From 54cbed21dc4f8f817b4d513a07c20bc71b6ebcd2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Steffen=20=E2=80=9Csaz=E2=80=9D=20Zieger?=
Date: Tue, 28 Oct 2025 17:34:51 +0100
Subject: [PATCH] Fix ssh hostkeys export after merging #423

Without the workaround, we should use the ssh key type stored in the fact, as `ecdsa` isn't a valid key type. See https://www.puppet.com/docs/puppet/7/core_facts.html#ssh for valid names in the `ssh` fact
---
 manifests/hostkeys.pp | 17 +++++++++++++----
 spec/classes/hostkeys_spec.rb | 6 +++---
 2 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/manifests/hostkeys.pp b/manifests/hostkeys.pp
index 09c923f0..19d05cec 100644
--- a/manifests/hostkeys.pp
+++ b/manifests/hostkeys.pp
@@ -78,14 +78,23 @@
 @@sshkey { "${fqdn_real}_${key_type}":
 ensure => present,
 host_aliases => $host_aliases,
- type => $key_type,
+ type => $facts['ssh'][$key_type]['type'],
 key => $facts['ssh'][$key_type]['key'],
 tag => $_tags,
 }
 } else {
- @@sshkey { "${fqdn_real}_${key_type}":
- ensure => absent,
- type => $key_type,
+ if $key_type == 'ecdsa' {
+ ['ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521'].each |String[1] $kt| {
+ @@sshkey { "${fqdn_real}_${kt}":
+ ensure => absent,
+ type => $kt,
+ }
+ }
+ } else {
+ @@sshkey { "${fqdn_real}_${key_type}":
+ ensure => absent,
+ type => $key_type,
+ }
 }
 }
 }
diff --git a/spec/classes/hostkeys_spec.rb b/spec/classes/hostkeys_spec.rb
index cd42d61c..e341077d 100644
--- a/spec/classes/hostkeys_spec.rb
+++ b/spec/classes/hostkeys_spec.rb
@@ -19,7 +19,7 @@
 expect(exported_resources).to contain_sshkey("foo.example.com_#{key_type}").
 with(
 ensure: 'present',
- type: %r{^#{key_type}},
+ type: %r{^ssh-#{key_type}},
 tag: %w[group1 group2]
 )
 }
@@ -38,7 +38,7 @@
 expect(exported_resources).to contain_sshkey("foo.example.com_#{key_type}").
 with(
 ensure: 'present',
- type: %r{^#{key_type}},
+ type: %r{^ssh-#{key_type}},
 tag: %w[hostkey_all hostkey_server_group]
 )
 }
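Review bot: The three `absent` resources added for `ecdsa` in manifests/hostkeys.pp are titled `"${fqdn_real}_${kt}"`, while the `present` branch above still exports the key under the title `"${fqdn_real}_${key_type}"`. No `name` is set in either branch, so the title is what names the known_hosts entry, and it looks like the cleanup resources would not match an entry previously written under the `_ecdsa` title; a retired ECDSA host key would then stay trusted on collecting nodes. If the sshkey type in use identifies entries by name plus type, adding `name => "${fqdn_real}_${key_type}",` to the resource inside the `.each` block keeps the titles unique and targets the existing entry. The surrounding `if`/`else` starts outside the hunk, so the condition that selects the `absent` branch is not visible here.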
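Review bot: The three hunks in spec/classes/hostkeys_spec.rb (at lines 19, 38 and 58) only retarget the `present` expectation to `%r{^ssh-#{key_type}}`; none of them exercises the new `ecdsa` handling in the manifest. The list that `key_type` iterates over is outside these hunks, but if it includes `ecdsa` this pattern cannot match a fact type such as `ecdsa-sha2-nistp256`. An example that supplies an `ssh` fact without an ECDSA key and expects `ensure: 'absent'` for each of the three `ecdsa-sha2-nistp*` resources would pin the new branch, and one with an ECDSA key present would pin the type taken from the fact.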
@@ -58,7 +58,7 @@
 expect(exported_resources).to contain_sshkey("foo.example.com_#{key_type}").
 with(
 ensure: 'present',
- type: %r{^#{key_type}},
+ type: %r{^ssh-#{key_type}},
 tag: %w[hostkey_all hostkey_server_group group1 group2]
 )
 }