## mark a section (Learn more)

require 'net/http' # Query db to fetch latest ssh known hosts, and store locally for 24 hours. module Puppet::Parser::Functions newfunction(:sshkeyfromdb, :type => :rvalue) do |args| #local cache file on each puppetmaster ssh_keys_file = "/tmp/sshkeys" #URL to query host = "puppet" url = "/setting/ssh_keys" #Time to keep cache - e.g. 24 hours. ttl = (60 * 60 * 24) # create a cache file if not File.exist?(ssh_keys_file) or File.mtime(ssh_keys_file) < (Time.now - ttl) # file is older than 24hours. keys = Net::HTTP.get host,url File.new(ssh_keys_file,"w", 0600).write(keys) # convert Marshal to hash keys = Marshal.load keys else keys = Marshal.load File.open(ssh_keys_file).read end case args[0].downcase when nil warn "Must supply key type - RSA or DSA" exit 1 when "hosts" # return an array of all hosts has a ssh public key hosts = Array.new keys.each_key do |fqdn| # return an array of all hosts ipaddress = keys[fqdn]["ipaddress"] hosts << [fqdn, ipaddress, 'ssh-rsa', keys[fqdn]["rsa"]] if keys[fqdn].has_key?('rsa') hosts << [fqdn, ipaddress, 'ssh-dss', keys[fqdn]["dsa"]] if keys[fqdn].has_key?('dsa') end return hosts end end end USAGE: class ssh::knownhosts { $ssh_hosts = sshkeyfromdb(hosts) # Generate known_hosts out of a template file{"/etc/ssh/ssh_known_hosts": owner => root, group => root, mode => 644, content => template("ssh/known_hosts.erb"), schedule => "maint", require => Schedule["maint"] } } template: <%# generate ssh keys from sshkeyfromdb function, not using native sshkey type do to performance difference %> <% ssh_hosts.each do |host| fqdn, ipaddress, key_type, key = host[0], host[1], host[2], host[3] hostname = fqdn.split('.')[0] -%> <%="#{hostname},#{fqdn},#{ipaddress} #{key_type} #{key}"%> <%end -%>

This paste will be private.