Fix IoP advisor integration: Kafka listener binding and engine rule packages #488
Merged
ehelms merged 3 commits into theforeman:master from May 6, 2026
98ee545 to 5e1de09
ehelms approved these changes May 5, 2026
vkrizan approved these changes May 5, 2026
vkrizan left a comment
Thanks!
More concerns deserve a commit each. 😁
Kafka was configured to bind to the container hostname (iop-core-kafka), which resolves to the container's IP at startup. When the container restarts it gets a new IP, causing connection refused errors in the advisor service and other Kafka consumers. Binding to all interfaces (PLAINTEXT://:9092) avoids this.
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Without these packages, the engine only loads insights_kafka_service.rules which contains no diagnostic rules — only a metadata emitter. Advisor receives results with 0 reports on every upload. Adding prodsec.rules and telemetry.rules.plugins gives the engine actual rules to evaluate against uploaded archives.
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
5e1de09 to 8f3bb0e
Contributor, Author:
Split into 2 commits.
Packages like prodsec.rules and telemetry.rules.plugins only exist in downstream Satellite engine images, not the community quay.io images. Loading them from the community image causes the engine to crash on startup with no log output. Revert to the three base packages in defaults and introduce iop_engine_extra_packages (default: []) as an extension point for downstream deployments to add image-specific packages without modifying the upstream role.
Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Summary
prodsec.rules and telemetry.rules.plugins to the engine package list so diagnostic rules are loaded and advisor receives findings
Details
Kafka listener fix (src/roles/iop_kafka/templates/kafka/kraft.j2): The previous config bound Kafka to the container hostname (iop-core-kafka:9092), which resolves to the container's IP. When the container restarts it gets a new IP, causing connection refused errors in the advisor service and other consumers. Binding to all interfaces (PLAINTEXT://:9092) avoids this.
Engine packages (src/roles/iop_engine/defaults/main.yaml): Without prodsec.rules and telemetry.rules.plugins, the engine only loads insights_kafka_service.rules which contains no diagnostic rules — only metadata. Advisor receives results with 0 reports on every upload.
Test plan
deploy-dev insights-client
🤖 Generated with Claude Code
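An added example, not part of the pull request or the project's code: a Python check over a Kafka properties file that reports the two listener states this change moves between, a `listeners` entry pinned to a host (the restart failure described above) and a cleartext listener bound to all interfaces (the state after the fix, whose reachability then depends on the container network). The sample configs, function names and finding labels are constructed for illustration; the page does not show the contents of kraft.j2.

```python
import re

# Constructed samples; the page does not show the contents of kraft.j2.
BEFORE = "listeners=PLAINTEXT://iop-core-kafka:9092\nadvertised.listeners=PLAINTEXT://iop-core-kafka:9092\n"
AFTER = "listeners=PLAINTEXT://:9092\nadvertised.listeners=PLAINTEXT://iop-core-kafka:9092\n"

WILDCARD_HOSTS = {"", "0.0.0.0", "[::]"}      # empty host: "all interfaces" per the PR
CLEARTEXT = {"PLAINTEXT", "SASL_PLAINTEXT"}   # Kafka protocols without TLS
LISTENER = re.compile(r"^(?P<name>\w+)://(?P<host>\[[^\]]*\]|[^:]*):(?P<port>\d+)$")


def parse_props(text):
    """Parse key=value lines of a Java-style properties file, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def audit_listeners(text):
    """Return (listener, finding) pairs for the bind addresses in `listeners`."""
    props = parse_props(text)
    # Optional listener-name -> protocol mapping, e.g. INTERNAL:PLAINTEXT
    pairs = props.get("listener.security.protocol.map", "").split(",")
    proto_map = dict(p.strip().split(":", 1) for p in pairs if ":" in p)
    findings = []
    for entry in props.get("listeners", "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        m = LISTENER.match(entry)
        if not m:
            findings.append((entry, "unparseable"))
            continue
        # Without a mapping, the listener name is taken as the protocol name.
        proto = proto_map.get(m["name"], m["name"]).upper()
        if m["host"] not in WILDCARD_HOSTS:
            # Socket is bound to whatever this host resolved to at startup.
            findings.append((entry, "host-bound"))
        elif proto in CLEARTEXT:
            # Reachable on every interface with no transport encryption.
            findings.append((entry, "cleartext-on-all-interfaces"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_listeners(cfg))
```

Only `listeners` is audited; `advertised.listeners` is what clients connect to and is expected to carry a resolvable name.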