eyaml: manage /etc/eyaml/config.yaml when creating keys

kenyon · kenyon · commit 0e53e94edff6 · 2025-08-25T15:20:35.000-07:00
If $create_keys is true, then this class now manages the systemwide eyaml configuration file. https://github.com/voxpupuli/hiera-eyaml/?tab=readme-ov-file#configuration-file-for-eyaml
diff --git a/manifests/eyaml.pp b/manifests/eyaml.pp
@@ -77,5 +77,28 @@
       mode    => '0644',
       require => Exec['createkeys'],
     }
+
+    file { '/etc/eyaml':
+      ensure => directory,
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0755',
+    }
+
+    file { '/etc/eyaml/config.yaml':
+      ensure  => file,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      # https://github.com/voxpupuli/puppet-lint-strict_indent-check/issues/20
+      # lint:ignore:strict_indent
+      content => @("CONF"),
+        ---
+        # This file is managed by puppet.
+        pkcs7_private_key: ${privkey}
+        pkcs7_public_key: ${pubkey}
+        | CONF
+      # lint:endignore
+    }
   }
 }
diff --git a/spec/classes/hiera_spec.rb b/spec/classes/hiera_spec.rb
@@ -84,6 +84,13 @@
           it { is_expected.to contain_exec('createkeys').that_requires('Hiera::Install[eyaml]') }
           it { is_expected.to contain_file('/dev/null/keys/private_key.pkcs7.pem').with_ensure('file').with_mode('0600').that_requires('Exec[createkeys]') }
           it { is_expected.to contain_file('/dev/null/keys/public_key.pkcs7.pem').with_ensure('file').with_mode('0644').that_requires('Exec[createkeys]') }
+
+          it do
+            is_expected.to contain_file('/etc/eyaml/config.yaml').
+              with_ensure('file').
+              with_content(%r{pkcs7_private_key: /dev/null/keys/private_key.pkcs7.pem}).
+              with_content(%r{pkcs7_public_key: /dev/null/keys/public_key.pkcs7.pem})
+          end
         end
 
         describe 'other_backends' do
