add states to remove ca and ssl keys and certs and call them during reinstall.

salt/ca/remove.sls

@@ -0,0 +1,22 @@
+{% if grains.role in ['so-helix', 'so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import' ] %}
+
+pki_private_key:
+  file.absent:
+    - name: /etc/pki/ca.key
+
+pki_public_ca_crt:
+  file.absent:
+    - name: /etc/pki/ca.crt
+
+{% else %}
+
+not_a_ca:
+  test.succeed_without_changes:
+    - name: no_ca
+    - comment: "Not a CA, so no CA to remove."
+
+{% endif %}
+
+remove_ca-certificates.crt:
+  file.absent:
+    - name: /etc/ssl/certs/ca-certificates.crt

salt/influxdb/init.sls

@@ -84,6 +84,8 @@ wait_for_influxdb:
     - retry:
         attempts: 5
         interval: 60
+    - require:
+      - docker_container: so-influxdb
 
 telegraf_database:
   influxdb_database.present:

salt/ssl/remove.sls

@@ -0,0 +1,134 @@
+# Trust the CA
+trusttheca:
+  file.absent:
+    - name: /etc/ssl/certs/intca.crt
+
+removefbcertdir:
+  file.absent:
+    - name: /etc/pki/filebeat.crt 
+    - onlyif: "[ -d /etc/pki/filebeat.crt ]"
+
+removefbp8dir:
+  file.absent:
+    - name: /etc/pki/filebeat.p8 
+    - onlyif: "[ -d /etc/pki/filebeat.p8 ]"
+
+removeesp12dir:
+  file.absent:
+    - name: /etc/pki/elasticsearch.p12
+    - onlyif: "[ -d /etc/pki/elasticsearch.p12 ]"
+    
+influxdb_key:
+  file.absent:
+    - name: /etc/pki/influxdb.key
+
+influxdb_crt:
+  file.absent:
+    - name: /etc/pki/influxdb.crt
+
+{% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-fleet', 'so-receiver'] %}
+redis_key:
+  file.absent:
+    - name: /etc/pki/redis.key
+
+redis_crt:
+  file.absent:
+    - name: /etc/pki/redis.crt
+{% endif %}
+
+{% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %}
+etc_filebeat_key:
+  file.absent:
+    - name: /etc/pki/filebeat.key
+
+etc_filebeat_crt:
+  file.absent:
+    - name: /etc/pki/filebeat.crt
+
+  {% if grains.role not in ['so-heavynode', 'so-receiver'] %}
+filebeatdir:
+  file.absent:
+    - name: /opt/so/saltstack/local/salt/filebeat/files
+
+registry_key:
+  file.absent:
+    - name: /etc/pki/registry.key
+
+registry_crt:
+  file.absent:
+    - name: /etc/pki/registry.crt
+
+  {% endif %}
+
+  {% if grains.role not in ['so-receiver'] %}
+/etc/pki/elasticsearch.key:
+  file.absent: []
+
+/etc/pki/elasticsearch.crt:
+  file.absent: []
+
+remove_elasticsearch.p12:
+  file.absent:
+    - name: /etc/pki/elasticsearch.p12
+
+managerssl_key:
+  file.absent:
+    - name: /etc/pki/managerssl.key
+
+managerssl_crt:
+  file.absent:
+    - name: /etc/pki/managerssl.crt
+
+  {% endif %}
+
+fleet_key:
+  file.absent:
+    - name: /etc/pki/fleet.key
+
+fleet_crt:
+  file.absent:
+    - name: /etc/pki/fleet.crt
+
+{% endif %}
+
+{% if grains['role'] in ['so-sensor', 'so-manager', 'so-node', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone', 'so-import', 'so-receiver'] %}
+   
+fbcertdir:
+  file.absent:
+    - name: /opt/so/conf/filebeat/etc/pki
+    
+{% endif %}
+
+{% if grains['role'] == 'so-fleet' %}
+
+managerssl_key:
+  file.absent:
+    - name: /etc/pki/managerssl.key
+
+managerssl_crt:
+  file.absent:
+    - name: /etc/pki/managerssl.crt
+
+fleet_key:
+  file.absent:
+    - name: /etc/pki/fleet.key
+
+fleet_crt:
+  file.absent:
+    - name: /etc/pki/fleet.crt
+
+{% endif %}
+
+{% if grains['role'] == 'so-node' %}
+
+/etc/pki/elasticsearch.key:
+  file.absent: []
+
+/etc/pki/elasticsearch.crt:
+  file.absent: []
+
+remove_elastic.p12:
+  file.absent:
+    - name: /etc/pki/elasticsearch.p12
+
+{%- endif %}

setup/so-functions

@@ -2060,7 +2060,7 @@ reinstall_init() {
 
 	{
 		# remove all of root's cronjobs
-		crontab -r -u root
+		logCmd "crontab -r -u root"
 
 		if command -v salt-call &> /dev/null && grep -q "master:" /etc/salt/minion 2> /dev/null; then
 			# Disable schedule so highstate doesn't start running during the install
@@ -2091,6 +2091,9 @@ reinstall_init() {
 			done
 		done
 
+		logCmd "salt-call state.apply ca.remove -linfo --local"
+		logCmd "salt-call state.apply ssl.remove -linfo --local"
+
 		# Remove all salt configs
 		rm -rf /etc/salt/engines/* /etc/salt/grains /etc/salt/master /etc/salt/master.d/* /etc/salt/minion /etc/salt/minion.d/* /etc/salt/pki/* /etc/salt/proxy /etc/salt/proxy.d/* /var/cache/salt/
 
@@ -2122,10 +2125,13 @@ reinstall_init() {
 		remove_package launcher-final
 
 		if [[ $OS == 'ubuntu' ]]; then
+			info "Unholding previously held packages."
 			apt-mark unhold $(apt-mark showhold)
 		fi
 
 	} >> "$setup_log" 2>&1
+
+	info "System reinstall init has been completed."
 }
 
 reset_proxy() {