From 6a0b870a3fcd63955386511a7f18b684879bc8c0 Mon Sep 17 00:00:00 2001
From: Tony Kay
Date: Wed, 27 May 2026 15:59:08 -0600
Subject: [PATCH] feat: allow manifest injection via internal service URL

Add two new variables to ocp4_workload_ansible_automation_platform:
- manifest_inject_host: override controller_host for the license injection task (e.g. "aap.aap.svc.cluster.local" to bypass the external route)
- manifest_inject_validate_certs: allow disabling TLS validation when using internal HTTP endpoints
When the deployer runs inside the cluster, the external route hostname may be unreachable if ingress is slow to come up or the load balancer is misconfigured. Using the internal service URL makes manifest injection resilient to ingress issues.
Fully backward-compatible: defaults are empty (use route hostname) and validate_certs: true, matching current behavior.
Co-Authored-By: Claude Opus 4.6
---
 .../defaults/main.yml | 6 ++++++
 .../tasks/workload.yml | 7 +++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/roles/ocp4_workload_ansible_automation_platform/defaults/main.yml b/roles/ocp4_workload_ansible_automation_platform/defaults/main.yml
index 99515db..15175a2 100644
--- a/roles/ocp4_workload_ansible_automation_platform/defaults/main.yml
+++ b/roles/ocp4_workload_ansible_automation_platform/defaults/main.yml
@@ -39,6 +39,12 @@ ocp4_workload_ansible_automation_platform_token_lifecycle_retries: 5
 ocp4_workload_ansible_automation_platform_deploy_wait_timeout: 1800
 ocp4_workload_ansible_automation_platform_manifest_inject_retries: 3
 ocp4_workload_ansible_automation_platform_manifest_inject_delay: 5
+# Override to use an internal service URL for manifest injection.
+# When set, bypasses the external route hostname (useful when ingress
+# is slow to come up or unreachable from the deployer pod).
+# Example: "aap.aap.svc.cluster.local"
+ocp4_workload_ansible_automation_platform_manifest_inject_host: ""
+ocp4_workload_ansible_automation_platform_manifest_inject_validate_certs: true
 # Additional manifest overrides to be merged into the Template used to deploy AAP
 ocp4_workload_ansible_automation_platform_aap_manifest_overrides: {}
diff --git a/roles/ocp4_workload_ansible_automation_platform/tasks/workload.yml b/roles/ocp4_workload_ansible_automation_platform/tasks/workload.yml
index 0ca043e..79829f0 100644
--- a/roles/ocp4_workload_ansible_automation_platform/tasks/workload.yml
+++ b/roles/ocp4_workload_ansible_automation_platform/tasks/workload.yml
@@ -91,10 +91,13 @@
 - name: Inject AAP2 Controller manifest
 ansible.controller.license:
 manifest: /tmp/aap-manifest.zip
- controller_host: "{{ automation_controller_hostname }}"
+ controller_host: >-
+ {{ ocp4_workload_ansible_automation_platform_manifest_inject_host
+ if ocp4_workload_ansible_automation_platform_manifest_inject_host | default('') | length > 0
+ else automation_controller_hostname }}
 controller_username: admin
 controller_password: "{{ _ocp4_workload_ansible_automation_platform_admin_password }}"
- validate_certs: true
+ validate_certs: "{{ ocp4_workload_ansible_automation_platform_manifest_inject_validate_certs }}"
 register: r_aap_license
 until: not r_aap_license.failed
 retries: "{{ ocp4_workload_ansible_automation_platform_manifest_inject_retries }}"
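Review bot: The new `ocp4_workload_ansible_automation_platform_manifest_inject_validate_certs` default has no comment of its own, although it is the security-relevant one of the two added variables; the comment block above it describes only the host override. I would add above it `# Keep true unless manifest_inject_host points at an endpoint whose certificate the deployer cannot verify.` and `# With false, the admin password is sent without authenticating the server.` The example value is a bare hostname while the commit message speaks of a service URL and of HTTP endpoints, so the comment should also say whether a scheme is expected in `manifest_inject_host`.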
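Review bot: The `validate_certs` line now follows the new toggle even when `manifest_inject_host` is empty, so verification can be switched off for the external route as well, and this task sends `controller_password` for the admin account to that host. Tying the relaxation to the override keeps the route path verified: `validate_certs: "{{ ocp4_workload_ansible_automation_platform_manifest_inject_validate_certs | bool or ocp4_workload_ansible_automation_platform_manifest_inject_host | default('') | length == 0 }}"`. If the internal service presents a certificate from a cluster CA, trusting that CA in the deployer would be preferable to disabling validation, though whether that applies here cannot be seen from the hunk. The task continues past the last line shown.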