Exported keys with multiple algorithms overwrite each other

[raybellis]

I'm using the following code on each system to generate an exported resource of SSH host keys for selected algorithms (pulled from facter) with the intention to build a fully populated /etc/ssh/ssh_known_hosts file on my bastion hosts:

  $fqdn = $facts['networking']['fqdn']
  $keys = $facts['ssh']

  unless empty($keys) {
    ['ecdsa', 'ed25519', 'rsa'].each |$type| {

      $t = $keys[$type]['type']
      $k = $keys[$type]['key']

      unless empty($keys[$type]) {
        @@sshkey { "${fqdn}_${t}":
          name => $fqdn,
          type => $t,
          key  => $k,
        }
      }
    }
  }

When I collect these resources with:

    Sshkey <<| |>>

the (up to) three resources per system overwrite each other, and only one of the keys ends up in the ssh_known_hosts file.

Curiously the key type is seen by Puppet, yet the file parsing doesn't seem to allow for it (keys elided):

/Stage[main]/myclass/Sshkey[myhost@ssh-ed25519]/key: key changed A to B
/Stage[main]/myclass/Sshkey[myhost@ssh-rsa]/key: key changed B to C
/Stage[main]/myclass/Sshkey[myhost@ecdsa-sha2-nistp256]/key: key changed C to A

A further side effect is that the three key change messages appear on every puppet run.

This seems to be a bug, unless I'm doing something wrong myself?

The systems are Puppet 8.10.0, Puppet Server 8.7.0, PuppetDB 8.8.1, all running on FreeBSD 14.2. I've tested with the latest release 2.5.1 of this module.