[minor] Ensure DRO is exposed through a route

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "build/bin/config/oscap/ssg-rhel9-ds.xml|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2026-01-12T15:19:33Z",
+  "generated_at": "2026-01-22T06:10:17Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -352,7 +352,7 @@
         "hashed_secret": "b2817467154949a61f8e9ad31d1eeaf03221cbfa",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 235,
+        "line_number": 249,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -552,7 +552,7 @@
         "hashed_secret": "fee2d55ad9a49a95fc89abe8f414dad66704ebfd",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 12,
+        "line_number": 18,
         "type": "Secret Keyword",
         "verified_result": null
       }

image/cli/mascli/functions/gitops_dro

@@ -30,8 +30,10 @@ AWS Secrets Manager Configuration (Required):
       --secrets-path ${COLOR_YELLOW}SECRETS_PATH${TEXT_RESET}                   Secrets Manager path
 
 IBM DRO & IMO Config (Optional):
-      --dro-install-plan ${COLOR_YELLOW}DRO_INSTALL_PLAN${TEXT_RESET} DRO subscription install plan approval('Automatic' or 'Manual'. Default is 'Automatic')
-      --imo-install-plan ${COLOR_YELLOW}IMO_INSTALL_PLAN${TEXT_RESET} IMO subscription install plan approval('Automatic' or 'Manual'. Default is 'Automatic')
+      --dro-install-plan ${COLOR_YELLOW}DRO_INSTALL_PLAN${TEXT_RESET}   DRO subscription install plan approval('Automatic' or 'Manual'. Default is 'Automatic')
+      --imo-install-plan ${COLOR_YELLOW}IMO_INSTALL_PLAN${TEXT_RESET}   IMO subscription install plan approval('Automatic' or 'Manual'. Default is 'Automatic')
+      --dro-public-domain ${COLOR_YELLOW}DRO_PUBLIC_DOMAIN${TEXT_RESET} Domain of DRO if it needs to be exposed publicly
+      --dro-cis-crn ${COLOR_YELLOW}DRO_CIS_CRN${TEXT_RESET}             CIS CRN
 
 Automatic GitHub Push (Optional):
   -P, --github-push ${COLOR_YELLOW}GITHUB_PUSH${TEXT_RESET}        Enable automatic push to GitHub
@@ -116,6 +118,12 @@ function gitops_dro_noninteractive() {
       --imo-install-plan)
       export IMO_INSTALL_PLAN=$1 && shift
         ;;
+      --dro-public-domain)
+      export DRO_PUBLIC_DOMAIN=$1 && shift
+        ;;
+      --dro-cis-crn)
+      export DRO_CIS_CRN=$1 && shift
+        ;;
 
       # Automatic GitHub Push
       -P|--github-push)
@@ -227,6 +235,12 @@ function gitops_dro() {
   echo "${TEXT_DIM}"
   echo_h2 "DRO Operator" "    "
   echo_reset_dim "DRO_NAMESPACE  .......................... ${COLOR_MAGENTA}${DRO_NAMESPACE}"
+  if [[ -n "$DRO_PUBLIC_DOMAIN" ]]; then
+    echo_reset_dim "DRO_PUBLIC_DOMAIN ....................... ${COLOR_MAGENTA}${DRO_PUBLIC_DOMAIN}"
+  fi
+  if [[ -n "$DRO_CIS_CRN" ]]; then
+    echo_reset_dim "DRO_CIS_CRN .......................... ${COLOR_MAGENTA}${DRO_CIS_CRN}"
+  fi
   reset_colors
 
   echo "${TEXT_DIM}"
@@ -249,6 +263,8 @@ function gitops_dro() {
   # ---------------------------------------------------------------------------
   # Note that SECRET_KEY_IBM_ENTITLEMENT cluster-level secret is set up by gitops-cluster
   export SECRET_KEY_IBM_ENTITLEMENT=${ACCOUNT_ID}${SECRETS_KEY_SEPERATOR}${CLUSTER_ID}${SECRETS_KEY_SEPERATOR}ibm_entitlement#entitlement_key
+  export SECRET_KET_DRO_TLS_CERT=${ACCOUNT_ID}${SECRETS_KEY_SEPERATOR}${CLUSTER_ID}${SECRETS_KEY_SEPERATOR}dro#dro_client_tls_tls_crt_b64
+  export SECRET_KET_DRO_TLS_KEY=${ACCOUNT_ID}${SECRETS_KEY_SEPERATOR}${CLUSTER_ID}${SECRETS_KEY_SEPERATOR}dro#dro_client_tls_tls_key_b64
 
   if [ "$DRO_CMM_SETUP" == "true" ]; then
     export SECRET_KEY_DRO_CMM_AUTH_APIKEY=${ACCOUNT_ID}${SECRETS_KEY_SEPERATOR}${CLUSTER_ID}${SECRETS_KEY_SEPERATOR}dro_cmm_auth#api_key

image/cli/mascli/templates/gitops/appset-configs/cluster/ibm-dro.yaml.j2

@@ -7,6 +7,12 @@ ibm_dro:
     dro_cmm_setup: {{ DRO_CMM_SETUP }}
     dro_install_plan: {{ DRO_INSTALL_PLAN }}
     imo_install_plan: {{ IMO_INSTALL_PLAN }}
+{% if DRO_PUBLIC_DOMAIN is defined and DRO_PUBLIC_DOMAIN and CIS_CRN is defined and CIS_CRN %}
+    dro_public_domain: {{ DRO_PUBLIC_DOMAIN }}
+    tls_certificate: "<path:{{ SECRETS_PATH }}:{{ SECRET_KET_DRO_TLS_CERT }} | base64decode >"
+    tls_key: "<path:{{ SECRETS_PATH }}:{{ SECRET_KET_DRO_TLS_KEY }} | base64decode >"
+    cis_crn: {{ CIS_CRN }}
+{% endif %}
 {% if DRO_CMM_SETUP is defined and DRO_CMM_SETUP %}
     dro_cmm:
         auth_apikey: "<path:{{ SECRETS_PATH }}:{{ SECRET_KEY_DRO_CMM_AUTH_APIKEY }}>"

tekton/src/pipelines/gitops/gitops-mas-cluster.yml.j2

@@ -63,6 +63,12 @@ spec:
     - name: imo_install_plan
       type: string
       default: "Automatic"
+    - name: dro_public_domain
+      type: string
+      default: ""
+    - name: dro_cis_crn
+      type: string
+      default: ""
 
     - name: nvidia_gpu_action
       type: string
@@ -426,6 +432,10 @@ spec:
           value: $(params.dro_install_plan)
         - name: imo_install_plan
           value: $(params.imo_install_plan)
+        - name: dro_public_domain
+          value: $(params.dro_public_domain)
+        - name: dro_cis_crn
+          value: $(params.dro_cis_crn)
       taskRef:
         kind: Task
         name: gitops-dro

tekton/src/tasks/gitops/gitops-dro.yml.j2

@@ -41,6 +41,12 @@ spec:
     - name: imo_install_plan
       type: string
       default: "Automatic"
+    - name: dro_public_domain
+      type: string
+      default: ""
+    - name: dro_cis_crn
+      type: string
+      default: ""
   stepTemplate:
     name: gitops-dro
     env:
@@ -74,6 +80,10 @@ spec:
         value: $(params.dro_install_plan)
       - name: IMO_INSTALL_PLAN
         value: $(params.imo_install_plan)
+      - name: DRO_PUBLIC_DOMAIN
+        value: $(params.dro_public_domain)
+      - name: DRO_CIS_CRN
+        value: $(params.dro_cis_crn)
     envFrom:
       - configMapRef:
           name: environment-properties