diff --git a/roles/finalizer/defaults/main.yml b/roles/finalizer/defaults/main.yml
index 6bf1bc52..ed97d539 100644
--- a/roles/finalizer/defaults/main.yml
+++ b/roles/finalizer/defaults/main.yml
@@ -1,21 +1 @@
 ---
-# Whether secrets should be garbage collected
-# on teardown
-#
-tower_garbage_collect_secrets: false
-
-# Secret to lookup that provide the admin password
-#
-tower_admin_password_secret: ''
-
-# Secret to lookup that provide the secret key
-#
-tower_secret_key_secret: ''
-
-# Secret to lookup that provide the PostgreSQL configuration
-#
-tower_postgres_configuration_secret: ''
-
-# Secret to lookup that provide the broadcast websocket key
-#
-tower_broadcast_websocket_secret: ''
diff --git a/roles/finalizer/tasks/main.yml b/roles/finalizer/tasks/main.yml
index 9f6fdc86..ed97d539 100644
--- a/roles/finalizer/tasks/main.yml
+++ b/roles/finalizer/tasks/main.yml
@@ -1,27 +1 @@
 ---
-- block:
- - name: Define secrets name
- set_fact:
- _admin_password: '{{ tower_admin_password_secret | length | ternary(tower_admin_password_secret, meta.name + "-admin-password") }}'
- _secret_key: '{{ tower_secret_key_secret | length | ternary(tower_secret_key_secret, meta.name + "-secret-key") }}'
- # yamllint disable-line rule:line-length
- _broadcast_websocket_secret: '{{ tower_broadcast_websocket_secret | length | ternary(tower_broadcast_websocket_secret, meta.name + "-broadcast-websocket") }}' # noqa 204
- # yamllint disable-line rule:line-length
- _postgres_configuration: '{{ tower_postgres_configuration_secret | length | ternary(tower_postgres_configuration_secret, meta.name + "-postgres-configuration") }}' # noqa 204
-
- - name: Remove ownerReferences reference
- k8s:
- definition:
- apiVersion: v1
- kind: Secret
- metadata:
- name: '{{ item }}'
- namespace: '{{ meta.namespace }}'
- ownerReferences: null
- loop:
- - '{{ _admin_password }}'
- - '{{ _secret_key }}'
- - '{{ _postgres_configuration }}'
- - '{{ _broadcast_websocket_secret }}'
-
- when: not tower_garbage_collect_secrets | bool
diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml
index f5225614..9e9b0a20 100644
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -71,6 +71,10 @@ tower_broadcast_websocket_secret: ''
 #
 tower_secret_key_secret: ''
 
+# Secret to lookup that provide the PostgreSQL configuration
+#
+tower_postgres_configuration_secret: ''
+
 # Secret to lookup that provides old database credentials (for migration)
 tower_old_postgres_configuration_secret: ''
 
@@ -172,14 +176,15 @@ tower_projects_storage_class: ''
 tower_projects_storage_size: 8Gi
 tower_projects_storage_access_mode: ReadWriteMany
 
-# Secret to lookup that provide the PostgreSQL configuration
-#
-tower_postgres_configuration_secret: ''
-
 ca_trust_bundle: "/etc/pki/tls/certs/ca-bundle.crt"
 
 # Secret to lookup that provides the LDAP CACert trusted bundle
 #
 ldap_cacert_secret: ''
 
+# Whether secrets should be garbage collected
+# on teardown
+#
+tower_garbage_collect_secrets: false
+
 development_mode: false
diff --git a/roles/installer/tasks/cleanup.yml b/roles/installer/tasks/cleanup.yml
new file mode 100644
index 00000000..9f6fdc86
--- /dev/null
+++ b/roles/installer/tasks/cleanup.yml
@@ -0,0 +1,27 @@
+---
+- block:
+ - name: Define secrets name
+ set_fact:
+ _admin_password: '{{ tower_admin_password_secret | length | ternary(tower_admin_password_secret, meta.name + "-admin-password") }}'
+ _secret_key: '{{ tower_secret_key_secret | length | ternary(tower_secret_key_secret, meta.name + "-secret-key") }}'
+ # yamllint disable-line rule:line-length
+ _broadcast_websocket_secret: '{{ tower_broadcast_websocket_secret | length | ternary(tower_broadcast_websocket_secret, meta.name + "-broadcast-websocket") }}' # noqa 204
+ # yamllint disable-line rule:line-length
+ _postgres_configuration: '{{ tower_postgres_configuration_secret | length | ternary(tower_postgres_configuration_secret, meta.name + "-postgres-configuration") }}' # noqa 204
+
+ - name: Remove ownerReferences reference
+ k8s:
+ definition:
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: '{{ item }}'
+ namespace: '{{ meta.namespace }}'
+ ownerReferences: null
+ loop:
+ - '{{ _admin_password }}'
+ - '{{ _secret_key }}'
+ - '{{ _postgres_configuration }}'
+ - '{{ _broadcast_websocket_secret }}'
+
+ when: not tower_garbage_collect_secrets | bool
diff --git a/roles/installer/tasks/main.yml b/roles/installer/tasks/main.yml
index b7ff9627..b23703ba 100644
--- a/roles/installer/tasks/main.yml
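Review bot: The comment added above `tower_garbage_collect_secrets: false` in the installer defaults does not say what the default actually does to the credentials, and "on teardown" no longer matches where the flag is consumed now that cleanup.yml is included from the installer role rather than the finalizer. With `false`, the admin password, secret key, broadcast websocket key and PostgreSQL configuration secrets have their ownerReferences stripped during reconciliation, so they survive deletion of the custom resource and stay in the namespace until someone deletes them by hand; that retention behaviour is the thing an operator of this role needs to know. I would replace the three comment lines with one that names the four secrets, states that `false` (the default) detaches them from Kubernetes garbage collection during reconciliation so they persist after the resource is removed, and that `true` leaves the ownerReferences in place so they are deleted with it. The same wording fix applies to the moved `tower_postgres_configuration_secret` comment in the earlier hunk of this file, where "that provide" should read "that provides" to match the neighbouring `tower_old_postgres_configuration_secret` comment.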
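Review bot: The "Remove ownerReferences reference" task in cleanup.yml relies on the `k8s` module's default state, which creates the object when it is missing, so if any of the four names does not resolve to an existing Secret (for example a user-supplied `tower_admin_password_secret` that was mistyped) the task silently creates an empty `Secret` with that name instead of surfacing the problem. If every one of these secrets is always created earlier in the role this is only latent, but the secret-creation tasks are not part of this diff, so I cannot confirm that. A `k8s_info` lookup registered per item, with the patch task looping over its results and guarded on `item.resources | length > 0`, patches only what exists; where the Kubernetes collection in use supports `state: patched` on `k8s`, that is the shorter fix. The block also runs on every reconcile, so consider whether the lookup-plus-patch should be limited to secrets that still carry an ownerReference to avoid four no-op patches per loop.

```yaml
    - name: Look up secrets to detach from garbage collection
      k8s_info:
        api_version: v1
        kind: Secret
        name: '{{ item }}'
        namespace: '{{ meta.namespace }}'
      loop:
        - '{{ _admin_password }}'
        - '{{ _secret_key }}'
        - '{{ _postgres_configuration }}'
        - '{{ _broadcast_websocket_secret }}'
      register: _secret_lookup

    - name: Remove ownerReferences reference
      k8s:
        definition:
          apiVersion: v1
          kind: Secret
          metadata:
            name: '{{ item.item }}'
            namespace: '{{ meta.namespace }}'
            ownerReferences: null
      loop: '{{ _secret_lookup.results }}'
      # only patch secrets that actually exist; never create an empty one
      when: item.resources | length > 0
  # … unchanged: when: not tower_garbage_collect_secrets | bool …
```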
+++ b/roles/installer/tasks/main.yml
@@ -69,3 +69,6 @@
 
 - name: Update status variables
 include_tasks: update_status.yml
+
+- name: Cleanup & Set garbage collection refs
+ include_tasks: cleanup.yml
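Review bot: Including cleanup.yml at the end of the reconcile in roles/installer/tasks/main.yml makes the flag effectively one-way: on the first reconcile with the default `false` the ownerReferences are removed, and if a user later sets `tower_garbage_collect_secrets: true` nothing in this diff re-adds them, so the secrets will still not be garbage collected — unless the secret-creation tasks elsewhere in the role re-apply the ownerReference on every run, which I cannot see from here. Either that symmetry should be added (re-attach the owner reference when the flag is true) or the behaviour documented next to the flag. The task name "Cleanup & Set garbage collection refs" also overstates what the included file does, since it only removes references; `- name: Detach managed secrets from garbage collection when tower_garbage_collect_secrets is false` describes it accurately. The enclosing task list continues above the hunk.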