fix: use workdir variable instead of ansible_env.HOME prefix

galaxy.yml

@@ -24,10 +24,11 @@ tags:
 
 dependencies:
   ansible.posix: ">=1.0.0"
+  community.crypto: ">=2.0.0"
 
 repository: https://github.com/agnosticd/osp-on-ocp
 documentation: https://github.com/agnosticd/osp-on-ocp
 homepage: https://github.com/agnosticd/osp-on-ocp
 issues: https://github.com/agnosticd/osp-on-ocp/issues
 
-build_ignore: []
+build_ignore: []

roles/ocp4_workload_rhoso_deployment/defaults/main.yml

@@ -19,12 +19,23 @@ ocp4_workload_rhoso_deployment_guid: "{{ guid }}"
 ocp4_workload_rhoso_deployment_bastion_ssh_private_key: "{{ bastion_ssh_key_path | default('~/.ssh/bastion_' ~ guid) }}"
 ocp4_workload_rhoso_deployment_bastion_ssh_public_key: "{{ bastion_ssh_pubkey_path | default('~/.ssh/bastion_' ~ guid ~ '.pub') }}"
 
+# ============================================================================
+# Inventory hostnames — must match what AgnosticD sets in add_host
+# ============================================================================
+ocp4_workload_rhoso_deployment_nfs_host: "nfsserver"
+ocp4_workload_rhoso_deployment_compute_host: "compute01"
+
 # ============================================================================
 # Content files — OpenStack YAML manifests shipped in the role's files/ dir.
 # The role copies these to a working directory on the bastion, then applies them.
 # ============================================================================
 ocp4_workload_rhoso_deployment_files_directory: "openstack-files"
 
+# Full working directory path on the bastion.
+# Uses /tmp to ensure it is writable by any SSH connection user.
+# Override to use a different absolute path.
+ocp4_workload_rhoso_deployment_workdir: "/tmp/{{ ocp4_workload_rhoso_deployment_files_directory }}"
+
 # Manifest files shipped under roles/ocp4_workload_rhoso_deployment/files/
 ocp4_workload_rhoso_deployment_content_files:
 - osp-ng-nncp-w1.yaml

roles/ocp4_workload_rhoso_deployment/handlers/main.yml

@@ -1,5 +1,5 @@
 ---
 - name: Restart nfs-server
   ansible.builtin.raw: systemctl restart nfs-server
-  delegate_to: nfs-server
+  delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
   become: true

roles/ocp4_workload_rhoso_deployment/tasks/control_plane.yml

@@ -1,7 +1,7 @@
 ---
 - name: Read Cinder NFS configuration file
   ansible.builtin.slurp:
-    src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/nfs-cinder-conf"
+    src: "{{ ocp4_workload_rhoso_deployment_workdir }}/nfs-cinder-conf"
   register: _ocp4_workload_rhoso_deployment_nfs_cinder_conf
   delegate_to: bastion
 
@@ -33,7 +33,7 @@
 - name: Create OpenStack Control Plane
   kubernetes.core.k8s:
     state: present
-    src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-ctlplane-deploy.yaml"
+    src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-ctlplane-deploy.yaml"
   retries: 5
   delay: 10
   delegate_to: bastion

roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml

@@ -2,13 +2,13 @@
 - name: Apply data plane network configuration
   kubernetes.core.k8s:
     state: present
-    src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-dataplane-netconfig.yaml"
+    src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-dataplane-netconfig.yaml"
   delegate_to: bastion
 
 - name: Set hostname for compute node
   ansible.builtin.hostname:
     name: "{{ ocp4_workload_rhoso_deployment_compute_nodes[0].hostname }}"
-  delegate_to: compute01
+  delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}"
   become: true
 
 - name: Configure static eth1 interface for control plane
@@ -17,7 +17,7 @@
       nmcli con add con-name "static-eth1" ifname eth1
       type ethernet ip4 {{ ocp4_workload_rhoso_deployment_compute_nodes[0].ctlplane_ip }}/24
       ipv4.dns "172.22.0.89"
-  delegate_to: compute01
+  delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}"
   become: true
   register: _ocp4_workload_rhoso_deployment_compute_eth1
   changed_when: >-
@@ -30,7 +30,7 @@
 - name: Activate static-eth1 connection on compute
   ansible.builtin.command:
     cmd: nmcli con up "static-eth1"
-  delegate_to: compute01
+  delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}"
   become: true
   changed_when: true
 
@@ -39,7 +39,7 @@
     cmd: >-
       nmcli con add con-name "eth0-dhcp" ifname eth0
       type ethernet ipv4.method auto ipv6.method ignore
-  delegate_to: compute01
+  delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}"
   become: true
   register: _ocp4_workload_rhoso_deployment_compute_eth0
   changed_when: >-
@@ -52,14 +52,14 @@
 - name: Activate eth0-dhcp connection on compute
   ansible.builtin.command:
     cmd: nmcli con up "eth0-dhcp"
-  delegate_to: compute01
+  delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}"
   become: true
   changed_when: true
 
 - name: Set stable ID for eth0 connection on compute
   ansible.builtin.command:
     cmd: nmcli con mod eth0-dhcp connection.stable-id user-set
-  delegate_to: compute01
+  delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}"
   become: true
   changed_when: true
 
@@ -90,7 +90,7 @@
 
 - name: Generate nova migration SSH key pair
   community.crypto.openssh_keypair:
-    path: "{{ ansible_env.HOME }}/nova-migration-key"
+    path: "{{ ocp4_workload_rhoso_deployment_workdir }}/nova-migration-key"
     type: ecdsa
     size: 521
     force: false
@@ -101,8 +101,8 @@
     src: "{{ item }}"
   register: _ocp4_workload_rhoso_deployment_nova_keys
   loop:
-  - "{{ ansible_env.HOME }}/nova-migration-key"
-  - "{{ ansible_env.HOME }}/nova-migration-key.pub"
+  - "{{ ocp4_workload_rhoso_deployment_workdir }}/nova-migration-key"
+  - "{{ ocp4_workload_rhoso_deployment_workdir }}/nova-migration-key.pub"
   delegate_to: bastion
 
 - name: Create nova migration SSH key secret
@@ -193,15 +193,15 @@
 - name: Apply data plane node set
   kubernetes.core.k8s:
     state: present
-    src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-dataplane-node-set-deploy.yaml"
+    src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-dataplane-node-set-deploy.yaml"
   retries: 5
   delay: 10
   delegate_to: bastion
 
 - name: Apply data plane deployment
   kubernetes.core.k8s:
     state: present
-    src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-dataplane-deployment.yaml"
+    src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-dataplane-deployment.yaml"
   retries: 5
   delay: 10
   delegate_to: bastion
@@ -236,7 +236,7 @@
 
 - name: Display Data Plane Deployment status
   ansible.builtin.debug:
-    msg: |
+    msg: |-
       === OpenStack Data Plane Deployment Status ===
       Message: {{ _ocp4_workload_rhoso_deployment_dp_status.resources[0].status.get('message', 'No message') }}
       Conditions: {{ _ocp4_workload_rhoso_deployment_dp_status.resources[0].status.get('conditions', []) | map(attribute='type') | list }}

roles/ocp4_workload_rhoso_deployment/tasks/install_operators.yml

@@ -1,15 +1,15 @@
 ---
 - name: Create working directory for OpenStack files
   ansible.builtin.file:
-    path: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}"
+    path: "{{ ocp4_workload_rhoso_deployment_workdir }}"
     state: directory
     mode: "0755"
   delegate_to: bastion
 
 - name: Copy OpenStack configuration files to working directory
   ansible.builtin.copy:
     src: "{{ item }}"
-    dest: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/{{ item }}"
+    dest: "{{ ocp4_workload_rhoso_deployment_workdir }}/{{ item }}"
     mode: "0644"
   loop: "{{ ocp4_workload_rhoso_deployment_content_files }}"
   delegate_to: bastion
@@ -32,15 +32,15 @@
 
 - name: Replace UUID placeholder with guid in manifest files
   ansible.builtin.replace:
-    path: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/{{ item }}"
+    path: "{{ ocp4_workload_rhoso_deployment_workdir }}/{{ item }}"
     regexp: "UUID"
     replace: "{{ ocp4_workload_rhoso_deployment_guid }}"
   loop: "{{ ocp4_workload_rhoso_deployment_uuid_replacement_files }}"
   delegate_to: bastion
 
 - name: Replace external IP placeholders for worker nodes
   ansible.builtin.replace:
-    path: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/{{ item.file }}"
+    path: "{{ ocp4_workload_rhoso_deployment_workdir }}/{{ item.file }}"
     regexp: "{{ item.placeholder }}"
     replace: "{{ item.value }}"
   loop:
@@ -58,7 +58,7 @@
 - name: Apply OpenStack operator OperatorGroup and Subscription
   kubernetes.core.k8s:
     state: present
-    src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-openstack-operator.yaml"
+    src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-openstack-operator.yaml"
   delegate_to: bastion
 
 - name: Wait for OpenStack operator install plan
@@ -114,7 +114,7 @@
 - name: Initialize the OpenStack operator
   kubernetes.core.k8s:
     state: present
-    src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-openstack-operator-init.yaml"
+    src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-openstack-operator-init.yaml"
   delegate_to: bastion
 
 - name: Wait for OpenStack operator to be ready

roles/ocp4_workload_rhoso_deployment/tasks/network_isolation.yml

@@ -2,19 +2,19 @@
 - name: Apply NodeNetworkConfigurationPolicy for worker node 1
   kubernetes.core.k8s:
     state: present
-    src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-nncp-w1.yaml"
+    src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-nncp-w1.yaml"
   delegate_to: bastion
 
 - name: Apply NodeNetworkConfigurationPolicy for worker node 2
   kubernetes.core.k8s:
     state: present
-    src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-nncp-w2.yaml"
+    src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-nncp-w2.yaml"
   delegate_to: bastion
 
 - name: Apply NodeNetworkConfigurationPolicy for worker node 3
   kubernetes.core.k8s:
     state: present
-    src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-nncp-w3.yaml"
+    src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-nncp-w3.yaml"
   delegate_to: bastion
 
 - name: Wait for all NNCPs to be created
@@ -55,7 +55,7 @@
 - name: Apply NetworkAttachmentDefinitions for isolated networks
   kubernetes.core.k8s:
     state: present
-    src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-netattach.yaml"
+    src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-netattach.yaml"
   delegate_to: bastion
 
 - name: Wait for MetalLB additional CRDs
@@ -75,15 +75,15 @@
 - name: Apply MetalLB IP address pools
   kubernetes.core.k8s:
     state: present
-    src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-metal-lb-ip-address-pools.yaml"
+    src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-metal-lb-ip-address-pools.yaml"
   retries: 5
   delay: 10
   delegate_to: bastion
 
 - name: Apply MetalLB L2 advertisements
   kubernetes.core.k8s:
     state: present
-    src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-metal-lb-l2-advertisements.yaml"
+    src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-metal-lb-l2-advertisements.yaml"
   retries: 5
   delay: 10
   delegate_to: bastion

roles/ocp4_workload_rhoso_deployment/tasks/nfs_server.yml

@@ -9,7 +9,7 @@
     {{ ocp4_workload_rhoso_deployment_nfs_cinder_path }}
     {{ ocp4_workload_rhoso_deployment_nfs_glance_path }}
     {{ ocp4_workload_rhoso_deployment_nfs_aap_path }}
-  delegate_to: nfs-server
+  delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
   become: true
   changed_when: true
 
@@ -20,7 +20,7 @@
     {{ ocp4_workload_rhoso_deployment_nfs_glance_path }} *(rw,sync,no_root_squash)
     {{ ocp4_workload_rhoso_deployment_nfs_aap_path }} *(rw,sync,no_root_squash)
     EXPORTS
-  delegate_to: nfs-server
+  delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
   become: true
   changed_when: true
   notify: Restart nfs-server
@@ -30,31 +30,31 @@
     nmcli con show "static-eth1" 2>/dev/null ||
     nmcli con add con-name "static-eth1" ifname eth1
     type ethernet ip4 {{ ocp4_workload_rhoso_deployment_nfs_server_ip }}/24
-  delegate_to: nfs-server
+  delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
   become: true
   changed_when: true
 
 - name: Activate static network connection on NFS server
   ansible.builtin.raw: nmcli con up "static-eth1"
-  delegate_to: nfs-server
+  delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
   become: true
   changed_when: true
 
 - name: Start and enable NFS server
   ansible.builtin.raw: systemctl enable --now nfs-server
-  delegate_to: nfs-server
+  delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
   become: true
   changed_when: true
 
 - name: Export NFS shares
   ansible.builtin.raw: exportfs -ra
-  delegate_to: nfs-server
+  delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
   become: true
   changed_when: true
 
 - name: Verify NFS exports
   ansible.builtin.raw: exportfs -v
-  delegate_to: nfs-server
+  delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
   become: true
   register: _ocp4_workload_rhoso_deployment_nfs_exports
   changed_when: false

roles/ocp4_workload_rhoso_deployment/tasks/remove_workload.yml

@@ -101,7 +101,7 @@
 
 - name: Clean up working directory on bastion
   ansible.builtin.file:
-    path: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}"
+    path: "{{ ocp4_workload_rhoso_deployment_workdir }}"
     state: absent
   delegate_to: bastion
 

roles/ocp4_workload_rhoso_deployment/tasks/security.yml

@@ -2,7 +2,7 @@
 - name: Create OpenStack control plane secret
   kubernetes.core.k8s:
     state: present
-    src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-ctlplane-secret.yaml"
+    src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-ctlplane-secret.yaml"
   delegate_to: bastion
 
 - name: Verify osp-secret was created
@@ -18,7 +18,7 @@
 - name: Create libvirt secret
   kubernetes.core.k8s:
     state: present
-    src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-libvirt-secret.yaml"
+    src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-libvirt-secret.yaml"
   delegate_to: bastion
 
 - name: Verify libvirt-secret was created

roles/ocp4_workload_rhoso_deployment/tasks/setup_hosts.yml

@@ -0,0 +1,24 @@
+---
+# AgnosticD excludes isolated VMs from direct SSH plays (hosts: all:!isolated)
+# so no SSH proxy is configured for them in the EE inventory.
+# We configure the proxy here using variables AgnosticD already sets:
+#   public_ip_address: bastion external SSH hostname
+#   bastion_ssh_port:   bastion NodePort
+#   ansible_user:       cloud-user
+#
+# ProxyCommand (not ProxyJump) is used so that -o StrictHostKeyChecking=no
+# and -o UserKnownHostsFile=/dev/null apply to BOTH the bastion hop and
+# the final VM connection, preventing interactive host-key prompts in AAP.
+
+- name: Configure isolated VM connections via bastion ProxyCommand
+  ansible.builtin.add_host:
+    name: "{{ item }}"
+    ansible_ssh_common_args: >-
+      -o StrictHostKeyChecking=no
+      -o UserKnownHostsFile=/dev/null
+      -o "ProxyCommand=ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
+      -W %h:%p -p {{ hostvars[item]['bastion_ssh_port'] }}
+      {{ hostvars[item]['ansible_user'] | default('cloud-user') }}@{{ hostvars[item]['public_ip_address'] }}"
+  loop:
+  - "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
+  - "{{ ocp4_workload_rhoso_deployment_compute_host }}"

roles/ocp4_workload_rhoso_deployment/tasks/workload.yml

@@ -1,4 +1,7 @@
 ---
+- name: Set up bastion ProxyCommand for isolated VM connections
+  ansible.builtin.include_tasks: setup_hosts.yml
+
 - name: Prerequisites — install NMState, MetalLB, verify cert-manager
   ansible.builtin.include_tasks: prerequisites.yml
   when: ocp4_workload_rhoso_deployment_phase_prerequisites | bool