feat: provision per-host Postgres user for RAG service instances

[tsivaprasad]

Summary

This PR introduces RAGServiceUserRole, a new resource that creates a dedicated PostgreSQL database user for each RAG service instance running on its co-located host.

Changes

• rag_service_user_role.go — New resource keyed by serviceInstanceID (not serviceID). Handles Create/Delete/Refresh lifecycle. Refresh queries pg_catalog.pg_roles to verify role existence. connectToColocatedPrimary filters instances by HostID before Patroni primary lookup, ensuring the role lands on the correct node.

• orchestrator.go — Refactored GenerateServiceInstanceResources to dispatch by ServiceType. MCP logic extracted into generateMCPInstanceResources. New generateRAGInstanceResources and shared buildServiceInstanceResources helper added.

• resources.go — Registers ResourceTypeRAGServiceUserRole.

• plan_update.go — Skips ServiceInstanceMonitorResource for RAG instances since no Docker container exists yet (swarm.service_instance dependency would be unsatisfied).

Testing

• Covered unit tests
  Manual Verification:

1. Created Cluster

2. Created a database using the following command:
   restish control-plane-local-1 create-database < ../demo/488/rag_create_db.json
   rag_create_db.json

3. The database created successfully

4. Connect to db and confirm that rg service user created

storefront=# SELECT r.rolname AS role, m.rolname AS member FROM pg_auth_members am JOIN pg_roles r ON r.oid = am.roleid JOIN pg_roles m ON m.oid = am.member WHERE m.rolname LIKE 'svc_%';
             role             |   member   
------------------------------+------------
 pgedge_application_read_only | svc_rag_ro
(1 row)

Checklist

• Tests added

Notes for Reviewers

• Why per-host (keyed by serviceInstanceID) instead of per-service? CREATE ROLE is not replicated by Spock in a multi-active setup.
• Why no monitor resource for RAG? ServiceInstanceMonitorResource.Dependencies() hard-codes a dependency on swarm.service_instance. Since this PR provisions only the DB user (no container), that dependency would be unsatisfied and fail the planner.
• Credential re-use on reconciliation: If Refresh finds the role missing in pg_roles, it returns ErrNotFound → Create is called again with a new password. This is intentional — avoids stale credential state across node migrations.

PLAT-489

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 951ac451-faa6-437c-8e9d-faac643f7375

📥 Commits

Reviewing files that changed from the base of the PR and between 3d5d048 and 3dec46f.

📒 Files selected for processing (1)

• server/internal/orchestrator/swarm/orchestrator.go

🚧 Files skipped from review as they are similar to previous changes (1)

• server/internal/orchestrator/swarm/orchestrator.go

---

📝 Walkthrough

Walkthrough

Adds RAG service provisioning and tests; refactors service-instance resource generation to dispatch by service type and centralizes resource building; omits monitor dependency for RAG in workflows; strengthens Postgres role-existence checks and adds a reusable query; updates Makefile tag resolution.

Changes

Cohort / File(s)	Summary
Orchestrator refactor & generators server/internal/orchestrator/swarm/orchestrator.go	GenerateServiceInstanceResources now dispatches on spec.ServiceSpec.ServiceType, delegating to new generateMCPInstanceResources and generateRAGInstanceResources; added buildServiceInstanceResources to convert []resource.Resource → *database.ServiceInstanceResources.
RAG unit tests server/internal/orchestrator/swarm/rag_service_user_role_test.go	Added tests covering RAG resource generation: single-node, multi-node, canonical-node selection, credential-source linking, dispatch for "rag", and unknown-type error handling.
Workflow adjustments server/internal/workflows/plan_update.go	getServiceResources now builds and returns a ServiceResources value; MonitorResource is omitted when serviceSpec.ServiceType == "rag".
Service user-role verification server/internal/orchestrator/swarm/service_user_role.go	ServiceUserRole.Refresh now checks pg_catalog.pg_roles via cluster primary connection; returns resource.ErrNotFound if role missing and logs/wraps query failures.
Postgres helper server/internal/postgres/roles.go	Added exported postgres.UserRoleNeedsCreate(name string) Query[bool] to produce a parameterized SELECT NOT EXISTS query against pg_roles.
Build tooling common.mk	Broadened CONTROL_PLANE_VERSION resolution: fetch tags and prefer git describe --tags --match '<CHANGIE_LATEST>*' with a fallback to literal <CHANGIE_LATEST> if describe fails; adjusted tag-matching behavior.

Poem

🐇 I hopped from spec to service, light and keen,
I made one canonical role, and nodes in between,
Each follower links back where credentials hide,
Monitors pause while roles are verified,
A tiny hop of code, now snug and serene.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 12.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: introducing per-host Postgres user provisioning for RAG service instances, which aligns with the core objective of the changeset.
Description check	✅ Passed	The description follows the template structure with Summary, Changes, Testing, Checklist, and Notes for Reviewers sections. All critical information is included and comprehensive.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch PLAT-489-rag-service-service-user-provisioning

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[tsivaprasad]

@coderabbitai review

[coderabbitai]

@tsivaprasad Sure, I'll review the changes in this PR!

---

🧠 Learnings used

Learnt from: rshoemaker
Repo: pgEdge/control-plane PR: 266
File: server/internal/workflows/update_database.go:122-153
Timestamp: 2026-02-09T21:47:53.293Z
Learning: In server/internal/workflows/update_database.go and provision_services.go (Go): Re-running ProvisionServices on already-provisioned service instances is intentional and not destructive. StoreServiceInstance performs an upsert that may transiently reset state to "creating," but the monitor quickly transitions it back to "running" (matching the database instance recovery pattern). CreateServiceUser is SQL-level idempotent (CREATE ROLE IF NOT EXISTS / ALTER ROLE), and resource deployment diffs desired vs. current state. This design supports recovery scenarios where a user retries with a corrected spec after a service failure.

---

Learnt from: rshoemaker
Repo: pgEdge/control-plane PR: 287
File: server/internal/orchestrator/swarm/service_user_role.go:59-60
Timestamp: 2026-03-11T16:05:35.061Z
Learning: In pgEdge/control-plane server/internal/orchestrator/swarm/service_user_role.go (Go): A ResourceVersion bump (e.g., "2" → "3") in ServiceUserRole is a documentation/safety marker only. When the resource Identifier key changes (e.g., from ServiceInstanceID to ServiceID), recreation is driven automatically by the (Type, ID) key mismatch — old resources with the previous identifier are deleted and new ones are created. Do not flag a ResourceVersion bump as a missing recreate trigger when an Identifier change is already causing full recreate.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

server/internal/orchestrator/swarm/orchestrator.go (2)

433-438: Remove unreachable service-type check in MCP generator.

generateMCPInstanceResources is only called from Line 406 (case "mcp"), so this branch is dead and adds noise.

Suggested cleanup

-	// Only MCP is fully implemented in the orchestrator for now.
-	// PostgREST provisioning (container spec, config delivery, service user) is
-	// implemented in follow-up tickets.
-	if spec.ServiceSpec.ServiceType != "mcp" {
-		return nil, fmt.Errorf("service type %q is not yet supported for provisioning", spec.ServiceSpec.ServiceType)
-	}
-
 	// Parse the MCP service config from the untyped config map
 	mcpConfig, errs := database.ParseMCPServiceConfig(spec.ServiceSpec.Config, false)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/internal/orchestrator/swarm/orchestrator.go` around lines 433 - 438,
The runtime check inside generateMCPInstanceResources that returns an error when
spec.ServiceSpec.ServiceType != "mcp" is unreachable because
generateMCPInstanceResources is only invoked from the "case \"mcp\"" branch;
remove that dead branch to clean up noise. Edit the function
generateMCPInstanceResources to delete the if block referencing
spec.ServiceSpec.ServiceType (and the fmt.Errorf return), ensuring no other
logic depends on that check and run tests/compile to confirm no references
remain.

---

593-612: Use buildServiceInstanceResources in the RAG path too.

Line 593-Line 612 duplicates the conversion logic now centralized in buildServiceInstanceResources, increasing drift risk.

Suggested simplification

-	data := make([]*resource.ResourceData, len(orchestratorResources))
-	for i, res := range orchestratorResources {
-		d, err := resource.ToResourceData(res)
-		if err != nil {
-			return nil, fmt.Errorf("failed to convert resource to resource data: %w", err)
-		}
-		data[i] = d
-	}
-
-	return &database.ServiceInstanceResources{
-		ServiceInstance: &database.ServiceInstance{
-			ServiceInstanceID: spec.ServiceInstanceID,
-			ServiceID:         spec.ServiceSpec.ServiceID,
-			DatabaseID:        spec.DatabaseID,
-			HostID:            spec.HostID,
-			State:             database.ServiceInstanceStateCreating,
-		},
-		Resources: data,
-	}, nil
+	return o.buildServiceInstanceResources(spec, orchestratorResources)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/internal/orchestrator/swarm/orchestrator.go` around lines 593 - 612,
Replace the duplicated conversion loop that turns orchestratorResources into
[]*resource.ResourceData (the block using resource.ToResourceData and assembling
database.ServiceInstanceResources with spec.ServiceInstanceID,
ServiceSpec.ServiceID, DatabaseID, HostID and state) by calling the centralized
helper buildServiceInstanceResources(spec, orchestratorResources), returning its
result and propagating any error; remove the manual loop and construction and
ensure error handling mirrors buildServiceInstanceResources' signature.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@server/internal/orchestrator/swarm/orchestrator.go`:
- Around line 580-591: Don’t rely on the array position — iterate over
spec.DatabaseNodes and create the ServiceUserRole for every node except the
canonical one by explicitly comparing identifiers (e.g., skip when nodeInst.ROID
matches canonicalROID or when nodeInst.NodeName matches the canonical node name)
instead of using spec.DatabaseNodes[1:], then append roles with ServiceID from
spec.ServiceSpec.ServiceID, DatabaseID/DatabaseName from spec, NodeName from
nodeInst, Mode ServiceUserRoleRO and CredentialSource set to &canonicalROID.
- Around line 565-566: The role identity is being keyed by
spec.ServiceSpec.ServiceID (creating canonicalROID via
ServiceUserRoleIdentifier) which makes it shared across all instances; change
the keying to use the service-instance identifier (e.g., spec.ServiceInstanceID
or the appropriate ServiceInstance ID field) when constructing the role
identifier and when creating/looking up the role resource (replace
ServiceUserRoleIdentifier(spec.ServiceSpec.ServiceID, ...) with
ServiceUserRoleIdentifier(spec.ServiceInstanceID, ...) or equivalent). Also, if
RAGServiceUserRole is available in this PR, instantiate/lookup that resource
type instead of ServiceUserRole so the role is scoped per-instance; update the
other occurrences referenced (the blocks around canonicalROID and the later
calls at the 569–574 and 583–589 sites) to use the instance-scoped identifier
consistently.

---

Nitpick comments:
In `@server/internal/orchestrator/swarm/orchestrator.go`:
- Around line 433-438: The runtime check inside generateMCPInstanceResources
that returns an error when spec.ServiceSpec.ServiceType != "mcp" is unreachable
because generateMCPInstanceResources is only invoked from the "case \"mcp\""
branch; remove that dead branch to clean up noise. Edit the function
generateMCPInstanceResources to delete the if block referencing
spec.ServiceSpec.ServiceType (and the fmt.Errorf return), ensuring no other
logic depends on that check and run tests/compile to confirm no references
remain.
- Around line 593-612: Replace the duplicated conversion loop that turns
orchestratorResources into []*resource.ResourceData (the block using
resource.ToResourceData and assembling database.ServiceInstanceResources with
spec.ServiceInstanceID, ServiceSpec.ServiceID, DatabaseID, HostID and state) by
calling the centralized helper buildServiceInstanceResources(spec,
orchestratorResources), returning its result and propagating any error; remove
the manual loop and construction and ensure error handling mirrors
buildServiceInstanceResources' signature.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 87ba96a6-319b-4081-aa9c-8afd6b95d1ec

📥 Commits

Reviewing files that changed from the base of the PR and between bdc9b3d and 67af664.

📒 Files selected for processing (1)

• server/internal/orchestrator/swarm/orchestrator.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

RAG role identity is keyed by service ID instead of service-instance ID.

At Line 565 and Line 569/Line 583, using spec.ServiceSpec.ServiceID makes role identity shared across all instances of the same service. That conflicts with per-host/per-instance role provisioning and can cause credential-source collisions between instances on different hosts.

Suggested direction

-	canonicalROID := ServiceUserRoleIdentifier(spec.ServiceSpec.ServiceID, ServiceUserRoleRO)
+	canonicalROID := ServiceUserRoleIdentifier(spec.ServiceInstanceID, ServiceUserRoleRO)
...
-		ServiceID:    spec.ServiceSpec.ServiceID,
+		ServiceID:    spec.ServiceInstanceID,
...
-				ServiceID:        spec.ServiceSpec.ServiceID,
+				ServiceID:        spec.ServiceInstanceID,

If RAGServiceUserRole exists in this PR, prefer instantiating that resource type here instead of ServiceUserRole.

Also applies to: 569-574, 583-589

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/internal/orchestrator/swarm/orchestrator.go` around lines 565 - 566,
The role identity is being keyed by spec.ServiceSpec.ServiceID (creating
canonicalROID via ServiceUserRoleIdentifier) which makes it shared across all
instances; change the keying to use the service-instance identifier (e.g.,
spec.ServiceInstanceID or the appropriate ServiceInstance ID field) when
constructing the role identifier and when creating/looking up the role resource
(replace ServiceUserRoleIdentifier(spec.ServiceSpec.ServiceID, ...) with
ServiceUserRoleIdentifier(spec.ServiceInstanceID, ...) or equivalent). Also, if
RAGServiceUserRole is available in this PR, instantiate/lookup that resource
type instead of ServiceUserRole so the role is scoped per-instance; update the
other occurrences referenced (the blocks around canonicalROID and the later
calls at the 569–574 and 583–589 sites) to use the instance-scoped identifier
consistently.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

server/internal/orchestrator/swarm/orchestrator.go (1)

565-574: ⚠️ Potential issue | 🟠 Major

RAG role identity is keyed by service ID instead of service-instance ID.

The PR objective states that RAGServiceUserRole should be "keyed by serviceInstanceID" for per-host scoping, but ServiceUserRoleIdentifier and ServiceUserRole are constructed using spec.ServiceSpec.ServiceID. This creates a shared role identity across all instances of the same service rather than per-instance isolation.

Suggested fix

-	canonicalROID := ServiceUserRoleIdentifier(spec.ServiceSpec.ServiceID, ServiceUserRoleRO)
+	canonicalROID := ServiceUserRoleIdentifier(spec.ServiceInstanceID, ServiceUserRoleRO)
 
 	// Canonical read-only role — runs on the node co-located with this instance.
 	canonicalRO := &ServiceUserRole{
-		ServiceID:    spec.ServiceSpec.ServiceID,
+		ServiceID:    spec.ServiceInstanceID,
 		DatabaseID:   spec.DatabaseID,
 		DatabaseName: spec.DatabaseName,
 		NodeName:     spec.NodeName,
 		Mode:         ServiceUserRoleRO,
 	}

Also update lines 585 accordingly.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/internal/orchestrator/swarm/orchestrator.go` around lines 565 - 574,
The role identity is being keyed by spec.ServiceSpec.ServiceID causing shared
RAG roles across service instances; update the call to ServiceUserRoleIdentifier
and the ServiceUserRole fields to use the per-instance identifier
(spec.ServiceSpec.ServiceInstanceID) instead of ServiceID so the canonicalROID
and canonicalRO are scoped to the service instance; also make the same
replacement in the subsequent related construction referenced later (the other
canonical role creation around the same block) so all lookups/creations
consistently use ServiceInstanceID.

🧹 Nitpick comments (1)

server/internal/orchestrator/swarm/orchestrator.go (1)

594-612: Consolidate resource conversion by calling buildServiceInstanceResources.

Lines 594-612 duplicate the conversion logic that buildServiceInstanceResources already provides. This function was introduced specifically to share this code path.

♻️ Proposed fix

 	}
 
-	data := make([]*resource.ResourceData, len(orchestratorResources))
-	for i, res := range orchestratorResources {
-		d, err := resource.ToResourceData(res)
-		if err != nil {
-			return nil, fmt.Errorf("failed to convert resource to resource data: %w", err)
-		}
-		data[i] = d
-	}
-
-	return &database.ServiceInstanceResources{
-		ServiceInstance: &database.ServiceInstance{
-			ServiceInstanceID: spec.ServiceInstanceID,
-			ServiceID:         spec.ServiceSpec.ServiceID,
-			DatabaseID:        spec.DatabaseID,
-			HostID:            spec.HostID,
-			State:             database.ServiceInstanceStateCreating,
-		},
-		Resources: data,
-	}, nil
+	return o.buildServiceInstanceResources(spec, orchestratorResources)
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@server/internal/orchestrator/swarm/orchestrator.go` around lines 594 - 612,
The code duplicates resource conversion logic already implemented in
buildServiceInstanceResources; remove the manual loop that calls
resource.ToResourceData over orchestratorResources and instead call
buildServiceInstanceResources(spec, orchestratorResources), propagate its
returned (*database.ServiceInstanceResources, error), and handle the error as
before (returning fmt.Errorf or the error directly). Ensure you reference
orchestratorResources and spec when calling buildServiceInstanceResources and
preserve the same error handling semantics as the surrounding function.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@common.mk`:
- Line 18: The CONTROL_PLANE_VERSION assignment runs git describe with --match
'$(CHANGIE_LATEST)*' which becomes --match '*' when CHANGIE_LATEST is empty;
change the logic so you first test whether CHANGIE_LATEST is non-empty and only
then run the git fetch && git describe command (leaving CONTROL_PLANE_VERSION
empty when CHANGIE_LATEST is empty). Concretely, wrap the existing shell
invocation in a conditional that checks $(CHANGIE_LATEST) (or branch between a
no-op/empty echo and the git describe call) so --match is never called with '*'
while keeping the variable assignment behavior around CONTROL_PLANE_VERSION
intact.

---

Duplicate comments:
In `@server/internal/orchestrator/swarm/orchestrator.go`:
- Around line 565-574: The role identity is being keyed by
spec.ServiceSpec.ServiceID causing shared RAG roles across service instances;
update the call to ServiceUserRoleIdentifier and the ServiceUserRole fields to
use the per-instance identifier (spec.ServiceSpec.ServiceInstanceID) instead of
ServiceID so the canonicalROID and canonicalRO are scoped to the service
instance; also make the same replacement in the subsequent related construction
referenced later (the other canonical role creation around the same block) so
all lookups/creations consistently use ServiceInstanceID.

---

Nitpick comments:
In `@server/internal/orchestrator/swarm/orchestrator.go`:
- Around line 594-612: The code duplicates resource conversion logic already
implemented in buildServiceInstanceResources; remove the manual loop that calls
resource.ToResourceData over orchestratorResources and instead call
buildServiceInstanceResources(spec, orchestratorResources), propagate its
returned (*database.ServiceInstanceResources, error), and handle the error as
before (returning fmt.Errorf or the error directly). Ensure you reference
orchestratorResources and spec when calling buildServiceInstanceResources and
preserve the same error handling semantics as the surrounding function.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 439a9683-c4ea-4111-ad7e-fafa43ae3624

📥 Commits

Reviewing files that changed from the base of the PR and between 67af664 and 3d5d048.

📒 Files selected for processing (3)

• common.mk
• server/internal/orchestrator/swarm/orchestrator.go
• server/internal/orchestrator/swarm/rag_service_user_role_test.go

✅ Files skipped from review due to trivial changes (1)

• server/internal/orchestrator/swarm/rag_service_user_role_test.go