ibm-mas · whitfiea · Mar 3, 2026 · Dec 9, 2025 · Dec 11, 2025 · Dec 13, 2025
@@ -3,7 +3,7 @@
     "files": "build/bin/config/oscap/ssg-rhel9-ds.xml|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2026-03-02T06:45:07Z",
+  "generated_at": "2026-03-02T12:58:50Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -564,7 +564,7 @@
         "hashed_secret": "146abac680841f15b3e7b5259e1dfcdd9de49fdd",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 13,
+        "line_number": 17,
         "type": "Secret Keyword",
         "verified_result": null
       }

@@ -14,7 +14,11 @@ Basic Configuration:
   -a, --account-id ${COLOR_YELLOW}ACCOUNT_ID${TEXT_RESET}          Account name that the cluster belongs to
   -c, --cluster-id ${COLOR_YELLOW}CLUSTER_ID${TEXT_RESET}          Cluster ID
 
-  --efs-csi-driver-role-arn ${COLOR_YELLOW}EFS_CSI_DRIVER_ROLE_ARN${TEXT_RESET}    ARN of the IAM Role to assign to the EFS CSI driver
+  -r, --efs-csi-driver-role-arn ${COLOR_YELLOW}EFS_CSI_DRIVER_ROLE_ARN${TEXT_RESET}               ARN of the IAM Role to assign to the EFS CSI driver
+  --efs-catalog-source ${COLOR_YELLOW}EFS_CATALOG_SOURCE${TEXT_RESET}                             EFS catalog source
+  --efs-catalog-source-namespace ${COLOR_YELLOW}EFS_CATALOG_SOURCE_NAMESPACE${TEXT_RESET}         EFS catalog source namespace
+  --efs-channel ${COLOR_YELLOW}EFS_CHANNEL${TEXT_RESET}                                           EFS channel
+  --efs-subscription-source-namespace ${COLOR_YELLOW}EFS_SUBSCRIPTION_SOURCE_NAMESPACE${TEXT_RESET} EFS subscription source namespace
 
 Automatic GitHub Push (Optional):
   -P, --github-push ${COLOR_YELLOW}GITHUB_PUSH${TEXT_RESET}        Enable automatic push to GitHub
@@ -51,10 +55,21 @@ function gitops_efs_csi_driver_noninteractive() {
       -c|--cluster-id)
         export CLUSTER_ID=$1 && shift
         ;;
-
-      --efs-csi-driver-role-arn)
+      -r|--efs-csi-driver-role-arn)
         export EFS_CSI_DRIVER_ROLE_ARN=$1 && shift
         ;;
+      --efs-catalog-source)
+        export EFS_CATALOG_SOURCE=$1 && shift
+        ;;
+      --efs-catalog-source-namespace)
+        export EFS_CATALOG_SOURCE_NAMESPACE=$1 && shift
+        ;;
+      --efs-channel)
+        export EFS_CHANNEL=$1 && shift
+        ;;
+      --efs-subscription-source-namespace)
+        export EFS_SUBSCRIPTION_SOURCE_NAMESPACE=$1 && shift
+        ;;
 
 
       # Automatic GitHub Push
@@ -91,6 +106,11 @@ function gitops_efs_csi_driver_noninteractive() {
       esac
   done
 
+  [[ -z "$EFS_CATALOG_SOURCE" ]] && export EFS_CATALOG_SOURCE="redhat-operators"
+  [[ -z "$EFS_CATALOG_SOURCE_NAMESPACE" ]] && export EFS_CATALOG_SOURCE_NAMESPACE="openshift-marketplace"
+  [[ -z "$EFS_CHANNEL" ]] && export EFS_CHANNEL="stable"
+  [[ -z "$EFS_SUBSCRIPTION_SOURCE_NAMESPACE" ]] && export EFS_SUBSCRIPTION_SOURCE_NAMESPACE="openshift-cluster-csi-drivers"
+
   [[ -z "$GITOPS_WORKING_DIR" ]] && gitops_efs_csi_driver_help "GITOPS_WORKING_DIR is not set"
   [[ -z "$ACCOUNT_ID" ]] && gitops_efs_csi_driver_help "ACCOUNT_ID is not set"
   [[ -z "$CLUSTER_ID" ]] && gitops_efs_csi_driver_help "CLUSTER_ID is not set"
@@ -154,7 +174,11 @@ function gitops_efs_csi_driver() {
 
   echo "${TEXT_DIM}"
   echo_h2 "EFS CSI Driver" "    "
-  echo_reset_dim "EFS_CSI_DRIVER_ROLE_ARN  .......................... ${COLOR_MAGENTA}${EFS_CSI_DRIVER_ROLE_ARN}"
+  echo_reset_dim "Role ARN ............................... ${COLOR_MAGENTA}${EFS_CSI_DRIVER_ROLE_ARN}"
+  echo_reset_dim "Catalog Source ......................... ${COLOR_MAGENTA}${EFS_CATALOG_SOURCE}"
+  echo_reset_dim "Catalog Source Namespace ............... ${COLOR_MAGENTA}${EFS_CATALOG_SOURCE_NAMESPACE}"
+  echo_reset_dim "Channel ................................ ${COLOR_MAGENTA}${EFS_CHANNEL}"
+  echo_reset_dim "Subscription Source Namespace .......... ${COLOR_MAGENTA}${EFS_SUBSCRIPTION_SOURCE_NAMESPACE}"
   reset_colors
 
 

@@ -1236,17 +1236,19 @@ function gitops_iac_provision_rdsdb2(){
     echo RDS_DB2_CONFIG_FACILITIES
   fi
   APP_PARAMS=(
-  "manage $RDS_MANAGE_DB2_INSTANCE_CLASS $RDS_MANAGE_DB2_STORAGE_TYPE $RDS_MANAGE_ALLOCATED_STORAGE"
-  "iot $RDS_IOT_DB2_INSTANCE_CLASS $RDS_IOT_DB2_STORAGE_TYPE $RDS_IOT_ALLOCATED_STORAGE"
-  "facilities $RDS_FACILITIES_DB2_INSTANCE_CLASS $RDS_FACILITIES_DB2_STORAGE_TYPE $RDS_FACILITIES_ALLOCATED_STORAGE"
+  "manage $RDS_MANAGE_DB2_INSTANCE_CLASS $RDS_MANAGE_DB2_STORAGE_TYPE $RDS_MANAGE_ALLOCATED_STORAGE $RDS_MANAGE_JDBC_CONNECTION_URL_ADDITIONAL_PARAMS"
+  "iot $RDS_IOT_DB2_INSTANCE_CLASS $RDS_IOT_DB2_STORAGE_TYPE $RDS_IOT_ALLOCATED_STORAGE $RDS_IOT_JDBC_CONNECTION_URL_ADDITIONAL_PARAMS"
+  "facilities $RDS_FACILITIES_DB2_INSTANCE_CLASS $RDS_FACILITIES_DB2_STORAGE_TYPE $RDS_FACILITIES_ALLOCATED_STORAGE $RDS_FACILITIES_JDBC_CONNECTION_URL_ADDITIONAL_PARAMS"
   )
 
   for row in "${APP_PARAMS[@]}"; do
-    read -r app instance storage allocated <<< "$row"
+    read -r app instance storage allocated additional_params<<< "$row"
 
     if check_params "$app" "$instance" "$storage" "$allocated"; then
       export RDS_APP="$app"
       export RDS_S3_APP_NAME="$app"
+      export RDS_JDBC_CONNECTION_URL_ADDITIONAL_PARAMS=$(set_ssl_params "$additional_params")
+      echo "Additional params for $app - ${RDS_JDBC_CONNECTION_URL_ADDITIONAL_PARAMS}"
       echo "Generating rds-db2-$app.tf file ${GITOPS_CLUSTER_DIR}/rds-db2-$app.tf"
       jinjanate_commmon $CLI_DIR/templates/gitops/appset-configs/cluster/instance/ibm-iac-rdsdb2.tf.j2 ${GITOPS_CLUSTER_DIR}/db2rds-$app.tf
 
@@ -1693,3 +1695,44 @@ function check_params() {
   echo "$app_name"
   return 0
 }
+
+
+# Function to set or append SSL connection parameters
+# Usage: set_ssl_params "$ADDITIONAL_PARAMS"
+# Returns: SSL connection string with default or appended values
+# Example: set_ssl_params "" returns "sslConnection=true;sslVersion=TLSv1.2"
+#          set_ssl_params "param1=value1" returns "param1=value1;sslConnection=true;sslVersion=TLSv1.2"
+#          set_ssl_params "sslConnection=true" returns "sslConnection=true;sslVersion=TLSv1.2"
+#          set_ssl_params "sslVersion=TLSv1.2" returns "sslVersion=TLSv1.2;sslConnection=true"
+#          set_ssl_params "sslConnection=true;sslVersion=TLSv1.2" returns "sslConnection=true;sslVersion=TLSv1.2"
+function set_ssl_params() {
+  local additional_params="$1"
+  local result="$additional_params"
+
+  # If additional_params is empty, return default SSL settings
+  if [[ -z "$additional_params" ]]; then
+    echo "sslConnection=true;sslVersion=TLSv1.2"
+    return 0
+  fi
+
+  # Check if sslConnection is missing and append it
+  if [[ "$additional_params" != *"sslConnection="* ]]; then
+    if [[ -n "$result" ]]; then
+      result="${result};sslConnection=true"
+    else
+      result="sslConnection=true"
+    fi
+  fi
+
+  # Check if sslVersion is missing and append it
+  if [[ "$additional_params" != *"sslVersion="* ]]; then
+    if [[ -n "$result" ]]; then
+      result="${result};sslVersion=TLSv1.2"
+    else
+      result="sslVersion=TLSv1.2"
+    fi
+  fi
+
+  echo "$result"
+  return 0
+}
@@ -67,7 +67,7 @@ JDBC Configuration (required if MAS_CONFIG_TYPE is "jdbc"):
   --jdbc-type ${COLOR_YELLOW}JDBC_TYPE${TEXT_RESET}                           Set to 'incluster-db2' when wanting to use the gitops configured, via gitops-db2u-database, db2u cluster (defaults to incluster-db2)
   --jdbc-instance-name ${COLOR_YELLOW}JDBC_INSTANCE_NAME${TEXT_RESET}         The JDBC instance name to use. Required for all JDBC_TYPE's
   --jdbc-connection-url ${COLOR_YELLOW}JDBC_CONNECTION_URL${TEXT_RESET}       The JDBC connection URL. Required when JDBC_TYPE is not incluster-db2 and rds-db2
-  --jdbc-certificate-file ${COLOR_YELLOW}JDBC_CERTIFICATE_FILE${TEXT_RESET}   Path to file containing CA Certificate for JDBC server. Required when JDBC_TYPE is not incluster-db2
+  --jdbc-certificate-file ${COLOR_YELLOW}JDBC_CERTIFICATE_FILE${TEXT_RESET}   Path to file containing CA Certificate for JDBC server. Required when JDBC_TYPE is not incluster-db2 and rds-db2
   --jdbc-route ${COLOR_YELLOW}JDBC_ROUTE${TEXT_RESET}                         By default routes are not exposed to public. To expose route, set this to public.
 
 SMTP Configuration (required if MAS_CONFIG_TYPE is "smtp"): 
@@ -902,9 +902,14 @@ function gitops_mas_config() {
         export JDBC_CONFIG_SECRET_ID=${ACCOUNT_ID}${SECRETS_KEY_SEPERATOR}${CLUSTER_ID}${SECRETS_KEY_SEPERATOR}${MAS_INSTANCE_ID}${SECRETS_KEY_SEPERATOR}jdbc${SECRETS_KEY_SEPERATOR}${JDBC_INSTANCE_NAME}${SECRETS_KEY_SEPERATOR}config
         export SECRET_KEY_DB2_DBNAME=${JDBC_CONFIG_SECRET_ID}#db2_dbname
         export SECRET_KEY_DB2_NAMESPACE=${JDBC_CONFIG_SECRET_ID}#db2_namespace
+        export SECRET_KEY_JDBC_INSTANCE_NAME=${JDBC_CONFIG_SECRET_ID}#jdbc_instance_name
+        export SECRET_KEY_JDBC_CONNECTION_URL=${JDBC_CONFIG_SECRET_ID}#jdbc_connection_url
+        export SECRET_KEY_JDBC_CERTIFICATE_CONTENT=${JDBC_CONFIG_SECRET_ID}#ca_b64
       elif [ "${JDBC_TYPE}" == "rds-db2" ]; then
+        # For rds-db2, the certificate is already stored in AWS Secrets Manager by gitops_rds_db2_database
         export JDBC_CONFIG_SECRET_ID=${ACCOUNT_ID}${SECRETS_KEY_SEPERATOR}${CLUSTER_ID}${SECRETS_KEY_SEPERATOR}${MAS_INSTANCE_ID}${SECRETS_KEY_SEPERATOR}jdbc${SECRETS_KEY_SEPERATOR}${JDBC_INSTANCE_NAME}${SECRETS_KEY_SEPERATOR}config
-        export JDBC_CERTIFICATE_CONTENT_B64=$(cat $JDBC_CERTIFICATE_FILE | base64 -w0)
+        export SECRET_KEY_JDBC_CONNECTION_URL=${JDBC_CONFIG_SECRET_ID}#jdbc_connection_url
+        export SECRET_KEY_JDBC_CERTIFICATE_CONTENT=${JDBC_CONFIG_SECRET_ID}#ca_b64
       else
         # This secret we are creating here
         export JDBC_CONFIG_SECRET_ID=${ACCOUNT_ID}${SECRETS_KEY_SEPERATOR}${CLUSTER_ID}${SECRETS_KEY_SEPERATOR}${MAS_INSTANCE_ID}${SECRETS_KEY_SEPERATOR}jdbc${SECRETS_KEY_SEPERATOR}${JDBC_INSTANCE_NAME}${SECRETS_KEY_SEPERATOR}config
@@ -913,10 +918,10 @@ function gitops_mas_config() {
         sm_update_secret $JDBC_CONFIG_SECRET_ID "{ \"jdbc_connection_url\": \"${JDBC_CONNECTION_URL}\", \"jdbc_instance_name\": \"${JDBC_INSTANCE_NAME}\", \"ca_b64\": \"${JDBC_CERTIFICATE_CONTENT_B64}\" }" "${TAGS}"
         echo_reset_dim "JDBC_INSTANCE_NAME ........................ ${COLOR_MAGENTA}$JDBC_INSTANCE_NAME"
         echo_reset_dim "JDBC_CONNECTION_URL ....................... ${COLOR_MAGENTA}${JDBC_CONNECTION_URL}"
+        export SECRET_KEY_JDBC_CONNECTION_URL=${JDBC_CONFIG_SECRET_ID}#jdbc_connection_url
+        export SECRET_KEY_JDBC_CERTIFICATE_CONTENT=${JDBC_CONFIG_SECRET_ID}#ca_b64
+        export SECRET_KEY_JDBC_INSTANCE_NAME=${JDBC_CONFIG_SECRET_ID}#jdbc_instance_name
       fi
-      export SECRET_KEY_JDBC_CONNECTION_URL=${JDBC_CONFIG_SECRET_ID}#jdbc_connection_url
-      export SECRET_KEY_JDBC_CERTIFICATE_CONTENT=${JDBC_CONFIG_SECRET_ID}#ca_b64
-      export SECRET_KEY_JDBC_INSTANCE_NAME=${JDBC_CONFIG_SECRET_ID}#jdbc_instance_name
     fi
 
     # Source: gitops_suite_smtp_config

@@ -1,7 +1,8 @@
 merge-key: "{{ ACCOUNT_ID }}/{{ CLUSTER_ID }}"
 
 efs_csi_driver:
-  catalog_source: redhat-operators
-  catalog_source_namespace: openshift-marketplace
-  channel: stable
+  catalog_source: {{ EFS_CATALOG_SOURCE }}
+  catalog_source_namespace: {{ EFS_CATALOG_SOURCE_NAMESPACE }}
+  channel: {{ EFS_CHANNEL }}
+  subscription_source_namespace: {{ EFS_SUBSCRIPTION_SOURCE_NAMESPACE }}
   role_arn: {{ EFS_CSI_DRIVER_ROLE_ARN }}
@@ -8,7 +8,11 @@ mas_config_api_version: "config.mas.ibm.com"
 use_postdelete_hooks: {{ USE_POSTDELETE_HOOKS }}
 
 jdbc_type: {{ JDBC_TYPE }}
+{% if JDBC_TYPE == "rds-db2" %}
+jdbc_instance_name: {{ JDBC_INSTANCE_NAME }}
+{% else %}
 jdbc_instance_name: <path:{{ SECRETS_PATH }}:{{ SECRET_KEY_JDBC_INSTANCE_NAME }}>
+{% endif %}
 jdbc_instance_username: <path:{{ SECRETS_PATH }}:{{ SECRET_KEY_JDBC_USERNAME }}>
 jdbc_instance_password: <path:{{ SECRETS_PATH }}:{{ SECRET_KEY_JDBC_PASSWORD }}>
 mas_config_dir: {{ MAS_CONFIG_DIR }}

@@ -1,9 +1,11 @@
 {%- if RDS_APP | upper == "MANAGE" -%}
 {{RDS_DB2_CONFIG_MANAGE}}
-{%- endif -%}
+{% endif -%}
 {%- if RDS_APP | upper == "IOT" -%}
 {{RDS_DB2_CONFIG_IOT}}
-{%- endif -%}
+{% endif -%}
 {%- if RDS_APP | upper == "FACILITIES" -%}
 {{RDS_DB2_CONFIG_FACILITIES}}
-{%- endif -%}
+{% endif -%}
+db2comm: "SSL"
+ssl_svcename: "50001"
@@ -11,8 +11,8 @@ module "efs" {
 
   }
 
-    throughput_mode              = each.value.throughput_mode
-    efs_mount_ingress_subnet_ids = local.cluster.internal_subnet_ids
-    efs_mount_egress_subnet_ids  = local.cluster.external_subnet_ids
-    efs_worker_subnet_id_list    = local.cluster.internal_subnet_ids
+  throughput_mode              = each.value.throughput_mode
+  efs_mount_ingress_subnet_ids = local.cluster.external_subnet_ids
+  efs_mount_egress_subnet_ids  = local.cluster.external_subnet_ids
+  efs_worker_subnet_id_list    = local.cluster.internal_subnet_ids
 }
@@ -10,7 +10,6 @@ locals {
   mas-saas-license-db2-json-{{RDS_APP}} = jsondecode(data.aws_secretsmanager_secret_version.mas-saas-license-db2-{{RDS_APP}}.secret_string)
   ibm_customer_id_{{RDS_APP}}           = local.mas-saas-license-db2-json-{{RDS_APP}}["ibm_customer_id"]
   ibm_site_id_{{RDS_APP}}               = local.mas-saas-license-db2-json-{{RDS_APP}}["ibm_site_id"]
-  secret_suffix_{{RDS_APP}}             = join("-", ["rds", var.instance_name, "{{RDS_APP}}"])
 }
 
 module "db2rds-{{RDS_APP}}" {
@@ -25,8 +24,8 @@ module "db2rds-{{RDS_APP}}" {
   username                            = "db2admin"
   subnet_grp_id_list                  = local.cluster.internal_subnet_ids
   db2_egress_subnet_ids               = local.cluster.external_subnet_ids
-  db2_ingress_subnet_ids              = local.cluster.internal_subnet_ids
-  db2_additional_ingress_cidrs        = local.cluster.cidrs.workload_internal
+  db2_ingress_subnet_ids              = local.cluster.external_subnet_ids
+  db2_additional_ingress_cidrs        = local.cluster.cidrs.workload_external
   db2_additional_egress_cidrs         = local.cluster.cidrs.workload_external
   db2_instance_class                  = "{{RDS_MANAGE_DB2_INSTANCE_CLASS}}"
   db2_storage_type                    = "gp3"
@@ -45,7 +44,9 @@ module "db2rds-{{RDS_APP}}" {
   backup_retention_period             = 30
   monitoring_interval                 = 30
   db2_preferred_backup_window         = "01:00-02:00"
-  db2_port                            = "50001"
+  db2_port                            = "50000"
+  db2_ssl_port                        = "50001"
+  connection_url_additional_params    = "{{RDS_JDBC_CONNECTION_URL_ADDITIONAL_PARAMS}}"
   db2_parameters_file_path            = "./db2_parameters-{{RDS_APP}}.yaml"
   major_engine_version                = "11.5"
   s3_bucket_name_for_audit_log        = join("-", [var.cluster_name, var.instance_name, "rds", "auditlog", "{{RDS_APP}}"])

@@ -225,6 +225,7 @@
         - gitops-deprovision-suite
         - gitops-dro
         - gitops-efs
+        - gitops-efs-csi-driver
         - gitops-jdbc-config
         - gitops-kafka
         - gitops-kafka-config

@@ -889,9 +889,6 @@ spec:
           kind: Task
           name: gitops-rds-db2-database
       when:
-        - input: "$(params.db2_action_iot)"
-          operator: notin
-          values: [""]
         - input: "$(params.jdbc_type_iot)"
           operator: in
           values: ["rds-db2"]
@@ -1100,9 +1097,6 @@ spec:
           kind: Task
           name: gitops-rds-db2-database
       when:
-        - input: "$(params.db2_action_manage)"
-          operator: notin
-          values: [""]
         - input: "$(params.jdbc_type_manage)"
           operator: in
           values: ["rds-db2"]
@@ -1448,9 +1442,6 @@ spec:
           kind: Task
           name: gitops-rds-db2-database
       when:
-        - input: "$(params.db2_action_facilities)"
-          operator: notin
-          values: [""]
         - input: "$(params.jdbc_type_facilities)"
           operator: in
           values: ["rds-db2"]

@@ -45,6 +45,24 @@ spec:
     - name: mas_catalog_image
       type: string
 
+    - name: role_arn
+      type: string
+    - name: efs_catalog_source
+      type: string
+      default: "redhat-operators"
+    - name: efs_catalog_source_namespace
+      type: string
+      default: "openshift-marketplace"
+    - name: efs_channel
+      type: string
+      default: "stable"
+    - name: efs_subscription_source_namespace
+      type: string
+      default: "openshift-cluster-csi-drivers"
+    - name: efs_install_action
+      type: string
+      default: ""
+
     - name: dro_namespace
       type: string
       default: "ibm-software-central"
@@ -396,6 +414,46 @@ spec:
         - name: gitops-cluster-configs
           workspace: gitops-cluster-configs
 
+    - name: gitops-efs-csi-driver
+      runAfter:
+        - gitops-cluster
+      params:
+        - name: cluster_name
+          value: $(params.cluster_name)
+        - name: account
+          value: $(params.account)
+        - name: git_branch
+          value: $(params.git_branch)
+        - name: github_org
+          value: $(params.github_org)
+        - name: github_repo
+          value: $(params.github_repo)
+        - name: github_host
+          value: $(params.github_host)
+        - name: git_commit_msg
+          value: $(params.git_commit_msg)
+        - name: role_arn
+          value: $(params.role_arn)
+        - name: efs_catalog_source
+          value: $(params.efs_catalog_source)
+        - name: efs_catalog_source_namespace
+          value: $(params.efs_catalog_source_namespace)
+        - name: efs_channel
+          value: $(params.efs_channel)
+        - name: efs_subscription_source_namespace
+          value: $(params.efs_subscription_source_namespace)
+      taskRef:
+        kind: Task
+        name: gitops-efs-csi-driver
+      when:
+        - input: "$(params.efs_install_action)"
+          operator: in
+          values: ["install"]
+      workspaces:
+        - name: configs
+          workspace: configs
+
+
     - name: gitops-dro
       runAfter:
         - gitops-cluster