refactor hostkeys and knownhosts classes by moving and exposing their parameters in the relevant parents

REFERENCE.md

@@ -10,9 +10,9 @@
 
 * [`ssh`](#ssh): This class manages ssh client and server
 * [`ssh::client`](#ssh--client): This class add ssh client management
-* [`ssh::hostkeys`](#ssh--hostkeys): This class manages hostkeys
-* [`ssh::knownhosts`](#ssh--knownhosts): This class manages knownhosts if collection is enabled.
-* [`ssh::server`](#ssh--server): This class managed ssh server
+* [`ssh::hostkeys`](#ssh--hostkeys): This class manages hostkeys. It is intended to be called from `ssh::server`,
+and directly accesses variables from there.
+* [`ssh::server`](#ssh--server): This class manages the ssh server and related resources, including host keys.
 
 #### Private Classes
 
@@ -337,6 +337,8 @@ The following parameters are available in the `ssh::client` class:
 * [`options_absent`](#-ssh--client--options_absent)
 * [`default_options`](#-ssh--client--default_options)
 * [`match_block`](#-ssh--client--match_block)
+* [`collect_enabled`](#-ssh--client--collect_enabled)
+* [`storeconfigs_group`](#-ssh--client--storeconfigs_group)
 
 ##### <a name="-ssh--client--ssh_config"></a>`ssh_config`
 
@@ -366,7 +368,7 @@ Data type: `Boolean`
 
 Collected host keys from servers will be written to known_hosts unless storeconfigs_enabled is false
 
-Default value: `true`
+Default value: `$collect_enabled`
 
 ##### <a name="-ssh--client--options"></a>`options`
 
@@ -406,117 +408,30 @@ Add ssh match_block (with concat)
 
 Default value: `{}`
 
-### <a name="ssh--hostkeys"></a>`ssh::hostkeys`
-
-This class manages hostkeys
-
-#### Parameters
-
-The following parameters are available in the `ssh::hostkeys` class:
-
-* [`export_ipaddresses`](#-ssh--hostkeys--export_ipaddresses)
-* [`storeconfigs_group`](#-ssh--hostkeys--storeconfigs_group)
-* [`extra_aliases`](#-ssh--hostkeys--extra_aliases)
-* [`exclude_interfaces`](#-ssh--hostkeys--exclude_interfaces)
-* [`exclude_interfaces_re`](#-ssh--hostkeys--exclude_interfaces_re)
-* [`exclude_ipaddresses`](#-ssh--hostkeys--exclude_ipaddresses)
-* [`use_trusted_facts`](#-ssh--hostkeys--use_trusted_facts)
-* [`tags`](#-ssh--hostkeys--tags)
-
-##### <a name="-ssh--hostkeys--export_ipaddresses"></a>`export_ipaddresses`
+##### <a name="-ssh--client--collect_enabled"></a>`collect_enabled`
 
 Data type: `Boolean`
 
-Whether ip addresses should be added as aliases
+Enable collection
 
 Default value: `true`
 
-##### <a name="-ssh--hostkeys--storeconfigs_group"></a>`storeconfigs_group`
+##### <a name="-ssh--client--storeconfigs_group"></a>`storeconfigs_group`
 
 Data type: `Optional[String[1]]`
 
-Tag hostkeys with this group to allow segregation
+Define the hostkeys tag to filter with
 
 Default value: `undef`
 
-##### <a name="-ssh--hostkeys--extra_aliases"></a>`extra_aliases`
-
-Data type: `Array`
-
-Additional aliases to set for host keys
-
-Default value: `[]`
-
-##### <a name="-ssh--hostkeys--exclude_interfaces"></a>`exclude_interfaces`
-
-Data type: `Array`
-
-List of interfaces to exclude
-
-Default value: `[]`
-
-##### <a name="-ssh--hostkeys--exclude_interfaces_re"></a>`exclude_interfaces_re`
-
-Data type: `Array`
-
-List of regular expressions to exclude interfaces
-
-Default value: `[]`
-
-##### <a name="-ssh--hostkeys--exclude_ipaddresses"></a>`exclude_ipaddresses`
-
-Data type: `Array`
-
-List of ip addresses to exclude
-
-Default value: `[]`
-
-##### <a name="-ssh--hostkeys--use_trusted_facts"></a>`use_trusted_facts`
-
-Data type: `Boolean`
-
-Whether to use trusted or normal facts
-
-Default value: `false`
-
-##### <a name="-ssh--hostkeys--tags"></a>`tags`
-
-Data type: `Optional[Array[String[1]]]`
-
-Array of custom tags
-
-Default value: `undef`
-
-### <a name="ssh--knownhosts"></a>`ssh::knownhosts`
-
-This class manages knownhosts if collection is enabled.
-
-#### Parameters
-
-The following parameters are available in the `ssh::knownhosts` class:
-
-* [`collect_enabled`](#-ssh--knownhosts--collect_enabled)
-* [`storeconfigs_group`](#-ssh--knownhosts--storeconfigs_group)
-
-##### <a name="-ssh--knownhosts--collect_enabled"></a>`collect_enabled`
-
-Data type: `Boolean`
-
-Enable collection
-
-Default value: `$ssh::knownhosts::collect_enabled`
-
-##### <a name="-ssh--knownhosts--storeconfigs_group"></a>`storeconfigs_group`
-
-Data type: `Optional[String[1]]`
-
-Define the hostkeys group storage
+### <a name="ssh--hostkeys"></a>`ssh::hostkeys`
 
-Default value: `undef`
+This class manages hostkeys. It is intended to be called from `ssh::server`,
+and directly accesses variables from there.
 
 ### <a name="ssh--server"></a>`ssh::server`
 
-This class managed ssh server
+This class manages the ssh server and related resources, including host keys.
 
 #### Examples
 
@@ -555,6 +470,14 @@ The following parameters are available in the `ssh::server` class:
 * [`use_issue_net`](#-ssh--server--use_issue_net)
 * [`sshd_environments_file`](#-ssh--server--sshd_environments_file)
 * [`server_package_name`](#-ssh--server--server_package_name)
+* [`export_ipaddresses`](#-ssh--server--export_ipaddresses)
+* [`storeconfigs_group`](#-ssh--server--storeconfigs_group)
+* [`extra_aliases`](#-ssh--server--extra_aliases)
+* [`exclude_interfaces`](#-ssh--server--exclude_interfaces)
+* [`exclude_interfaces_re`](#-ssh--server--exclude_interfaces_re)
+* [`exclude_ipaddresses`](#-ssh--server--exclude_ipaddresses)
+* [`use_trusted_facts`](#-ssh--server--use_trusted_facts)
+* [`tags`](#-ssh--server--tags)
 
 ##### <a name="-ssh--server--service_name"></a>`service_name`
 
@@ -710,6 +633,70 @@ Name of the server package to install
 
 Default value: `undef`
 
+##### <a name="-ssh--server--export_ipaddresses"></a>`export_ipaddresses`
+
+Data type: `Boolean`
+
+Whether IP addresses should be added as aliases for host keys
+
+Default value: `true`
+
+##### <a name="-ssh--server--storeconfigs_group"></a>`storeconfigs_group`
+
+Data type: `Optional[String[1]]`
+
+Tag host keys with this group to allow segregation
+
+Default value: `undef`
+
+##### <a name="-ssh--server--extra_aliases"></a>`extra_aliases`
+
+Data type: `Array`
+
+Additional aliases to set for host keys
+
+Default value: `[]`
+
+##### <a name="-ssh--server--exclude_interfaces"></a>`exclude_interfaces`
+
+Data type: `Array`
+
+List of interfaces to exclude when collecting IPs for host keys
+
+Default value: `[]`
+
+##### <a name="-ssh--server--exclude_interfaces_re"></a>`exclude_interfaces_re`
+
+Data type: `Array`
+
+List of regular expressions to exclude interfaces
+
+Default value: `[]`
+
+##### <a name="-ssh--server--exclude_ipaddresses"></a>`exclude_ipaddresses`
+
+Data type: `Array`
+
+List of IP addresses to exclude from host key aliases
+
+Default value: `[]`
+
+##### <a name="-ssh--server--use_trusted_facts"></a>`use_trusted_facts`
+
+Data type: `Boolean`
+
+Whether to use trusted facts instead of legacy facts
+
+Default value: `false`
+
+##### <a name="-ssh--server--tags"></a>`tags`
+
+Data type: `Optional[Array[String[1]]]`
+
+Array of custom tags to apply to exported host keys
+
+Default value: `undef`
+
 ## Defined types
 
 ### <a name="ssh--client--config--user"></a>`ssh::client::config::user`

data/common.yaml

@@ -25,7 +25,6 @@ ssh::server::host_priv_key_group: 0
 ssh::validate_sshd_file             : false
 ssh::collect_enabled                : true   # Collect sshkey resources
 ssh::server::issue_net              : '/etc/issue.net'
-ssh::knownhosts::collect_enabled    : true
 
 ssh::server::default_options:
   ChallengeResponseAuthentication: 'no'

manifests/client.pp

@@ -35,16 +35,24 @@
 # @param match_block
 #   Add ssh match_block (with concat)
 #
+# @param collect_enabled
+#   Enable collection
+#
+# @param storeconfigs_group
+#   Define the hostkeys tag to filter with
+#
 class ssh::client (
   Stdlib::Absolutepath $ssh_config,
   Hash                 $default_options,
   Optional[String[1]]  $client_package_name  = undef,
   String               $ensure               = present,
-  Boolean              $storeconfigs_enabled = true,
+  Boolean              $collect_enabled      = true,
+  Boolean              $storeconfigs_enabled = $collect_enabled,  # should we transition away from this variable?
   Hash                 $options              = {},
   Boolean              $use_augeas           = false,
   Array                $options_absent       = [],
   Hash                 $match_block          = {},
+  Optional[String[1]]  $storeconfigs_group   = undef,
 ) {
   if $use_augeas {
     $merged_options = sshclient_options_to_augeas_ssh_config($options, $options_absent, { 'target' => $ssh_config })
@@ -55,14 +63,16 @@
   contain ssh::client::install
   contain ssh::client::config
 
-  # Provide option to *not* use storeconfigs/puppetdb, which means not managing
-  #  hostkeys and knownhosts
+  # Provide option to *not* use storeconfigs/puppetdb, which means not collecting host keys into knownhosts
   if ($storeconfigs_enabled) {
-    contain ssh::knownhosts
-
     Class['ssh::client::install']
     -> Class['ssh::client::config']
-    -> Class['ssh::knownhosts']
+
+    if $storeconfigs_group {
+      Sshkey <<| tag == "hostkey_${ssh::client::storeconfigs_group}" |>>
+    } else {
+      Sshkey <<| |>>
+    }
   } else {
     Class['ssh::client::install']
     -> Class['ssh::client::config']

manifests/hostkeys.pp

@@ -1,74 +1,41 @@
 # @summary
-#   This class manages hostkeys
+#   This class manages hostkeys. It is intended to be called from `ssh::server`,
+#   and directly accesses variables from there.
 #
-# @param export_ipaddresses
-#   Whether ip addresses should be added as aliases
-#
-# @param storeconfigs_group
-#   Tag hostkeys with this group to allow segregation
-#
-# @param extra_aliases
-#   Additional aliases to set for host keys
-#
-# @param exclude_interfaces
-#   List of interfaces to exclude
-#
-# @param exclude_interfaces_re
-#   List of regular expressions to exclude interfaces
-#
-# @param exclude_ipaddresses
-#   List of ip addresses to exclude
-#
-# @param use_trusted_facts
-#   Whether to use trusted or normal facts
-#
-# @param tags
-#   Array of custom tags
-#
-class ssh::hostkeys (
-  Boolean                    $export_ipaddresses    = true,
-  Optional[String[1]]        $storeconfigs_group    = undef,
-  Array                      $extra_aliases         = [],
-  Array                      $exclude_interfaces    = [],
-  Array                      $exclude_interfaces_re = [],
-  Array                      $exclude_ipaddresses   = [],
-  Boolean                    $use_trusted_facts     = false,
-  Optional[Array[String[1]]] $tags                  = undef,
-) {
-  if $use_trusted_facts {
+class ssh::hostkeys {
+
+  if $ssh::server::use_trusted_facts {
     $fqdn_real = $trusted['certname']
     $hostname_real = $trusted['hostname']
   } else {
-    # stick to legacy facts for older versions of facter
+    # stick to normal facts
     $fqdn_real = $facts['networking']['fqdn']
     $hostname_real = $facts['networking']['hostname']
   }
 
-  if $export_ipaddresses == true {
-    $ipaddresses = ssh::ipaddresses($exclude_interfaces, $exclude_interfaces_re)
-    $ipaddresses_real = $ipaddresses - $exclude_ipaddresses
-    $host_aliases = sort(unique(flatten([$fqdn_real, $hostname_real, $extra_aliases, $ipaddresses_real])))
+  if $ssh::server::export_ipaddresses {
+    $ipaddresses = ssh::ipaddresses($ssh::server::exclude_interfaces, $ssh::server::exclude_interfaces_re)
+    $ipaddresses_real = $ipaddresses - $ssh::server::exclude_ipaddresses
+    $host_aliases = sort(unique(flatten([$fqdn_real, $hostname_real, $ssh::server::extra_aliases, $ipaddresses_real])))
   } else {
-    $host_aliases = sort(unique(flatten([$fqdn_real, $hostname_real, $extra_aliases])))
+    $host_aliases = sort(unique(flatten([$fqdn_real, $hostname_real, $ssh::server::extra_aliases])))
   }
 
-  $storeconfigs_groups = $storeconfigs_group ? {
+  $storeconfigs_groups = $ssh::server::storeconfigs_group ? {
     undef   => [],
-    default => ['hostkey_all', "hostkey_${storeconfigs_group}"],
+    default => ['hostkey_all', "hostkey_${ssh::server::storeconfigs_group}"],
   }
 
-  $_tags = $tags ? {
+  $_tags = $ssh::server::tags ? {
     undef   => $storeconfigs_groups,
-    default => $storeconfigs_groups + $tags,
+    default => $storeconfigs_groups + $ssh::server::tags,
   }
 
   ['dsa', 'rsa', 'ecdsa', 'ed25519'].each |String $key_type| {
-    # can be removed as soon as we drop support for puppet 4
-    # see https://tickets.puppetlabs.com/browse/FACT-1377?jql=project%20%3D%20FACT%20AND%20fixVersion%20%3D%20%22FACT%203.12.0%22
-    if $key_type == 'ecdsa' {
-      $key_type_real = 'ecdsa-sha2-nistp256'
-    } else {
-      $key_type_real = $key_type
+    # adjustment for ecdsa using a diff file name from key type
+    $key_type_real = $key_type ? {
+      'ecdsa' => 'ecdsa-sha2-nistp256',
+      default => $key_type,
     }
 
     if $key_type in $facts['ssh'] {