salt: Do not overwrite private key for nginx-ingress

In nginx-ingress we generate several private key for certificates,
those private key are only needed to generate these certificates and we
do not really care about the length of the key, so if the key already
exists do not generate a new one and take this one even if it's not the
expected key length

salt/metalk8s/addons/nginx-ingress-control-plane/certs/server.sls

@@ -1,11 +1,13 @@
 {%- from "metalk8s/map.jinja" import nginx_ingress with context %}
 
+{%- set private_key_path = "/etc/metalk8s/pki/nginx-ingress/control-plane-server.key" %}
+
 include:
   - metalk8s.internal.m2crypto
 
 Create Control-Plane Ingress server private key:
   x509.private_key_managed:
-    - name: /etc/metalk8s/pki/nginx-ingress/control-plane-server.key
+    - name: {{ private_key_path }}
     - bits: 4096
     - verbose: False
     - user: root
@@ -15,6 +17,8 @@ Create Control-Plane Ingress server private key:
     - dir_mode: 755
     - require:
       - metalk8s_package_manager: Install m2crypto
+    - unless:
+      - test -f "{{ private_key_path }}"
 
 {# TODO: add Ingress Service IP once stable (LoadBalancer probably) #}
 {%- set certSANs = [
@@ -31,7 +35,7 @@ Create Control-Plane Ingress server private key:
 Generate Control-Plane Ingress server certificate:
   x509.certificate_managed:
     - name: /etc/metalk8s/pki/nginx-ingress/control-plane-server.crt
-    - public_key: /etc/metalk8s/pki/nginx-ingress/control-plane-server.key
+    - public_key: {{ private_key_path }}
     - ca_server: {{ pillar.metalk8s.ca.minion }}
     - signing_policy: {{ nginx_ingress.cert.server_signing_policy }}
     - CN: nginx-ingress-control-plane-server

salt/metalk8s/addons/nginx-ingress/ca/installed.sls

@@ -1,11 +1,13 @@
 {%- from "metalk8s/map.jinja" import nginx_ingress with context %}
 
+{%- set private_key_path = "/etc/metalk8s/pki/nginx-ingress/ca.key" %}
+
 include:
   - metalk8s.internal.m2crypto
 
 Create Ingress CA private key:
   x509.private_key_managed:
-    - name: /etc/metalk8s/pki/nginx-ingress/ca.key
+    - name: {{ private_key_path }}
     - bits: 4096
     - verbose: False
     - user: root
@@ -15,11 +17,13 @@ Create Ingress CA private key:
     - dir_mode: 755
     - require:
       - metalk8s_package_manager: Install m2crypto
+    - unless:
+      - test -f "{{ private_key_path }}"
 
 Generate Ingress CA certificate:
   x509.certificate_managed:
     - name: /etc/metalk8s/pki/nginx-ingress/ca.crt
-    - signing_private_key: /etc/metalk8s/pki/nginx-ingress/ca.key
+    - signing_private_key: {{ private_key_path }}
     - CN: ingress-ca
     - keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
     - basicConstraints: "critical CA:true"

salt/metalk8s/addons/nginx-ingress/certs/server.sls

@@ -1,11 +1,13 @@
 {%- from "metalk8s/map.jinja" import nginx_ingress with context %}
 
+{%- set private_key_path = "/etc/metalk8s/pki/nginx-ingress/workload-plane-server.key" %}
+
 include:
   - metalk8s.internal.m2crypto
 
 Create Workload-Plane Ingress server private key:
   x509.private_key_managed:
-    - name: /etc/metalk8s/pki/nginx-ingress/workload-plane-server.key
+    - name: {{ private_key_path }}
     - bits: 4096
     - verbose: False
     - user: root
@@ -15,6 +17,8 @@ Create Workload-Plane Ingress server private key:
     - dir_mode: 755
     - require:
       - metalk8s_package_manager: Install m2crypto
+    - unless:
+      - test -f "{{ private_key_path }}"
 
 {# TODO: add Ingress Service IP once stable (LoadBalancer probably) #}
 {%- set certSANs = [
@@ -31,7 +35,7 @@ Create Workload-Plane Ingress server private key:
 Generate Workload-Plane Ingress server certificate:
   x509.certificate_managed:
     - name: /etc/metalk8s/pki/nginx-ingress/workload-plane-server.crt
-    - public_key: /etc/metalk8s/pki/nginx-ingress/workload-plane-server.key
+    - public_key: {{ private_key_path }}
     - ca_server: {{ pillar.metalk8s.ca.minion }}
     - signing_policy: {{ nginx_ingress.cert.server_signing_policy }}
     - CN: nginx-ingress-workload-plane-server