oidc: only remove keycloak resources after switching back from OIDC authn type

so that the console operator does not enter a degraded state
because we moved the CA for the keycloak deployment

Signed-off-by: Bryce Palmer <[email protected]>

Author: everettraven

test/extended/authentication/oidc.go

@@ -364,16 +364,16 @@ var _ = g.Describe("[sig-auth][Suite:openshift/auth/external-oidc][Serial][Slow]
 	})
 
 	g.AfterAll(func() {
-		err := removeResources(ctx, cleanups...)
-		o.Expect(err).NotTo(o.HaveOccurred(), "should not encounter an error cleaning up keycloak resources")
-
 		err, modified := resetAuthentication(ctx, oc, originalAuth)
 		o.Expect(err).NotTo(o.HaveOccurred(), "should not encounter an error reverting authentication to original state")
 
 		// Only if we modified the Authentication resource during the reset should we wait for a rollout
 		if modified {
 			waitForRollout(ctx, oc)
 		}
+
+		err = removeResources(ctx, cleanups...)
+		o.Expect(err).NotTo(o.HaveOccurred(), "should not encounter an error cleaning up keycloak resources")
 	})
 })