mas gitops-mas-config JDBC config for Manage requires undocumented credentials #1921

@luca-banzato

Description

MAS CLI version

16.0.0

CLI function used

other

What happened?

When configuring JDBC for the Manage application using a non-DB2 database:

mas gitops-mas-config \
  --github-push \
  --mas-config-type jdbc \
  --config-action upsert \
  --mas-config-scope wsapp \
  --mas-app-id "manage" \
  --mas-workspace-id "${MAS_WORKSPACE_ID}" \
  --jdbc-type "incluster-oracle" \
  --jdbc-instance-name "oracle-${MAS_INSTANCE_ID}-manage" \
  --jdbc-connection-url "jdbc:oracle:thin:@//oracle-svc.oracle.svc.cluster.local:1521/ORCLPDB1" \
  --jdbc-certificate-file "/demo-files/oracle/ca.crt"

the CLI:

  • never specifies what kind of values are supported for the --jdbc-type flag (for my installation I used incluster-oracle, which is an arbitrary value I chose myself)
  • never asks for any credential, e.g.:
    • database username
    • database password

and there are no flags in the command to provide them.

Despite this, for the configuration to work at runtime, the Manage app needs valid DB credentials. In practice, the CLI and GitOps flow implicitly expect that the credentials already exist in AWS Secrets Manager at:

dev1/masdemo1/inst1/jdbc/oracle-inst1-manage/credentials

This secret:

  • is not created by mas gitops-mas-config
  • is not mentioned in the JDBC configuration guide
  • and is not validated by the CLI

As a result:

  • The user runs mas gitops-mas-config successfully, without ever being prompted for DB credentials.
  • The generated GitOps configuration for Manage is incomplete: at runtime, the app has no JDBC credentials and cannot connect to the Oracle database.
  • The only way to make it work is to manually create the AWS secret above with username and password, even though the CLI never asked for them and the documentation doesn’t state this requirement.

Expected behavior:

  • For --mas-config-type jdbc and --jdbc-type incluster-oracle, the CLI should handle DB credentials explicitly, for example:
    1. Interactive or flag-based credentials input - Prompt the user for:
      • DB username
      • DB password
      or allow specifying them via flags (e.g. --jdbc-username, --jdbc-password, or a path to a credentials file/secret).
    2. Secret creation/validation - Either:
      • Create/update the secret, e.g. dev1/masdemo1/inst1/jdbc/oracle-<MAS_INSTANCE_ID>-manage/credentials, with username and password taken from the user input, or, if the secret is meant to be pre-created, check for its presence and fail with a clear error if missing, explicitly stating:
        • the required secret path
        • the required keys (username, password)
        • and that they hold the DB user and password

At the moment, the CLI flow gives the impression that JDBC config is fully defined by URL and certificate, but in reality it relies on hidden, undocumented DB credentials in AWS Secrets Manager that the user is never asked to provide during configuration.

Without manually creating this secret and populating these fields, the Manage JDBC configuration cannot work, even though the CLI completes without asking for DB credentials.

Where it is used: gitops-demo/tree/002 - JDBC Configuration for Manage

Relevant log output

No relevant logs available
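The pre-flight check the report asks for, as an added example that is not part of the MAS CLI, the gitops-demo repository, or the reporter's own material. It builds the secret path from the layout observed in the issue (prefix/MAS_INSTANCE_ID/jdbc/jdbc-instance-name/credentials; treating dev1/masdemo1 as an opaque prefix is an assumption), and assumes the secret value is a JSON object whose keys are username and password (the issue names the keys; the JSON encoding is an assumption). The real lookup goes through a small boto3 fetcher; for offline use it runs against a constructed in-memory store standing in for AWS Secrets Manager.

```python
"""Pre-flight check for the Manage JDBC credentials secret.

Added example, not MAS CLI or gitops-demo code. Assumptions:
  * secret path layout: <prefix>/<MAS_INSTANCE_ID>/jdbc/<jdbc-instance-name>/credentials
  * secret value: JSON object with string keys "username" and "password"
"""
import json
from typing import Callable, List, Optional, Tuple

REQUIRED_KEYS = ("username", "password")


def expected_secret_path(prefix: str, mas_instance_id: str, jdbc_instance_name: str) -> str:
    """Build the path the GitOps flow reads, e.g.
    dev1/masdemo1/inst1/jdbc/oracle-inst1-manage/credentials (prefix "dev1/masdemo1" is assumed)."""
    return f"{prefix}/{mas_instance_id}/jdbc/{jdbc_instance_name}/credentials"


def validate_credentials(secret_string: str) -> List[str]:
    """Return the problems found in the secret payload; an empty list means it is usable."""
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return [f"secret is not valid JSON: {exc}"]
    if not isinstance(data, dict):
        return ["secret must be a JSON object"]
    problems = []
    for key in REQUIRED_KEYS:
        value = data.get(key)
        if value is None:
            problems.append(f"missing key {key!r}")
        elif not isinstance(value, str) or not value.strip():
            problems.append(f"key {key!r} is empty")
    return problems


def check_jdbc_credentials(path: str, fetch: Callable[[str], Optional[str]]) -> Tuple[bool, str]:
    """Fail before the GitOps commit, naming the path and keys, instead of at Manage runtime.

    `fetch(path)` returns the secret string or None when the secret does not exist.
    """
    secret_string = fetch(path)
    if secret_string is None:
        return (False, f"secret {path} not found; create it with keys "
                       f"{', '.join(REQUIRED_KEYS)} holding the DB user and password")
    problems = validate_credentials(secret_string)
    if problems:
        return (False, f"secret {path} is unusable: " + "; ".join(problems))
    return (True, f"secret {path} present with keys {', '.join(REQUIRED_KEYS)}")


def boto3_fetcher(region_name: Optional[str] = None) -> Callable[[str], Optional[str]]:
    """Fetcher backed by AWS Secrets Manager (boto3 imported lazily so the module loads without it)."""
    import boto3
    client = boto3.client("secretsmanager", region_name=region_name)

    def fetch(path: str) -> Optional[str]:
        try:
            return client.get_secret_value(SecretId=path)["SecretString"]
        except client.exceptions.ResourceNotFoundException:
            return None
    return fetch


# Constructed sample store standing in for AWS Secrets Manager; values are placeholders.
SAMPLE_STORE = {
    "dev1/masdemo1/inst1/jdbc/oracle-inst1-manage/credentials":
        json.dumps({"username": "maximo", "password": "placeholder-only"}),
    "dev1/masdemo1/inst1/jdbc/oracle-inst1-broken/credentials":
        json.dumps({"username": "maximo"}),  # password key missing on purpose
}

if __name__ == "__main__":
    for name in ("oracle-inst1-manage", "oracle-inst1-broken", "oracle-inst1-missing"):
        path = expected_secret_path("dev1/masdemo1", "inst1", name)
        ok, message = check_jdbc_credentials(path, SAMPLE_STORE.get)
        print("OK  " if ok else "FAIL", message)
```

Run it with a real account by swapping `SAMPLE_STORE.get` for `boto3_fetcher()`; the check reads the secret but never prints its contents, so it can sit in a CI job ahead of the `mas gitops-mas-config` step without leaking the DB password into logs.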
