From fb5ae8234d9eddad263c0f8e02a7f7efc3c8e70f Mon Sep 17 00:00:00 2001
From: Miguel Angel Nieto Jimenez <mnietoji@redhat.com>
Date: Fri, 8 May 2026 14:11:16 +0200
Subject: [PATCH] [cifmw_setup] Wait for stable cluster after openshift_setup
 changes

The openshift_setup role modifies cluster-wide resources
(Image/cluster additionalTrustedCA, registrySources,
ImageContentSourcePolicy, Network operator config) that trigger
rolling updates of the API server and other control plane components.
Without waiting for these rollouts to complete, subsequent tasks
(e.g. kustomize_deploy) fail with 401 Unauthorized because the API
server pods are being recycled.

Signed-off-by: Miguel Angel Nieto Jimenez <mnietoji@redhat.com>
---
 roles/cifmw_setup/tasks/infra.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/roles/cifmw_setup/tasks/infra.yml b/roles/cifmw_setup/tasks/infra.yml
index 49e911362..24269cbb7 100644
--- a/roles/cifmw_setup/tasks/infra.yml
+++ b/roles/cifmw_setup/tasks/infra.yml
@@ -46,6 +46,15 @@
   ansible.builtin.import_role:
     name: openshift_setup
 
+- name: Wait for cluster to stabilize after openshift_setup changes
+  environment:
+    KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
+    PATH: "{{ cifmw_path }}"
+  ansible.builtin.command:
+    cmd: >-
+      oc adm wait-for-stable-cluster --minimum-stable-period=5s --timeout=30m
+  changed_when: false
+
 - name: Deploy Observability operator.
   when:
     - cifmw_deploy_obs is defined