Move admin password and db encryption secret creation to common

- this allows us to run the pulp-content role before the pulp-api role
- the pulp-content role now runs before the pulp-api role
- now the content PVC is created before the database migrations happen,
  making it possible to wait for the restore role to finish migrating
  data if it is already running.
- Move signing secret configuration to common role

playbooks/pulp.yml

@@ -64,12 +64,14 @@
     - common
     - postgres
     - { role: "pulp-web", when: [ ingress_type | lower != 'route' ] }
-    - pulp-content  # If file storage is used, this role will create the PVC which is needed by the restore management pod
 
   tasks:
 
-    # Hack to import variables ahead of time since we not longer statically include all roles
-    # Eventually, these roles should be re-written, but this is safer for now
+    # If file storage is used, this role will create the PVC,
+    # which is needed by the restore management pod
+    - include_role:
+        name: pulp-content
+
     - name: Pre-load role variables for all roles
       include_vars: "{{ item }}"
       loop:

roles/common/defaults/main.yml

@@ -7,3 +7,13 @@ bundle_cacert_secret: ''
 
 is_k8s: false
 is_openshift: false
+
+
+# Secret to lookup that provide the admin password
+#
+admin_password_secret: ''
+
+admin_password_name: '{{ ansible_operator_meta.name }}-admin-password'
+
+# signing_service.yml
+__gpg_init_container_image: "quay.io/centos/centos:stream9"

roles/common/tasks/main.yml

@@ -56,3 +56,15 @@
 
 - name: Check if k8s or Openshift
   include_tasks: check_k8s_or_openshift.yml
+
+- name: Configure Admin Password from secret
+  include_tasks:
+    file: admin_password_configuration.yml
+
+- name: Configure DB fields encryption key from secret
+  include_tasks:
+    file: db_fields_encryption_configuration.yml
+
+- name: Configure Signing Service
+  include_tasks: signing_service.yml
+  when: signing_secret is defined

roles/pulp-api/defaults/main.yml

@@ -14,12 +14,6 @@ api:
 # see: https://github.com/operator-framework/operator-sdk/issues/1770
 raw_spec: "{{ vars['_pulp_pulpproject_org_pulp']['spec'] }}"
 
-# Secret to lookup that provide the admin password
-#
-admin_password_secret: ''
-
-admin_password_name: '{{ ansible_operator_meta.name }}-admin-password'
-
 # Set content host
 content_host: '{{ ansible_operator_meta.name }}-content-svc'
 content_port: '24816'
@@ -91,7 +85,5 @@ keycloak_protocol_available: false
 keycloak_port_available: false
 keycloak_realm_available: false
 
-__gpg_init_container_image: "quay.io/centos/centos:stream9"
-
 gunicorn_timeout: 90
 gunicorn_api_workers: 2

roles/pulp-api/tasks/main.yml

@@ -89,15 +89,6 @@
     - pulp-server
   no_log: "{{ no_log }}"
 
-- include_tasks:
-    file: admin_password_configuration.yml
-
-- include_tasks:
-    file: db_fields_encryption_configuration.yml
-
-- include_tasks: signing_service.yml
-  when: signing_secret is defined
-
 - k8s_status:
     api_version: "{{ api_version }}"
     kind: "{{ kind }}"