ibm-mas · Hardik-Prajapati-10 · Nov 24, 2025 · Nov 27, 2025 · Nov 28, 2025 · Nov 28, 2025
@@ -3,7 +3,7 @@
     "files": "build/bin/config/oscap/ssg-rhel9-ds.xml|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-12-11T07:52:20Z",
+  "generated_at": "2025-12-12T06:03:00Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -390,23 +390,23 @@
         "hashed_secret": "b2817467154949a61f8e9ad31d1eeaf03221cbfa",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 664,
+        "line_number": 688,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "effb7852555adce89885fb075fb43a77a1e0e77e",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 849,
+        "line_number": 884,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "2582aea6f911bd00fc04cb25e0ec16d5ead62068",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 851,
+        "line_number": 886,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -444,7 +444,7 @@
         "hashed_secret": "b2817467154949a61f8e9ad31d1eeaf03221cbfa",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 582,
+        "line_number": 587,
         "type": "Secret Keyword",
         "verified_result": null
       }

@@ -17,7 +17,7 @@ GitOps Configuration:
   -c, --cluster-id ${COLOR_YELLOW}CLUSTER_ID${TEXT_RESET}                      Cluster ID
   -s, --sls-service ${COLOR_YELLOW}STANDALONE_SLS_SERVICE${TEXT_RESET}         for ibm internal use only.
   --config-action ${COLOR_YELLOW}CONFIG_ACTION${TEXT_RESET}                    One of upsert|remove.
-  --mas-config-type ${COLOR_YELLOW}MAS_CONFIG_TYPE${TEXT_RESET}                One of bas|jdbc|kafka|ldap-default|mongo|objectstorage|sls|smtp
+  --mas-config-type ${COLOR_YELLOW}MAS_CONFIG_TYPE${TEXT_RESET}                One of appcfg|bas|jdbc|kafka|ldap-default|mongo|objectstorage|sls|smtp
   --mas-config-scope ${COLOR_YELLOW}MAS_CONFIG-SCOPE${TEXT_RESET}              One of system|ws|app|wsapp
   --disable-postdelete-hooks ${COLOR_YELLOW}USE_POSTDELETE_HOOKS${TEXT_RESET}  Unless set (or USE_POSTDELETE_HOOKS exported and set to false), PostDelete hooks will be deployed to ensure config CRs are properly cleaned up by ArgoCD on deletion. !!! PostDelete hooks should never be used when ArgoCD version < 2.10 !!! 
 
@@ -48,6 +48,11 @@ DRO Configuration (required if MAS_CONFIG_TYPE is "bas"):
   --mas-segment-key ${COLOR_YELLOW}MAS_SEGMENT_KEY${TEXT_RESET}                 The segment key for authentication for Segment
   --mas-bascfg-pod-template-yaml ${COLOR_YELLOW}MAS_BASCFG_POD_TEMPLATE_YAML${TEXT_RESET}               The location of a file containing the POD template
 
+MAF Configuration (required if MAS_CONFIG_TYPE is "appcfg"):
+  --maf-enabled ${COLOR_YELLOW}MAF_ENABLED${TEXT_RESET}                         Enable MAF for the application configuration (true|false)
+  --maf-storageClassName ${COLOR_YELLOW}MAF_STORAGE_CLASSNAME${TEXT_RESET}   Storage class name to use for MAF persistent storage
+  --mas-appcfg-pod-template-yaml ${COLOR_YELLOW}MAS_APPCFG_POD_TEMPLATE_YAML${TEXT_RESET}   
+
 IDP/LDAP Configuration (required if MAS_CONFIG_TYPE is "ldap-default"):
   --idpcfg-display-name ${COLOR_YELLOW}IDPCFG_DISPLAY_NAME${TEXT_RESET}       Display name for IDPCfg resource
   --ldap-url ${COLOR_YELLOW}LDAP_URL${TEXT_RESET}                             Url of the LDAP server. In the form protocol://host:port
@@ -202,7 +207,15 @@ function gitops_mas_config_noninteractive() {
       --mas-bascfg-pod-template-yaml)
         export MAS_BASCFG_POD_TEMPLATE_YAML=$1 && shift
         ;;
-
+      --mas-appcfg-pod-template-yaml)
+        export MAS_APPCFG_POD_TEMPLATE_YAML=$1 && shift
+        ;;
+      --maf-enabled)
+        export MAF_ENABLED=$1 && shift
+        ;; 
+      --maf-storageClassName)
+        export MAF_STORAGE_CLASSNAME=$1 && shift
+        ;;
       # LDAP
       --idpcfg-display-name)
         export IDPCFG_DISPLAY_NAME=$1 && shift
@@ -355,9 +368,9 @@ function gitops_mas_config_noninteractive() {
     gitops_mas_config_help "Invalid CONFIG_ACTION \"${CONFIG_ACTION}\"; must be one of 'upsert' or 'remove'"
   fi
 
-  [[ -z "$MAS_CONFIG_TYPE" ]] && gitops_mas_config_help "MAS_CONFIG_TYPE is not set"
-  if ! [[ "$MAS_CONFIG_TYPE" =~ ^(bas|jdbc|kafka|ldap-default|mongo|objectstorage|sls|smtp|watsonstudio)$ ]]; then
-    gitops_mas_config_help "Invalid MAS_CONFIG_TYPE \"${MAS_CONFIG_TYPE}\"; must be one of bas|jdbc|kafka|ldap-default|mongo|objectstorage|sls|smtp|watsonstudio"
+  [[ -z "$MAS_CONFIG_TYPE" ]] && gitops_mas_config_help "MAS_INSTANCE_ID is not set"
+  if ! [[ "$MAS_CONFIG_TYPE" =~ ^(appcfg|bas|jdbc|kafka|ldap-default|mongo|objectstorage|sls|smtp|watsonstudio)$ ]]; then
+    gitops_mas_config_help "Invalid MAS_CONFIG_TYPE \"${MAS_CONFIG_TYPE}\"; must be one of appcfg|bas|jdbc|kafka|ldap-default|mongo|objectstorage|sls|smtp|watsonstudio"
   fi
 
   [[ -z "$MAS_CONFIG_SCOPE" ]] && gitops_mas_config_help "MAS_CONFIG_SCOPE is not set"
@@ -393,6 +406,11 @@ function gitops_mas_config_noninteractive() {
       [[ -z "$DRO_CA_CERTIFICATE_FILE" ]] && gitops_mas_config_help "DRO_CA_CERTIFICATE_FILE is not set"
     fi
 
+    if [ "${MAS_CONFIG_TYPE}" == "appcfg" ]; then
+      [[ -z "$MAF_ENABLED" ]] && gitops_mas_config_help "MAF_ENABLED is not set"
+      # [[ -z "$MAS_APPCFG_POD_TEMPLATE_YAML" ]] && gitops_mas_config_help "MAS_APPCFG_POD_TEMPLATE_YAML is not set"
+      [[ -z "$MAF_STORAGE_CLASSNAME" ]] && gitops_mas_config_help "MAF_STORAGE_CLASSNAME is not set"
+    fi
     # if [ "${MAS_CONFIG_TYPE}" == "sls" ]; then
       # No specific parameters required for sls at present; they are all fetched from SM
     # fi
@@ -596,7 +614,13 @@ function gitops_mas_config() {
       echo_reset_dim "Pod Template YAML File  ........ ${COLOR_MAGENTA}${MAS_BASCFG_POD_TEMPLATE_YAML}"
       reset_colors
     fi
-
+    if [ "${MAS_CONFIG_TYPE}" == "appcfg" ]; then
+      echo "${TEXT_DIM}"
+      echo_reset_dim "MAF Enabled  ................... ${COLOR_MAGENTA}${MAF_ENABLED}"
+      echo_reset_dim "MAF Storage Class Name  ........ ${COLOR_MAGENTA}${MAF_STORAGE_CLASSNAME}"
+      echo_reset_dim "Pod Template YAML File  ........ ${COLOR_MAGENTA}${MAS_APPCFG_POD_TEMPLATE_YAML}"
+      reset_colors
+    fi
     if [ "${MAS_CONFIG_TYPE}" == "sls" ]; then
       echo "${TEXT_DIM}"
       echo_reset_dim "SLS URL  ....................... ${COLOR_MAGENTA}https://sls.mas-${MAS_INSTANCE_ID}-sls.svc"
@@ -752,6 +776,17 @@ function gitops_mas_config() {
       fi
     fi
 
+    if [ "${MAS_CONFIG_TYPE}" == "appcfg" ]; then
+
+      # Set pod template yaml
+      # ---------------------------------------------------------------------------
+      if [[ -n "$MAS_APPCFG_POD_TEMPLATE_YAML" && -s "$MAS_APPCFG_POD_TEMPLATE_YAML" ]]; then
+        export MAS_APPCFG_POD_TEMPLATE=$(yq eval '.podTemplates' ${MAS_APPCFG_POD_TEMPLATE_YAML})
+        echo -e "\n - MAS_APPCFG_POD_TEMPLATE CONTENT .................. ${MAS_APPCFG_POD_TEMPLATE}"
+      fi
+
+    fi
+
     if [ "${MAS_CONFIG_TYPE}" == "sls" ]; then
       if [ -z "$STANDALONE_SLS_SERVICE" ]; then
         export SECRET_NAME_SLS="${ACCOUNT_ID}${SECRETS_KEY_SEPERATOR}${CLUSTER_ID}${SECRETS_KEY_SEPERATOR}${MAS_INSTANCE_ID}${SECRETS_KEY_SEPERATOR}sls"

@@ -42,6 +42,7 @@ IBM Maximo Application Suite:
       --mas-pod-template-yaml ${COLOR_YELLOW}MAS_POD_TEMPLATE_YAML${TEXT_RESET}                                           The location of a file containing the POD template
       --allow-list ${COLOR_YELLOW}ALLOW_LIST${TEXT_RESET}                                                                 List of IPs or CIDR range to whitelist
       --additional-vpn ${COLOR_YELLOW}ADDITIONAL_VPN{TEXT_RESET}                                                          Manage additional client VPN
+      --application-configuration ${COLOR_YELLOW}APPLICATION_CONFIGURATION${TEXT_RESET}                                   Application Configuration enable/disable (true/false)
       --extensions ${COLOR_YELLOW}EXTENSIONS${TEXT_RESET}                                                                 To enable JAVA or 3rd party code extensions
       --enhanced-dr ${COLOR_YELLOW}ENHANCED_DR${TEXT_RESET}                                                               To enable Enhanced Disaster Recovery
       --is-non-shared-cluster ${COLOR_YELLOW}IS_NON_SHARED_CLUSTER${TEXT_RESET}                                           To enable Non shared cluster
@@ -268,6 +269,9 @@ function gitops_suite_noninteractive() {
       --additional-vpn)
         export ADDITIONAL_VPN=$1 && shift
         ;;
+      --application-configuration)
+        export APPLICATION_CONFIGURATION=$1 && shift
+        ;;
       --extensions)
         export EXTENSIONS=$1 && shift
         ;;
@@ -561,6 +565,7 @@ function gitops_suite() {
   echo_reset_dim "OIDC Config ................................ ${COLOR_MAGENTA}${OIDC_CONFIG}"
   echo_reset_dim "Allow List ................................. ${COLOR_MAGENTA}${ALLOW_LIST}"
   echo_reset_dim "Additional VPN ............................. ${COLOR_MAGENTA}${ADDITIONAL_VPN}"
+  echo_reset_dim "Application Configuration .................. ${COLOR_MAGENTA}${APPLICATION_CONFIGURATION}"
   echo_reset_dim "Enhanced Disaster Recovery ................. ${COLOR_MAGENTA}${ENHANCED_DR}"
   echo_reset_dim "Non shared cluster ......................... ${COLOR_MAGENTA}${IS_NON_SHARED_CLUSTER}"
   echo_reset_dim "Java or 3rd Party Code Extensions .......... ${COLOR_MAGENTA}${EXTENSIONS}"

@@ -0,0 +1,24 @@
+mas_config_name: "{{ MAS_CONFIG_NAME }}"
+mas_config_chart: ibm-mas-app-config
+mas_config_scope: {{ MAS_CONFIG_SCOPE }}
+mas_workspace_id: {{ MAS_WORKSPACE_ID }}
+mas_application_id: {{ MAS_APP_ID }}
+mas_config_kind: "AppCfg"
+mas_config_api_version: "config.mas.ibm.com"
+use_postdelete_hooks: {{ USE_POSTDELETE_HOOKS }}
+
+system_appcfg_labels:
+    mas.ibm.com/configScope: system
+    mas.ibm.com/instanceId: "{{ MAS_INSTANCE_ID }}"
+
+maf_enabled: {{ MAF_ENABLED }}
+
+persistentVolume:
+  name: app-config
+  size: 2Gi
+  storageClassName: {{ MAF_STORAGE_CLASSNAME }}
+
+{% if MAS_APPCFG_POD_TEMPLATE is defined and MAS_APPCFG_POD_TEMPLATE !='' %}
+mas_appcfg_pod_templates:
+  {{ MAS_APPCFG_POD_TEMPLATE | indent(2) }}
+{% endif %}
@@ -35,6 +35,10 @@ allow_list: {{ ALLOW_LIST }}
 additional_vpn: {{ ADDITIONAL_VPN }}
 {% endif %}
 
+{% if APPLICATION_CONFIGURATION is defined and APPLICATION_CONFIGURATION != '' %}
+application_configuration: {{ APPLICATION_CONFIGURATION }}
+{% endif %}
+
 {% if EXTENSIONS is defined and EXTENSIONS != '' %}
 extensions: {{ EXTENSIONS }}
 {% endif %}

@@ -155,6 +155,29 @@ spec:
           hs.message = ""
           return hs
 
+      config.mas.ibm.com/AppCfg:
+        health.lua: |
+          hs = {}
+          if obj.status ~= nil then
+            if obj.status.conditions ~= nil then
+              for i, condition in ipairs(obj.status.conditions) do
+                if condition.type == "Failure" and condition.status == "True" then
+                  hs.status = "Degraded"
+                  hs.message = condition.message
+                  return hs
+                end
+                if condition.type == "Successful" and condition.status == "True" then
+                  hs.status = "Healthy"
+                  hs.message = condition.message
+                  return hs
+                end
+              end
+            end
+          end
+          hs.status = "Progressing"
+          hs.message = ""
+          return hs
+
       apps.mas.ibm.com/AIServiceTenant:
         health.lua: |
           hs = {}

@@ -249,9 +249,9 @@
         - gitops-suite
         - gitops-odh
         - gitops-deprovision-odh
-
         - gitops-aiservice
         - gitops-aiservice-tenant
         - gitops-deprovision-aiservice-tenant
         - gitops-deprovision-aiservice
-
+        - gitops-app-config
+        - gitops-delete-app-config
@@ -229,6 +229,20 @@ spec:
       type: string
     - name: additional_vpn
       type: string
+    - name: application_configuration
+      type: string
+      default: "true"
+
+    # maf parameters
+    # ------------------------------------------------------------------------- 
+    - name: mas_appcfg_pod_template_yaml
+      type: string
+      default: ""
+    - name: maf_enabled
+      type: string
+    - name: maf_storageClassName
+      type: string
+      default: ""
 
    # standalone sls
     - name: sls_service
@@ -446,6 +460,8 @@ spec:
           value: $(params.enhanced_dr)
         - name: additional_vpn
           value: $(params.additional_vpn)
+        - name: application_configuration
+          value: $(params.application_configuration)
         - name: extensions
           value: $(params.extensions)
         - name: sls_service
@@ -735,6 +751,56 @@ spec:
         - name: shared-additional-configs
           workspace: shared-additional-configs
 
+
+    # 6. MAS Suite App Config
+    # -------------------------------------------------------------------------
+    - name: gitops-maf-config
+      runAfter:
+        - gitops-suite-config
+      params:
+        - name: cluster_name
+          value: $(params.cluster_name)
+        - name: account
+          value: $(params.account)
+        - name: secrets_path
+          value: $(params.secrets_path)
+        - name: mas_instance_id
+          value: $(params.mas_instance_id)
+        - name: git_branch
+          value: $(params.git_branch)
+        - name: github_org
+          value: $(params.github_org)
+        - name: github_repo
+          value: $(params.github_repo)
+        - name: github_host
+          value: $(params.github_host)
+        - name: git_commit_msg
+          value: $(params.git_commit_msg)
+        - name: github_pat
+          value: $(params.github_pat)
+        - name: avp_aws_secret_region
+          value: $(params.avp_aws_secret_region)
+        - name: cluster_url
+          value: $(params.cluster_url)
+        - name: maf_enabled
+          value: $(params.maf_enabled)
+        - name: mas_appcfg_pod_template_yaml
+          value: $(params.mas_appcfg_pod_template_yaml)
+        - name: maf_storageClassName
+          value: $(params.maf_storageClassName)
+      taskRef:
+        kind: Task
+        name: gitops-app-config
+      when:
+        - input: "$(params.maf_enabled)"
+          operator: in
+          values: ["true"]
+      workspaces:
+        - name: configs
+          workspace: configs
+        - name: shared-gitops-configs
+          workspace: shared-gitops-configs
+
     # -------------------------------------------------------------------------
     # Deprovision task section
     # -------------------------------------------------------------------------
@@ -825,3 +891,26 @@ spec:
         - name: configs
           workspace: configs
 
+
+    # 3. Deprovision app config
+    # -------------------------------------------------------------------------
+    - name: gitops-deprovision-app-config
+      params:
+        {{ lookup('template', pipeline_src_dir ~ '/taskdefs/gitops/common/gitops-params.yml.j2') | indent(8) }}
+        {{ lookup('template', pipeline_src_dir ~ '/taskdefs/gitops/common/secrets-params.yml.j2') | indent(8) }}
+        {{ lookup('template', pipeline_src_dir ~ '/taskdefs/gitops/common/git-params.yml.j2') | indent(8) }}
+
+        - name: mas_instance_id
+          value: $(params.mas_instance_id)
+        - name: maf_enabled
+          value: $(params.maf_enabled)
+      taskRef:
+        kind: Task
+        name: gitops-delete-app-config
+      when:
+        - input: "$(params.maf_enabled)"
+          operator: in
+          values: ["false"]
+      workspaces:
+        - name: configs
+          workspace: configs