From 6cccf73e89a6a340379df8f58588ada5938e23d5 Mon Sep 17 00:00:00 2001
From: Jeremy Lenz
Date: Tue, 5 May 2026 11:12:21 -0400
Subject: [PATCH 1/3] Fix Kafka listener binding to survive container restarts

Kafka was configured to bind to the container hostname (iop-core-kafka), which resolves to the container's IP at startup. When the container restarts it gets a new IP, causing connection refused errors in the advisor service and other Kafka consumers. Binding to all interfaces (PLAINTEXT://:9092) avoids this.

Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 src/roles/iop_kafka/templates/kafka/kraft.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/roles/iop_kafka/templates/kafka/kraft.j2 b/src/roles/iop_kafka/templates/kafka/kraft.j2
index 96b9041be..c7d12d2a2 100644
--- a/src/roles/iop_kafka/templates/kafka/kraft.j2
+++ b/src/roles/iop_kafka/templates/kafka/kraft.j2
@@ -37,7 +37,7 @@ controller.quorum.voters=1@iop-core-kafka:9093
 # listeners = listener_name://host_name:port
 # EXAMPLE:
 # listeners = PLAINTEXT://your.host.name:9092
-listeners=PLAINTEXT://iop-core-kafka:9092,CONTROLLER://iop-core-kafka:9093
+listeners=PLAINTEXT://:9092,CONTROLLER://:9093
 # Name of listener used for communication between brokers.
 inter.broker.listener.name=PLAINTEXT
From 8f3bb0e123c50bce36d8bb47c4cc6c0825ce00a7 Mon Sep 17 00:00:00 2001
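Review bot: The new `listeners=PLAINTEXT://:9092,CONTROLLER://:9093` line binds the unauthenticated, unencrypted PLAINTEXT listener and the KRaft controller listener on the wildcard address (Kafka's docs describe an empty host as "the default interface", but in practice this is all interfaces, which is what the commit message relies on), so who can reach the broker is now decided entirely by the container network and any published ports rather than by the listener host. The hunk does not show `advertised.listeners`; with the host part empty Kafka falls back to advertising the hostname it resolves at startup, which presumably is the `iop-core-kafka` name consumers already use, but that is worth confirming after a restart since stale advertised addresses would reproduce the very "connection refused" symptom the commit is fixing. The `controller.quorum.voters=1@iop-core-kafka:9093` entry in the hunk header still addresses the controller by hostname, which is fine for a connect address but means name resolution inside the network must keep working. I'd add a comment above the new line: `# Bind on all interfaces: the container IP changes across restarts. Exposure is bounded by the container network and published ports, not by this listener.`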
From: Jeremy Lenz
Date: Tue, 5 May 2026 11:12:30 -0400
Subject: [PATCH 2/3] Add prodsec and telemetry rule packages to IoP engine
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Without these packages, the engine only loads insights_kafka_service.rules which contains no diagnostic rules — only a metadata emitter. Advisor receives results with 0 reports on every upload. Adding prodsec.rules and telemetry.rules.plugins gives the engine actual rules to evaluate against uploaded archives.

Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 src/roles/iop_engine/defaults/main.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/roles/iop_engine/defaults/main.yaml b/src/roles/iop_engine/defaults/main.yaml
index 895acb00b..603f31ae9 100644
--- a/src/roles/iop_engine/defaults/main.yaml
+++ b/src/roles/iop_engine/defaults/main.yaml
@@ -7,3 +7,5 @@ iop_engine_packages:
 - "insights.specs.default"
 - "insights.specs.insights_archive"
 - "insights_kafka_service.rules"
+ - "prodsec.rules"
+ - "telemetry.rules.plugins"
From 690c2ac923f682722790486202abc7a46f28bf4e Mon Sep 17 00:00:00 2001
From: Jeremy Lenz
Date: Tue, 5 May 2026 13:48:10 -0400
Subject: [PATCH 3/3] Add iop_engine_extra_packages for downstream rule package extension

Packages like prodsec.rules and telemetry.rules.plugins only exist in downstream Satellite engine images, not the community quay.io images. Loading them from the community image causes the engine to crash on startup with no log output. Revert to the three base packages in defaults and introduce iop_engine_extra_packages (default: []) as an extension point for downstream deployments to add image-specific packages without modifying the upstream role.

Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 docs/iop.md | 12 +++++++++++-
 src/roles/iop_engine/defaults/main.yaml | 4 ++--
 src/roles/iop_engine/templates/engine/config.yml.j2 | 2 +-
 3 files changed, 14 insertions(+), 4 deletions(-)
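Review bot: The two added entries, `+ - "prodsec.rules"` and `+ - "telemetry.rules.plugins"`, are removed again by PATCH 3/3 of this same series, whose message says loading them from the community image crashes the engine on startup with no log output, so the series leaves an intermediate commit in which the default deployment is broken. Squashing this patch into the third, or dropping it, keeps every commit deployable and keeps `git bisect` meaningful. If it is kept as history, its message should state that the packages are downstream-only and point at the follow-up, since a reader landing on this commit alone would take these defaults as valid for the community images.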
diff --git a/docs/iop.md b/docs/iop.md
index a69581b1f..b55a9175e 100644
--- a/docs/iop.md
+++ b/docs/iop.md
@@ -136,4 +136,14 @@ Gateway certificates are configured per certificate source:
 ### Container Images
-All IOP images default to `quay.io/iop/:foreman-3.16`. Each role exposes `iop__container_image` and `iop__container_tag` variables to override.
+All IOP images default to `quay.io/iop/:foreman-3.18`. Each role exposes `iop__container_image` and `iop__container_tag` variables to override.
+
+### Engine Rule Packages
+
+The engine loads Python rule packages listed in `iop_engine_packages`. A separate `iop_engine_extra_packages` list (default: `[]`) is available for downstream deployments to add packages that are not present in the community images:
+
+```yaml
+iop_engine_extra_packages:
+ - "prodsec.rules"
+ - "telemetry.rules.plugins"
+```
diff --git a/src/roles/iop_engine/defaults/main.yaml b/src/roles/iop_engine/defaults/main.yaml
index 603f31ae9..f2d210e3e 100644
--- a/src/roles/iop_engine/defaults/main.yaml
+++ b/src/roles/iop_engine/defaults/main.yaml
@@ -7,5 +7,5 @@ iop_engine_packages:
 - "insights.specs.default"
 - "insights.specs.insights_archive"
 - "insights_kafka_service.rules"
- - "prodsec.rules"
- - "telemetry.rules.plugins"
+
+iop_engine_extra_packages: []
diff --git a/src/roles/iop_engine/templates/engine/config.yml.j2 b/src/roles/iop_engine/templates/engine/config.yml.j2
index a62b79022..1d1e21db0 100644
--- a/src/roles/iop_engine/templates/engine/config.yml.j2
+++ b/src/roles/iop_engine/templates/engine/config.yml.j2
@@ -1,7 +1,7 @@
 plugins:
 default_component_enabled: true
 packages:
-{% for package in iop_engine_packages %}
+{% for package in iop_engine_packages + iop_engine_extra_packages %}
 - {{ package }}
 {% endfor %}
 configs: []
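Review bot: The new `{% for package in iop_engine_packages + iop_engine_extra_packages %}` in config.yml.j2 assumes `iop_engine_extra_packages` is a list; Jinja's `+` between a list and a scalar or null raises a templating error, so a downstream var file that sets a single string fails the whole role render with a generic type error, and the docs hunk in this patch only shows the list form. Since the new "Engine Rule Packages" section states these are Python rule packages the engine loads, every name placed in this variable is imported and executed inside the engine container, which makes it a code-loading extension point rather than a plain setting; I'd add to that section: `Entries must be a YAML list. Each entry is imported as a Python package by the engine, so populate this only from trusted inventory or group vars.` If the role has a validation task (not in this diff), an `ansible.builtin.assert` that `iop_engine_extra_packages is sequence and iop_engine_extra_packages is not string` would surface a misconfiguration before the template is rendered. The same list-only assumption applies to the `iop_engine_extra_packages: []` default in the defaults hunk of this patch, which is fine as written.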