feat: add support for mTLS EventStreams #1358

Open: wants to merge 1 commit into base: main

Conversation

mkanoor
Contributor

@mkanoor mkanoor commented Jul 6, 2025

This depends on

  • Gateway PR which adds mTLS Routes
  • Platform collection which can be used by the installer
  • Installer changes to create an mTLS route

Adding a new event stream for mTLS support. A new credential has been added which can be used in conjunction with a new mTLS EventStream. When the mTLS EventStream is created, if the user has added a Certificate, we add it to the Gateway, which can then be pulled by Envoy.

Customers in the financial sector have a requirement to use Certificate based auth when sending events to EventStreams.

This change uses the permissive mTLS feature in Envoy to dynamically update the certificates without having to restart the server. As long as Gateway has the latest Certificate, Envoy can pull it in via Secret Discovery Service (SDS), so the data flow is EDA --> Gateway <-- Envoy.

This is not a breaking change, but it's an optional feature that requires the Gateway changes.

Create a Certificate using OpenSSL

openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
    -subj "/C=US/ST=NJ/L=Mahwah/O=Demo/OU=R&D Department/CN=agent1.example.com" \
    -keyout agent1.key  -out agent1.crt

Add a new mTLS Credential (my_mtls) in EDA and load the above certificate
Add a new mTLS EventStream using the mTLS Credential (my_mtls)
Send an Event Payload to the above EventStream and it should be successful.

@mkanoor mkanoor requested a review from a team as a code owner July 6, 2025 23:13
@codecov-commenter

codecov-commenter commented Jul 6, 2025

Codecov Report

Attention: Patch coverage is 35.53719% with 78 lines in your changes missing coverage. Please review.

Project coverage is 93.54%. Comparing base (b6c03d4) to head (1420594).
Report is 3 commits behind head on main.

Files with missing lines Patch % Lines
src/aap_eda/services/sync_certs.py 29.00% 71 Missing ⚠️
src/aap_eda/api/views/event_stream.py 50.00% 7 Missing ⚠️
@@            Coverage Diff             @@
##             main    #1358      +/-   ##
==========================================
- Coverage   93.92%   93.54%   -0.38%     
==========================================
  Files         320      323       +3     
  Lines       18837    18980     +143     
==========================================
+ Hits        17692    17755      +63     
- Misses       1145     1225      +80     
Flag Coverage Δ
unit-int-tests-3.11 93.48% <35.53%> (-0.38%) ⬇️
unit-int-tests-3.12 93.54% <35.53%> (-0.38%) ⬇️


Files with missing lines Coverage Δ
src/aap_eda/api/views/eda_credential.py 99.11% <100.00%> (+<0.01%) ⬆️
src/aap_eda/core/exceptions.py 100.00% <100.00%> (ø)
...da/core/management/commands/create_initial_data.py 98.78% <100.00%> (+<0.01%) ⬆️
src/aap_eda/api/views/event_stream.py 84.95% <50.00%> (-5.05%) ⬇️
src/aap_eda/services/sync_certs.py 29.00% <29.00%> (ø)

... and 14 files with indirect coverage changes


Collaborator

@Alex-Izquierdo Alex-Izquierdo left a comment


  1. Can you add the missing return type hints?
  2. It is not crazy to expect that the interaction with gateway will continue growing. I would consider implementing a GatewayClient and separating concerns in the service. A client would also help with tests.

verify=self.gateway_ssl_verify,
timeout=DEFAULT_TIMEOUT,
)
if response.status_code == status.HTTP_200_OK:
Collaborator

I guess that you have already checked that gateway returns 200, but it is still a weird response for a delete operation, which is usually 204. I suggest adding 204 as well for more resilience.

Collaborator

Actually, looking at https://github.com/ansible-automation-platform/aap-gateway/pull/833 the ca-certificates view inherits from DRF viewset, so it should return 204, not 200.
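The sketch below is an added example, not code from this PR or from aap-eda: it shows the shape of the GatewayClient the reviewer asks for, with the DELETE check accepting both 200 and 204 as discussed above, plus the sanity check a practitioner would want on the certificate loaded into the mTLS credential before it is pushed to the Gateway (it must be one PEM certificate, never a private key, and its SHA-256 fingerprint is recorded). The endpoint path, payload fields, bearer-token header and the placeholder PEM are assumptions, not the real aap-gateway API.

```python
"""Added example (not aap-eda's own code): a small Gateway client for the
CA-certificate sync described in the PR, plus a PEM sanity check that runs
before anything is pushed to the Gateway.  Endpoint path, payload shape and
auth header are assumptions, not the real aap-gateway API."""
import hashlib
import json
import ssl
import urllib.error
import urllib.request

DEFAULT_TIMEOUT = 10
CA_CERTS_PATH = "/api/gateway/v1/ca_certificates/"  # assumed route, not the real one

# Constructed placeholder: base64 of the bytes b"abc" stands in for a real DER
# certificate so the example runs offline.  A real PEM certificate goes here in use.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nYWJj\n-----END PRIVATE KEY-----\n"


class GatewayError(RuntimeError):
    """Raised when the Gateway answers with a status the caller did not expect."""


def validate_pem_certificate(pem: str) -> str:
    """Refuse anything that is not a single PEM certificate and return its
    SHA-256 fingerprint as hex.  Private keys are rejected outright: the mTLS
    credential needs only the client certificate, and a key pasted into the
    form must never be forwarded to the Gateway."""
    if "PRIVATE KEY" in pem:
        raise ValueError("credential contains a private key; upload the certificate only")
    if pem.count("-----BEGIN CERTIFICATE-----") != 1:
        raise ValueError("expected exactly one PEM certificate block")
    # ssl.PEM_cert_to_DER_cert checks the BEGIN/END markers and base64-decodes the body;
    # a malformed body raises binascii.Error, which is a ValueError subclass.
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    if not der:
        raise ValueError("empty certificate body")
    return hashlib.sha256(der).hexdigest()


def _urllib_transport(method, url, headers, body, timeout, context):
    """Default network transport returning (status, text); swapped out in tests."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=context) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


class FakeTransport:
    """Offline stand-in for the network: replays canned (status, body) answers
    and records every call so tests can inspect what would have been sent."""

    def __init__(self, *answers):
        self.answers = list(answers)
        self.calls = []

    def __call__(self, method, url, headers, body, timeout, context):
        self.calls.append((method, url, body))
        return self.answers.pop(0)


class GatewayClient:
    """Single place for Gateway I/O so views and signal handlers do not carry
    their own HTTP calls (the reviewer's GatewayClient suggestion)."""

    def __init__(self, base_url, token, ssl_verify=True, timeout=DEFAULT_TIMEOUT,
                 transport=_urllib_transport):
        self.base_url = base_url.rstrip("/")
        # Bearer token auth is an assumption about how EDA authenticates to the Gateway.
        self.headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
        self.timeout = timeout
        self.transport = transport
        # ssl_verify=False must be an explicit operator choice: it disables
        # hostname and chain checks on the EDA -> Gateway hop.
        self.context = ssl.create_default_context()
        if not ssl_verify:
            self.context.check_hostname = False
            self.context.verify_mode = ssl.CERT_NONE

    def _request(self, method, path, payload=None, ok=()):
        body = json.dumps(payload).encode() if payload is not None else None
        status, text = self.transport(method, self.base_url + path, self.headers,
                                      body, self.timeout, self.context)
        if status not in ok:
            raise GatewayError(f"{method} {path} returned {status}: {text[:200]}")
        return json.loads(text) if text else None

    def upsert_ca_certificate(self, name, pem):
        """Validate the PEM first, then push it; payload field names are assumed."""
        fingerprint = validate_pem_certificate(pem)
        payload = {"name": name, "pem_data": pem, "sha256_fingerprint": fingerprint}
        return self._request("POST", CA_CERTS_PATH, payload, ok=(200, 201))

    def delete_ca_certificate(self, cert_id):
        """DRF viewsets answer DELETE with 204; accept 200 too so a Gateway that
        returns a body does not make EDA treat a successful delete as a failure."""
        self._request("DELETE", f"{CA_CERTS_PATH}{cert_id}/", ok=(200, 204))
        return True
```

The transport is injected so the client can be exercised against canned responses, which is what makes the signal handler that calls it testable without a running Gateway; the production transport honours `ssl_verify` through a real `SSLContext` rather than a bare boolean flag.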

from aap_eda.services.sync_certs import SyncCertificates


@receiver(post_save, sender=models.EdaCredential)
Collaborator

Signals should be covered by tests

This depends on
 - Gateway PR which adds mTLS Routes
 - Platform collection which can be used by the installer
 - Installer changes to create an mTLS route
@mkanoor mkanoor force-pushed the mtls_event_stream_v2 branch from b10e232 to 1420594 Compare July 17, 2025 00:06

Quality Gate Failed Quality Gate failed

Failed conditions
E Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

