fix: Remove unnecessary container registry step

roles/vault_setup/tasks/main.yml

@@ -0,0 +1,51 @@
+---
+# Configures a running, initialized HashiCorp Vault instance.
+#
+# Expects Vault to already be initialized (run --tags vault_init first).
+# Unseals if sealed and vault_unseal_keys is defined.
+# Then configures OIDC authentication with Keycloak.
+
+- name: Validate required variables
+  ansible.builtin.assert:
+    that:
+      - vault_url | length > 0
+      - vault_vault_root_token | default('') | length > 0
+      - vault_oidc_issuer | default('') | length > 0
+      - vault_vault_oidc_client_secret | default('') | length > 0
+    fail_msg: >-
+      vault_vault_root_token, vault_oidc_issuer, and vault_vault_oidc_client_secret
+      are required. Run --tags vault_init first, save credentials to 1Password,
+      then run --tags vault_configure_keycloak,vault_configure_oidc or default play.
+
+- name: Check Vault status
+  ansible.builtin.uri:
+    url: "{{ vault_url }}/v1/sys/health"
+    method: GET
+    validate_certs: "{{ vault_validate_certs }}"
+    status_code: [200, 429, 472, 473, 501, 503]
+  register: __vault_health
+
+- name: Assert Vault is initialized
+  ansible.builtin.assert:
+    that:
+      - __vault_health.json.initialized | bool
+    fail_msg: >-
+      Vault is not initialized. Run:
+        ansible-navigator run playbooks/deploy_vault.yml --tags vault_init
+
+- name: Unseal Vault if sealed
+  ansible.builtin.include_tasks: unseal.yml
+  when:
+    - __vault_health.json.sealed | bool
+    - vault_unseal_keys | default([]) | length > 0
+
+- name: Assert Vault is unsealed
+  ansible.builtin.assert:
+    that:
+      - not __vault_health.json.sealed | bool or __vault_unsealed | default(false) | bool
+    fail_msg: >-
+      Vault is sealed. Provide vault_unseal_keys (list of unseal key strings) or
+      unseal manually via the Vault UI, then rerun.
+
+- name: Configure OIDC authentication
+  ansible.builtin.include_tasks: configure_oidc.yml