Allow overriding hostprivkey

reverson · reverson · commit 1aedf72a351b · 2025-09-24T23:24:23.000Z
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -18,6 +18,7 @@
   $use_srv_records       = $puppet::use_srv_records,
   $additional_settings   = $puppet::additional_settings,
   $client_certname       = $puppet::client_certname,
+  $hostprivkey           = $puppet::hostprivkey,
   # lint:endignore
 ) {
   puppet::config::main {
@@ -26,7 +27,6 @@
     'rundir': value => $puppet::rundir;
     'ssldir': value => $puppet::ssldir;
     'privatekeydir': value => '$ssldir/private_keys { group = service }';
-    'hostprivkey': value => '$privatekeydir/$certname.pem { mode = 640 }';
     'show_diff': value => $puppet::show_diff;
     'codedir': value => $puppet::codedir;
   }
@@ -73,6 +73,15 @@
       'certname': value => $client_certname;
     }
   }
+  if $hostprivkey {
+    puppet::config::main {
+      'hostprivkey': value => $hostprivkey;
+    }
+  } else {
+    puppet::config::main {
+      'hostprivkey': value => '$privatekeydir/$certname.pem { mode = 640 }';
+    }
+  }
 
   $additional_settings.each |$key,$value| {
     puppet::config::main { $key: value => $value }
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -626,6 +626,7 @@
   Optional[Variant[Boolean, Enum['chain', 'leaf']]] $certificate_revocation = $puppet::params::certificate_revocation,
   Optional[String] $prerun_command = $puppet::params::prerun_command,
   Optional[String] $postrun_command = $puppet::params::postrun_command,
+  String $hostprivkey = $puppet::params::hostprivkey,
   Array[String] $dns_alt_names = $puppet::params::dns_alt_names,
   Boolean $use_srv_records = $puppet::params::use_srv_records,
   Optional[String] $srv_domain = $puppet::params::srv_domain,
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -31,6 +31,7 @@
   $prerun_command      = undef
   $postrun_command     = undef
   $server_compile_mode = undef
+  $hostprivkey         = undef
   $dns_alt_names       = []
   $use_srv_records     = false
   $agent_default_schedules = false
diff --git a/spec/classes/puppet_config_spec.rb b/spec/classes/puppet_config_spec.rb
@@ -163,6 +163,14 @@
         end
       end
 
+      describe 'with custom hostprivkey set' do
+        let :params do
+          super().merge(hostprivkey: 'hostprivkey = $privatekeydir/$certname.pem { mode = 660 }'])
+        end
+
+        it { is_expected.to contain_puppet__config__main('hostprivkey').with_value('$privatekeydir/$certname.pem { mode = 660 }') }
+      end
+
       describe 'with additional settings' do
         let :params do
           super().merge(additional_settings: { disable_warnings: 'deprecations' })
