
On my systems I use exported resources and resource collection to manage the /etc/ssh/known_hosts file on my systems. This works great for all my SSH hosts that are managed via puppet. But I also have systems that are not managed by puppet (switches, routers, etc), and I don't have any immediate plans to start managing them.

Are there any elegant ways to get the host keys for those unmanaged systems into puppet? Right now I just have all of them in a single big ugly class, but there must be a better way. I have thought about somehow trying to move the keys for these hosts into hiera, or something else, but I haven't found a solution that isn't ugly.

Does anyone have a good method/pattern I can follow here?

Zoredache
  • Oh, I just use `telnet`. – ewwhite Jun 16 '14 at 22:24
  • how did you go with this? – Drew Khoury Jul 06 '14 at 07:06
  • @DrewKhoury For right now, I went with something that basically looked like what you have in your answer. But I am not entirely happy with it, and I am not sure why. I am still hoping someone will post an answer with something that is better. – Zoredache Jul 07 '14 at 05:26
  • Going to star this to see if anyone comes up with something better. If you're able to figure out why you don't like 'that' solution I might be able to give it a crack. – Drew Khoury Jul 07 '14 at 06:42

2 Answers


I have thought about somehow trying to move the keys for these hosts in to hiera, or something else, but I haven't found a solution that isn't ugly.

There are a number of ways to achieve this. I try to keep my classes generic, with all my configuration data in hiera. When I'm dealing with collections of data I try to use a hiera hash; that way I never have to change my class or define code.

1: Use a hiera hash to store a collection of keys.

hiera_key_hash:
    key-1:
        hostname: cisco500
        type: router
        key: xxx
    key-2:
        hostname: cisco100
        type: switch
        key: xxx

2: Create a class that calls `create_resources` for each key (it will call the define 'key').

class keys {
  create_resources('key', hiera('hiera_key_hash'))
}

3: Create a define that does the work for each key.

# $name and $title are set automatically to the resource title in a defined type
# and cannot be declared as parameters, so the host name is passed as $hostname
# (the hiera hash above uses the same field name).
define key($hostname, $type, $key) {
  # code goes here
}

Note: At some stage you might end up storing sensitive information in your hiera. You may want to consider encrypting some of your sensitive hiera values.

Drew Khoury

Hmm... maybe in Hiera, with a hiera_array collecting the data, feeding that array into resources through a defined type? Since you need hostname and key, you'll either need to put them both in a string and split() it in the defined type, or have the array have something more complex in it (probably a hash).

Still a headache to manage populating it and keeping it up to date; maybe a little script with a list of nodes to connect to, collect the keys from, and generate the hiera data?

Shane Madden
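Both answers leave the two hard parts to the reader: what each hiera entry should contain, and how to populate the entries without copying keys by hand. The script below is an added example (it is not code from either answer, nor from Puppet or OpenSSH) that implements Shane Madden's suggestion and produces the `hiera_key_hash` layout from Drew Khoury's answer. It reads `ssh-keyscan` output, checks that each base64 blob really carries the key type the line claims (the first length-prefixed string in the blob, which is how OpenSSH encodes public keys), computes the `SHA256:` fingerprint so the key can be read back against what the switch or router prints on its console before it is trusted, and emits the YAML. Assumptions not taken from the page: the field names `hostname`, `type`, `key` and `device` (the answer's `name` is renamed because `$name` is reserved in a Puppet defined type, and `type` here holds the key algorithm while the device class moves to `device`), the `<host>-<keytype>` title scheme, and the sample keyscan output, whose key material is made up.

```python
"""Build a hiera_key_hash from ssh-keyscan output (added example, not from the answers).

Assumptions (not from the original page): field names hostname/type/key/device,
and one resource title per host and algorithm of the form "<host>-<keytype>".
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def fake_blob(keytype: str, *fields: bytes) -> str:
    """Base64 public-key blob in OpenSSH's layout: the key type string comes first.
    The key material is made up for this example; real blobs come from ssh-keyscan."""
    raw = ssh_string(keytype.encode()) + b"".join(ssh_string(f) for f in fields)
    return base64.b64encode(raw).decode()


# Constructed sample: the shape of `ssh-keyscan -t rsa,ed25519 cisco500 cisco100`.
# The last line is deliberately inconsistent (column two says ssh-rsa, blob says ssh-dss).
RSA_BLOB = fake_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\x42" * 32)
ED_BLOB = fake_blob("ssh-ed25519", b"\x11" * 32)
BAD_BLOB = fake_blob("ssh-dss", b"\x01")
SAMPLE_KEYSCAN = f"""# cisco500:22 SSH-2.0-Cisco-1.25
cisco500 ssh-rsa {RSA_BLOB}
# cisco100:22 SSH-2.0-Cisco-1.25
cisco100 ssh-ed25519 {ED_BLOB}
cisco100 ssh-rsa {BAD_BLOB}
"""


def blob_type(blob_b64: str) -> str:
    """Return the key type embedded in the blob (its first length-prefixed string)."""
    raw = base64.b64decode(blob_b64, validate=True)
    (n,) = struct.unpack(">I", raw[:4])
    if n > len(raw) - 4:
        raise ValueError("truncated key blob")
    return raw[4:4 + n].decode("ascii")


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(raw blob)) without padding."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str):
    """Split keyscan output into (host, keytype, blob) triples plus rejected lines.

    A line is rejected when it is malformed or when the blob does not carry the
    key type column two claims: a mismatch means the capture was mangled or
    tampered with, and such a line must never reach known_hosts.
    """
    entries, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # ssh-keyscan prints the server banner as a '#' comment
        parts = line.split()
        if len(parts) < 3:
            rejected.append(line)
            continue
        host, keytype, blob = parts[0], parts[1], parts[2]
        try:
            if blob_type(blob) != keytype:
                rejected.append(line)
                continue
        except (ValueError, struct.error, UnicodeDecodeError):
            rejected.append(line)  # not base64, too short, or garbage type string
            continue
        entries.append((host, keytype, blob))
    return entries, rejected


def to_hiera(entries, device_types):
    """Map triples to the hiera_key_hash structure, one title per host and algorithm."""
    out = {}
    for host, keytype, blob in entries:
        out[f"{host}-{keytype}"] = {
            "hostname": host,
            "type": keytype,  # key algorithm, which is what a known_hosts entry needs
            "key": blob,
            "device": device_types.get(host, "unknown"),  # router, switch, ...
        }
    return out


def dump_yaml(hiera_hash) -> str:
    """Emit the hash as YAML. Values are hostnames, algorithm names and base64,
    so no quoting is needed and PyYAML is not required."""
    lines = ["hiera_key_hash:"]
    for title, attrs in hiera_hash.items():
        lines.append(f"  {title}:")
        lines.extend(f"    {k}: {v}" for k, v in attrs.items())
    return "\n".join(lines) + "\n"


def fingerprint_report(entries):
    """What to read back against each device's console before committing the YAML."""
    return {f"{host} ({keytype})": fingerprint(blob) for host, keytype, blob in entries}


if __name__ == "__main__":
    good, bad = parse_keyscan(SAMPLE_KEYSCAN)
    for label, fp in fingerprint_report(good).items():
        print(f"verify on console: {label} {fp}")
    for line in bad:
        print(f"rejected: {line}")
    print(dump_yaml(to_hiera(good, {"cisco500": "router", "cisco100": "switch"})))
```

The caveat a practitioner wants here: `ssh-keyscan` is trust-on-first-use, so a key harvested over the network is only as good as the network path at that moment. The fingerprint report exists so that each key is compared with what the device itself shows (for example the fingerprint its console prints for the host key) before the YAML is committed; the rejected list catches lines that were truncated or altered in transit, and the whole output is a candidate to diff against the previous run so that a silently changed host key is noticed rather than absorbed.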