[AAP-63314] P4.4: Controller - Pass Workload TTL to Gateway

[arrestle]

[AAP-63314] P4.4: Controller - Pass Workload TTL to Gateway

SUMMARY

Passes job.timeout as workload_ttl_seconds when Controller requests a workload identity JWT from Gateway, enabling the Gateway to issue JWTs with TTLs matched to the job's expected runtime.

This is the final link in the P4 TTL chain:

job.timeout (Controller)
    → workload_ttl_seconds in POST /api/gateway/v1/workload_identity_tokens (DAB client)
        → two-priority TTL calculation (Gateway, AAP-63312)
            → JWT exp = workload duration + 60s clock skew

Design decisions:

1. Source: Uses instance.timeout directly — this reflects the effective job timeout (from job template, or 0 if not set)
2. Zero handling: job.timeout = 0 sends workload_ttl_seconds=0, signaling Gateway to use platform default (jwt_default_ttl_seconds)
3. No fallback logic here: TTL priority and platform fallback are handled by the Gateway (AAP-63312) — Controller's only responsibility is to pass the value

Related:

• Depends on DAB PR (AAP-63314) adding workload_ttl_seconds to request_workload_jwt() — see django-ansible-base/AAP-63314.pr.md
• Depends on AAP-63312 (Gateway accepts and uses the parameter)
• Builds on AAP-62693 (P2.4 - this PR's branch, which added _request_workload_identity_token)
• Part of ANSTRAT-1019 (AAP as OIDC Provider)

ISSUE TYPE

• New or Enhanced Feature

COMPONENT NAME

• API

TESTING INSTRUCTIONS

Unit Tests

make test_unit PYTEST_ARGS="-k workload_ttl_seconds or workload_identity_token"

Expected: New parametrized test covers both cases:

• test_request_workload_identity_token_workload_ttl_seconds[job-timeout-passed-as-ttl] — job.timeout=3600 → workload_ttl_seconds=3600
• test_request_workload_identity_token_workload_ttl_seconds[no-timeout-sends-zero-for-gateway-fallback] — job.timeout=0 → workload_ttl_seconds=0

Integration (aap-dev)

1. Configure DAB to use the AAP-63314 DAB branch (which includes AAP-63312 serializer + client changes)
2. Launch a job template with a job timeout set (e.g., 3600s)
3. Verify Gateway issues JWT with ~3660s TTL (timeout + 60s clock skew):

   kubectl logs deployment/controller-task | grep "workload identity token"

ADDITIONAL INFORMATION

Modified files:

• awx/main/tasks/jobs.py — one-line addition to _request_workload_identity_token()
• awx/main/tests/unit/tasks/test_jobs.py — one parametrized test replacing two near-identical tests

---

Assisted-by: Claude

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}