require 'net/http'

# Query db to fetch latest ssh known hosts, and store locally for 24 hours.
module Puppet::Parser::Functions
 newfunction(:sshkeyfromdb, :type => :rvalue) do |args|
   #local cache file on each puppetmaster
  ssh_keys_file = "/tmp/sshkeys"
  #URL to query
  host = "puppet"
  url = "/setting/ssh_keys"
  #Time to keep cache - e.g. 24 hours.
  ttl = (60 * 60 * 24)

  # create a cache file
  if not File.exist?(ssh_keys_file) or File.mtime(ssh_keys_file) < (Time.now - ttl) # file is older than 24hours.
    keys = Net::HTTP.get host,url
    File.new(ssh_keys_file,"w", 0600).write(keys)
    # convert Marshal to hash
    keys = Marshal.load keys
  else
    keys = Marshal.load File.open(ssh_keys_file).read
  end
  case args[0].downcase
    when nil
      warn "Must supply key type - RSA or DSA"
      exit 1 
    when "hosts" # return an array of all hosts has a ssh public key
      hosts = Array.new
      keys.each_key do |fqdn| # return an array of all hosts
        ipaddress = keys[fqdn]["ipaddress"]  
        hosts << [fqdn, ipaddress, 'ssh-rsa', keys[fqdn]["rsa"]] if keys[fqdn].has_key?('rsa') 
        hosts << [fqdn, ipaddress, 'ssh-dss', keys[fqdn]["dsa"]] if keys[fqdn].has_key?('dsa') 
      end
      return hosts
    end
  end
 end





USAGE:

class ssh::knownhosts {
  $ssh_hosts = sshkeyfromdb(hosts)

  # Generate known_hosts out of a template
  file{"/etc/ssh/ssh_known_hosts":
    owner   => root, 
    group   => root, 
    mode    => 644, 
    content => template("ssh/known_hosts.erb"), 
    schedule => "maint",
    require  => Schedule["maint"]
  }
}

template:
<%# generate ssh keys from sshkeyfromdb function, not using native sshkey type do to performance difference %>
<% ssh_hosts.each do |host| 
  fqdn, ipaddress, key_type, key = host[0], host[1], host[2], host[3] 
  hostname = fqdn.split('.')[0] -%>
<%="#{hostname},#{fqdn},#{ipaddress} #{key_type} #{key}"%>
<%end -%>