From a2845bb1f091a1af41b741f5735c9e518880fc38 Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Tue, 7 Nov 2023 13:17:00 +0100
Subject: [PATCH 1/3] Use the correct ssl_build_dir variable
It's a class variable, so that should be used consistently.
---
 manifests/ca.pp | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/manifests/ca.pp b/manifests/ca.pp
index 8b77a5ab..0dc04414 100644
--- a/manifests/ca.pp
+++ b/manifests/ca.pp
@@ -47,7 +47,7 @@
 generate => $generate,
 deploy => false,
 password_file => $ca_key_password_file,
- build_dir => $certs::ssl_build_dir,
+ build_dir => $ssl_build_dir,
 }
 $default_ca = Ca[$default_ca_name]
@@ -57,15 +57,15 @@
 generate => $generate,
 deploy => false,
 custom_pubkey => $certs::server_ca_cert,
- build_dir => $certs::ssl_build_dir,
+ build_dir => $ssl_build_dir,
 }
 } else {
 ca { $server_ca_name:
 ensure => present,
 generate => $generate,
 deploy => false,
- custom_pubkey => "${certs::ssl_build_dir}/${default_ca_name}.crt",
- build_dir => $certs::ssl_build_dir,
+ custom_pubkey => "${ssl_build_dir}/${default_ca_name}.crt",
+ build_dir => $ssl_build_dir,
 }
 }
@@ -86,7 +86,7 @@
 file { $certs::katello_default_ca_cert:
 ensure => file,
- source => "${certs::ssl_build_dir}/${default_ca_name}.crt",
+ source => "${ssl_build_dir}/${default_ca_name}.crt",
 owner => 'root',
 group => 'root',
 mode => '0644',
@@ -94,7 +94,7 @@
 file { $katello_server_ca_cert:
 ensure => file,
- source => "${certs::ssl_build_dir}/${server_ca_name}.crt",
+ source => "${ssl_build_dir}/${server_ca_name}.crt",
 owner => $owner,
 group => $group,
 mode => '0644',
From fdb54ea1bcf7351982fafb2f7a61b4775307fc84 Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Tue, 7 Nov 2023 13:17:30 +0100
Subject: [PATCH 2/3] Create the ssl build directory as part of the CA
---
 manifests/ca.pp | 7 +++++++
 manifests/config.pp | 7 -------
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/manifests/ca.pp b/manifests/ca.pp
index 0dc04414..7d7e12f4 100644
--- a/manifests/ca.pp
+++ b/manifests/ca.pp
@@ -27,6 +27,13 @@
 ensure => absent,
 }
+ file { $ssl_build_dir:
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0700',
+ }
+
 file { $ca_key_password_file:
 ensure => file,
 content => $ca_key_password,
diff --git a/manifests/config.pp b/manifests/config.pp
index eb462e6a..b6f9ae75 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -4,13 +4,6 @@
 Stdlib::Absolutepath $pki_dir = $certs::pki_dir,
 String $group = $certs::group,
 ) {
- file { $certs::ssl_build_dir:
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0700',
- }
-
 file { $pki_dir:
 ensure => directory,
 owner => 'root',
From f3070bccd8e768b3652575ca95789ebd083d059a Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Tue, 7 Nov 2023 13:17:45 +0100
Subject: [PATCH 3/3] Only deploy the pki dir if needed
---
 manifests/ca.pp | 2 ++
 manifests/init.pp | 2 --
 manifests/keypair.pp | 2 ++
 manifests/qpid.pp | 2 ++
 4 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/manifests/ca.pp b/manifests/ca.pp
index 7d7e12f4..dc05217e 100644
--- a/manifests/ca.pp
+++ b/manifests/ca.pp
@@ -85,6 +85,8 @@
 }
 if $deploy {
+ include certs::config
+
 # Ensure CA key deployed to /etc/pki/katello/private no longer exists
 # The CA key is not used by anything from this directory and does not need to be deployed
 file { $ca_key:
diff --git a/manifests/init.pp b/manifests/init.pp
index 372dff1f..b3344b3e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -116,11 +116,9 @@
 }
 contain certs::install
- contain certs::config
 contain certs::ca
 Class['certs::install'] ->
- Class['certs::config'] ->
 Class['certs::ca']
 $default_ca = $certs::ca::default_ca
diff --git a/manifests/keypair.pp b/manifests/keypair.pp
index 4503d554..b5f2017b 100644
--- a/manifests/keypair.pp
+++ b/manifests/keypair.pp
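Review bot: The new `file { $ssl_build_dir: }` resource in the ca.pp hunk (@@ -27,6 +27,13 @@) has no explicit relationship to the `ca` resources later in the same class that pass `build_dir => $ssl_build_dir`, whereas the directory previously came from certs::config, which init.pp ordered before certs::ca. After this move the directory is guaranteed to exist before the CA is built only if the module relies on Puppet's default manifest ordering or the `ca` type autorequires its `build_dir`, neither of which is visible in the hunk. A one-line chain placed after the file resource, `File[$ssl_build_dir] -> Ca <| |>`, or `require => File[$ssl_build_dir],` on each `ca` resource, would make the dependency explicit and keeps the `0700` root-only mode carried over from config.pp as the first thing applied. The enclosing class certs::ca starts before this hunk.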
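Review bot: `include certs::config` in the ca.pp hunk (@@ -85,6 +85,8 @@) creates no ordering relationship, while the `contain certs::config` and the `Class['certs::config'] ->` chain that the init.pp hunk removes did; the same applies to the `include` lines added in the keypair.pp and qpid.pp hunks. The `private_key` resource in keypair.pp and the client cert/key paths in qpid.pp live under `$pki_dir`, which certs::config creates, and nothing shown autorequires it (Puppet's `file` type autorequires parent directories, custom types only if they implement it). Unless the module deliberately relies on manifest ordering, `require certs::config` in all three places keeps the include and adds the edge, provided certs::config does not itself depend on these classes (its visible defaults only read `$certs::pki_dir` and `$certs::group`). The enclosing class and defined type bodies all start before their hunks.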
@@ -15,6 +15,8 @@
 Boolean $key_decrypt = false,
 Optional[Stdlib::Absolutepath] $key_password_file = undef,
 ) {
+ include certs::config
+
 private_key { $key_file:
 ensure => $key_ensure,
 source => "${source_dir}/${title}.key",
diff --git a/manifests/qpid.pp b/manifests/qpid.pp
index 9832245a..166c2876 100644
--- a/manifests/qpid.pp
+++ b/manifests/qpid.pp
@@ -41,6 +41,8 @@
 $nss_db_dir = $certs::ssltools::nssdb::nss_db_dir
 $nss_db_password_file = $certs::ssltools::nssdb::nss_db_password_file
+ include certs::config
+
 $client_cert = "${pki_dir}/certs/${qpid_cert_name}.crt"
 $client_key = "${pki_dir}/private/${qpid_cert_name}.key"