feat: add support for rule engine system credential

[ttuffin]

Adding rule engine system credential for event persistence. Update containerized deployment to support new database for the event persistence feature.

https://redhat.atlassian.net/browse/AAP-66375

Summary by CodeRabbit

• New Features

  • Add configurable event-persistence DB settings with password or TLS certificate auth and validation.
  • Automatically create/update the Rule Engine persistence credential during initialization when configured.

• Tests

  • Added unit tests for credential creation, missing-required-settings validation, password vs. certificate auth, and root-certificate handling.

• Chores

  • Updated local Docker setup to provision the event-persistence database at container startup.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds EVENT_PERSISTENCE_* defaults, updates the create_initial_data management command to validate persistence settings and create/update a managed Rule Engine credential (password or certificate auth, reads TLS files), adds unit tests for these flows, and updates Docker Compose plus a Postgres init script to provision the persistence DB.

Changes

Cohort / File(s)	Summary
Initial data command src/aap_eda/core/management/commands/create_initial_data.py	Added Command._update_rule_engine_credentials() and call from handle(); validates EVENT_PERSISTENCE_* settings, selects cert vs password auth, reads TLS files, builds credential inputs, and creates/updates a managed EdaCredential using CredentialType EDA_RULE_ENGINE.
Configuration defaults src/aap_eda/settings/defaults.py	Introduced new EVENT_PERSISTENCE_* defaults: EVENT_PERSISTENCE_DB_HOST, EVENT_PERSISTENCE_DB_PORT, EVENT_PERSISTENCE_DB_NAME (eda_event_persistence), EVENT_PERSISTENCE_DB_USER, EVENT_PERSISTENCE_DB_PASSWORD, EVENT_PERSISTENCE_PGSSLMODE (prefer), EVENT_PERSISTENCE_PGSSLCERT, EVENT_PERSISTENCE_PGSSLKEY, EVENT_PERSISTENCE_PGSSLROOTCERT.
Unit tests tests/unit/commands/test_create_initial_data.py	Added five DB tests covering: no credential when host unset; password-auth credential creation and stored inputs; ImproperlyConfigured when required settings missing; cert-auth creation with empty password and embedded cert/key contents; rootcert inclusion.
Docker Compose & Postgres init tools/docker/docker-compose-dev.yaml, tools/docker/docker-compose-mac.yml, tools/docker/docker-compose-stage.yaml, tools/docker/postgres/initdb.d/create_event_persistence_db.sh	Added EDA_EVENT_PERSISTENCE_DB_* env vars to shared env anchors and propagated to the postgres service; mounted create_event_persistence_db.sh into Postgres init directory; added init script to conditionally create the event-persistence role and database.

Sequence Diagram(s)

sequenceDiagram
    participant Cmd as create_initial_data.Command
    participant Settings as Settings
    participant FS as Filesystem
    participant ORM as Django ORM

    Cmd->>Settings: read EVENT_PERSISTENCE_* values
    Cmd->>Cmd: return early if host unset
    Cmd->>Cmd: validate required settings or raise ImproperlyConfigured
    alt cert auth configured
        Cmd->>FS: read EVENT_PERSISTENCE_PGSSLCERT
        Cmd->>FS: read EVENT_PERSISTENCE_PGSSLKEY
        opt EVENT_PERSISTENCE_PGSSLROOTCERT provided
            Cmd->>FS: read EVENT_PERSISTENCE_PGSSLROOTCERT
        end
    end
    Cmd->>ORM: resolve CredentialType(EDA_RULE_ENGINE)
    Cmd->>ORM: create/update managed EdaCredential with computed inputs
    ORM-->>Cmd: persist credential

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding support for a rule engine system credential, which is the primary focus of this changeset.
Description check	✅ Passed	The description addresses the core changes (rule engine credential, event persistence database, containerized deployment updates) and includes a relevant issue link, though it lacks detailed explanations of why, how, and testing approaches.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/drools_credential

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tools/docker/postgres/initdb.d/create_event_persistence_db.sh`:
- Around line 1-8: The script create_event_persistence_db.sh currently hardcodes
'eda_event_persistence' in the psql query; update it to use the environment
variable EDA_EVENT_PERSISTENCE_DB_NAME (with a sensible default like
eda_event_persistence) instead of the literal string. Read and sanitize/quote
the shell variable (e.g., set a default via parameter expansion) and substitute
that variable into the SELECT ... WHERE NOT EXISTS (... datname = '...')\gexec
block so the psql command creates the configured DB name used by the
application.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9070a890-6526-45a9-afd1-2af27213f256

📥 Commits

Reviewing files that changed from the base of the PR and between 98efb3c and a13ab59.

📒 Files selected for processing (7)

• src/aap_eda/core/management/commands/create_initial_data.py
• src/aap_eda/settings/defaults.py
• tests/unit/commands/test_create_initial_data.py
• tools/docker/docker-compose-dev.yaml
• tools/docker/docker-compose-mac.yml
• tools/docker/docker-compose-stage.yaml
• tools/docker/postgres/initdb.d/create_event_persistence_db.sh

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.92%. Comparing base (7bd3475) to head (1458112).

@@            Coverage Diff             @@
##             main    #1512      +/-   ##
==========================================
+ Coverage   91.89%   91.92%   +0.02%     
==========================================
  Files         239      239              
  Lines       10763    10794      +31     
==========================================
+ Hits         9891     9922      +31     
  Misses        872      872              

Flag	Coverage Δ
unit-int-tests-3.11	91.92% <100.00%> (+0.02%)	⬆️
unit-int-tests-3.12	91.92% <100.00%> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...da/core/management/commands/create_initial_data.py	98.32% <100.00%> (+0.16%)	⬆️
src/aap_eda/settings/defaults.py	100.00% <100.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tools/docker/docker-compose-dev.yaml`:
- Around line 54-58: Update the docker-compose postgres service to pass the
EDA_EVENT_PERSISTENCE_DB_NAME and EDA_EVENT_PERSISTENCE_DB_USER environment
variables into the container (so the init script sees the configured values) and
then modify the init script create_event_persistence_db.sh to reference
$EDA_EVENT_PERSISTENCE_DB_USER and $EDA_EVENT_PERSISTENCE_DB_NAME (instead of
the hardcoded OWNER eda) and ensure the script creates or verifies the role
exists before assigning ownership; target the env vars
EDA_EVENT_PERSISTENCE_DB_NAME / EDA_EVENT_PERSISTENCE_DB_USER and the init
script create_event_persistence_db.sh for these changes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cfd255e6-acf1-46c2-af9a-e5692fea2f3b

📥 Commits

Reviewing files that changed from the base of the PR and between d3b4350 and e510dc3.

📒 Files selected for processing (7)

• src/aap_eda/core/management/commands/create_initial_data.py
• src/aap_eda/settings/defaults.py
• tests/unit/commands/test_create_initial_data.py
• tools/docker/docker-compose-dev.yaml
• tools/docker/docker-compose-mac.yml
• tools/docker/docker-compose-stage.yaml
• tools/docker/postgres/initdb.d/create_event_persistence_db.sh

🚧 Files skipped from review as they are similar to previous changes (5)

• tools/docker/postgres/initdb.d/create_event_persistence_db.sh
• tools/docker/docker-compose-mac.yml
• tools/docker/docker-compose-stage.yaml
• src/aap_eda/settings/defaults.py
• src/aap_eda/core/management/commands/create_initial_data.py

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

tools/docker/docker-compose-dev.yaml (1)

88-94: ⚠️ Potential issue | 🟠 Major

Propagate event-persistence DB password into the Postgres bootstrap path

Line 88-Line 94 wires DB name/user, but the bootstrap flow still doesn’t carry a password into role creation. With a custom EDA_EVENT_PERSISTENCE_DB_USER, tools/docker/postgres/initdb.d/create_event_persistence_db.sh creates a login role without a password, while the app connects using EDA_EVENT_PERSISTENCE_DB_PASSWORD (Line 58). That can cause auth failures at runtime.

Suggested compose-side adjustment

   postgres:
     environment:
       POSTGRESQL_USER: eda
       POSTGRESQL_PASSWORD: secret
       POSTGRESQL_ADMIN_PASSWORD: secret
       POSTGRESQL_DATABASE: eda
       EDA_EVENT_PERSISTENCE_DB_NAME: ${EDA_EVENT_PERSISTENCE_DB_NAME:-eda_event_persistence}
       EDA_EVENT_PERSISTENCE_DB_USER: ${EDA_EVENT_PERSISTENCE_DB_USER:-eda}
+      EDA_EVENT_PERSISTENCE_DB_PASSWORD: ${EDA_EVENT_PERSISTENCE_DB_PASSWORD:-secret}

Also update tools/docker/postgres/initdb.d/create_event_persistence_db.sh to apply EDA_EVENT_PERSISTENCE_DB_PASSWORD when creating/updating the role.

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tools/docker/docker-compose-dev.yaml` around lines 88 - 94, The compose
service must export EDA_EVENT_PERSISTENCE_DB_PASSWORD into the Postgres
container and the init script create_event_persistence_db.sh must consume that
variable when creating/updating the DB role; add
EDA_EVENT_PERSISTENCE_DB_PASSWORD to the service environment in the compose
snippet (using ${EDA_EVENT_PERSISTENCE_DB_PASSWORD:-...}) and update
create_event_persistence_db.sh to use that env var in the role
creation/alteration command (e.g., CREATE ROLE/ALTER ROLE ... PASSWORD '...') so
the persisted role has the same password the app expects.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/aap_eda/core/management/commands/create_initial_data.py`:
- Around line 2514-2529: The validation block that builds the required dict when
EVENT_PERSISTENCE_DB_HOST is set is missing the database name; update the
required dictionary (the variable named required used in the create_initial_data
logic) to include "EVENT_PERSISTENCE_DB_NAME":
settings.EVENT_PERSISTENCE_DB_NAME (respecting the existing use_cert_auth
branch), so the subsequent missing = [k for k, v in required.items() if not v]
and the ImproperlyConfigured raise will also catch a missing DB name.

---

Duplicate comments:
In `@tools/docker/docker-compose-dev.yaml`:
- Around line 88-94: The compose service must export
EDA_EVENT_PERSISTENCE_DB_PASSWORD into the Postgres container and the init
script create_event_persistence_db.sh must consume that variable when
creating/updating the DB role; add EDA_EVENT_PERSISTENCE_DB_PASSWORD to the
service environment in the compose snippet (using
${EDA_EVENT_PERSISTENCE_DB_PASSWORD:-...}) and update
create_event_persistence_db.sh to use that env var in the role
creation/alteration command (e.g., CREATE ROLE/ALTER ROLE ... PASSWORD '...') so
the persisted role has the same password the app expects.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3bb354cd-8a5b-4d78-9c3f-26bf331c781e

📥 Commits

Reviewing files that changed from the base of the PR and between e510dc3 and 5753b4e.

📒 Files selected for processing (7)

• src/aap_eda/core/management/commands/create_initial_data.py
• src/aap_eda/settings/defaults.py
• tests/unit/commands/test_create_initial_data.py
• tools/docker/docker-compose-dev.yaml
• tools/docker/docker-compose-mac.yml
• tools/docker/docker-compose-stage.yaml
• tools/docker/postgres/initdb.d/create_event_persistence_db.sh

✅ Files skipped from review due to trivial changes (2)

• tools/docker/postgres/initdb.d/create_event_persistence_db.sh
• src/aap_eda/settings/defaults.py

🚧 Files skipped from review as they are similar to previous changes (2)

• tools/docker/docker-compose-stage.yaml
• tools/docker/docker-compose-mac.yml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/unit/commands/test_create_initial_data.py`:
- Around line 257-381: Tests for rule-engine credentials are flaky because they
rely on implicit EVENT_PERSISTENCE_* defaults; add a fixture (e.g.,
isolated_event_persistence_settings) that explicitly clears/resets all
EVENT_PERSISTENCE_DB_* and EVENT_PERSISTENCE_PGSSL* keys, use that fixture in
each rule-engine test
(test_create_initial_data_rule_engine_cred_not_created_without_host,
test_create_initial_data_rule_engine_cred_with_password_auth,
test_create_initial_data_rule_engine_cred_missing_required,
test_create_initial_data_rule_engine_cred_cert_auth,
test_create_initial_data_rule_engine_cred_with_rootcert), and keep per-test
override_settings(...) only for the scenario-specific values
(host/port/user/password/PGSSLCERT/PGSSLKEY/PGSSLROOTCERT) so each test runs
with deterministic event persistence settings.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d9f84f88-6341-495b-bdd6-69be4c2db7fc

📥 Commits

Reviewing files that changed from the base of the PR and between 5753b4e and 1458112.

📒 Files selected for processing (7)

• src/aap_eda/core/management/commands/create_initial_data.py
• src/aap_eda/settings/defaults.py
• tests/unit/commands/test_create_initial_data.py
• tools/docker/docker-compose-dev.yaml
• tools/docker/docker-compose-mac.yml
• tools/docker/docker-compose-stage.yaml
• tools/docker/postgres/initdb.d/create_event_persistence_db.sh

✅ Files skipped from review due to trivial changes (2)

• tools/docker/postgres/initdb.d/create_event_persistence_db.sh
• src/aap_eda/settings/defaults.py

🚧 Files skipped from review as they are similar to previous changes (4)

• tools/docker/docker-compose-dev.yaml
• src/aap_eda/core/management/commands/create_initial_data.py
• tools/docker/docker-compose-stage.yaml
• tools/docker/docker-compose-mac.yml

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[ttuffin]

/run-e2e