role with edit permissions
  • dba-reader - DBA role with read-only permissions
  • network - Network administrator role for network policy and ingress management
  • network-reader - Network role with read-only permissions
  • sre-editor - Site Reliability Engineer role with edit permissions
  • sre-reader - SRE role with read-only permissions
  • sre-automation-admin - Automation service account role with elevated permissions
  • provisioning - Provisioning role for cluster resource management
Prerequisites¤
  • Group Sync Operator installed and configured
  • Groups synchronized from IBM Security Verify or other identity provider
  • Groups must exist in OpenShift before bindings are created
Resources Created¤
| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| ClusterRole | dba | N/A (cluster-scoped) | Always | cluster_admin_role |
| ClusterRole | network | N/A (cluster-scoped) | Always | cluster_admin_role |
| ClusterRole | sre-editor | N/A (cluster-scoped) | Always | cluster_admin_role |
| ClusterRoleBinding | cluster-admin | N/A (cluster-scoped) | Always | cluster_admin_role |
| ClusterRoleBinding | dba-editor | N/A (cluster-scoped) | Always | cluster_admin_role |
| ClusterRoleBinding | dba-reader | N/A (cluster-scoped) | Always | cluster_admin_role |
| ClusterRoleBinding | network-reader | N/A (cluster-scoped) | Always | cluster_admin_role |
| ClusterRoleBinding | network | N/A (cluster-scoped) | Always | cluster_admin_role |
| ClusterRoleBinding | provisioning | N/A (cluster-scoped) | Always | cluster_admin_role |
| ClusterRoleBinding | sre-automation-admin | N/A (cluster-scoped) | Always | cluster_admin_role |
| ClusterRoleBinding | sre-editor | N/A (cluster-scoped) | Always | cluster_admin_role |
| ClusterRoleBinding | sre-reader | N/A (cluster-scoped) | Always | cluster_admin_role |
| Group | OpenShift groups referenced by IBM RBAC bindings | N/A (cluster-scoped) | Always | cluster_admin_role |

Note: ClusterRoleBindings reference groups that are synchronized by the Group Sync Operator.
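
Both the Custom Service Account chart (`custom_sa_details`) and this chart (`binding_to_group`) bind through ClusterRoleBindings, so a role such as `admin` or `edit` applies in every namespace rather than one. The following added example (not part of the MAS GitOps charts) rates each binding in already-parsed values before it is committed. The severity ratings for the custom roles are assumptions drawn from the one-line descriptions on this page, and the `mas-contractors`/`custom-ops` and `mas-dba-team` entries are constructed.

```python
"""Rate the ClusterRoleBindings implied by custom_sa and ibm_rbac values."""
from dataclasses import dataclass

SEVERITY = ["low", "medium", "high", "critical"]

# Built-in roles from the page's "Common ClusterRoles" list. Both charts bind
# with a ClusterRoleBinding, so every rating assumes cluster-wide scope.
BUILTIN = {
    "cluster-admin": ("critical", "full cluster access"),
    "admin": ("high", "namespace admin, including RoleBindings, in every namespace"),
    "edit": ("high", "read/write on most objects in every namespace"),
    "view": ("low", "read-only"),
    "cluster-reader": ("low", "read-only"),
}

# Custom roles listed under "IBM RBAC Roles". ASSUMPTION: ratings are inferred
# from the page's descriptions only; inspect the real rules before relying on them.
CUSTOM = {"sre-automation-admin": ("high", "described as having elevated permissions")}
CUSTOM.update({r: ("medium", "write-capable custom role")
               for r in ("dba", "dba-editor", "network", "sre-editor", "provisioning")})
CUSTOM.update({r: ("low", "read-only custom role")
               for r in ("dba-reader", "network-reader", "sre-reader")})


@dataclass(frozen=True)
class Finding:
    source: str    # values path the binding came from
    subject: str   # ServiceAccount or Group receiving the role
    role: str
    severity: str
    reason: str


def rate(role):
    """Return (severity, reason); unknown roles are treated as high until reviewed."""
    known = {**BUILTIN, **CUSTOM}
    return known.get(role, ("high", "role not listed on the page; review its rules first"))


def audit(values):
    """Return one Finding per implied ClusterRoleBinding, most severe first."""
    findings = []
    sa = values.get("custom_sa") or {}
    namespace = sa.get("custom_sa_namespace") or "default"
    for name, role in (sa.get("custom_sa_details") or {}).items():
        findings.append(Finding("custom_sa.custom_sa_details",
                                f"ServiceAccount {namespace}/{name}", role, *rate(role)))
    bindings = (values.get("ibm_rbac") or {}).get("binding_to_group") or []
    for index, entry in enumerate(bindings):
        source = f"ibm_rbac.binding_to_group[{index}]"
        group, role = entry.get("group"), entry.get("clusterrole")
        if not group or not role:  # malformed entry: flag it instead of skipping it
            findings.append(Finding(source, f"Group {group or '<missing>'}",
                                    role or "<missing>", "high",
                                    "entry lacks group or clusterrole"))
            continue
        findings.append(Finding(source, f"Group {group}", role, *rate(role)))
    # Stable sort: equal severities keep their order from the values file.
    findings.sort(key=lambda f: SEVERITY.index(f.severity), reverse=True)
    return findings


def violations(findings, max_allowed="medium"):
    """Findings whose severity exceeds the allowed ceiling."""
    limit = SEVERITY.index(max_allowed)
    return [f for f in findings if SEVERITY.index(f.severity) > limit]


# Constructed sample, assembled from the usage examples on this page.
SAMPLE_VALUES = {
    "custom_sa": {
        "custom_sa_namespace": "automation",
        "custom_sa_details": {"app-reader": "view", "app-editor": "edit",
                              "app-admin": "admin", "cluster-viewer": "cluster-reader"},
    },
    "ibm_rbac": {"binding_to_group": [
        {"group": "mas-cluster-admins", "clusterrole": "cluster-admin"},
        {"group": "mas-sre-readers", "clusterrole": "sre-reader"},
        {"group": "mas-automation", "clusterrole": "sre-automation-admin"},
        {"group": "mas-contractors", "clusterrole": "custom-ops"},  # role not on the page
        {"group": "mas-dba-team"},                                  # missing clusterrole
    ]},
}

if __name__ == "__main__":
    for f in violations(audit(SAMPLE_VALUES)):
        print(f"[{f.severity}] {f.subject} -> {f.role}: {f.reason} ({f.source})")
```
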


Cluster Promotion¤

Helm chart link: 200-cluster-promotion

Configuration¤
Values¤
promotion:
  # GitHub Personal Access Token (required)
  # Token with permissions to create pull requests in target repository
  github_pat: ""

  # Target GitHub host (required)
  # GitHub server hostname
  # Example: github.com or github.ibm.com
  target_github_host: ""

  # Target GitHub repository (required)
  # Repository name where changes will be promoted
  target_github_repo: ""

  # Target GitHub organization (required)
  # Organization or user owning the target repository
  target_github_org: ""

  # Target GitHub path (required)
  # Path within the repository where changes will be committed
  # Example: config/clusters
  target_github_path: ""

  # Target Git branch (required)
  # Branch where changes will be committed
  # Example: main, develop
  target_git_branch: ""

  # Create target pull request (required)
  # Whether to create a PR or commit directly
  # Options: "true" or "false"
  create_target_pr: "true"

  # Cluster values to promote (required)
  # List of cluster configuration values to include in promotion
  # Example: ["cluster-id", "region", "environment"]
  cluster_values: []

  # Target PR title (optional)
  # Title for the pull request when create_target_pr is true
  # Default: "Cluster promotion for <cluster_id>"
  target_pr_title: ""
Base Cluster Values¤

This chart inherits common cluster configuration values. The most frequently used base values are:

account:
  id: string                    # AWS account identifier

region:
  id: string                    # AWS region identifier

cluster:
  id: string                    # Unique cluster identifier
  url: string                   # OpenShift cluster API URL
  nonshared: boolean            # Whether cluster is dedicated (true) or shared (false)

sm:                             # Secrets Manager configuration
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base cluster values including optional fields like notifications, custom_labels, devops, and cli_image_repo, see the Cluster Base Values Reference.

Usage Examples¤

Basic cluster promotion with PR:

promotion:
  github_pat: "ghp_xxxxxxxxxxxx"
  target_github_host: "github.com"
  target_github_repo: "mas-config"
  target_github_org: "my-company"
  target_github_path: "config/production"
  target_git_branch: "main"
  create_target_pr: "true"
  cluster_values:
    - "cluster-id"
    - "region"
    - "environment"
  target_pr_title: "Promote cluster configuration to production"

Direct commit without PR:

promotion:
  github_pat: "ghp_xxxxxxxxxxxx"
  target_github_host: "github.com"
  target_github_repo: "mas-config"
  target_github_org: "my-company"
  target_github_path: "config/staging"
  target_git_branch: "develop"
  create_target_pr: "false"
  cluster_values:
    - "cluster-id"
    - "region"

Enterprise GitHub with custom values:

promotion:
  github_pat: "ghp_xxxxxxxxxxxx"
  target_github_host: "github.ibm.com"
  target_github_repo: "mas-gitops-config"
  target_github_org: "ibm-mas"
  target_github_path: "clusters/production"
  target_git_branch: "main"
  create_target_pr: "true"
  cluster_values:
    - "cluster-id"
    - "region"
    - "environment"
    - "account-id"
    - "cluster-domain"
  target_pr_title: "Automated cluster promotion - Production"

How It Works¤
  1. Cluster Verify Job - Validates the current cluster state and configuration
  2. Cluster Promoter Job - Extracts specified cluster values and commits them to the target repository
  3. Pull Request - Optionally creates a PR for review before merging changes

This enables automated promotion of cluster configurations from one environment to another (e.g., dev → staging → production).

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| ConfigMap | cluster-promoter-<cluster_id>-cm | mas-syncres | Always | cluster_admin_role |
| ServiceAccount | cluster-verify-sa | mas-syncres | Always | cluster_admin_role |
| ClusterRole | cluster-verify-cr | N/A (cluster-scoped) | Always | cluster_admin_role |
| ClusterRoleBinding | cluster-verify-crb | N/A (cluster-scoped) | Always | cluster_admin_role |
| Job | cluster-verify-* | mas-syncres | Always | cluster_admin_role |
| Job | cluster-promoter-* | mas-syncres | Always | cluster_admin_role |

Note: The cluster-verify Job validates the cluster state before the cluster-promoter Job promotes configuration changes to the next environment level.


MAS Provisioner¤

Helm chart link: 300-mas-provisioner

Configuration¤
Values¤
mas_provisioner:
  # Account alias (required)
  # Identifier for the AWS account
  account_alias: ""

  # IBM Entitlement Key (required)
  # Your IBM entitlement key for accessing IBM container images
  ibm_entitlement: ""

  # Provisioner domain (required)
  # Domain where the provisioner service will be exposed
  # Example: provisioner.mas.example.com
  provisioner_domain: ""

  # Provisioner namespace (required)
  # Namespace where provisioner will be deployed
  # Default: mas-provisioner
  provisioner_namespace: "mas-provisioner"

  # Provisioner version (required)
  # Container image version for the provisioner service
  provisioner_version: ""

  # Enable mTLS (required)
  # Enable mutual TLS for secure communication
  # Options: true or false
  enable_mtls: false

  # Service port (required)
  # Port number for the provisioner service
  # Default: 8080
  service_port: 8080

  # Status repository URL (required)
  # Git repository URL for storing provisioning status
  status_repo_url: ""

  # MAS annotations repository URL (required)
  # Git repository URL for MAS annotations
  mas_annotations_repo_url: ""

  # Base branch (required)
  # Git branch to use for repositories
  # Default: main
  base_branch: "main"

  # Async poll interval (required)
  # Polling interval in seconds for async operations
  # Default: 30
  async_poll_interval: 30

  # Async poll max (required)
  # Maximum number of polling attempts
  # Default: 100
  async_poll_max: 100

  # Enable PagerDuty alerts (required)
  # Enable alerting via PagerDuty
  # Options: true or false
  enable_pd_alert: false

  # Enable OCM alerts (required)
  # Enable alerting via OpenShift Cluster Manager
  # Options: true or false
  enable_ocm_alert: false

  # GitHub token (required)
  # Personal access token for GitHub API access
  github_token: ""

  # Storage class (optional)
  # Storage class for persistent volumes
  storage_class: ""

  # Git root CA certificate (optional)
  # Root CA certificate for Git server TLS verification
  git_root_ca: ""

  # CSB client CA certificate (optional)
  # Client CA certificate for Cloud Service Broker
  csb_client_ca: ""

  # Instana API token (optional)
  # API token for Instana monitoring integration
  instana_api_token: ""

  # Instana URL prefix (optional)
  # URL prefix for Instana backend
  # Example: https://instana.example.com
  instana_url_prefix: ""

  # OCM API token (optional)
  # API token for OpenShift Cluster Manager
  ocm_api_token: ""

  # PagerDuty integration key (optional)
  # Integration key for PagerDuty alerts
  pagerduty_integration: ""
Base Cluster Values¤

This chart inherits common cluster configuration values. The most frequently used base values are:

account:
  id: string                    # AWS account identifier

region:
  id: string                    # AWS region identifier

cluster:
  id: string                    # Unique cluster identifier
  url: string                   # OpenShift cluster API URL
  nonshared: boolean            # Whether cluster is dedicated (true) or shared (false)

sm:                             # Secrets Manager configuration
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base cluster values including optional fields like notifications, custom_labels, devops, and cli_image_repo, see the Cluster Base Values Reference.

Usage Examples¤

Basic provisioner configuration:

mas_provisioner:
  account_alias: "mas-prod"
  ibm_entitlement: "your-entitlement-key"
  provisioner_domain: "provisioner.mas.example.com"
  provisioner_namespace: "mas-provisioner"
  provisioner_version: "1.0.0"
  enable_mtls: false
  service_port: 8080
  status_repo_url: "https://github.com/my-org/mas-status"
  mas_annotations_repo_url: "https://github.com/my-org/mas-annotations"
  base_branch: "main"
  async_poll_interval: 30
  async_poll_max: 100
  enable_pd_alert: false
  enable_ocm_alert: false
  github_token: "ghp_xxxxxxxxxxxx"

With monitoring and alerting:

mas_provisioner:
  account_alias: "mas-prod"
  ibm_entitlement: "your-entitlement-key"
  provisioner_domain: "provisioner.mas.example.com"
  provisioner_namespace: "mas-provisioner"
  provisioner_version: "1.0.0"
  enable_mtls: true
  service_port: 8443
  status_repo_url: "https://github.com/my-org/mas-status"
  mas_annotations_repo_url: "https://github.com/my-org/mas-annotations"
  base_branch: "main"
  async_poll_interval: 30
  async_poll_max: 100
  enable_pd_alert: true
  enable_ocm_alert: true
  github_token: "ghp_xxxxxxxxxxxx"
  storage_class: "gp3"
  instana_api_token: "your-instana-token"
  instana_url_prefix: "https://instana.example.com"
  ocm_api_token: "your-ocm-token"
  pagerduty_integration: "your-pd-integration-key"

With custom certificates:

mas_provisioner:
  account_alias: "mas-prod"
  ibm_entitlement: "your-entitlement-key"
  provisioner_domain: "provisioner.mas.example.com"
  provisioner_namespace: "mas-provisioner"
  provisioner_version: "1.0.0"
  enable_mtls: true
  service_port: 8443
  status_repo_url: "https://github.enterprise.com/my-org/mas-status"
  mas_annotations_repo_url: "https://github.enterprise.com/my-org/mas-annotations"
  base_branch: "main"
  async_poll_interval: 30
  async_poll_max: 100
  enable_pd_alert: false
  enable_ocm_alert: false
  github_token: "ghp_xxxxxxxxxxxx"
  git_root_ca: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  csb_client_ca: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

Important Notes¤
  • Internal Use Only: This service is designed for internal IBM use and handles AWS Marketplace order notifications
  • Security: Always use mTLS in production environments
  • Monitoring: Enable Instana integration for production deployments
  • Alerting: Configure PagerDuty or OCM alerts for critical notifications

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| Secret | ibm-entitlement | mas-provisioner | Always | cluster_admin_role |
| ServiceAccount | mas-provisioner | mas-provisioner | Always | cluster_admin_role |
| Issuer | mas-provisioner-selfsigned-issuer | mas-provisioner | Always | cluster_admin_role |
| Certificate | mas-provisioner-ca | mas-provisioner | Always | cluster_admin_role |
| Issuer | mas-provisioner-ca-issuer | mas-provisioner | Always | cluster_admin_role |
| Certificate | mas-provisioner-cert | mas-provisioner | Always | cluster_admin_role |
| Certificate | mas-provisioner-console-cert | mas-provisioner | Always | cluster_admin_role |
| Secret | ibm-cos-credentials | mas-provisioner | Always | cluster_admin_role |
| Secret | ibm-sls-credentials | mas-provisioner | Always | cluster_admin_role |
| Secret | ibm-mongo-credentials | mas-provisioner | Always | cluster_admin_role |
| Secret | ibm-gitops-credentials | mas-provisioner | Always | cluster_admin_role |
| Secret | mas-provisioner-callback-url | mas-provisioner | Always | cluster_admin_role |
| Secret | mas-provisioner-storage | mas-provisioner | Always | cluster_admin_role |
| PersistentVolumeClaim | mas-provisioner-pvc | mas-provisioner | Always | cluster_admin_role |
| Service | mas-provisioner | mas-provisioner | Always | cluster_admin_role |
| Service | mas-provisioner-console | mas-provisioner | Always | cluster_admin_role |
| Deployment | mas-provisioner | mas-provisioner | Always | cluster_admin_role |
| Route | mas-provisioner | mas-provisioner | Always | cluster_admin_role |

Note: This service is for internal IBM use only and handles AWS Marketplace order notifications.


Instance Applications¤

IBM Sync Resources¤

Helm chart link: 000-ibm-sync-resources

Various resources required to run the Jobs contained in the 91-ibm-sync-jobs chart. This application has a lower syncwave (90) than the 91-ibm-sync-jobs application responsible for running the jobs. This ensures that the resources persist long enough for the PostDelete hooks in the 91-ibm-sync-jobs chart to complete, while still being cleaned up successfully when the MAS instance is deprovisioned.

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| Secret | AWS/IBM Suite shared credential secrets | Instance-specific namespaces | Always | application_admin_role |
| ServiceAccount | Sync resource job service accounts | Instance-specific namespaces | Always | application_admin_role |
| Role | Sync resource job roles | Instance-specific namespaces | Always | application_admin_role |
| RoleBinding | Sync resource job role bindings | Instance-specific namespaces | Always | application_admin_role |
| ClusterRole | IBM Suite DNS/cert sync cluster roles | N/A (cluster-scoped) | Always | application_admin_role |
| ClusterRoleBinding | IBM Suite DNS/cert sync cluster role bindings | N/A (cluster-scoped) | Always | application_admin_role |
| NetworkPolicy | Sync resource job network policy | Instance-specific namespaces | Always | application_admin_role |

Configuration¤

This chart does not accept additional configuration values beyond the base instance values.

Base Instance Values¤

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM Sync Jobs¤

Helm chart link: 010-ibm-sync-jobs

Defines Jobs to perform various tasks that need to happen before ibm-sls and the suite are installed, and after they are removed. It also performs various tasks for CP4D when it is set to be installed or upgraded.

Supporting resources are defined in the 90-ibm-sync-resources chart, which is managed by an application with a lower syncwave (90). This ensures that these resources persist long enough for any PostDelete hooks in this chart to complete.

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| ConfigMap | placeholder | Instance-specific namespace | Always | application_admin_role |
| Job | AWS DocDB add/remove user jobs | Instance-specific namespaces | When DocDB integration is configured | application_admin_role |
| Job | IBM MAS suite cert sync job | Instance-specific namespace | When suite certificate sync is enabled | application_admin_role |

Configuration¤

This chart does not accept additional configuration values beyond the base instance values.

Base Instance Values¤

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM SLS¤

Helm chart link: 100-ibm-sls

Contains a job that runs last (07-postsync-update-sm_Job.yaml). It registers the ${ACCOUNT_ID}/${CLUSTER_ID}/${INSTANCE_ID}/sls secret in the Secrets Vault, so that information generated at runtime can be shared with other ArgoCD Applications.

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| OperatorGroup | ibm-sls | Instance SLS namespace | Always | application_admin_role |
| Subscription | ibm-sls | Instance SLS namespace | Always | application_admin_role |
| Secret | ibm-entitlement | Instance SLS namespace | Always | application_admin_role |
| Secret | mongo-credentials | Instance SLS namespace | Always | application_admin_role |
| Secret | sls-entitlement | Instance SLS namespace | Always | application_admin_role |
| LicenseService | sls instance CR | Instance SLS namespace | Always | application_admin_role |
| NetworkPolicy | post-sync update secret manager network policy | Instance SLS namespace | Always | application_admin_role |
| Secret | post-sync update secret manager runtime secret | Instance SLS namespace | Always | application_admin_role |
| ServiceAccount | post-sync update secret manager service account | Instance SLS namespace | Always | application_admin_role |
| Role | post-sync update secret manager roles | Instance SLS namespace | Always | application_admin_role |
| RoleBinding | post-sync update secret manager role binding | Instance SLS namespace | Always | application_admin_role |
| Job | post-sync update secret manager job | Instance SLS namespace | When run_sync_hooks and application_admin_role are enabled | application_admin_role |

Configuration¤

This chart accepts the following configuration values in the ArgoCD Application values:

ibm_sls:
  # SaaS Licensing (when using IBM Customer Number)
  ibm_customer_number: string (optional)
  subscription_id: string (optional)

  # Traditional Licensing (when not using ICN)
  sls_channel: string
  sls_entitlement_file: string (secret reference)
  ibm_entitlement_key: string (secret reference)

  # MongoDB Configuration
  mongodb_provider: string
  user_action: string
  docdb_host: string (secret reference)
  docdb_port: string (secret reference)
  docdb_master_username: string (secret reference)
  docdb_master_password: string (secret reference)
  docdb_master_info: string (secret reference)
  sls_mongo_username: string (secret reference)
  sls_mongo_password: string (secret reference)
  sls_mongo_secret_name: string

  # Operator Configuration
  icr_cp_open: string
  sls_install_plan: string
  run_sync_hooks: boolean

  # MongoDB Specification
  mongo_spec:
    authMechanism: string
    configDb: string
    secretName: string
    retryWrites: boolean (optional)
    nodes:
      - host: string
        port: number
    certificates:
      - alias: string
        crt: string (multiline)

  # Certificate Authority (optional)
  internal_certificate_authority: string

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault.
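
A pre-merge check for the placeholder rule in the note above, added here as an illustration (it is not code from the MAS GitOps project): it scans an ibm_sls values block and reports every field the page marks "(secret reference)" whose value is not of the form <path:secrets/path:key>. The sample values, the function names, and the reading of the last colon-separated segment as the key are assumptions.

```python
import re

# Fields the page marks "(secret reference)" under ibm_sls.
SLS_SECRET_FIELDS = {
    "sls_entitlement_file", "ibm_entitlement_key",
    "docdb_host", "docdb_port",
    "docdb_master_username", "docdb_master_password", "docdb_master_info",
    "sls_mongo_username", "sls_mongo_password",
}

# The page gives the placeholder shape as <path:secrets/path:key>.
# Assumption: the last colon-separated segment is the key, the rest is the path.
SECRET_REF = re.compile(r"^<path:[^<>\s]+:[^<>\s:]+>$")

# One "key: value" mapping line; nested lines are filtered by indentation below.
MAPPING_LINE = re.compile(r"^( *)([A-Za-z_][\w-]*):(.*)$")


def scalar(raw):
    """Return the scalar of a 'key: value' line without quotes or trailing comment."""
    raw = raw.strip()
    if raw.startswith("#"):
        return ""
    if raw[:1] in ('"', "'"):
        end = raw.find(raw[0], 1)
        return raw[1:end] if end != -1 else raw[1:]
    return re.split(r"\s+#", raw, maxsplit=1)[0]


def classify(value):
    """Return None for a well-formed placeholder, otherwise the problem found."""
    if value == "":
        return "empty"
    if SECRET_REF.match(value):
        return None
    if value.startswith("<path:"):
        return "malformed placeholder"
    return "inline literal"  # includes block scalars such as "|"


def lint_secret_refs(text, section, secret_fields):
    """Check the direct children of top-level `section` in a values document.

    Returns (line_number, field, problem) tuples. The offending value is never
    included, so the report is safe to print in CI logs.
    """
    findings = []
    current = None       # top-level key we are inside
    child_indent = None  # indentation of that key's direct children
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = MAPPING_LINE.match(line)
        if match is None:
            continue
        indent, key, rest = len(match.group(1)), match.group(2), match.group(3)
        if indent == 0:
            current, child_indent = key, None
            continue
        if current != section:
            continue
        if child_indent is None:
            child_indent = indent
        if indent != child_indent or key not in secret_fields:
            continue
        problem = classify(scalar(rest))
        if problem is not None:
            findings.append((number, key, problem))
    return findings


# Constructed sample values, not taken from any real deployment.
SAMPLE = """\
ibm_sls:
  sls_channel: "3.x"
  ibm_entitlement_key: "<path:secrets/acct1/cluster1/ibm_entitlement:entitlement_key>"
  sls_entitlement_file: |
    constructed-license-body
  mongodb_provider: "aws"
  docdb_host: <path:secrets/acct1/cluster1/mongo:docdb_host>
  docdb_master_password: "constructed-inline-password"   # literal in Git
  sls_mongo_username: "<path:secrets/acct1/cluster1/mongo>"   # key segment missing
  sls_mongo_password: ""
  mongo_spec:
    secretName: "sls-mongo-credentials"
"""

if __name__ == "__main__":
    for number, field, problem in lint_secret_refs(SAMPLE, "ibm_sls", SLS_SECRET_FIELDS):
        print(f"line {number}: ibm_sls.{field}: {problem}")
```

The same function covers the other charts by passing their section name and the fields their Configuration block marks "(secret reference)", for example ibm_cp4d or ibm_db2u.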

Base Instance Values¤

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM CP4D¤

Helm chart link: 110-ibm-cp4d

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| Secret | ibm-entitlement-key | CP4D instance namespace | Always | cluster_admin_role |
| ServiceAccount | CP4D service accounts | CP4D instance namespace | Always and hook-driven as applicable | cluster_admin_role |
| Role | CP4D namespace roles | CP4D instance namespace | Always | cluster_admin_role |
| RoleBinding | CP4D namespace role bindings | CP4D instance namespace | Always | cluster_admin_role |
| ClusterRole | CP4D cluster roles | N/A (cluster-scoped) | Always | cluster_admin_role |
| ClusterRoleBinding | CP4D cluster role bindings | N/A (cluster-scoped) | Always | cluster_admin_role |
| Job | CP4D install and verification jobs | CP4D operators namespace | Version-dependent and always for verification hooks as applicable | cluster_admin_role |
| Ibmcpd | CP4D platform custom resource | CP4D instance namespace | Always | cluster_admin_role |
| ConfigMap | CP4D service dependency config maps | CP4D operators namespace | When optional services are enabled | cluster_admin_role |
| Subscription | CP4D service subscriptions | CP4D operators namespace | When optional services are enabled | cluster_admin_role |
| OperandRegistry | CP4D operand registries | CP4D operators namespace | When WSL or SPSS services are enabled | cluster_admin_role |
| OperandConfig | CP4D operand configuration | CP4D operators namespace | When optional services are enabled | cluster_admin_role |

Configuration¤

This chart accepts the following configuration values in the ArgoCD Application values:

ibm_cp4d:
  cpd_operators_namespace: string
  cpd_instance_namespace: string
  cpd_cs_control_namespace: string
  ibm_entitlement_key: string (secret reference)
  namespace_scope_channel: string (secret reference)
  namespace_scope_install_plan: string
  cpd_ibm_licensing_channel: string (secret reference)
  cpd_ibm_licensing_version: string (secret reference)
  cpd_licensing_install_plan: string
  cpfs_channel: string (secret reference)
  cpfs_size: string
  cpfs_install_plan: string
  cpd_scale_config: string
  cpd_admin_login_sa: string
  cpd_platform_channel: string (secret reference)
  cpd_platform_cr_name: string
  cpd_platform_install_plan: string
  cpd_product_version: string
  cpd_iam_integration: string
  cpd_primary_storage_class: string
  cpd_metadata_storage_class: string

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault.

Base Instance Values¤

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM CP4D Operators¤

Helm chart link: 110-ibm-cp4d-operators

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| Secret | ibm-entitlement-key | CP4D operators namespace | Always | cluster_admin_role |
| ServiceAccount | CP4D operator service accounts | CP4D operators namespace | Always | cluster_admin_role |
| Role | CP4D operator namespace roles | CP4D operators namespace and openshift-marketplace | Always | cluster_admin_role |
| RoleBinding | CP4D operator namespace role bindings | CP4D operators namespace | Always | cluster_admin_role |
| ClusterRole | CP4D operator cluster roles | N/A (cluster-scoped) | Always | cluster_admin_role |
| ClusterRoleBinding | CP4D operator cluster role bindings | N/A (cluster-scoped) | Always | cluster_admin_role |
| OperatorGroup | common-service | CP4D operators namespace | Always | cluster_admin_role |
| Subscription | CP4D and prerequisite operator subscriptions | CP4D operators namespace | Always | cluster_admin_role |
| NamespaceScope | cpd-operators | CP4D operators namespace | Always | cluster_admin_role |
| Job | CP4D prerequisite and upgrade cleanup jobs | CP4D operators namespace | Always | cluster_admin_role |
| ConfigMap | common-service-maps | kube-public | Always | cluster_admin_role |

Configuration¤

This chart accepts the following configuration values in the ArgoCD Application values:

ibm_cp4d:
  cpd_operators_namespace: string
  cpd_instance_namespace: string
  cpd_cs_control_namespace: string
  ibm_entitlement_key: string (secret reference)
  namespace_scope_channel: string (secret reference)
  namespace_scope_install_plan: string
  cpd_ibm_licensing_channel: string (secret reference)
  cpd_ibm_licensing_version: string (secret reference)
  cpd_licensing_install_plan: string
  cpfs_channel: string (secret reference)
  cpfs_size: string
  cpfs_install_plan: string
  cpd_scale_config: string
  cpd_admin_login_sa: string
  cpd_platform_channel: string (secret reference)
  cpd_platform_cr_name: string
  cpd_platform_install_plan: string
  cpd_product_version: string
  cpd_iam_integration: string
  cpd_primary_storage_class: string
  cpd_metadata_storage_class: string

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault.

Base Instance Values¤

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM CS Control¤

Helm chart link: 110-ibm-cs-control

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| OperatorGroup | IBM CS control operator group | CP4D operators namespace | Always | application_admin_role |
| Subscription | IBM licensing/operator subscription | CP4D operators namespace | Always | application_admin_role |
| IBMLicensing | IBM licensing instance | CP4D operators namespace | Always | application_admin_role |

Configuration¤

This chart accepts the following configuration values in the ArgoCD Application values:

ibm_cp4d:
  cpd_operators_namespace: string
  cpd_instance_namespace: string
  cpd_cs_control_namespace: string
  ibm_entitlement_key: string (secret reference)
  namespace_scope_channel: string (secret reference)
  namespace_scope_install_plan: string
  cpd_ibm_licensing_channel: string (secret reference)
  cpd_ibm_licensing_version: string (secret reference)
  cpd_licensing_install_plan: string
  cpfs_channel: string (secret reference)
  cpfs_size: string
  cpfs_install_plan: string
  cpd_scale_config: string
  cpd_admin_login_sa: string
  cpd_platform_channel: string (secret reference)
  cpd_platform_cr_name: string
  cpd_platform_install_plan: string
  cpd_product_version: string
  cpd_iam_integration: string
  cpd_primary_storage_class: string
  cpd_metadata_storage_class: string

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault.

Base Instance Values¤

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM Db2u¤

Helm chart link: 110-ibm-db2u

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| Secret | DB2 registry pull secret | DB2 operator namespace | Always | application_admin_role |
| OperatorGroup | DB2 operator group | DB2 operator namespace | Always | application_admin_role |
| Subscription | DB2 operator subscription | DB2 operator namespace | Always | application_admin_role |
| Issuer | DB2 CA issuer resources | DB2 operator namespace | Always | application_admin_role |
| Certificate | DB2 CA certificate | DB2 operator namespace | Always | application_admin_role |

Configuration¤

This chart accepts the following configuration values in the ArgoCD Application values:

ibm_db2u:
  db2_namespace: string
  db2_install_plan: string
  db2_channel: string (or secret reference)
  ibm_entitlement_key: string (secret reference)

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault.

Base Instance Values¤

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM ODH¤

Helm chart link: 112-ibm-odh

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| Namespace | ODH and serverless namespaces | ODH-related namespaces | Always | application_admin_role |
| OperatorGroup | ODH operator groups | ODH-related namespaces | Always | application_admin_role |
| Subscription | ODH/operator subscriptions | ODH-related namespaces | Always | application_admin_role |
| ServiceAccount | ODH service mesh service account | ODH-related namespaces | Always | application_admin_role |
| DSCInitialization | ODH DSC initialization CR | ODH namespace | Always | application_admin_role |
| DataScienceCluster | ODH data science cluster CR | ODH namespace | Always | application_admin_role |
| PeerAuthentication | Istio peer authentication for ODH | ODH namespace | Always | application_admin_role |
| DestinationRule | Istio destination rule for ODH | ODH namespace | Always | application_admin_role |
| NetworkPolicy | ODH network policy | ODH namespace | Always | application_admin_role |

Configuration¤

This chart accepts the following configuration values in the ArgoCD Application values:

ibm_odh:
  openshift_namespace: string
  odh_pipeline_channel: string
  odh_pipeline_installplan: string
  pipeline_catalog_source: string
  service_mesh_namespace: string
  service_mesh_channel: string
  service_mesh_catalog_source: string
  service_mesh_sourceNamespace: string
  operatorName: string
  serverless_channel: string
  authorino_catalog_source: string
  odh_channel: string
  odh_catalog_source: string
  odh_operator_version: string
  odh_namespace: string

  aiservice_namespace: string
  pull_secret_name: string (secret reference)

  # Serverless Operator
  serverless_namespace: string
  serverless_operator_name: string
  serverless_operator_source: string
  serverless_operator_sourceNamespace: string

  # OpenDataHub Operator
  opendatahub_OperatorGroup_name: string
  opendatahub_name: string
  opendatahub_namespace: string
  opendatahub_installPlanApproval: string
  opendatahub_channel: string
  opendatahub_source: string
  opendatahub_sourceNamespace: string
  aiservice_odh_model_deployment_type: string
  primary_storage_class: string

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault.

Base Instance Values¤

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM AI Service¤

Helm chart link: 113-ibm-aiservice

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| Secret | AI Service S3/DRO/JDBC/knowledge-model secrets | AI Service namespace | Always | application_admin_role |
| OperatorGroup | AI Service operator group | AI Service namespace | Always | application_admin_role |
| Subscription | AI Service operator subscription | AI Service namespace | Always | application_admin_role |
| AIServiceApp | AI Service application CR | AI Service namespace | Always | application_admin_role |
| ServiceAccount | Post-sync migration service account | AI Service namespace | Always | application_admin_role |
| Role | Post-sync migration roles | AI Service namespace | Always | application_admin_role |
| RoleBinding | Post-sync migration role binding | AI Service namespace | Always | application_admin_role |
| NetworkPolicy | Post-sync migration network policy | AI Service namespace | Always | application_admin_role |
| Job | Post-sync migration job | AI Service namespace | Always | application_admin_role |

Configuration¤

This chart accepts the following configuration values in the ArgoCD Application values:

ibm_aiservice:
  aiservice_instance_id: string
  aiservice_namespace: string
  ibm_entitlement_key: string (secret reference)

  # DRO Configuration
  drocfg_registration_key: string (secret reference)
  drocfg_url: string (secret reference)
  drocfg_ca_b64enc: string (secret reference)
  aiservice_dro_token_secret: string
  aiservice_dro_cacert_secret: string

  environment_type: string

  # S3 Configuration
  aiservice_s3_endpoint_url: string
  aiservice_s3_bucket_prefix: string
  aiservice_s3_templates_bucket: string
  aiservice_s3_tenants_bucket: string
  aiservice_s3_secret: string
  aiservice_s3_ssl: string
  aiservice_s3_accesskey: string (secret reference)
  aiservice_s3_secretkey: string (secret reference)
  aiservice_s3_host: string (secret reference)
  aiservice_s3_port: string
  aiservice_s3_region: string (secret reference)

  # JDBC Configuration
  jdbccfg_username: string (secret reference)
  jdbccfg_password: string (secret reference)
  jdbccfg_url: string (secret reference)
  jdbccfg_sslenabled: string (secret reference)
  jdbccfg_ca_b64enc: string (secret reference)
  aiservice_jdbc_secret: string
  use_aws_db2: boolean

  # MAS Entitlement
  entitlement_key: string (secret reference)

  # Development Registry Entitlement
  artifactory_token: string (secret reference)

  # Operator Configuration
  aiservice_channel: string
  mas_catalog_source: string
  mas_icr_cp: string
  mas_icr_cpopen: string

  aiservice_domain: string
  in_saas_env: boolean
  aiservice_storage_class: string
  aiservice_operator_log_level: string

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault.
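
A pre-merge check for the rule in the note above, as an added example (not part of the MAS GitOps project): it scans an ibm_aiservice values file and flags every field this page marks "(secret reference)" whose value is not a <path:...> placeholder, without echoing the value. The function names, the constructed sample values and the rule that any <path:...> string counts as a reference are assumptions of this example.

```python
import re

# Fields the ibm_aiservice listing above marks "(secret reference)".
SECRET_REF_KEYS = frozenset({
    "ibm_entitlement_key", "drocfg_registration_key", "drocfg_url",
    "drocfg_ca_b64enc", "aiservice_s3_accesskey", "aiservice_s3_secretkey",
    "aiservice_s3_host", "aiservice_s3_region", "jdbccfg_username",
    "jdbccfg_password", "jdbccfg_url", "jdbccfg_sslenabled",
    "jdbccfg_ca_b64enc", "entitlement_key", "artifactory_token",
})

# Assumption of this example: any <path:...> string is a vault placeholder.
PLACEHOLDER = re.compile(r"^<path:[^<>\s]+>$")
# Matches "key: value" and "key:" lines; YAML list items do not match.
KEY_LINE = re.compile(r"^\s*(?P<key>[A-Za-z0-9_./-]+):(?:\s+(?P<value>.*))?\s*$")


def clean_scalar(raw):
    """Return a scalar without surrounding quotes or a trailing comment."""
    if raw[:1] in ('"', "'"):
        end = raw.find(raw[0], 1)
        return raw[1:end] if end != -1 else raw[1:]
    return re.split(r"\s+#", raw, maxsplit=1)[0].strip()


def lint_values(text, top_key="ibm_aiservice", secret_keys=SECRET_REF_KEYS):
    """Return (line, dotted.path, reason) for each secret field that is not a
    vault placeholder. The offending value is never included, so the findings
    are safe to print in CI logs. This is a minimal scanner for the nested
    "key: value" layout shown on this page, not a full YAML parser."""
    findings = []
    stack = []           # (indent, key) of the enclosing mappings
    block_indent = None  # indent of the key that opened a | or > block scalar
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if block_indent is not None:
            if indent > block_indent:
                continue          # body of a block scalar, not a key
            block_indent = None
        match = KEY_LINE.match(line)
        if not match:
            continue
        while stack and stack[-1][0] >= indent:
            stack.pop()
        key = match.group("key")
        raw = (match.group("value") or "").strip()
        if raw.startswith("#"):
            raw = ""              # "key:   # comment" carries no value
        opens_block = raw[:1] in ("|", ">")
        path = ".".join([k for _, k in stack] + [key])
        if key in secret_keys and path.startswith(top_key + "."):
            value = clean_scalar(raw)
            if opens_block:
                findings.append((lineno, path, "inline-block"))
            elif not value:
                findings.append((lineno, path, "empty"))
            elif not PLACEHOLDER.match(value):
                findings.append((lineno, path, "plaintext"))
        if opens_block:
            block_indent = indent
        elif raw == "":
            stack.append((indent, key))   # key opens a nested mapping
    return findings


# Constructed sample values file (not taken from any real deployment).
SAMPLE_VALUES = '''\
ibm_aiservice:
  aiservice_instance_id: inst1
  aiservice_namespace: aiservice-inst1
  ibm_entitlement_key: "<path:secrets/example/entitlement:key>"
  # JDBC Configuration
  jdbccfg_username: <path:secrets/example/jdbc:username>
  jdbccfg_password: Sup3rS3cret!      # pasted in by hand
  jdbccfg_ca_b64enc: |
    LS0tLS1CRUdJTi4uLg==
  aiservice_s3_secretkey: ""
  aiservice_s3_port: "443"
'''

if __name__ == "__main__":
    for lineno, path, reason in lint_values(SAMPLE_VALUES):
        print(f"line {lineno}: {path}: {reason}")
```

Run as a pre-commit or CI step, a non-empty result should fail the build so a literal credential never reaches the Git history that ArgoCD syncs from.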

Base Instance Values¤

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM AI Service Tenant¤

Helm chart link: 115-ibm-aiservice-tenant

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| Namespace | AI Service tenant namespace | Tenant namespace | Always | application_admin_role |
| Secret | Tenant RSL/SLS/DRO/WX secrets | Tenant namespace | Always | application_admin_role |
| OperatorGroup | AI Service tenant operator group | Tenant namespace | Always | application_admin_role |
| Subscription | AI Service tenant operator subscription | Tenant namespace | Always | application_admin_role |
| AIServiceTenant | AI Service tenant CR | Tenant namespace | Always | application_admin_role |
| ServiceAccount | Migration and post-sync service accounts | Tenant namespace | Always | application_admin_role |
| Role | Migration and post-sync roles | Tenant namespace | Always | application_admin_role |
| RoleBinding | Migration and post-sync role bindings | Tenant namespace | Always | application_admin_role |
| NetworkPolicy | Tenant migration and ingress network policies | Tenant namespace | Always | application_admin_role |
| Job | Migration, post-sync, and secret setup jobs | Tenant namespace | Always | application_admin_role |

Configuration¤

This chart accepts the following configuration values in the ArgoCD Application values:

ibm_aiservice_tenant:
  # AI Service Configuration
  tenant_id: string
  aiservice_namespace: string
  aiservice_instance_id: string
  catalog_channel: string
  catalog_source: string
  tenantNamespace: string

  mas_icr_cp: string
  mas_icr_cpopen: string

  # DRO Configuration
  drocfg_url: string
  drocfg_registration_key: string (secret reference)
  drocfg_ca_b64enc: string (secret reference)

  # SLS Configuration
  slscfg_ca_b64enc: string (secret reference)
  slscfg_url: string (secret reference)
  slscfg_registration_key: string (secret reference)
  aiservice_sls_subscription_id: string

  # RSL Configuration
  rsl_url: string
  rsl_org_id: string (secret reference)
  rsl_token: string (secret reference)
  rsl_ca_crt: string (secret reference)

  # S3 Configuration for Manage Job
  aiservice_s3_accesskey: string (secret reference)
  aiservice_s3_secretkey: string (secret reference)
  aiservice_s3_region: string (secret reference)

  # WatsonX Configuration
  aiservice_watsonxai_url: string
  aiservice_watsonxai_project_id: string (secret reference)
  aiservice_watsonxai_apikey: string (secret reference)
  aiservice_watsonxai_on_prem: string
  aiservice_watsonxai_ca_crt: string (secret reference, optional)
  aiservice_watsonxai_instance_id: string
  aiservice_watsonxai_username: string
  aiservice_watsonxai_version: string
  aiservice_watsonxai_verify: string

  # Tenant Entitlement
  tenant_entitlement_type: string
  tenant_entitlement_start_date: string
  tenant_entitlement_end_date: string

  aiservice_operator_log_level: string

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault.

Base Instance Values¤

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM Db2u Database¤

Helm chart link: 120-ibm-db2u-database

Contains a presync hook (00-presync-await-crd_Job.yaml) that ensures we wait for the db2uclusters CRD to be installed before attempting to sync.

Contains a job that runs last (05-postsync-setup-db2_Job.yaml). It registers the ${ACCOUNT_ID}/${CLUSTER_ID}/${MAS_INSTANCE_ID}/db2/${DB2_INSTANCE_NAME}/config secret in the Secrets Vault, which is used to share some information generated at runtime with other ArgoCD Applications. This job also performs some special configuration steps that are required if the Db2u database is intended for use by the Manage MAS Application.

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| StorageClass | Db2 storage class definitions | DB2 application namespace / cluster | When storage classes are managed by this chart | application_admin_role |
| ServiceAccount | Pre/post-sync DB2 job service accounts | DB2 application namespace | Always | application_admin_role |
| Role | Pre/post-sync DB2 job roles | DB2 application namespace and related namespaces | Always | application_admin_role |
| RoleBinding | Pre/post-sync DB2 job role bindings | DB2 application namespace and related namespaces | Always | application_admin_role |
| Issuer | DB2 TLS issuers | DB2 application namespace | Always | application_admin_role |
| Certificate | DB2 TLS certificates | DB2 application namespace | Always | application_admin_role |
| Db2uInstance | Db2u instance CR | DB2 application namespace | Always | application_admin_role |
| CronJob | Db2 backup cron job | DB2 application namespace | When backups are enabled | application_admin_role |
| ConfigMap | Db2 script/config maps | DB2 application namespace | Always | application_admin_role |
| Route | Db2 TLS route | DB2 application namespace | When route exposure is enabled | application_admin_role |
| Service | Db2 services, including HADR services | DB2 application namespace | Always | application_admin_role |
| Secret | Post-sync DB2 generated secret | DB2 application namespace | Always | application_admin_role |
| NetworkPolicy | HADR network policy | DB2 application namespace | When HADR is enabled | application_admin_role |
| Job | Pre/post-sync DB2 setup jobs | DB2 application namespace | Always | application_admin_role |

Configuration¤

This chart accepts the following configuration values in the ArgoCD Application values:

db2_namespace: string
db2_instance_name: string
db2_dbname: string
db2_version: string
db2_tls_version: string
db2_table_org: string
db2_node_label: string
db2_dedicated_node: string
replica_db: string

# Instance Registry Configuration
db2_instance_registry:
  key: value

# Database Configuration
db2_database_db_config:
  key: value

# Audit Configuration (optional)
db2_addons_audit_config:
  key: value

# DBM Configuration (optional)
db2_instance_dbm_config:
  key: value

# Cluster Configuration
db2_mln_count: string
db2_num_pods: string

# Storage Configuration
db2_meta_storage_class: string
db2_meta_storage_size: string
db2_meta_storage_accessmode: string
db2_data_storage_class: string
db2_data_storage_size: string
db2_data_storage_accessmode: string
db2_backup_storage_class: string
db2_backup_storage_size: string
db2_backup_storage_accessmode: string
db2_logs_storage_class: string
db2_logs_storage_size: string
db2_logs_storage_accessmode: string
db2_audit_logs_storage_class: string
db2_audit_logs_storage_size: string
db2_audit_logs_storage_accessmode: string

# Optional Storage
db2_temp_storage_class: string (optional)
db2_temp_storage_size: string (optional)
db2_temp_storage_accessmode: string (optional)
db2_archivelogs_storage_class: string (optional)
db2_archivelogs_storage_size: string (optional)
db2_archivelogs_storage_accessmode: string (optional)

# Resource Limits
db2_cpu_requests: string
db2_cpu_limits: string
db2_memory_requests: string
db2_memory_limits: string

# Affinity and Tolerations
db2_affinity_key: string
db2_affinity_value: string
db2_tolerate_key: string
db2_tolerate_value: string
db2_tolerate_effect: string

cluster_domain: string (secret reference)

# MAS Configuration
mas_application_id: string
mas_annotations: (optional)
  key: value

jdbc_route: string
jdbc_connection_url_additional_params: string (optional)
db2_timezone: string

# Storage Class Definitions (optional)
storage_class_definitions:
  key: value

# Backup Configuration
auto_backup: boolean
db2_backup_bucket_name: string (secret reference, when backup enabled)
db2_backup_bucket_endpoint: string (secret reference, when backup enabled)
db2_backup_bucket_access_key: string (secret reference, when backup enabled)
db2_backup_bucket_secret_key: string (secret reference, when backup enabled)
db2_backup_notify_slack_url: string (optional, when backup enabled)
db2_backup_icd_auth_key: string (secret reference, optional, when backup enabled)

allow_list: string (optional)

# Production Database Access (optional)
production_database_access:
  type: string

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault.

Base Instance Values¤

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM DBS RDS Database¤

Helm chart link: 120-ibm-dbs-rds-database

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| ConfigMap | RDS setup and backup script config maps | Application namespace | Always | application_admin_role |
| Secret | RDS post-sync generated secret | Application namespace | When post-sync setup runs | application_admin_role |
| Job | RDS post-sync setup job | Application namespace | Always | application_admin_role |
| CronJob | RDS backup cron jobs | Application namespace | When backups are enabled | application_admin_role |

Configuration¤

This chart accepts the following configuration values in the ArgoCD Application values:

db2_namespace: string
mas_application_id: string
db2_instance_name: string
host: string (secret reference)
port: string (secret reference)
dbname: string (secret reference)
rds_admin_db_name: string (secret reference)
user: string (secret reference)
password: string (secret reference)
jdbc_connection_url: string (secret reference)
jdbc_connection_url_additional_params: string (optional)
replica_db: string

# Database Configuration (optional)
db2_database_db_config:
  key: value

# Backup Configuration (optional)
backup:
  enabled: boolean
  s3_bucket_name: string
  s3_prefix: string
  compression: string
  util_impact_priority: number
  num_files: number
  parallelism: number
  num_buffers: number
  full:
    enabled: boolean
    schedule: string (cron format)

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault.

Base Instance Values¤

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM Spark¤

Helm chart link: 120-ibm-spark

Spark extends Jupyter notebook features inside Watson Studio notebooks, which can be leveraged by Maximo Predict data sets.

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| Subscription | Spark operator subscription | CP4D instance namespace | Always | application_admin_role |
| AnalyticsEngine | Spark service CR | CP4D instance namespace | Always | application_admin_role |
| ServiceAccount | Spark control-plane service account | CP4D instance namespace | When control-plane job is enabled | application_admin_role |
| ClusterRole | Spark control-plane cluster roles | N/A (cluster-scoped) | When control-plane job is enabled | application_admin_role |
| ClusterRoleBinding | Spark control-plane cluster role binding | N/A (cluster-scoped) | When control-plane job is enabled | application_admin_role |
| Job | Spark control-plane job | CP4D instance namespace | When control-plane job is enabled | application_admin_role |

Configuration¤

This chart accepts the following configuration values in the ArgoCD Application values:

ibm_spark:
  ccs_version: string (secret reference)
  cpd_service_block_storage_class: string
  cpd_service_scale_config: string
  cpd_service_storage_class: string
  spark_channel: string (secret reference)
  spark_version: string (secret reference)
  spark_install_plan: string

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault.

Base Instance Values¤

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM SPSS¤

Helm chart link: 120-ibm-spss

SPSS Modeler is an optional dependency for Predict.

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| Subscription | SPSS operator subscriptions | CP4D instance namespace | Always | application_admin_role |
| Spss | SPSS service CR | CP4D instance namespace | Always | application_admin_role |

Configuration¤

This chart accepts the following configuration values in the ArgoCD Application values:

ibm_spss:
  ccs_version: string (secret reference)
  cpd_service_block_storage_class: string
  cpd_service_scale_config: string
  cpd_service_storage_class: string
  spss_channel: string (secret reference)
  spss_version: string (secret reference)
  spss_install_plan: string
  canvasbase_channel: string (secret reference)
  canvasbase_install_plan: string

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault.

Base Instance Values¤

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM WML¤

Helm chart link: 120-ibm-wml

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| Subscription | WML operator subscription | CP4D instance namespace | Always | application_admin_role |
| WmlBase | Watson Machine Learning service CR | CP4D instance namespace | Always | application_admin_role |

Configuration¤

This chart accepts the following configuration values in the ArgoCD Application values:

ibm_wml:
  ccs_version: string (secret reference)
  cpd_service_block_storage_class: string
  cpd_service_scale_config: string
  cpd_service_storage_class: string
  wml_channel: string (secret reference)
  wml_version: string (secret reference)
  wml_install_plan: string

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault.

Base Instance Values¤

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM WSL¤

Helm chart link: 120-ibm-wsl

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| Subscription | WSL operator subscription | CP4D instance namespace | Always | application_admin_role |
| WS | Watson Studio Local service CR | CP4D instance namespace | Always | application_admin_role |
| ServiceAccount | WSL post-verify service account | CP4D instance namespace | Always | application_admin_role |
| Role | WSL post-verify roles | CP4D instance namespace | Always | application_admin_role |
| RoleBinding | WSL post-verify role binding | CP4D instance namespace | Always | application_admin_role |
| Secret | WSL post-verify runtime secret | CP4D instance namespace | Always | application_admin_role |
| Job | WSL post-verify job | CP4D instance namespace | Always | application_admin_role |

Configuration¤

This chart accepts the following configuration values in the ArgoCD Application values:

ibm_wsl:
  cpd_service_storage_class: string
  cpd_service_block_storage_class: string
  cpd_service_scale_config: string
  wsl_version: string (secret reference)
  wsl_channel: string (secret reference)
  ccs_version: string (secret reference)
  datarefinery_version: string (secret reference)
  ws_runtimes_version: string (secret reference)
  wsl_install_plan: string

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault.

Base Instance Values¤

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM Db2u JDBC Config Rotate Password¤

Helm chart link: 130-ibm-db2u-jdbc-config-rotate-password

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| Secret | DB2U JDBC credential secret | MAS core namespace | Always | application_admin_role |

IBM JDBC Config¤

Helm chart link: 130-ibm-jdbc-config

Creates a JdbcCfg CR instance and the associated credentials secret for use by MAS.

Contains a post-delete hook (postdelete-delete-cr.yaml) that will ensure the config CR is deleted when the ArgoCD application managing this chart is deleted (this will not happen by default as the config CR is asserted to be owned by the Suite CR by the MAS entity managers).

If using incluster-db2, a pre-sync hook (00-presync-create-db2-user_Job.yaml) will run that sets up an LDAP user in DB2 with the credentials provided in the JDBC config.

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| Secret | JDBC credential and pre-sync runtime secrets | MAS core namespace and database namespaces | Always | application_admin_role |
| ServiceAccount | DB2 user management service accounts | MAS core namespace | When DB2 user management hooks run | application_admin_role |
| Role | DB2 user management roles | MAS core namespace and database namespaces | When DB2 user management hooks run | application_admin_role |
| RoleBinding | DB2 user management role bindings | Database namespaces | When DB2 user management hooks run | application_admin_role |
| NetworkPolicy | DB2/RDS user management network policies | MAS core namespace | When pre-sync user management jobs run | application_admin_role |
| Job | Pre-sync and post-delete JDBC management jobs | MAS core namespace | Always | application_admin_role |
| JdbcCfg | MAS JDBC configuration CR | MAS core namespace | Always | application_admin_role |

Configuration¤

This chart accepts the following configuration values in the ArgoCD Application values:

mas_config_name: string
mas_config_chart: string
mas_config_scope: string
mas_workspace_id: string
mas_application_id: string
mas_config_kind: string
mas_config_api_version: string
use_postdelete_hooks: boolean

jdbc_type: string
jdbc_instance_name: string (or secret reference)
jdbc_instance_username: string (secret reference)
jdbc_instance_password: string (secret reference)
mas_config_dir: string
jdbc_connection_url: string (secret reference)
jdbc_route: string

# For incluster-db2 type
db2_dbname: string (secret reference, optional)
db2_namespace: string (secret reference, optional)

# Label configurations
app_suite_jdbccfg_labels:
  mas.ibm.com/applicationId: string
  mas.ibm.com/configScope: string
  mas.ibm.com/instanceId: string

system_suite_jdbccfg_labels:
  mas.ibm.com/configScope: string
  mas.ibm.com/instanceId: string

ws_suite_jdbccfg_labels:
  mas.ibm.com/configScope: string
  mas.ibm.com/instanceId: string
  mas.ibm.com/workspaceId: string

wsapp_suite_jdbccfg_labels:
  mas.ibm.com/applicationId: string
  mas.ibm.com/configScope: string
  mas.ibm.com/instanceId: string
  mas.ibm.com/workspaceId: string

jdbc_ca_pem:
  crt: string (multiline, base64 decoded from secret)

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault. This chart does not use a top-level key wrapper.

Base Instance Values¤

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM Kafka Config¤

Helm chart link: 130-ibm-kafka-config

Contains a post-delete hook (postdelete-delete-cr.yaml) that will ensure the config CR is deleted when the ArgoCD application managing this chart is deleted (this will not happen by default as the config CR is asserted to be owned by the Suite CR by the MAS entity managers).

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| Secret | Kafka credential secret | MAS core namespace | Always | application_admin_role |
| KafkaCfg | MAS Kafka configuration CR | MAS core namespace | Always | application_admin_role |
| Job | Post-delete Kafka configuration cleanup job | MAS core namespace | When use_postdelete_hooks is enabled | application_admin_role |

Configuration¤

This chart accepts the following configuration values in the ArgoCD Application values:

mas_config_name: string
mas_config_chart: string
mas_config_scope: string
mas_workspace_id: string
mas_application_id: string
mas_config_kind: string
mas_config_api_version: string
use_postdelete_hooks: boolean

suite_kafka_username: string (secret reference)
suite_kafka_password: string (secret reference)

kafka_config:
  config:
    hosts:
      - host: string
        port: number
    credentials:
      secretName: string
    saslMechanism: string
  certificates:
    - alias: string
      crt: string (multiline)

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault. This chart does not use a top-level key wrapper.

Base Instance Values¤

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM MAS App Config

Helm chart link: 130-ibm-mas-app-config

Contains a post-delete hook (postdelete-delete-cr.yaml) that will ensure the config CR is deleted when the ArgoCD application managing this chart is deleted (this will not happen by default as the config CR is asserted to be owned by the Suite CR by the MAS entity managers).

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| AppCfg | MAS application configuration CR | MAS core namespace | Always | application_admin_role |
| Job | Post-delete app configuration cleanup job | MAS core namespace | When use_postdelete_hooks is enabled | application_admin_role |

Configuration

This chart accepts the following configuration values in the ArgoCD Application values:

mas_config_name: string
mas_config_chart: string
mas_config_scope: string
mas_workspace_id: string
mas_application_id: string
mas_config_kind: string
mas_config_api_version: string
use_postdelete_hooks: boolean

system_appcfg_labels:
  mas.ibm.com/configScope: string
  mas.ibm.com/instanceId: string

maf_enabled: boolean

persistentVolume:
  name: string
  size: string
  storageClassName: string

# Pod Templates (optional)
mas_appcfg_pod_templates:
  key: value

Note: This chart does not use a top-level key wrapper.

Base Instance Values

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM MAS BAS Config

Helm chart link: 130-ibm-mas-bas-config

Contains a post-delete hook (postdelete-delete-cr.yaml) that will ensure the config CR is deleted when the ArgoCD application managing this chart is deleted (this will not happen by default as the config CR is asserted to be owned by the Suite CR by the MAS entity managers).

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| Secret | DRO API token secret | MAS core namespace | Always | application_admin_role |
| BasCfg | MAS BAS configuration CR | MAS core namespace | Always | application_admin_role |
| Job | Post-delete BAS configuration cleanup job | MAS core namespace | When use_postdelete_hooks is enabled | application_admin_role |

Configuration

This chart accepts the following configuration values in the ArgoCD Application values:

mas_config_name: string
mas_config_chart: string
mas_config_scope: string
mas_workspace_id: string
mas_application_id: string
mas_config_kind: string
mas_config_api_version: string
use_postdelete_hooks: boolean

dro_api_token: string (secret reference)
dro_endpoint_url: string (secret reference)
mas_segment_key: string (secret reference, optional)

# Pod Templates (optional)
mas_bascfg_pod_templates:
  key: value

dro_contact:
  email: string
  first_name: string
  last_name: string

dro_ca:
  crt: string (multiline)

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault. This chart does not use a top-level key wrapper.

Base Instance Values

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM MAS IDP Config

Helm chart link: 130-ibm-mas-idp-config

Currently only supports LDAP.

Contains a post-delete hook (postdelete-delete-cr.yaml) that will ensure the config CR is deleted when the ArgoCD application managing this chart is deleted (this will not happen by default as the config CR is asserted to be owned by the Suite CR by the MAS entity managers).

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| Secret | LDAP credential secret | MAS core namespace | Always | application_admin_role |
| IDPCfg | MAS IDP configuration CR | MAS core namespace | Always | application_admin_role |
| Job | Post-delete IDP configuration cleanup job | MAS core namespace | When use_postdelete_hooks is enabled | application_admin_role |

Configuration

This chart accepts the following configuration values in the ArgoCD Application values:

mas_config_name: string
mas_config_chart: string
mas_config_scope: string
mas_workspace_id: string
mas_application_id: string
mas_config_kind: string
mas_config_api_version: string
use_postdelete_hooks: boolean

suite_ldap_bind_dn: string (secret reference)
suite_ldap_bind_password: string (secret reference)
suite_ldap_display_name: string
suite_ldap_url: string
suite_ldap_basedn: string
suite_ldap_userid_map: string

suite_ldap_certificate:
  crt: string (multiline)

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault. This chart does not use a top-level key wrapper.

Base Instance Values

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM MAS Mongo Config

Helm chart link: 130-ibm-mas-mongo-config

Contains a post-delete hook (postdelete-delete-cr.yaml) that will ensure the config CR is deleted when the ArgoCD application managing this chart is deleted (this will not happen by default as the config CR is asserted to be owned by the Suite CR by the MAS entity managers).

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| Secret | Mongo credential secret | MAS core namespace | Always | application_admin_role |
| MongoCfg | MAS Mongo configuration CR | MAS core namespace | Always | application_admin_role |
| Job | Post-delete Mongo configuration cleanup job | MAS core namespace | When use_postdelete_hooks is enabled | application_admin_role |

Configuration

This chart accepts the following configuration values in the ArgoCD Application values:

mas_config_name: string
mas_config_chart: string
mas_config_scope: string
mas_workspace_id: string
mas_application_id: string
mas_config_kind: string
mas_config_api_version: string
use_postdelete_hooks: boolean

username: string (secret reference)
password: string (secret reference)

config:
  hosts:
    - host: string
      port: number
  authMechanism: string
  configDb: string
  retryWrites: boolean (optional)
  credentials:
    secretName: string

certificates:
  - alias: string
    crt: string (multiline)

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault. This chart does not use a top-level key wrapper.

Base Instance Values

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM MAS SLS Config

Helm chart link: 130-ibm-mas-sls-config

Contains a post-delete hook (postdelete-delete-cr.yaml) that will ensure the config CR is deleted when the ArgoCD application managing this chart is deleted (this will not happen by default as the config CR is asserted to be owned by the Suite CR by the MAS entity managers).

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| Secret | SLS registration secret | MAS core namespace | Always | application_admin_role |
| SlsCfg | MAS SLS configuration CR | MAS core namespace | Always | application_admin_role |
| Job | Post-delete SLS configuration cleanup job | MAS core namespace | When use_postdelete_hooks is enabled | application_admin_role |

Configuration

This chart accepts the following configuration values in the ArgoCD Application values:

mas_config_name: string
mas_config_chart: string
mas_config_scope: string
mas_workspace_id: string
mas_application_id: string
mas_config_kind: string
mas_config_api_version: string
use_postdelete_hooks: boolean

# Pod Templates (optional)
mas_slscfg_pod_templates:
  key: value

registration_key: string (secret reference)
url: string (or secret reference)

ca:
  crt: string (multiline, base64 decoded from secret)

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault. This chart does not use a top-level key wrapper.

Base Instance Values

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM MAS SMTP Config

Helm chart link: 130-ibm-mas-smtp-config

Contains a post-delete hook (postdelete-delete-cr.yaml) that will ensure the config CR is deleted when the ArgoCD application managing this chart is deleted (this will not happen by default as the config CR is asserted to be owned by the Suite CR by the MAS entity managers).

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| Secret | SMTP credential secret | MAS core namespace | Always | application_admin_role |
| SmtpCfg | MAS SMTP configuration CR | MAS core namespace | Always | application_admin_role |
| Job | Post-delete SMTP configuration cleanup job | MAS core namespace | When use_postdelete_hooks is enabled | application_admin_role |

Configuration

This chart accepts the following configuration values in the ArgoCD Application values:

mas_config_name: string
mas_config_chart: string
mas_config_scope: string
mas_workspace_id: string
mas_application_id: string
mas_config_kind: string
mas_config_api_version: string
use_postdelete_hooks: boolean

suite_smtp_username: string (secret reference)
suite_smtp_password: string (secret reference)
suite_smtp_display_name: string
suite_smtp_host: string
suite_smtp_port: string
suite_smtp_security: string
suite_smtp_authentication: string
suite_smtp_default_sender_email: string
suite_smtp_default_sender_name: string
suite_smtp_default_recipient_email: string
suite_smtp_default_should_email_passwords: string

# Pod Templates (optional)
mas_smtpcfg_pod_templates:
  key: value

# Disabled Templates (optional)
suite_smtp_disabled_templates: string

# CA Certificate (optional)
smtp_config_ca_certificate:
  crt: string (multiline)

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault. This chart does not use a top-level key wrapper.

Base Instance Values

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM MAS Suite

Helm chart link: 130-ibm-mas-suite

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| ClusterIssuer | IBM CIS cluster issuers | N/A (cluster-scoped) | When CIS integration is enabled | application_admin_role |
| OperatorGroup | IBM MAS operator group | MAS core namespace | Always | application_admin_role |
| Secret | Suite certificate and entitlement secrets | MAS core namespace | Always | application_admin_role |
| Subscription | IBM MAS operator subscription | MAS core namespace | Always | application_admin_role |
| Suite | MAS Suite CR | MAS core namespace | Always | application_admin_role |
| NetworkPolicy | Post-sync and post-delete job network policies | MAS core namespace | When associated jobs are enabled | application_admin_role |
| ServiceAccount | Post-sync and post-delete job service accounts | MAS core namespace | When associated jobs are enabled | application_admin_role |
| Role | Post-sync and post-delete job roles | MAS core namespace | When associated jobs are enabled | application_admin_role |
| RoleBinding | Post-sync and post-delete job role bindings | MAS core namespace | When associated jobs are enabled | application_admin_role |
| Job | Post-sync suite configuration jobs | MAS core namespace | When associated jobs are enabled | application_admin_role |
| ConfigMap | Suite helper and runtime configuration config maps | MAS core namespace | When associated jobs or certificate management features are enabled | application_admin_role |

Configuration

This chart accepts the following configuration values in the ArgoCD Application values:

ibm_mas_suite:
  cert_manager_namespace: string
  ibm_entitlement_key: string (secret reference)
  domain: string
  mas_feature_usage: string
  mas_deployment_progression: string
  mas_usability_metrics: string

  # DNS Configuration (optional)
  dns_provider: string
  mas_workspace_id: string
  mas_config_dir: string
  mas_domain: string
  ocp_cluster_domain: string

  # CIS Configuration (optional, when dns_provider is 'cis')
  cis_mas_domain: string
  cis_subdomain: string
  cis_email: string
  cis_crn: string
  cis_apikey: string (secret reference)
  cis_enhanced_security: string
  cis_proxy: string
  cis_waf: string
  cis_service_name: string
  update_dns_entries: string
  delete_wildcards: string
  override_edge_certs: string

  # Operator Configuration
  mas_channel: string
  mas_install_plan: string
  icr_cp: string
  icr_cp_open: string

  # Certificate Management
  mas_manual_cert_mgmt: boolean
  routing_mode: string (optional)
  ingress_controller_name: string (optional)

  # Annotations and Labels (optional)
  mas_annotations:
    key: value
  mas_labels:
    key: value
  mas_image_tags:
    key: value

  # Manual Certificates (optional)
  ca_cert: string
  tls_cert: string
  tls_key: string
  manual_certs:
    key: value

  # Pod Templates (optional)
  mas_pod_templates:
    key: value

  # OIDC Configuration (optional)
  oidc:
    key: value

  # Additional Configuration (optional)
  allow_list: string
  suite_spec_additional_properties:
    key: value
  suite_spec_settings_additional_properties:
    key: value
  internal_certificate_authority: string
  welcome_message: string (multiline)

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault.

Base Instance Values

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM Object Storage Config

Helm chart link: 130-ibm-objectstorage-config

Contains a post-delete hook (postdelete-delete-cr.yaml) that will ensure the config CR is deleted when the ArgoCD application managing this chart is deleted (this will not happen by default as the config CR is asserted to be owned by the Suite CR by the MAS entity managers).

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| Secret | Object storage credential secret | MAS core namespace | Always | application_admin_role |
| ObjectStorageCfg | MAS object storage configuration CR | MAS core namespace | Always | application_admin_role |
| Job | Post-delete object storage configuration cleanup job | MAS core namespace | When use_postdelete_hooks is enabled | application_admin_role |

Configuration

This chart accepts the following configuration values in the ArgoCD Application values:

mas_config_name: string
mas_config_chart: string
mas_config_scope: string
mas_workspace_id: string
mas_application_id: string
mas_config_kind: string
mas_config_api_version: string
use_postdelete_hooks: boolean

suite_objectstorage_username: string (secret reference)
suite_objectstorage_password: string (secret reference)

objectstorage_config:
  config:
    url: string
    credentials:
      secretName: string
  certificates:
    - alias: string
      crt: string (multiline)

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault. This chart does not use a top-level key wrapper.

Base Instance Values

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM Watson Studio Config

Helm chart link: 130-ibm-watson-studio-config

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| Secret | Watson Studio credential secret | MAS core namespace | Always | application_admin_role |
| WatsonStudioCfg | Watson Studio configuration CR | MAS core namespace | Always | application_admin_role |

Configuration

This chart accepts the following configuration values in the ArgoCD Application values:

mas_config_chart: string
mas_config_name: string
mas_config_scope: string
mas_workspace_id: string
mas_application_id: string
mas_config_kind: string
mas_config_api_version: string
use_postdelete_hooks: boolean

suite_watson_studio_secret_name: string

suite_wscfg_labels:
  mas.ibm.com/applicationId: string
  mas.ibm.com/configScope: string
  mas.ibm.com/instanceId: string
  mas.ibm.com/workspaceId: string

suite_watson_studio_username: string (secret reference)
suite_watson_studio_password: string (secret reference)

watson_studio_config:
  config:
    credentials:
      secretName: string
    endpoint: string (secret reference)
  displayName: string
  type: string

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault. This chart does not use a top-level key wrapper.

Base Instance Values

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM MAS Workspace

Helm chart link: 220-ibm-mas-workspace

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| Workspace | MAS workspace CR | MAS core namespace | Always | application_admin_role |
| NetworkPolicy | Post-sync workspace label job network policy | MAS core namespace | When post-sync job is enabled | application_admin_role |
| ServiceAccount | Post-sync workspace label service account | MAS core namespace | When post-sync job is enabled | application_admin_role |
| Role | Post-sync workspace label roles | MAS core namespace | When post-sync job is enabled | application_admin_role |
| RoleBinding | Post-sync workspace label role binding | MAS core namespace | When post-sync job is enabled | application_admin_role |
| Job | Post-sync workspace label job | MAS core namespace | When post-sync job is enabled | application_admin_role |

Configuration

This chart accepts the following configuration values in the ArgoCD Application values:

mas_workspace_id: string
mas_workspace_name: string
allow_list: string (optional)

Note: This chart does not use a top-level key wrapper. Values are specified at the root level.

Base Instance Values

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM MAS Suite App Install

Helm chart link: 500-540-ibm-mas-suite-app-install

Certain templates are enabled only for specific MAS editions (mas_edition) and/or applications (mas_app_id).

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| StorageClass | Application-specific storage classes | Application namespace / cluster | When required by the target MAS app | application_admin_role |
| ConfigMap | Placeholder and JVM/custom config maps | Application namespace | When required by the target MAS app | application_admin_role |
| NetworkPolicy | Pre/post-sync SCC job network policies | Application namespace | When sync hook jobs are enabled | application_admin_role |
| ServiceAccount | Pre/post-sync SCC job service accounts | Application namespace | When sync hook jobs are enabled | application_admin_role |
| ClusterRole | SCC management cluster roles | N/A (cluster-scoped) | When sync hook jobs are enabled | application_admin_role |
| ClusterRoleBinding | SCC management cluster role bindings | N/A (cluster-scoped) | When sync hook jobs are enabled | application_admin_role |
| Secret | Entitlement and suite certificate secrets | Application namespace | When required by the target MAS app | application_admin_role |
| OperatorGroup | MAS application operator group | Application namespace | When required by the target MAS app | application_admin_role |
| ResourceQuota | MVI resource quota | Application namespace | When required by the target MAS app | application_admin_role |
| Subscription | MAS application operator subscription | Application namespace | When required by the target MAS app | application_admin_role |
| Job | Pre/post-sync SCC and helper jobs | Application namespace | When sync hook jobs are enabled | application_admin_role |

Configuration

This chart accepts the following configuration values in the ArgoCD Application values:

ibm_suite_app_{mas_app_id}_install:
  ibm_entitlement_key: string (secret reference)
  mas_instance_id: string
  mas_app_id: string
  mas_app_install_plan: string
  mas_edition: string
  mas_app_namespace: string
  mas_app_channel: string
  mas_app_catalog_source: string
  mas_app_api_version: string
  mas_app_kind: string
  run_sync_hooks: boolean

  # Application Specification (optional)
  # Application-specific configuration varies by MAS app

  # Certificate Management
  mas_manual_cert_mgmt: boolean
  public_tls_secret_name: string (optional)
  ca_cert: string (optional)
  tls_cert: string (optional)
  tls_key: string (optional)

  # GPU Configuration (optional)
  gpu_request_quota: string

  # Storage Configuration (optional)
  storage_class_definitions:
    key: value

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault. The top-level key uses the pattern ibm_suite_app_{mas_app_id}_install where {mas_app_id} is replaced with the actual application ID (e.g., manage, monitor, predict).

Base Instance Values

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


IBM MAS Suite App Config

Helm chart link: 510-550-ibm-mas-suite-app-config

Certain templates are enabled only for specific MAS applications (mas_app_id).

Resources Created

| Resource Type | Resource Name | Namespace | Condition | Installed By |
| --- | --- | --- | --- | --- |
| StorageClass | Application configuration storage classes | Application namespace / cluster | When required by the target MAS app | application_admin_role |
| ConfigMap | Placeholder, sanity/verify scripts, and runtime config maps | Application namespace | When required by the target MAS app | application_admin_role |
| Secret | Application-specific configuration secrets | Application namespace | When required by the target MAS app | application_admin_role |
| NetworkPolicy | Post-sync and recurring job network policies | Application namespace | When associated jobs are enabled | application_admin_role |
| ServiceAccount | Post-sync and recurring job service accounts | Application namespace | When associated jobs are enabled | application_admin_role |
| Role | Post-sync and recurring job roles | Application namespace | When associated jobs are enabled | application_admin_role |
| RoleBinding | Post-sync and recurring job role bindings | Application namespace | When associated jobs are enabled | application_admin_role |
| ClusterRole | Verify job cluster roles | N/A (cluster-scoped) | When cluster-level verification is enabled | application_admin_role |
| ClusterRoleBinding | Verify job cluster role bindings | N/A (cluster-scoped) | When cluster-level verification is enabled | application_admin_role |
| CronJob | Recurring update/app-role cron jobs | Application namespace | When associated recurring jobs are enabled | application_admin_role |
| Job | Post-sync verification and helper jobs | Application namespace | When associated jobs are enabled | application_admin_role |

Configuration

This chart accepts the following configuration values in the ArgoCD Application values:

mas_app_id: string
mas_app_namespace: string
mas_app_ws_apiversion: string
mas_app_ws_kind: string
mas_workspace_id: string

# Server Bundles Configuration (optional)
# Application-specific server bundle configuration

# Customization Archives (optional)
customization_archive_secret_names:
  - secret_name: string
    password: string (secret reference)
    username: string (secret reference)

# Manage Logging Configuration (optional)
manage_logging_secret_name: string
manage_logging_access_secret_key: string (secret reference)

# Global Secrets (optional)
# Application-specific global secrets configuration

# Update Schedule (optional)
manage_update_schedule: string

# Facilities Configuration (optional)
facilities_vault_secret_name: string
facilities_vault_secret_value: string (secret reference)
facilities_liberty_extensions_secret_name: string
facilities_liberty_extensions_b64_secret_value: string (secret reference)

# Application Workspace Specification
# Application-specific workspace configuration varies by MAS app

# Certificate Management
mas_manual_cert_mgmt: boolean
run_sanity_test: boolean
public_tls_secret_name: string (optional)
ca_cert: string (optional)
tls_cert: string (optional)
tls_key: string (optional)

# Storage Configuration (optional)
storage_class_definitions:
  key: value

Note: Values marked with "(secret reference)" should use the format <path:secrets/path:key> to reference secrets stored in the Secrets Vault. This chart does not use a top-level key wrapper. Configuration varies significantly by MAS application.
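
A pre-merge check for the rule in the note above, as an added example that is not part of the GitOps repository: it walks already-parsed chart values and reports every field this page marks "(secret reference)" whose value is an inline literal instead of a `<path:...>` placeholder. The function names, the sample values and the decision to validate only the placeholder wrapper (not the separator between path and key) are assumptions.

```python
import re

# Field names this page marks "(secret reference)" for this chart and the
# inherited sm block. Extend the set for other charts.
SECRET_FIELDS = {
    "password", "username",
    "manage_logging_access_secret_key",
    "facilities_vault_secret_value",
    "facilities_liberty_extensions_b64_secret_value",
    "aws_access_key_id", "aws_secret_access_key",
}

# Assumption: only the <path:...> wrapper is checked, with a non-empty body
# that contains no whitespace or angle brackets.
PLACEHOLDER = re.compile(r"<path:[^<>\s]+>")

def is_reference(value):
    """True for unset values and for strings that are exactly one placeholder."""
    if value is None or value == "":
        return True
    return isinstance(value, str) and PLACEHOLDER.fullmatch(value) is not None

def find_inline_secrets(values, prefix=""):
    """Return dotted paths of secret fields that hold a literal value."""
    findings = []
    if isinstance(values, dict):
        for key, val in values.items():
            path = f"{prefix}.{key}" if prefix else str(key)
            if isinstance(val, (dict, list)):
                findings += find_inline_secrets(val, path)
            elif key in SECRET_FIELDS and not is_reference(val):
                findings.append(path)
    elif isinstance(values, list):
        for i, item in enumerate(values):
            findings += find_inline_secrets(item, f"{prefix}[{i}]")
    return findings

# Constructed sample values (not taken from any real deployment).
SAMPLE_VALUES = {
    "mas_app_id": "manage",
    "customization_archive_secret_names": [
        {"secret_name": "archive-a",
         "username": "<path:secrets/example/archive:username>",
         "password": "constructed-inline-password"},
    ],
    "manage_logging_access_secret_key": "<path:secrets/example/logging:key>",
    "facilities_vault_secret_value": "",
    "sm": {"aws_secret_region": "us-east-1",
           "aws_access_key_id": "CONSTRUCTED-INLINE-KEY-ID",
           "aws_secret_access_key": "<path:secrets/example/sm:secret_key>"},
}

if __name__ == "__main__":
    for path in find_inline_secrets(SAMPLE_VALUES):
        print(f"inline secret value at {path}")
```

Run it over the values files in a pull request and fail the check when the returned list is non-empty, so a literal credential is caught before it is committed to Git history.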

Base Instance Values¤

This chart inherits common instance configuration values. The most frequently used base values are:

account:
  id: string                    # Account identifier
  name: string                  # Account name

region:
  id: string                    # Region identifier
  name: string                  # Region name

cluster:
  id: string                    # Cluster identifier
  name: string                  # Cluster name

instance:
  id: string                    # MAS instance identifier

sm:                             # Secrets Manager configuration
  aws_secret_region: string
  aws_access_key_id: string (secret reference)
  aws_secret_access_key: string (secret reference)

For complete documentation of all base instance values including optional fields like custom_labels, argocluster_instance, application_admin_service_account, mas_wipe_mongo_data, allow_list, additional_vpn, application_configuration, use_postdelete_hooks, additional_resources, extensions, enhanced_dr, and cli_image_repo, see the Instance Base Values Reference.


Application Admin RBAC¤

Helm chart link: 600-application-admin-rbac


IBM Post Sync Jobs¤

Helm chart link: 600-ibm-post-sync-jobs

Defines Jobs to perform various tasks that need to happen after MAS applications are installed and ready.

Resources Created¤

| Resource Type | Resource Name | Namespace | Condition | Installed By |
|---|---|---|---|---|
| Secret | Initial user/bootstrap runtime secret | MAS core namespace | Always | application_admin_role |
| NetworkPolicy | Initial user creation network policy | MAS core namespace | Always | application_admin_role |
| ServiceAccount | Initial user creation service account | MAS core namespace | Always | application_admin_role |
| Role | Initial user creation roles | MAS core namespace | Always | application_admin_role |
| RoleBinding | Initial user creation role bindings | MAS core namespace | Always | application_admin_role |
| Job | Initial user creation post-sync job | MAS core namespace | Always | application_admin_role |