feat: allow AAP2 manifest injection via internal service URL #148

Open: tonykay wants to merge 1 commit into main from fix/aap2-manifest-inject-internal

tonykay commented May 27, 2026

Summary

  • Adds ocp4_workload_ansible_automation_platform_manifest_inject_host to override the controller host for license injection (e.g. aap.aap.svc.cluster.local)
  • Adds ocp4_workload_ansible_automation_platform_manifest_inject_validate_certs to allow disabling TLS when using internal HTTP endpoints
  • Fully backward-compatible: defaults are empty string and true, matching current behavior

Problem

When the deployer runs as a pod inside the cluster, manifest injection connects to the AAP controller via its external Route hostname. If the cluster ingress is slow to come up or the load balancer is misconfigured (Connection refused), manifest injection fails even though the controller API is healthy on the internal network.

We've hit this repeatedly on IBM Cloud shared clusters where the ingress VIP is unreachable during provisioning.

Usage

In agnosticv, set:

ocp4_workload_ansible_automation_platform_manifest_inject_host: "aap.aap.svc.cluster.local"
ocp4_workload_ansible_automation_platform_manifest_inject_validate_certs: false
ocp4_workload_ansible_automation_platform_manifest_inject_retries: 60
ocp4_workload_ansible_automation_platform_manifest_inject_delay: 10

Test plan

  • Deploy with defaults (no override) — behavior identical to before
  • Deploy with manifest_inject_host set to internal URL — manifest injection uses internal service, bypasses route
  • Verify AAP console still accessible via external route after provisioning

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

Add two new variables to ocp4_workload_ansible_automation_platform:

- manifest_inject_host: override controller_host for the license
  injection task (e.g. "aap.aap.svc.cluster.local" to bypass the
  external route)
- manifest_inject_validate_certs: allow disabling TLS validation
  when using internal HTTP endpoints

When the deployer runs inside the cluster, the external route hostname
may be unreachable if ingress is slow to come up or the load balancer
is misconfigured. Using the internal service URL makes manifest
injection resilient to ingress issues.

Fully backward-compatible: defaults are empty (use route hostname)
and validate_certs: true, matching current behavior.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
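
An added example, not part of the pull request or the project's code: a check over agnosticv variables that flags `manifest_inject_validate_certs: false` unless the inject host is a cluster-internal service name, because with the default empty host the route hostname would be contacted without certificate validation. The flat `key: value` parser, the `<service>.<namespace>.svc[.cluster.local]` pattern and the sample values are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

PREFIX = "ocp4_workload_ansible_automation_platform_manifest_inject_"
# Assumption: internal targets look like <service>.<namespace>.svc[.cluster.local]
INTERNAL_SVC = re.compile(r"^[a-z0-9-]+\.[a-z0-9-]+\.svc(\.cluster\.local)?$")
FALSY = {"false", "no", "off", "0"}

# Constructed samples; PR_USAGE repeats two values from the Usage section.
PR_USAGE = '''
ocp4_workload_ansible_automation_platform_manifest_inject_host: "aap.aap.svc.cluster.local"
ocp4_workload_ansible_automation_platform_manifest_inject_validate_certs: false
'''
NO_OVERRIDE = "ocp4_workload_ansible_automation_platform_manifest_inject_validate_certs: false\n"
EXTERNAL = PR_USAGE.replace("aap.aap.svc.cluster.local", "aap.apps.example.com")


def parse_flat_vars(text):
    """Parse flat `key: value` lines; not a general YAML parser."""
    out = {}
    for line in text.splitlines():
        line = line.split(" #", 1)[0].strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip().strip("\"'")
    return out


def audit_manifest_inject(vars_):
    """Return findings where TLS validation is off for a non-internal target."""
    raw = vars_.get(PREFIX + "host", "")
    validate = vars_.get(PREFIX + "validate_certs", "true").lower() not in FALSY
    if validate:
        return []
    if not raw:
        return ["validate_certs is off but no inject host is set: the route "
                "hostname would be contacted without certificate validation"]
    # Accept a bare hostname or a URL with scheme and port.
    host = urlsplit(raw if "//" in raw else "//" + raw).hostname or ""
    if not INTERNAL_SVC.match(host):
        return [f"validate_certs is off for non-internal host {host!r}"]
    return []


if __name__ == "__main__":
    for name, text in [("pr_usage", PR_USAGE), ("no_override", NO_OVERRIDE),
                       ("external", EXTERNAL)]:
        print(name, audit_manifest_inject(parse_flat_vars(text)))
```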