From ebeeb91297fb806fa1265e38df43af44117586ec Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Wed, 28 Jan 2026 15:23:38 -0600
Subject: [PATCH] run fleet ssl state in fleet.config to ensure all required
 certs are created before so-elastic-fleet-setup runs

---
 salt/elasticfleet/config.sls                                 | 1 +
 salt/elasticfleet/enabled.sls                                | 1 -
 .../tools/sbin_jinja/so-kafka-fleet-output-policy            | 5 +++++
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/salt/elasticfleet/config.sls b/salt/elasticfleet/config.sls
index abe7b7cbc..9c79dfab6 100644
--- a/salt/elasticfleet/config.sls
+++ b/salt/elasticfleet/config.sls
@@ -11,6 +11,7 @@
 
 include:
   - elasticfleet.artifact_registry
+  - elasticfleet.ssl
 
 # Add EA Group
 elasticfleetgroup:
diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls
index 25212bbce..040d15fca 100644
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -15,7 +15,6 @@
 include:
   - ca
   - logstash.ssl
-  - elasticfleet.ssl
   - elasticfleet.config
   - elasticfleet.sostatus
 
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-kafka-fleet-output-policy b/salt/elasticfleet/tools/sbin_jinja/so-kafka-fleet-output-policy
index b44b467bc..2e44a4a36 100644
--- a/salt/elasticfleet/tools/sbin_jinja/so-kafka-fleet-output-policy
+++ b/salt/elasticfleet/tools/sbin_jinja/so-kafka-fleet-output-policy
@@ -34,6 +34,11 @@ if [[ "$RETURN_CODE" != "0" ]]; then
   exit 1
 fi
 
+if [[ ! -f /etc/pki/elasticfleet-kafka.crt || ! -f /etc/pki/elasticfleet-kafka.key ]]; then
+  echo -e "\nKafka certificates not found, can't setup Elastic Fleet output policy for Kafka...\n"
+  exit 1
+fi
+
 KAFKACRT=$(openssl x509 -in /etc/pki/elasticfleet-kafka.crt)
 KAFKAKEY=$(openssl rsa -in  /etc/pki/elasticfleet-kafka.key)
 KAFKACA=$(openssl x509 -in  /etc/pki/tls/certs/intca.crt)