fix(vm_workload_showroom): remap .ssh ownership for ansible-runner container (rootless podman uid mapping)

[prakhar1985]

What breaks

When showroom_ansible_runner_api: true is set, every lab that uses the ZT runner to execute solve/validate playbooks fails on every module with:

fatal: [node]: UNREACHABLE! => {
  "msg": "Failed to connect to the host via ssh: Can't open user config file /app/.ssh/config: Permission denied"
}

Solver and validator cannot connect to any lab node. Every click of Check or Solve in the showroom UI fails immediately.

---

Commits in this PR

1. Fix .ssh ownership for ansible-runner container (rootless podman uid mapping)

The .ssh directory is created owned by showroom:showroom (uid=1888, mode 700) and volume-mounted into the ansible-runner-api container at /app/.ssh.

The container runs as uid=1001 (default user in the UBI9 image). In rootless podman, the showroom user's UID namespace maps:

container uid	host uid
0	1888 (showroom)
1	231072 (first subuid)
1001	232072 (first subuid + 1000)

The container process (uid=232072 on host) cannot read files owned by uid=1888 with 700 permissions. Every SSH attempt by Ansible fails before a connection is even opened.

Fix: after writing the SSH config, run podman unshare chown -R 1001:1001 on the .ssh directory. podman unshare executes inside the showroom user's user namespace, so uid=1001 inside translates to the correct host uid (232072) that the container process actually runs as.

Gated on showroom_ansible_runner_api — no-op for deployments not using the runner.

---

2. Fix volumes: indent crash and environment: Python dict rendering in ansible_runner_api_service.j2

Two bugs in the template introduced by the "add userdata to runner api" commit that crash podman-compose at startup with:

yaml.parser.ParserError: while parsing a block collection
  in "container-compose.yml", line 63, column 7
expected <block end>, but found '?'

Bug 1 — volumes: wrong indentation:
The {# dns_search #} Jinja2 comment left trailing whitespace that caused volumes: to be indented at the same level as the ports: list items (6 spaces instead of 4). YAML saw it as a non-sequence item inside a sequence and failed to parse.
Fix: remove the comment line entirely.

Bug 2 — environment: rendered as Python dict repr:
{{ f_user_data | combine({...}) }} is rendered by Jinja2 as a Python dict string "{'key': 'value', 'list': ['item']}" which is not valid YAML environment variable format — podman-compose cannot parse it.
Fix: iterate the dict and emit proper YAML key: "value" pairs, converting any list values to comma-separated strings.

---

Why this regressed in v1.6.8

This was not a problem in v1.6.6 because with showroom_ssh_method: password the sshkey block in 22-showroom-users-security.yml never ran, so no .ssh directory was explicitly created by the showroom role. The container either had an empty mount or no mount at all, and labs used password auth — the permission issue never triggered.

v1.6.7 (PR #63) replaced ansible_runner_api_service.j2 with service_runtime_automation.j2 and dropped the .ssh mount entirely — fully breaking any lab that needs SSH key auth in the runner.

v1.6.8 (PR #64) restored the .ssh mount and added a new task in 20-showroom-user-setup.yml to explicitly create the .ssh directory when showroom_ansible_runner_api: true — but created it owned by showroom:showroom which the container cannot read.

---

Tested on

• ocpvdev01.rhdp.net ZeroTouch single-pod deployments, GUIDs fg8gg and 7xl28
• After all three fixes: showroom starts cleanly, all modules connect to lab nodes, validation checks run correctly

cc @andrjone @miteshget