Wait for DNS before install_ca role

roles/install_ca/meta/main.yml

@@ -27,4 +27,6 @@ galaxy_info:
 
 # List your role dependencies here, one per line. Be sure to remove the '[]' above,
 # if you add dependencies to this list.
-dependencies: []
+dependencies:
+  - role: openshift_dns_ready
+    when: cifmw_install_ca_url is defined

roles/openshift_dns_ready/README.md

@@ -0,0 +1,23 @@
+# openshift_dns_ready
+
+A role to wait for the OpenShift DNS operator to be ready before proceeding with tasks that require DNS resolution.
+
+## Privilege escalation
+
+None required.
+
+## Parameters
+
+* `cifmw_openshift_dns_ready_timeout`: (Integer) Timeout in seconds for `oc wait --timeout`. Default: `60`.
+* `cifmw_openshift_dns_ready_path_prefix`: (String) Directories prepended to `PATH` when `cifmw_path` is unset, so non-interactive SSH finds `oc` (e.g. under `~/.crc/bin`). Default includes `~/.crc/bin`, `~/bin`, `~/.local/bin`.
+* `cifmw_path`: (String) When set (framework bootstrap / CRC), used as `PATH` for `oc` instead of the prefix above.
+* `cifmw_openshift_kubeconfig`: (String) Path to kubeconfig file. If set, exported as `KUBECONFIG`. Inherited from framework defaults.
+* `cifmw_openshift_dns_ready_delegate_to`: (String) Optional inventory hostname to run `oc` on. If unset, uses `cifmw_target_host` (hypervisor in adoption/reproducer), then the current host. Override only when needed; a host without `oc` fails.
+
+## Usage
+
+Used before tasks that require DNS resolution in OpenShift, such as downloading certificates from URLs or accessing external services.
+
+## How it works
+
+The role runs `oc wait dns.operator.openshift.io/default --for=condition=Available=true` so the cluster DNS operator is ready before proceeding. The command is delegated when `cifmw_target_host` is set so `oc` runs on the hypervisor (or another host that has the CLI and kubeconfig). `PATH` is set explicitly so delegated runs match interactive shells (where `oc` is often on `PATH` via profile).

roles/openshift_dns_ready/defaults/main.yml

@@ -0,0 +1,25 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# All variables intended for modification should be placed in this file.
+# All variables within this role should have a prefix of "cifmw_openshift_dns_ready"
+
+# Timeout in seconds passed to `oc wait --timeout`
+cifmw_openshift_dns_ready_timeout: 60
+
+# Prepended to PATH for non-interactive SSH (login shells often add ~/.crc/bin; Ansible does not).
+cifmw_openshift_dns_ready_path_prefix: "{{ ansible_user_dir }}/.crc/bin:{{ ansible_user_dir }}/bin:{{ ansible_user_dir }}/.local/bin"

roles/openshift_dns_ready/meta/main.yml

@@ -0,0 +1,30 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+galaxy_info:
+  author: CI Framework
+  description: CI Framework Role -- openshift_dns_ready
+  company: Red Hat
+  license: Apache-2.0
+  min_ansible_version: "2.14"
+  namespace: cifmw
+  galaxy_tags:
+    - cifmw
+
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+dependencies: []

roles/openshift_dns_ready/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+# Copyright Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Wait for DNS operator to be ready
+  ansible.builtin.command:
+    cmd: >-
+      oc wait dns.operator.openshift.io/default
+      --for=condition=Available=true
+      --timeout={{ cifmw_openshift_dns_ready_timeout }}s
+  environment: "{{ _cifmw_dns_ready_env }}"
+  vars:
+    _cifmw_dns_ready_path: >-
+      {{
+        cifmw_path
+        | default(
+            cifmw_openshift_dns_ready_path_prefix ~ ':' ~ ansible_env.PATH,
+            true
+          )
+      }}
+    _cifmw_dns_ready_env: >-
+      {{
+        {'PATH': _cifmw_dns_ready_path}
+        | combine({'KUBECONFIG': cifmw_openshift_kubeconfig} if cifmw_openshift_kubeconfig is defined else {})
+      }}
+  delegate_to: "{{ cifmw_openshift_dns_ready_delegate_to | default(cifmw_target_host | default(inventory_hostname)) }}"
+  changed_when: false