puppet - 如何在 puppet 提供程序中创建 ssh_authorized_key 资源？（我要强制冲洗吗？）

Question

完整代码在https://gist.github.com/c9815c1b19a36ed07ca5

在nodes.pp我有

node 'random.brighterplanet.com' {
  $deploy_user = 'www-data'
  include secured_by_authorized_keys
  include logs_in_as_deploy
}

在modules/logs_in_as_deploy/manifests/logs_in_as_deploy.pp我有

class logs_in_as_deploy {
  access_via_authorized_key { $deploy_user:
    ensure => present
  }
}

在modules/secured_by_authorized_keys/lib/puppet/provider/authorized_keys.rb我有

# [...]
def to_ssh_authorized_key(name, ensure_status)
  k = Puppet::Type.type(:ssh_authorized_key).new :name => id(name), :ensure => ensure_status, :key => public_key, :type => 'ssh-rsa', :user => name
  k.provider.create
  k
end
# [...]
Puppet::Type.type(:access_via_authorized_key).provide(:authorized_keys) do
# [...]
  def create
    ks = AuthorizedParty.all.map do |authorized_party|
      authorized_party.to_ssh_authorized_key resource[:name], :present
    end
  end
# [...]

我懂了

# puppet --debug  /etc/puppet/manifests/site.pp 
[...]
notice: /Stage[main]/Logs_in_as_deploy/Access_via_authorized_key[www-data]/ensure: created
debug: Finishing transaction -611364608
debug: Storing state
debug: Stored state in 0.01 seconds
notice: Finished catalog run in 2221.41 seconds

但是没有任何东西写入authorized_keys文件。我想我要么必须

• 以某种方式将内置ssh_authorized_key资源添加到节点目录
• 以某种方式调用它

我究竟做错了什么？

Answer 1

我评论了你的要点。

我相信这个自定义类型代码对于使用本机 ssh_authorized_key 类型有点过于乐观了。将资源硬编码到类型代码中并忽略目录内容是边缘滥用。

谨慎的做法是在清单中实现这一点

$keys = { 'rimuhosting' => { 'id' => ... }, ... }

define my_authorized_key($ensure = present) {
  $data = $keys[$title]
  $key_name = $data['email'] + "-" + $data['public_key_version'] + "-" + $data['user']
  ssh_authorized_key {
    "$key_name":
      ensure => $ensure,
      type => 'ssh-rsa',
      ...
  }
}

而且因为全有或全无似乎是目标

class authorized_keys($ensure = present) {
  $names = keys($keys)   # <- function from puppetlabs-stdlib module
  my_authorized_key { $names: ensure => $ensure }
}

参数化的类可能很难用，如果你想走这条路，我强烈建议将它与Hiera结合使用。