
Add AAP plugin for Ansible Automation Platform deployment#387

Open: eurijon wants to merge 1 commit into main from aap-plugin

@eurijon eurijon commented May 21, 2026

Deploys the AAP operator and AnsibleAutomationPlatform CR with configurable components (controller, EDA, hub, lightspeed).

Requires aap_license_file pointing to a valid manifest.zip on the Landing Zone. The plugin validates the file exists before deployment and waits for full reconciliation.

OSAC-931

Summary by CodeRabbit

  • New Features

    • Added Ansible Automation Platform (AAP) plugin with license file configuration
    • Added AAP operator deployment and validation tasks for infrastructure setup
    • Configured AAP component enablement and customization options
  • Chores

    • Added plugin manifest and updated configuration schemas


@github-actions Bot added the deployment (Deployment-related changes), validation (Validation and testing) and plugins labels May 21, 2026
coderabbitai Bot commented May 21, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 79c40393-584f-4049-8829-dcfc60a486c3

📥 Commits

Reviewing files that changed from the base of the PR and between 26c31e3 and 3c5f96f.

📒 Files selected for processing (5)
  • config/global.example.yaml
  • plugins/aap/plugin.yaml
  • plugins/aap/tasks/deploy.yaml
  • plugins/aap/tasks/pre-validate.yaml
  • schemas/variables.yaml

Walkthrough

This PR adds complete Ansible Automation Platform (AAP) plugin support to the enclave framework. It introduces a schema property for the license file path, a plugin manifest defining the AAP operator and feature configuration, pre-validation for the license file, and a comprehensive Kubernetes deployment workflow that manages operator availability, license secrets, custom resource creation, and component readiness polling.

Changes

AAP Plugin Support

| Layer / File(s) | Summary |
|---|---|
| Schema and Configuration Contract: schemas/variables.yaml, config/global.example.yaml | Adds aap_license_file property to the schema and documents it in the example configuration as the path to an AAP license manifest ZIP. |
| Plugin Manifest Definition: plugins/aap/plugin.yaml | Defines the AAP addon plugin with ansible-automation-platform-operator 2.5.0, required license input, target namespace ansible-aap, and default configuration for controller/EDA/hub enablement, image pull policy, Redis mode, and TLS termination. |
| Pre-deployment Validation: plugins/aap/tasks/pre-validate.yaml | Validates that aap_license_file variable is set and the file exists on the filesystem before proceeding. |
| AAP Deployment Orchestration: plugins/aap/tasks/deploy.yaml | Orchestrates multi-step deployment: waits for operator availability, loads and creates license secret, deploys AnsibleAutomationPlatform CR with configurable flags, polls for reconciliation completion, conditionally waits for component readiness, and outputs aggregated status. |

Sequence Diagram

sequenceDiagram
  participant PreValidator as Pre-validator
  participant Operator as AAP Operator
  participant Secret as License Secret
  participant AAPV1 as AAPv1 CR
  participant Controller as AutomationController
  participant EDA as EDA
  participant Hub as AutomationHub

  PreValidator->>PreValidator: Validate aap_license_file exists
  Operator->>Operator: Wait for Available=True
  PreValidator->>Secret: Load license file & create Secret
  Secret-->>AAPV1: License reference
  Operator->>AAPV1: Deploy AnsibleAutomationPlatform CR
  AAPV1->>AAPV1: Poll for Successful=True
  AAPV1->>Controller: Conditionally wait for Successful=True
  AAPV1->>EDA: Conditionally wait for Successful=True
  AAPV1->>Hub: Conditionally wait for Successful=True
  Controller-->>Operator: Component status (Successful/Unknown/disabled)
  EDA-->>Operator: Component status (Successful/Unknown/disabled)
  Hub-->>Operator: Component status (Successful/Unknown/disabled)
  Operator->>Operator: Emit readiness summary

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

The PR introduces a complete new plugin with schema, manifest, validation, and orchestration logic. While each file is straightforward, the deployment workflow requires careful review of the Kubernetes polling logic, retry mechanics, conditional status checking, and component readiness orchestration. The changes are focused and localized to the AAP plugin directory with no existing code modifications.

Suggested labels

plugins, operators, deployment

Suggested reviewers

  • maorfr

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Add AAP plugin for Ansible Automation Platform deployment' directly and clearly summarizes the main change: introducing a new AAP plugin for deploying Ansible Automation Platform. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@plugins/aap/tasks/deploy.yaml`:
- Around line 18-35: The tasks "Read AAP license file" and "Create AAP license
Secret" currently register sensitive data (__r_aap_license_content and
__r_aap_license) but don't prevent it from appearing in logs; add task-level
no_log: true to both tasks so Ansible redacts the slurped license content and
the created secret on success/failure, keeping the existing registers and
variable names intact.

In `@plugins/aap/tasks/pre-validate.yaml`:
- Around line 2-14: The stat task currently references {{ aap_license_file }}
before the conditional fail runs, causing an undefined-variable error; update
the "Check AAP license file exists" task to (1) use a safe default for the path
argument (e.g. path: "{{ aap_license_file | default('') }}") so templating never
errors and (2) add a when guard to only run the stat when aap_license_file is
defined and non-empty (e.g. when: aap_license_file is defined and
aap_license_file | length > 0), leaving the Fail task (which checks
aap_license_file is not defined or the registered
__r_aap_license_stat.stat.exists is false) unchanged.

In `@schemas/variables.yaml`:
- Around line 241-243: The schema entry for aap_license_file currently allows
empty strings; update the variable schema for aap_license_file to enforce
non-empty values by adding a JSON Schema constraint (e.g., minLength: 1) to the
aap_license_file definition so validation fails fast if the value is empty;
locate the aap_license_file entry and add the minLength (or equivalent
non-empty) constraint to its definition.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d8b9fe16-5775-472b-bfee-88d1c9ba7b82

📥 Commits

Reviewing files that changed from the base of the PR and between ac242f5 and 26c31e3.

📒 Files selected for processing (5)
  • config/global.example.yaml
  • plugins/aap/plugin.yaml
  • plugins/aap/tasks/deploy.yaml
  • plugins/aap/tasks/pre-validate.yaml
  • schemas/variables.yaml
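
The first two findings in the review above, applied together as an added example (not code from this PR or the project). Task and register names are the ones quoted in the review; the Secret name and data key are assumptions, and the namespace is the one named in the walkthrough.

```yaml
# Added example: values marked "assumed" do not come from the PR.
- name: Check AAP license file exists
  ansible.builtin.stat:
    path: "{{ aap_license_file | default('') }}"
  register: __r_aap_license_stat
  # Skip the stat entirely when the variable is unset or empty.
  when: aap_license_file is defined and aap_license_file | length > 0

- name: Fail when the license file is missing or not a regular file
  ansible.builtin.assert:
    that:
      - aap_license_file is defined
      - aap_license_file | length > 0
      # A skipped stat registers no "stat" key, so default to false.
      - __r_aap_license_stat.stat.exists | default(false)
      - __r_aap_license_stat.stat.isreg | default(false)
    fail_msg: "aap_license_file must point to an existing manifest.zip"

- name: Read AAP license file
  ansible.builtin.slurp:
    src: "{{ aap_license_file }}"
  register: __r_aap_license_content
  # The registered result holds the whole manifest, base64-encoded.
  no_log: true

- name: Create AAP license Secret
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: aap-license-manifest   # assumed name
        namespace: ansible-aap       # namespace named in the walkthrough
      type: Opaque
      data:
        # slurp output is already base64, which is what Secret.data expects.
        manifest.zip: "{{ __r_aap_license_content.content }}"   # assumed key
  register: __r_aap_license
  # Without this, the task result and module arguments echo the Secret body.
  no_log: true
```

With `no_log: true` the registered variables stay usable by later tasks; only the task output is censored, including at higher verbosity levels.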

Deploys the AAP operator and AnsibleAutomationPlatform CR with
configurable components (controller, EDA, hub, lightspeed).

Requires aap_license_file pointing to a valid manifest.zip on the
Landing Zone. The plugin validates the file exists before deployment
and waits for full reconciliation.

OSAC-931
# Path to the AAP license manifest.zip file on the Landing Zone.
# See https://github.com/osac-project/osac-installer#obtaining-an-aap-license-subscription-manifest
#
# aap_license_file: "/path/to/aap-license.zip"
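Review bot: The comment above `aap_license_file` does not say that the value is required once the AAP plugin is enabled, although the PR description states the plugin requires it and pre-validation fails without it. Suggest adding a line such as "Required when the aap plugin is enabled; the file must exist on the Landing Zone before deployment" so the commented-out default is not read as optional.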
@rporres rporres May 21, 2026

nit: in general I think we tend to name configuration properties and defaults using camel case... not enforced in any way, unfortunately

path: "{{ aap_license_file | default('') }}"
register: __r_aap_license_stat
when: aap_license_file is defined and aap_license_file | length > 0
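Review bot: With the `when:` guard on this task, an empty `aap_license_file` skips the stat and `__r_aap_license_stat` is registered without a `stat` key, so a later test of `__r_aap_license_stat.stat.exists` needs `| default(false)` or it will raise an undefined-attribute error instead of the intended failure message. The check also only establishes that the path exists; testing `__r_aap_license_stat.stat.isreg` as well would reject a directory before the file is read.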

should we check that the license file has the expected shape/format/whatever?
