[minor] Ensure DRO is exposed through a route

Nivedithaa Mahendran · Nivedithaa Mahendran · commit 908ecefe7c20 · 2026-01-09T15:21:09.000+05:30
diff --git a/cluster-applications/030-ibm-dro/templates/08-postsync-update-sm_Job.yaml b/cluster-applications/030-ibm-dro/templates/08-postsync-update-sm_Job.yaml
@@ -190,8 +190,8 @@ spec:
               mountPath: /etc/mas/creds/aws
             - name: ibm-data-reporter-operator-api-token
               mountPath: /etc/mas/creds/ibm-data-reporter-operator-api-token
-            - name: dro-client-tls
-              mountPath: /etc/mas/creds/dro-client-tls
+            - name: dro-tls-secret
+              mountPath: /etc/mas/creds/dro-tls-secret
           command:
             - /bin/sh
             - -c
@@ -260,17 +260,17 @@ spec:
 
               if [[ -n "${DRO_PUBLIC_DOMAIN}" ]]; then
                 wait_for_resource "certificate" "dro-client-certificate" "${DRO_NAMESPACE}"
-                export DRO_CLIENT_TLS_CA_CRT=$(cat /etc/mas/creds/dro-client-tls/ca.crt | base64 -w0)
+                export DRO_CLIENT_TLS_CA_CRT=$(cat /etc/mas/creds/dro-tls-secret/ca.crt | base64 -w0)
                 if [[ -z "${DRO_CLIENT_TLS_CA_CRT}" ]]; then
                   echo "Failed to fetch ca.crt"
                   exit 1
                 fi
-                export DRO_CLIENT_TLS_TLS_CRT=$(cat /etc/mas/creds/dro-client-tls/tls.crt | base64 -w0)
+                export DRO_CLIENT_TLS_TLS_CRT=$(cat /etc/mas/creds/dro-tls-secret/tls.crt | base64 -w0)
                 if [[ -z "${DRO_CLIENT_TLS_TLS_CRT}" ]]; then
                   echo "Failed to fetch tls.crt"
                   exit 1
                 fi
-                export DRO_CLIENT_TLS_TLS_KEY=$(cat /etc/mas/creds/dro-client-tls/tls.key | base64 -w0)
+                export DRO_CLIENT_TLS_TLS_KEY=$(cat /etc/mas/creds/dro-tls-secret/tls.key | base64 -w0)
                 if [[ -z "${DRO_CLIENT_TLS_TLS_KEY}" ]]; then
                   echo "Failed to fetch tls.key"
                   exit 1
@@ -307,9 +307,9 @@ spec:
             secretName: ibm-data-reporter-operator-api-token
             defaultMode: 420
             optional: false
-        - name: dro-client-tls
+        - name: dro-tls-secret
           secret:
-            secretName: dro-client-tls
+            secretName: dro-tls-secret
             defaultMode: 420
             optional: false
   backoffLimit: 4
diff --git a/cluster-applications/030-ibm-dro/templates/12-0-dro-cluster-issuer-staging.yaml b/cluster-applications/030-ibm-dro/templates/12-0-dro-cluster-issuer-staging.yaml
@@ -1,4 +1,4 @@
-{{- if and (eq .Values.dns_provider "cis") (not .Values.mas_manual_cert_mgmt) }}
+{{- if (eq .Values.dns_provider "cis") }}
 
 {{ $cis_apiservice_group_name := "acme.cis.ibm.com" }}
 {{ $cis_stg_issuer_name       := printf "%s-cis-le-stg" .Values.cluster_id }}
@@ -10,6 +10,7 @@ metadata:
   annotations:
     argocd.argoproj.io/sync-wave: "138"
   name: "{{ $cis_stg_issuer_name }}"
+  namespace: "{{ .Values.dro_namespace }}"
 {{- if .Values.custom_labels }}
   labels:
 {{ .Values.custom_labels | toYaml | indent 4 }}
diff --git a/cluster-applications/030-ibm-dro/templates/12-1-dro-cluster-issuer-prod.yaml b/cluster-applications/030-ibm-dro/templates/12-1-dro-cluster-issuer-prod.yaml
@@ -1,34 +1,35 @@
-{{- if and (eq .Values.dns_provider "cis") (not .Values.mas_manual_cert_mgmt) }}
+{{- if (eq .Values.dns_provider "cis") }}
 
 {{ $cis_apiservice_group_name :=  "acme.cis.ibm.com" }}
 {{ $cis_prod_issuer_name      :=  printf "%s-cis-le-prod" .Values.cluster_id }}
 ---
-# apiVersion: cert-manager.io/v1
-# kind: ClusterIssuer
-# metadata:
-#   annotations:
-#     argocd.argoproj.io/sync-wave: "138"
-#   name: "{{ $cis_prod_issuer_name }}"
-# {{- if .Values.custom_labels }}
-#   labels:
-# {{ .Values.custom_labels | toYaml | indent 4 }}
-# {{- end }}
-# spec:
-#   acme:
-#     preferredChain: ''
-#     privateKeySecretRef:
-#       name: cis-letsencrypt-production-account-key
-#     server: 'https://acme-v02.api.letsencrypt.org/directory'
-#     solvers:
-#       - dns01:
-#           webhook:
-#             config:
-#               apiKeySecretRef:
-#                 key: key
-#                 name: cis-api-key
-#               crn: >-
-#                 {{ .Values.cis_crn }}
-#             groupName: {{ $cis_apiservice_group_name }}
-#             solverName: cis
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "138"
+  name: "{{ $cis_prod_issuer_name }}"
+  namespace: "{{ .Values.dro_namespace }}"
+{{- if .Values.custom_labels }}
+  labels:
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+spec:
+  acme:
+    preferredChain: ''
+    privateKeySecretRef:
+      name: cis-letsencrypt-production-account-key
+    server: 'https://acme-v02.api.letsencrypt.org/directory'
+    solvers:
+      - dns01:
+          webhook:
+            config:
+              apiKeySecretRef:
+                key: key
+                name: cis-api-key
+              crn: >-
+                {{ .Values.cis_crn }}
+            groupName: {{ $cis_apiservice_group_name }}
+            solverName: cis
 
 {{- end }}
diff --git a/cluster-applications/030-ibm-dro/templates/13-0-dro-selfsigncertificate.yaml b/cluster-applications/030-ibm-dro/templates/13-0-dro-selfsigncertificate.yaml
diff --git a/cluster-applications/030-ibm-dro/templates/13-dro-certificate.yaml b/cluster-applications/030-ibm-dro/templates/13-dro-certificate.yaml
@@ -1,18 +1,20 @@
-{{- if and (eq .Values.dns_provider "cis") (not .Values.mas_manual_cert_mgmt) }}
+{{- if (eq .Values.dns_provider "cis") }}
 {{- if .Values.dro_public_domain }}
 ---
-# apiVersion: cert-manager.io/v1
-# kind: Certificate
-# metadata:
-#   name: dro-tls-cert
-#   namespace: ibm-software-central
-# spec:
-#   secretName: dro-tls-secret # The Secret that will be created
-#   issuerRef:
-#     name: letsencrypt-staging # Name of the ClusterIssuer created in Step 1
-#     kind: ClusterIssuer
-#   commonName: dro-{{ .Values.cluster_id }}
-#   privateKey:
-#     rotationPolicy: Always
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "139"
+  name: dro-tls-cert
+  namespace: "{{ .Values.dro_namespace }}"
+spec:
+  secretName: dro-tls-secret
+  issuerRef:
+    name: letsencrypt-staging
+    kind: ClusterIssuer
+  commonName: dro-{{ .Values.cluster_id }}
+  privateKey:
+    rotationPolicy: Always
 {{- end }}
 {{- end }}
diff --git a/cluster-applications/031-ibm-dro-public/templates/01-dro-public-route.yaml b/cluster-applications/031-ibm-dro-public/templates/01-dro-public-route.yaml
@@ -1,19 +1,16 @@
-{{- if and (eq .Values.dns_provider "cis") (not .Values.mas_manual_cert_mgmt) }}
+{{- if (eq .Values.dns_provider "cis") }}
 {{- if .Values.dro_public_domain }}
-# {{- $existingSecret := lookup "v1" "Secret" "ibm-software-central" "dro-client-tls" }}
 ---
 kind: Route
 apiVersion: route.openshift.io/v1
 metadata:
   name: ibm-data-reporter-public-route
-  namespace: ibm-software-central
+  namespace: "{{ .Values.dro_namespace }}"
   labels:
     type: external
-    route.openshift.io/destination-ca-certificate-secret: dro-server-tls
 
 spec:
   host: "dro.{{ .Values.cluster_id }}.{{ .Values.dro_public_domain }}"
-  # host: "dro.apps.noble6.cp.fyre.ibm.com"
   to:
     kind: Service
     name: ibm-data-reporter-operator-controller-manager-metrics-service
