infra.aap_configuration.hub_namespace role ignores ah_token and uses aap_token instead, causing it to fail #1036

Open
phess opened this issue Feb 17, 2025 · 0 comments
Labels
bug Something isn't working new New issue, this should be removed once reviewed


phess commented Feb 17, 2025

This issue has been found in a published version of this role/collection and confirmed against the devel branch.

Summary

The infra.aap_configuration.hub_namespace role, when used via infra.aap_configuration.dispatch, ignores the ah_token variable and relies entirely on aap_token instead.

This may affect infra.aap_configuration.hub_namespace when used directly as well -- I have not tested this yet.

Issue Type

  • Bug Report

Ansible, Collection, Controller details

$ ansible --version
ansible [core 2.16.12]
  config file = /var/home/phess/.ansible.cfg
  configured module search path = ['/var/home/phess/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.13/site-packages/ansible
  ansible collection location = /home/phess/tmp
  executable location = /usr/bin/ansible
  python version = 3.13.0 (main, Oct  8 2024, 00:00:00) [GCC 14.2.1 20240912 (Red Hat 14.2.1-3)] (/usr/bin/python3)
  jinja version = 3.1.4
  libyaml = True


$ ansible-galaxy collection list                                                                         
# /home/phess/tmp/ansible_collections                                                                    
Collection                               Version     
---------------------------------------- ----------- 
ansible.hub                              1.0.0       
infra.aap_configuration                  3.1.0-devel 
infra.aap_configuration                  3.1.0       
infra.aap_configuration                  3.1.0-devel 
  • ansible installation method: OS package

OS / ENVIRONMENT

Controller: Fedora Workstation 41 x86_64
Target: RHEL 9.4 running AAP Gateway 2.5.20250115 and RHEL 9.4 running Hub 4.10.1.

Desired Behavior

All Hub roles should prefer ah_token to aap_token. More generally, they should prefer ah_* to aap_* variables.

Actual Behavior

I have a playbook that defines multiple objects to create on AAP such as Gateway organizations, Gateway teams, Controller projects, Controller inventories, and also Hub namespaces. Only the Hub objects fail to be created and this is because of the role using aap_token for authentication against Hub, rather than using ah_token.
The playbook is pasted below:

---                                    
- name: Create objects but fail on Hub
  hosts: localhost                     
  vars:                                
    aap_hostname: '{{ my_aap_host }}'   # defined in creds.yml
    aap_username: admin                
    #aap_password: '{{ my_aap_pass | default(omit, True) }}'  # not using password, just token
    aap_token: '{{ my_aap_gateway_token }}'   # defined in creds.yml
    ah_token: '{{ my_ah_token }}'                       # defined in creds.yml
    aap_validate_certs: False          
    ah_path_prefix: galaxy             
    hub_namespaces:                    
    - name: testing123                 
      description: testing namespace creation
      email: root@localhost.example.com
      avatar_url: ""
      groups: []
      links: []
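    # The object lists below are siblings of hub_namespaces under vars,
    # not items of the hub_namespaces list.
    aap_organizations:
      - name: myorg
        ...
    aap_teams:
        ...
    controller_projects:
        ...
    controller_inventories:
        ...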

  tasks:                               
    - include_role:                    
        name: infra.aap_configuration.dispatch
      vars:                            
        gateway_configuration_dispatcher_roles:
          - { role: gateway_organizations, var: aap_organizations, tags: organizations}
          - { role: gateway_teams, var: aap_teams, tags: teams}
        controller_configuration_dispatcher_roles:
          - { role: controller_projects, var: controller_projects, tags: [ inventories, projects ] }
          - { role: controller_inventories, var: controller_inventories, tags: inventories }
        hub_configuration_dispatcher_roles:
          - { role: hub_namespace, var: hub_namespaces, tags: namespaces }

I run this playbook with:

$ ansible-playbook -e @creds.yml create-stuff.yml

The hub task fails with a credentials issue, namely Invalid Automation Hub authentication credentials for api/galaxy/v3/namespaces/ (HTTP 401):

TASK [infra.aap_configuration.hub_namespace : Create Namespace | Wait for finish the namespace creation] **********************************************************************************************************
FAILED - RETRYING: [localhost]: Create Namespace | Wait for finish the namespace creation (50 retries left).
failed: [localhost] (item=Create/Update Namespace testing123 | Wait for finish the Namespace creation) => {"__namespaces_job_async_result_item": {"__hub_namespace_item": {"avatar_url": "", "description": "testing namespace creation", "email": "root@localhost.example.com", "groups": [], "links": [], "name": "testing123"}, "ansible_job_id": "j819286296504.160373", "ansible_loop_var": "__hub_namespace_item", "changed": false, "failed": 0, "finished": 0, "results_file": "/var/home/phess/.ansible_async/j819286296504.160373", "started": 1}, "ansible_job_id": "j819286296504.160373", "ansible_loop_var": "__namespaces_job_async_result_item", "attempts": 2, "changed": false, "finished": 1, "msg": "Invalid Automation Hub authentication credentials for api/galaxy/v3/namespaces/ (HTTP 401).", "results_file": "/var/home/phess/.ansible_async/j819286296504.160373", "started": 1, "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}

This is because the token to be used here is an Automation Hub token, not a Gateway token.
However, the hub_namespace role ignores the ah_token variable and attempts to use aap_token instead, which naturally fails because aap_token is a Gateway token, not a Hub token.

If I pass the correct Hub token in the aap_token, then all tasks fail but the Hub task succeeds.
If I modify the hub_namespaces role source code (I can submit a PR with my changes) then I can get it to prefer ah_token if it exists, and then all roles in my playbook succeed.

STEPS TO REPRODUCE

This minimal playbook works as a reproducer:

---         
- name: Create objects but fail on Hub 
  hosts: localhost
  vars:  
    aap_hostname: '{{ my_aap_host }}'
    aap_username: admin
    aap_token: '{{ my_aap_gateway_token }}'
    ah_token: '{{ my_ah_token }}'
    aap_validate_certs: False
    ah_path_prefix: galaxy
    hub_namespaces:
    - name: testing123
      description: testing namespace creation
      email: root@localhost.example.com
      avatar_url: ""
      groups: []
      links: []
  tasks: 
    - include_role:
        name: infra.aap_configuration.dispatch
      vars:
        hub_configuration_dispatcher_roles:
          - { role: hub_namespace, var: hub_namespaces, tags: namespaces }

The changes that allow the hub_namespace role to prefer ah_token to aap_token can be viewed at devel...phess:infra.aap_configuration:devel. They are minimal and target the ah_token variable only, but I believe a more proper solution is to have all ah_* variables take precedence over aap_* variables.

Please let me know if a PR where the same logic is applied to all ah_* variables would be desirable.

@phess phess added bug Something isn't working new New issue, this should be removed once reviewed labels Feb 17, 2025
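
A pre-flight check for the precedence requested in this issue, as an added example that is not part of the original report or the collection's code. The `ah_token`, `aap_token`, `aap_username`, `aap_password` and `aap_validate_certs` names come from the playbook above; the `ah_username`, `ah_password` and `ah_validate_certs` counterparts, the `hub_var_suffixes` list and the `hub_effective` fact are assumptions made for illustration.

```yaml
---
- name: Pre-flight check for Hub credentials (added example)
  hosts: localhost
  gather_facts: false
  vars:
    # Constructed placeholder values; real tokens belong in a vaulted file.
    aap_username: admin
    aap_validate_certs: false
    aap_token: "GATEWAY-TOKEN-PLACEHOLDER"
    ah_token: "HUB-TOKEN-PLACEHOLDER"
    # Hypothetical list of settings that may exist as both ah_* and aap_*.
    hub_var_suffixes: [token, username, password, validate_certs]
  tasks:
    # For each suffix, take ah_<suffix> when it is defined and fall back to
    # aap_<suffix> otherwise (empty string when neither is defined).
    - name: Resolve Hub settings, preferring ah_* over aap_*
      ansible.builtin.set_fact:
        hub_effective: >-
          {{ hub_effective | default({}) | combine({item:
             lookup('ansible.builtin.vars', 'ah_' ~ item,
                    default=lookup('ansible.builtin.vars', 'aap_' ~ item,
                                   default=''))}) }}
      loop: "{{ hub_var_suffixes }}"
      no_log: true  # the resolved dict contains tokens and passwords

    # Fail before any Hub role runs if the only token available is the
    # Gateway one, which Hub rejects with HTTP 401 as shown in the log above.
    - name: Require a dedicated Hub token
      ansible.builtin.assert:
        that:
          - ah_token is defined
          - ah_token | length > 0
          - hub_effective.token == ah_token
        fail_msg: >-
          ah_token is not set, so Hub roles would authenticate with
          aap_token (a Gateway token).
        quiet: true
```

The failed-assert output lists the condition that evaluated to false rather than the token values, so only the `set_fact` task needs `no_log`.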