check current fleet policy cert against cert on disk

Co-authored-by: Copilot <copilot@github.com>

salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update

@@ -235,6 +235,16 @@ function update_kafka_outputs() {
 
 {% endif %}
 
+# Compare the current Elastic Fleet certificate against what is on disk
+POLICY_CERT_SHA=$(jq -r '.item.ssl.certificate' <<< $RAW_JSON | openssl x509 -noout -sha256 -fingerprint)
+DISK_CERT_SHA=$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt -noout -sha256 -fingerprint)
+
+if [[ "$POLICY_CERT_SHA" != "$DISK_CERT_SHA" ]]; then
+    printf "Certificate on disk doesn't match certificate in policy - forcing update\n"
+    UPDATE_CERTS=true
+    FORCE_UPDATE=true
+fi
+
 # Sort & hash the new list of Logstash Outputs
 NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${NEW_LIST[@]}")
 NEW_HASH=$(sha256sum <<< "$NEW_LIST_JSON" | awk '{print $1}')

setup/so-functions

@@ -1701,24 +1701,6 @@ remove_package() {
 	fi
 }
 
-ensure_pyyaml() {
-	title "Ensuring python3-pyyaml is installed"
-	if rpm -q python3-pyyaml >/dev/null 2>&1; then
-		info "python3-pyyaml already installed"
-		return 0
-	fi
-	info "python3-pyyaml not found, attempting to install"
-	set -o pipefail
-	dnf -y install python3-pyyaml 2>&1 | tee -a "$setup_log"
-	local result=$?
-	set +o pipefail
-	if [[ $result -ne 0 ]] || ! rpm -q python3-pyyaml >/dev/null 2>&1; then
-		error "Failed to install python3-pyyaml (exit=$result)"
-		fail_setup
-	fi
-	info "python3-pyyaml installed successfully"
-}
-
 # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and salt/salt/master.defaults.yaml and salt/salt/minion.defaults.yaml
 # CAUTION! SALT VERSION UDDATES - READ BELOW
 # When updating the salt version, also update the version in:

setup/so-setup

@@ -66,9 +66,6 @@ set_timezone
 # Let's see what OS we are dealing with here
 detect_os
 
-# Ensure python3-pyyaml is available before any code that may need so-yaml/PyYAML
-ensure_pyyaml
-
 
 # Check to see if this is the setup type of "desktop".
 is_desktop=