Add private key file spec to ansible

[michaeljguarino]

The intention here is to allow the controller to both:

• add the appropriate ansible playbook flag
• ensure permissions are properly set before execution (since using standard file bindings w/ stacks don't support that)

Test Plan

n/a

Checklist

• If required, I have updated the Plural documentation accordingly.
• I have added tests to cover my changes.
• I have added a meaningful title and summary to convey the impact of this PR to a user.

Plural Flow: console

[greptile-apps]

Greptile Summary

Added privateKeyFile field to ansible stack configuration across the entire stack (GraphQL schema, Go types, Elixir schema, CRDs), but the implementation is incomplete.

Critical Issue:

• The private_key_file field is stored and passed through the API layers but is never used in lib/console/deployments/stacks/commands.ex:78-85 where ansible commands are constructed
• The PR description states the intention is to "add the appropriate ansible playbook flag" and "ensure permissions are properly set before execution", but neither of these are implemented
• The ansible_args function needs to add the --private-key flag when private_key_file is present
• No code was added to set file permissions (e.g., File.chmod(path, 0o600)) on the private key file, though this pattern exists elsewhere in the codebase for SSH keys

Confidence Score: 2/5

• This PR is incomplete and will not achieve its stated goals
• The PR adds the field through all API layers correctly, but fails to implement the core functionality described in the PR description. The private key file path will be stored but never used in ansible command execution, and no permission-setting code was added.
• Pay close attention to lib/console/deployments/stacks/commands.ex which requires implementation changes

Important Files Changed

Filename	Overview
lib/console/deployments/stacks/commands.ex	Not modified - missing implementation to use privateKeyFile in ansible_args function
go/controller/api/v1alpha1/infrastructurestack_types.go	Added PrivateKeyFile field to AnsibleConfiguration struct with proper kubebuilder validation
go/controller/internal/controller/infrastructurestack_controller.go	Added PrivateKeyFile to stackConfigurationAttributes mapping
lib/console/schema/stack.ex	Added private_key_file field to ansible embedded schema and changeset
lib/console/graphql/deployments/stack.ex	Added private_key_file field to GraphQL schema and input types
schema/schema.graphql	Added privateKeyFile to AnsibleConfiguration type and input with proper documentation

_{Last reviewed commit: f984032}

[greptile-apps]

_{18 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Additional Comments (1)

lib/console/deployments/stacks/commands.ex
private_key_file field is not being used here. The PR adds the field to the schema but doesn't include it in the ansible command args. For SSH key authentication, you likely need to add the --private-key flag:

(if ansible.private_key_file, do: ["--private-key", ansible.private_key_file], else: []) ++

Also, the PR description mentions "ensure permissions are properly set before execution" but there's no code to set file permissions (e.g., chmod 600) on the private key file.

[michaeljguarino]

@greptileai the functionality will be implemented in our deployment-operator, not in this codebase

[greptile-apps]

Got it - so the actual implementation of setting permissions and adding the ansible playbook flag will happen in the deployment-operator, not in console. This PR is just adding the spec/schema to define the PrivateKeyFile field so that the deployment-operator can consume it.

In that case, the PR looks good as-is. You're correctly:

1. Adding the CRD field definition for PrivateKeyFile
2. Adding it to the GraphQL schema so it can be configured via the API
3. Adding it to the input types for creating/updating service deployments

The deployment-operator will then read this field and handle the actual file permissions and ansible flag logic.