addressing review comments

tsivaprasad · tsivaprasad · commit 7a20ebbd5d14 · 2026-04-03T18:09:59.000+05:30
diff --git a/server/internal/orchestrator/swarm/orchestrator.go b/server/internal/orchestrator/swarm/orchestrator.go
@@ -594,6 +594,12 @@ func (o *Orchestrator) buildServiceInstanceResources(spec *database.ServiceInsta
 // instance. RAG only requires read access, so a single ServiceUserRoleRO is
 // created per database node using the same canonical+per-node pattern as MCP.
 func (o *Orchestrator) generateRAGInstanceResources(spec *database.ServiceInstanceSpec) (*database.ServiceInstanceResources, error) {
+	// Parse the RAG service config to extract API keys.
+	ragConfig, errs := database.ParseRAGServiceConfig(spec.ServiceSpec.Config, false)
+	if len(errs) > 0 {
+		return nil, fmt.Errorf("failed to parse RAG service config: %w", errors.Join(errs...))
+	}
+
 	canonicalROID := ServiceUserRoleIdentifier(spec.ServiceSpec.ServiceID, ServiceUserRoleRO)
 
 	// Canonical read-only role — runs on the node co-located with this instance.
@@ -623,6 +629,24 @@ func (o *Orchestrator) generateRAGInstanceResources(spec *database.ServiceInstan
 		})
 	}
 
+	// Service data directory resource (host-side bind mount directory).
+	dataDirID := spec.ServiceInstanceID + "-data"
+	dataDir := &filesystem.DirResource{
+		ID:     dataDirID,
+		HostID: spec.HostID,
+		Path:   filepath.Join(o.cfg.DataDir, "services", spec.ServiceInstanceID),
+	}
+
+	// API key files resource — writes provider keys into a "keys" subdirectory.
+	keysResource := &RAGServiceKeysResource{
+		ServiceInstanceID: spec.ServiceInstanceID,
+		HostID:            spec.HostID,
+		ParentID:          dataDirID,
+		Keys:              extractRAGAPIKeys(ragConfig),
+	}
+
+	orchestratorResources = append(orchestratorResources, dataDir, keysResource)
+
 	return o.buildServiceInstanceResources(spec, orchestratorResources)
 }
 
diff --git a/server/internal/orchestrator/swarm/rag_service_keys_resource.go b/server/internal/orchestrator/swarm/rag_service_keys_resource.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/pgEdge/control-plane/server/internal/database"
+	"github.com/pgEdge/control-plane/server/internal/filesystem"
 	"github.com/pgEdge/control-plane/server/internal/resource"
 )
 
@@ -23,23 +24,22 @@ func RAGServiceKeysResourceIdentifier(serviceInstanceID string) resource.Identif
 }
 
 // RAGServiceKeysResource manages provider API key files on the host filesystem.
-// Keys are written to KeysDir and bind-mounted read-only into the RAG container.
+// Keys are written to a "keys" subdirectory under the service data directory
+// and bind-mounted read-only into the RAG container.
 // The directory and all files are removed when the service is deleted.
 type RAGServiceKeysResource struct {
 	ServiceInstanceID string            `json:"service_instance_id"`
 	HostID            string            `json:"host_id"`
-	KeysDir           string            `json:"keys_dir"` // absolute path on host
-	Keys              map[string]string `json:"keys"`     // filename → key value
+	ParentID          string            `json:"parent_id"` // DirResource ID for the service data directory
+	Keys              map[string]string `json:"keys"`      // filename → key value
 }
 
 func (r *RAGServiceKeysResource) ResourceVersion() string {
 	return "1"
 }
 
 func (r *RAGServiceKeysResource) DiffIgnore() []string {
-	return []string{
-		"/keys_dir",
-	}
+	return nil
 }
 
 func (r *RAGServiceKeysResource) Identifier() resource.Identifier {
@@ -51,19 +51,30 @@ func (r *RAGServiceKeysResource) Executor() resource.Executor {
 }
 
 func (r *RAGServiceKeysResource) Dependencies() []resource.Identifier {
-	return nil
+	return []resource.Identifier{
+		filesystem.DirResourceIdentifier(r.ParentID),
+	}
 }
 
 func (r *RAGServiceKeysResource) TypeDependencies() []resource.Type {
 	return nil
 }
 
+func (r *RAGServiceKeysResource) keysDir(rc *resource.Context) (string, error) {
+	parentPath, err := filesystem.DirResourceFullPath(rc, r.ParentID)
+	if err != nil {
+		return "", fmt.Errorf("failed to get service data dir path: %w", err)
+	}
+	return filepath.Join(parentPath, "keys"), nil
+}
+
 func (r *RAGServiceKeysResource) Refresh(ctx context.Context, rc *resource.Context) error {
-	if r.KeysDir == "" {
+	keysDir, err := r.keysDir(rc)
+	if err != nil {
 		return resource.ErrNotFound
 	}
 
-	info, err := os.Stat(r.KeysDir)
+	info, err := os.Stat(keysDir)
 	if os.IsNotExist(err) {
 		return resource.ErrNotFound
 	}
@@ -75,7 +86,7 @@ func (r *RAGServiceKeysResource) Refresh(ctx context.Context, rc *resource.Conte
 	}
 
 	for name := range r.Keys {
-		if _, err := os.Stat(filepath.Join(r.KeysDir, name)); err != nil {
+		if _, err := os.Stat(filepath.Join(keysDir, name)); err != nil {
 			if os.IsNotExist(err) {
 				return resource.ErrNotFound
 			}
@@ -87,40 +98,77 @@ func (r *RAGServiceKeysResource) Refresh(ctx context.Context, rc *resource.Conte
 }
 
 func (r *RAGServiceKeysResource) Create(ctx context.Context, rc *resource.Context) error {
-	if err := os.MkdirAll(r.KeysDir, 0o700); err != nil {
+	keysDir, err := r.keysDir(rc)
+	if err != nil {
+		return err
+	}
+	if err := os.MkdirAll(keysDir, 0o700); err != nil {
 		return fmt.Errorf("failed to create keys directory: %w", err)
 	}
-	return r.writeKeyFiles()
+	return r.writeKeyFiles(keysDir)
 }
 
 func (r *RAGServiceKeysResource) Update(ctx context.Context, rc *resource.Context) error {
-	return r.writeKeyFiles()
+	keysDir, err := r.keysDir(rc)
+	if err != nil {
+		return err
+	}
+	if err := r.removeStaleKeyFiles(keysDir); err != nil {
+		return err
+	}
+	return r.writeKeyFiles(keysDir)
 }
 
 func (r *RAGServiceKeysResource) Delete(ctx context.Context, rc *resource.Context) error {
-	if r.KeysDir == "" {
+	keysDir, err := r.keysDir(rc)
+	if err != nil {
+		// Parent dir is gone or unresolvable; nothing to clean up.
 		return nil
 	}
-	if err := os.RemoveAll(r.KeysDir); err != nil {
+	if err := os.RemoveAll(keysDir); err != nil {
 		return fmt.Errorf("failed to remove keys directory: %w", err)
 	}
 	return nil
 }
 
-func (r *RAGServiceKeysResource) writeKeyFiles() error {
+func (r *RAGServiceKeysResource) writeKeyFiles(keysDir string) error {
 	for name, key := range r.Keys {
 		if err := validateKeyFilename(name); err != nil {
 			return err
 		}
-		path := filepath.Join(r.KeysDir, name)
+		path := filepath.Join(keysDir, name)
 		if err := os.WriteFile(path, []byte(key), 0o600); err != nil {
 			return fmt.Errorf("failed to write key file %q: %w", name, err)
 		}
 	}
 	return nil
 }
 
-// validateKeyFilename rejects filenames that could escape KeysDir via path traversal.
+// removeStaleKeyFiles deletes key files in keysDir that are no longer in r.Keys.
+// This handles the case where a pipeline (and its key files) has been removed.
+func (r *RAGServiceKeysResource) removeStaleKeyFiles(keysDir string) error {
+	entries, err := os.ReadDir(keysDir)
+	if os.IsNotExist(err) {
+		return nil
+	}
+	if err != nil {
+		return fmt.Errorf("failed to read keys directory: %w", err)
+	}
+	for _, entry := range entries {
+		if entry.IsDir() {
+			continue
+		}
+		if _, ok := r.Keys[entry.Name()]; !ok {
+			path := filepath.Join(keysDir, entry.Name())
+			if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
+				return fmt.Errorf("failed to remove stale key file %q: %w", entry.Name(), err)
+			}
+		}
+	}
+	return nil
+}
+
+// validateKeyFilename rejects filenames that could escape the keys directory via path traversal.
 func validateKeyFilename(name string) error {
 	if filepath.Clean(name) != name || filepath.IsAbs(name) || strings.ContainsAny(name, `/\`) {
 		return fmt.Errorf("invalid key filename %q", name)
diff --git a/server/internal/orchestrator/swarm/rag_service_keys_resource_test.go b/server/internal/orchestrator/swarm/rag_service_keys_resource_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/pgEdge/control-plane/server/internal/database"
+	"github.com/pgEdge/control-plane/server/internal/filesystem"
 	"github.com/pgEdge/control-plane/server/internal/resource"
 )
 
@@ -36,27 +37,60 @@ func TestRAGServiceKeysResource_Executor(t *testing.T) {
 
 func TestRAGServiceKeysResource_DiffIgnore(t *testing.T) {
 	r := &RAGServiceKeysResource{}
-	ignored := r.DiffIgnore()
-	if len(ignored) != 1 || ignored[0] != "/keys_dir" {
-		t.Errorf("DiffIgnore() = %v, want [\"/keys_dir\"]", ignored)
+	if got := r.DiffIgnore(); len(got) != 0 {
+		t.Errorf("DiffIgnore() = %v, want empty", got)
 	}
 }
 
-func TestRAGServiceKeysResource_RefreshEmptyKeysDir(t *testing.T) {
+func TestRAGServiceKeysResource_Dependencies(t *testing.T) {
+	r := &RAGServiceKeysResource{ParentID: "storefront-rag-host1-data"}
+	deps := r.Dependencies()
+	if len(deps) != 1 {
+		t.Fatalf("Dependencies() len = %d, want 1", len(deps))
+	}
+	want := filesystem.DirResourceIdentifier("storefront-rag-host1-data")
+	if deps[0] != want {
+		t.Errorf("Dependencies()[0] = %v, want %v", deps[0], want)
+	}
+}
+
+// ragKeysRC returns a resource.Context with a DirResource whose FullPath is set to parentFullPath.
+func ragKeysRC(t *testing.T, parentID, parentFullPath string) *resource.Context {
+	t.Helper()
+	parentDir := &filesystem.DirResource{
+		ID:       parentID,
+		HostID:   "host-1",
+		Path:     parentFullPath,
+		FullPath: parentFullPath,
+	}
+	data, err := resource.ToResourceData(parentDir)
+	if err != nil {
+		t.Fatalf("ToResourceData() error = %v", err)
+	}
+	state := resource.NewState()
+	state.Add(data)
+	return &resource.Context{State: state}
+}
+
+func TestRAGServiceKeysResource_RefreshMissingParentID(t *testing.T) {
 	r := &RAGServiceKeysResource{ServiceInstanceID: "inst1"}
-	err := r.Refresh(context.Background(), nil)
+	// rc with an empty State — parent dir not found → ErrNotFound
+	err := r.Refresh(context.Background(), &resource.Context{State: resource.NewState()})
 	if err != resource.ErrNotFound {
 		t.Errorf("Refresh() = %v, want ErrNotFound", err)
 	}
 }
 
 func TestRAGServiceKeysResource_RefreshMissingDir(t *testing.T) {
+	parentID := "inst1-data"
+	rc := ragKeysRC(t, parentID, "/nonexistent/path/that/does/not/exist")
 	r := &RAGServiceKeysResource{
 		ServiceInstanceID: "inst1",
-		KeysDir:           "/nonexistent/path/that/does/not/exist/keys",
+		HostID:            "host-1",
+		ParentID:          parentID,
 		Keys:              map[string]string{"default_rag.key": "sk-test"},
 	}
-	err := r.Refresh(context.Background(), nil)
+	err := r.Refresh(context.Background(), rc)
 	if err != resource.ErrNotFound {
 		t.Errorf("Refresh() = %v, want ErrNotFound", err)
 	}
diff --git a/server/internal/orchestrator/swarm/rag_service_user_role.go b/server/internal/orchestrator/swarm/rag_service_user_role.go
@@ -111,7 +111,7 @@ func (r *RAGServiceUserRole) Create(ctx context.Context, rc *resource.Context) e
 		Logger()
 	logger.Info().Msg("creating RAG service user role")
 
-	r.Username = database.GenerateServiceUsername(r.ServiceID)
+	r.Username = database.GenerateServiceUsername(r.ServiceID, ServiceUserRoleRO)
 	if r.Password == "" {
 		password, err := utils.RandomString(32)
 		if err != nil {
diff --git a/server/internal/orchestrator/swarm/rag_service_user_role_test.go b/server/internal/orchestrator/swarm/rag_service_user_role_test.go
