refactor hostkeys and knownhosts classes by moving and exposing their parameters in the relevant parents

REFERENCE.md

@@ -10,9 +10,8 @@
 
 * [`ssh`](#ssh): This class manages ssh client and server
 * [`ssh::client`](#ssh--client): This class add ssh client management
-* [`ssh::hostkeys`](#ssh--hostkeys): This class manages hostkeys
-* [`ssh::knownhosts`](#ssh--knownhosts): This class manages knownhosts if collection is enabled.
-* [`ssh::server`](#ssh--server): This class managed ssh server
+* [`ssh::hostkeys`](#ssh--hostkeys): This class manages hostkeys. It is intended to be called from `ssh::server`.
+* [`ssh::server`](#ssh--server): This class manages the ssh server and related resources, including host keys.
 
 #### Private Classes
 
@@ -337,6 +336,7 @@ The following parameters are available in the `ssh::client` class:
 * [`options_absent`](#-ssh--client--options_absent)
 * [`default_options`](#-ssh--client--default_options)
 * [`match_block`](#-ssh--client--match_block)
+* [`storeconfigs_group`](#-ssh--client--storeconfigs_group)
 
 ##### <a name="-ssh--client--ssh_config"></a>`ssh_config`
 
@@ -406,9 +406,17 @@ Add ssh match_block (with concat)
 
 Default value: `{}`
 
+##### <a name="-ssh--client--storeconfigs_group"></a>`storeconfigs_group`
+
+Data type: `Optional[String[1]]`
+
+Define the hostkeys tag to filter with
+
+Default value: `undef`
+
 ### <a name="ssh--hostkeys"></a>`ssh::hostkeys`
 
-This class manages hostkeys
+This class manages hostkeys. It is intended to be called from `ssh::server`.
 
 #### Parameters
 
@@ -429,94 +437,67 @@ Data type: `Boolean`
 
 Whether ip addresses should be added as aliases
 
-Default value: `true`
+Default value: `$ssh::server::export_ipaddresses`
 
 ##### <a name="-ssh--hostkeys--storeconfigs_group"></a>`storeconfigs_group`
 
 Data type: `Optional[String[1]]`
 
 Tag hostkeys with this group to allow segregation
 
-Default value: `undef`
+Default value: `$ssh::server::storeconfigs_group`
 
 ##### <a name="-ssh--hostkeys--extra_aliases"></a>`extra_aliases`
 
 Data type: `Array`
 
 Additional aliases to set for host keys
 
-Default value: `[]`
+Default value: `$ssh::server::extra_aliases`
 
 ##### <a name="-ssh--hostkeys--exclude_interfaces"></a>`exclude_interfaces`
 
 Data type: `Array`
 
 List of interfaces to exclude
 
-Default value: `[]`
+Default value: `$ssh::server::exclude_interfaces`
 
 ##### <a name="-ssh--hostkeys--exclude_interfaces_re"></a>`exclude_interfaces_re`
 
 Data type: `Array`
 
 List of regular expressions to exclude interfaces
 
-Default value: `[]`
+Default value: `$ssh::server::exclude_interfaces_re`
 
 ##### <a name="-ssh--hostkeys--exclude_ipaddresses"></a>`exclude_ipaddresses`
 
 Data type: `Array`
 
 List of ip addresses to exclude
 
-Default value: `[]`
+Default value: `$ssh::server::exclude_ipaddresses`
 
 ##### <a name="-ssh--hostkeys--use_trusted_facts"></a>`use_trusted_facts`
 
 Data type: `Boolean`
 
 Whether to use trusted or normal facts
 
-Default value: `false`
+Default value: `$ssh::server::use_trusted_facts`
 
 ##### <a name="-ssh--hostkeys--tags"></a>`tags`
 
 Data type: `Optional[Array[String[1]]]`
 
 Array of custom tags
 
-Default value: `undef`
-
-### <a name="ssh--knownhosts"></a>`ssh::knownhosts`
-
-This class manages knownhosts if collection is enabled.
-
-#### Parameters
-
-The following parameters are available in the `ssh::knownhosts` class:
-
-* [`collect_enabled`](#-ssh--knownhosts--collect_enabled)
-* [`storeconfigs_group`](#-ssh--knownhosts--storeconfigs_group)
-
-##### <a name="-ssh--knownhosts--collect_enabled"></a>`collect_enabled`
-
-Data type: `Boolean`
-
-Enable collection
-
-Default value: `$ssh::knownhosts::collect_enabled`
-
-##### <a name="-ssh--knownhosts--storeconfigs_group"></a>`storeconfigs_group`
-
-Data type: `Optional[String[1]]`
-
-Define the hostkeys group storage
-
-Default value: `undef`
+Default value: `$ssh::server::tags`
 
 ### <a name="ssh--server"></a>`ssh::server`
 
-This class managed ssh server
+This class manages the ssh server and related resources, including host keys.
 
 #### Examples
 
@@ -555,6 +536,14 @@ The following parameters are available in the `ssh::server` class:
 * [`use_issue_net`](#-ssh--server--use_issue_net)
 * [`sshd_environments_file`](#-ssh--server--sshd_environments_file)
 * [`server_package_name`](#-ssh--server--server_package_name)
+* [`export_ipaddresses`](#-ssh--server--export_ipaddresses)
+* [`storeconfigs_group`](#-ssh--server--storeconfigs_group)
+* [`extra_aliases`](#-ssh--server--extra_aliases)
+* [`exclude_interfaces`](#-ssh--server--exclude_interfaces)
+* [`exclude_interfaces_re`](#-ssh--server--exclude_interfaces_re)
+* [`exclude_ipaddresses`](#-ssh--server--exclude_ipaddresses)
+* [`use_trusted_facts`](#-ssh--server--use_trusted_facts)
+* [`tags`](#-ssh--server--tags)
 
 ##### <a name="-ssh--server--service_name"></a>`service_name`
 
@@ -710,6 +699,70 @@ Name of the server package to install
 
 Default value: `undef`
 
+##### <a name="-ssh--server--export_ipaddresses"></a>`export_ipaddresses`
+
+Data type: `Boolean`
+
+Whether IP addresses should be added as aliases for host keys
+
+Default value: `true`
+
+##### <a name="-ssh--server--storeconfigs_group"></a>`storeconfigs_group`
+
+Data type: `Optional[String[1]]`
+
+Tag host keys with this group to allow segregation
+
+Default value: `undef`
+
+##### <a name="-ssh--server--extra_aliases"></a>`extra_aliases`
+
+Data type: `Array`
+
+Additional aliases to set for host keys
+
+Default value: `[]`
+
+##### <a name="-ssh--server--exclude_interfaces"></a>`exclude_interfaces`
+
+Data type: `Array`
+
+List of interfaces to exclude when collecting IPs for host keys
+
+Default value: `[]`
+
+##### <a name="-ssh--server--exclude_interfaces_re"></a>`exclude_interfaces_re`
+
+Data type: `Array`
+
+List of regular expressions to exclude interfaces
+
+Default value: `[]`
+
+##### <a name="-ssh--server--exclude_ipaddresses"></a>`exclude_ipaddresses`
+
+Data type: `Array`
+
+List of IP addresses to exclude from host key aliases
+
+Default value: `[]`
+
+##### <a name="-ssh--server--use_trusted_facts"></a>`use_trusted_facts`
+
+Data type: `Boolean`
+
+Whether to use trusted facts instead of legacy facts
+
+Default value: `false`
+
+##### <a name="-ssh--server--tags"></a>`tags`
+
+Data type: `Optional[Array[String[1]]]`
+
+Array of custom tags to apply to exported host keys
+
+Default value: `undef`
+
 ## Defined types
 
 ### <a name="ssh--client--config--user"></a>`ssh::client::config::user`

data/common.yaml

@@ -23,9 +23,7 @@ ssh::server::service_name: 'svc:/network/ssh:default'
 ssh::sftp_server_path: 'internal-sftp'
 ssh::server::host_priv_key_group: 0
 ssh::validate_sshd_file             : false
-ssh::collect_enabled                : true   # Collect sshkey resources
 ssh::server::issue_net              : '/etc/issue.net'
-ssh::knownhosts::collect_enabled    : true
 
 ssh::server::default_options:
   ChallengeResponseAuthentication: 'no'

manifests/client.pp

@@ -35,6 +35,9 @@
 # @param match_block
 #   Add ssh match_block (with concat)
 #
+# @param storeconfigs_group
+#   Define the hostkeys tag to filter with
+#
 class ssh::client (
   Stdlib::Absolutepath $ssh_config,
   Hash                 $default_options,
@@ -45,6 +48,7 @@
   Boolean              $use_augeas           = false,
   Array                $options_absent       = [],
   Hash                 $match_block          = {},
+  Optional[String[1]]  $storeconfigs_group   = undef,
 ) {
   if $use_augeas {
     $merged_options = sshclient_options_to_augeas_ssh_config($options, $options_absent, { 'target' => $ssh_config })
@@ -55,14 +59,16 @@
   contain ssh::client::install
   contain ssh::client::config
 
-  # Provide option to *not* use storeconfigs/puppetdb, which means not managing
-  #  hostkeys and knownhosts
+  # Provide option to *not* use storeconfigs/puppetdb, which means not collecting host keys into knownhosts
   if ($storeconfigs_enabled) {
-    contain ssh::knownhosts
-
     Class['ssh::client::install']
     -> Class['ssh::client::config']
-    -> Class['ssh::knownhosts']
+
+    if $storeconfigs_group {
+      Sshkey <<| tag == "hostkey_${storeconfigs_group}" |>>
+    } else {
+      Sshkey <<| |>>
+    }
   } else {
     Class['ssh::client::install']
     -> Class['ssh::client::config']

manifests/hostkeys.pp

@@ -1,5 +1,5 @@
 # @summary
-#   This class manages hostkeys
+#   This class manages hostkeys. It is intended to be called from `ssh::server`.
 #
 # @param export_ipaddresses
 #   Whether ip addresses should be added as aliases
@@ -26,25 +26,25 @@
 #   Array of custom tags
 #
 class ssh::hostkeys (
-  Boolean                    $export_ipaddresses    = true,
-  Optional[String[1]]        $storeconfigs_group    = undef,
-  Array                      $extra_aliases         = [],
-  Array                      $exclude_interfaces    = [],
-  Array                      $exclude_interfaces_re = [],
-  Array                      $exclude_ipaddresses   = [],
-  Boolean                    $use_trusted_facts     = false,
-  Optional[Array[String[1]]] $tags                  = undef,
+  Boolean                    $export_ipaddresses    = $ssh::server::export_ipaddresses,
+  Optional[String[1]]        $storeconfigs_group    = $ssh::server::storeconfigs_group,
+  Array                      $extra_aliases         = $ssh::server::extra_aliases,
+  Array                      $exclude_interfaces    = $ssh::server::exclude_interfaces,
+  Array                      $exclude_interfaces_re = $ssh::server::exclude_interfaces_re,
+  Array                      $exclude_ipaddresses   = $ssh::server::exclude_ipaddresses,
+  Boolean                    $use_trusted_facts     = $ssh::server::use_trusted_facts,
+  Optional[Array[String[1]]] $tags                  = $ssh::server::tags,
 ) {
   if $use_trusted_facts {
     $fqdn_real = $trusted['certname']
     $hostname_real = $trusted['hostname']
   } else {
-    # stick to legacy facts for older versions of facter
+    # stick to normal facts
     $fqdn_real = $facts['networking']['fqdn']
     $hostname_real = $facts['networking']['hostname']
   }
 
-  if $export_ipaddresses == true {
+  if $export_ipaddresses {
     $ipaddresses = ssh::ipaddresses($exclude_interfaces, $exclude_interfaces_re)
     $ipaddresses_real = $ipaddresses - $exclude_ipaddresses
     $host_aliases = sort(unique(flatten([$fqdn_real, $hostname_real, $extra_aliases, $ipaddresses_real])))
@@ -63,12 +63,10 @@
   }
 
   ['dsa', 'rsa', 'ecdsa', 'ed25519'].each |String $key_type| {
-    # can be removed as soon as we drop support for puppet 4
-    # see https://tickets.puppetlabs.com/browse/FACT-1377?jql=project%20%3D%20FACT%20AND%20fixVersion%20%3D%20%22FACT%203.12.0%22
-    if $key_type == 'ecdsa' {
-      $key_type_real = 'ecdsa-sha2-nistp256'
-    } else {
-      $key_type_real = $key_type
+    # adjustment for ecdsa using a diff file name from key type
+    $key_type_real = $key_type ? {
+      'ecdsa' => 'ecdsa-sha2-nistp256',
+      default => $key_type,
     }
 
     if $key_type in $facts['ssh'] {