RHOAIENG-32026: remove duplication for mysql commands

[fege]

Description

Address comments of previous PRs

• https://github.com/opendatahub-io/opendatahub-tests/pull/504/files#r2264915363 mask mysql credentials
• https://github.com/opendatahub-io/opendatahub-tests/pull/504/files#r2265897634 Remove code duplication for mysql commands

How Has This Been Tested?

Merge criteria:

• The commits are squashed in a cohesive manner and have meaningful messages.
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• The developer has manually tested the changes and verified that the changes work

Summary by CodeRabbit

• Tests
  • Improved database-related negative tests by standardizing credential-based MySQL execution.
  • Introduced reusable utilities for secure DB command execution, enhancing test stability and consistency.
  • Maintains existing test behavior while simplifying setup of migration state.
  • Provides clearer diagnostics through consistent command output handling.
  • No changes to user-facing functionality or public interfaces.

[coderabbitai]

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

Replaces direct MySQL CLI invocations in negative tests with two new helper utilities: one that writes a MySQL credentials file onto the DB Pod and one that runs SQL via that credentials file; conftest now uses these helpers to read the latest migration version and mark it dirty.

Changes

Cohort / File(s)	Summary
New MySQL helper utilities tests/model_registry/negative_tests/utils.py	Added create_mysql_credentials_file(pod: Pod) to write a base64-encoded /tmp/.my.cnf using MODEL_REGISTRY_DB_SECRET_STR_DATA, and execute_mysql_command(sql_query: str, pod: Pod) -> str to run mysql --defaults-file=/tmp/.my.cnf -e <query> <db> and return output.
Refactor negative tests to use helpers tests/model_registry/negative_tests/conftest.py	Replaced direct pod.execute([... mysql ...]) calls with create_mysql_credentials_file(...) and execute_mysql_command(...) to obtain the latest migration version and to set dirty = 1; preserved parsing and return of latest_migration_version.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5b3d96d and 7f4c872.

📒 Files selected for processing (2)

• tests/model_registry/negative_tests/conftest.py (2 hunks)
• tests/model_registry/negative_tests/utils.py (1 hunks)

✨ Finishing touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

The following are automatically added/executed:

• PR size label.
• Run pre-commit
• Run tox
• Add PR author as the PR assignee
• Build image based on the PR

Available user actions:

• To mark a PR as WIP, add /wip in a comment. To remove it from the PR comment /wip cancel to the PR.
• To block merging of a PR, add /hold in a comment. To un-block merging of PR comment /hold cancel.
• To mark a PR as approved, add /lgtm in a comment. To remove, add /lgtm cancel.
  lgtm label removed on each new commit push.
• To mark PR as verified comment /verified to the PR, to un-verify comment /verified cancel to the PR.
  verified label removed on each new commit push.
• To Cherry-pick a merged PR /cherry-pick <target_branch_name> to the PR. If <target_branch_name> is valid,
  and the current PR is merged, a cherry-picked PR would be created and linked to the current PR.
• To build and push image to quay, add /build-push-pr-image in a comment. This would create an image with tag
  pr-<pr_number> to quay repository. This image tag, however would be deleted on PR merge or close action.

Supported labels

{'/cherry-pick', '/lgtm', '/verified', '/hold', '/wip', '/build-push-pr-image'}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (6)

tests/model_registry/negative_tests/conftest.py (3)

28-28: Fix typo in imported helper name.

It should be create_mysql_credentials_file for clarity and consistency.

-from tests.model_registry.negative_tests.utils import execute_mysql_command, crate_mysql_credentials_file
+from tests.model_registry.negative_tests.utils import execute_mysql_command, create_mysql_credentials_file

---

143-148: Make result parsing deterministic (use mysql -N -B) and simplify cast.

With -N -B (proposed in utils comment), the output will be a single line number. Parse it directly.

-    crate_mysql_credentials_file(model_registry_db_instance_pod=model_registry_db_instance_pod)
-    output = execute_mysql_command(
+    create_mysql_credentials_file(model_registry_db_instance_pod=model_registry_db_instance_pod)
+    output = execute_mysql_command(
         sql_query="SELECT version FROM schema_migrations ORDER BY version DESC LIMIT 1;",
         model_registry_db_instance_pod=model_registry_db_instance_pod,
     )
-    latest_migration_version = int(output.strip().split()[1])
+    latest_migration_version = int(output.strip())

---

149-152: Address Ruff S608 (string-built SQL) and harden.

The value is already int-sanitized; annotate to silence S608 and avoid false positives.

-    execute_mysql_command(
-        sql_query=f"UPDATE schema_migrations SET dirty = 1 WHERE version = {latest_migration_version};",
+    execute_mysql_command(
+        sql_query=f"UPDATE schema_migrations SET dirty = 1 WHERE version = {latest_migration_version};",  # noqa: S608 - latest_migration_version is int-sanitized
         model_registry_db_instance_pod=model_registry_db_instance_pod,
     )

Optionally, add a quick guard to fail fast if the SELECT returned empty output to avoid ValueError on int().

tests/model_registry/negative_tests/utils.py (3)

6-6: Rename helper to ‘create_mysql_credentials_file’.

Fix the typo to improve readability; update imports/callers accordingly (see conftest diff).

-def crate_mysql_credentials_file(model_registry_db_instance_pod: Pod) -> None:
+def create_mysql_credentials_file(model_registry_db_instance_pod: Pod) -> None:

---

16-18: Set restrictive permissions on the credentials file.

Ensure the file isn’t world-readable. Use umask 077 during creation.

-    model_registry_db_instance_pod.execute(
-        command=["bash", "-c", f"echo '{b64_content}' | base64 --decode > /tmp/.my.cnf"]
-    )
+    model_registry_db_instance_pod.execute(
+        command=["bash", "-c", f"umask 077 && echo '{b64_content}' | base64 -d > /tmp/.my.cnf"]
+    )

Optional: add a small helper to delete /tmp/.my.cnf in a test finalizer to reduce credential residue.

---

1-33: Minor cleanup: centralize the credentials path.

Define a module-level constant (e.g., CREDENTIALS_PATH = "/tmp/.my.cnf") and reuse it in both helpers.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d413fbb and 5b3d96d.

📒 Files selected for processing (2)

• tests/model_registry/negative_tests/conftest.py (2 hunks)
• tests/model_registry/negative_tests/utils.py (1 hunks)

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-07-09T08:50:22.172Z

Learnt from: fege
PR: opendatahub-io/opendatahub-tests#409
File: tests/model_registry/negative_tests/test_db_migration.py:47-57
Timestamp: 2025-07-09T08:50:22.172Z
Learning: In negative tests for model registry database migration failures (like test_db_migration_negative), the model registry pod is expected to be in a failed state (not Running) when the database is dirty. The test fetches logs from the failed pod to verify the expected error message about dirty database version, so waiting for Running status would be inappropriate.

Applied to files:

• tests/model_registry/negative_tests/conftest.py

📚 Learning: 2025-08-21T19:08:14.982Z

Learnt from: dbasunag
PR: opendatahub-io/opendatahub-tests#527
File: tests/model_registry/rbac/conftest.py:358-359
Timestamp: 2025-08-21T19:08:14.982Z
Learning: In tests/model_registry/rbac/conftest.py, the model catalog configmap only exists in one specific namespace (py_config["model_registry_namespace"]) regardless of where model registry instances are deployed, making it a shared resource that serves all model registry instances across namespaces.

Applied to files:

• tests/model_registry/negative_tests/conftest.py

🧬 Code graph analysis (2)

tests/model_registry/negative_tests/conftest.py (1)

tests/model_registry/negative_tests/utils.py (2)

• execute_mysql_command (21-33)
• crate_mysql_credentials_file (6-18)

tests/model_registry/negative_tests/utils.py (1)

tests/model_registry/negative_tests/conftest.py (1)

• model_registry_db_instance_pod (157-164)

🪛 Ruff (0.12.2)

tests/model_registry/negative_tests/conftest.py

150-150: Possible SQL injection vector through string-based query construction

(S608)

[sheltoncyril]

/lgtm

[sheltoncyril]

Hey, is this a typo? ("crate" instead of "create")

[dbasunag]

Thank you for catching it. @fege this looks like a typo.

[fege]

thanks for fixing @sheltoncyril

[dbasunag]

Thank you for catching it. @fege this looks like a typo.

[github-actions]

Status of building tag latest: success.
Status of pushing tag latest to image registry: success.