diff --git a/lib/puppet/catalog-diff/compilecatalog.rb b/lib/puppet/catalog-diff/compilecatalog.rb index 7266b76..16f6d5b 100644 --- a/lib/puppet/catalog-diff/compilecatalog.rb +++ b/lib/puppet/catalog-diff/compilecatalog.rb @@ -12,12 +12,12 @@ class CompileCatalog attr_reader :node_name - def initialize(node_name, save_directory, server, certless, catalog_from_puppetdb, puppetdb, puppetdb_tls_cert, puppetdb_tls_key, puppetdb_tls_ca, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca) + def initialize(node_name, save_directory, server, certless, catalog_from_puppetdb, puppetdb, puppetdb_tls_cert, puppetdb_tls_key, puppetdb_tls_ca, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca, derive_trusted_facts) @node_name = node_name catalog = if catalog_from_puppetdb get_catalog_from_puppetdb(node_name, server, puppetdb, puppetdb_tls_cert, puppetdb_tls_key, puppetdb_tls_ca) else - catalog = compile_catalog(node_name, server, certless, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca) + catalog = compile_catalog(node_name, server, certless, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca, derive_trusted_facts) clean_sensitive_parameters!(catalog) clean_nested_sensitive_parameters!(catalog) catalog @@ -68,7 +68,7 @@ def get_catalog_from_puppetdb(node_name, server, puppetdb, puppetdb_tls_cert, pu convert_pdb(catalog) end - def compile_catalog(node_name, server, certless, tls_cert, tls_key, tls_ca) + def compile_catalog(node_name, server, certless, tls_cert, tls_key, tls_ca, derive_trusted_facts) Puppet.debug("Compiling catalog for #{node_name}") server, environment = server.split('/') environment ||= lookup_environment(node_name) 
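Review bot: `derive_trusted_facts` is added to `CompileCatalog#initialize` as a thirteenth required positional argument, so any caller not shown in this diff that still passes twelve arguments will raise `ArgumentError`. Only the call in seed.rb is visibly updated. A default keeps existing callers working: `puppetserver_tls_key, puppetserver_tls_ca, derive_trusted_facts = false)`, and likewise `tls_ca, derive_trusted_facts = false)` on `compile_catalog` in the next hunk. With this many adjacent positional TLS path arguments a swapped cert/key/CA is easy to miss, so moving to keyword arguments would be worth a follow-up.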
@@ -92,6 +92,18 @@ def compile_catalog(node_name, server, certless, tls_cert, tls_key, tls_ca) prefer_requested_environment: true, }, } + if derive_trusted_facts + body['trusted_facts'] = { + values: { + domain: node_name.split('.')[1..-1], + certname: node_name, + external: {}, + hostname: node_name.split('.')[0], + extensions: {}, + authenticated: 'remote', + }, + } + end else endpoint = "/puppet/v3/catalog/#{node_name}?environment=#{environment}" end diff --git a/lib/puppet/face/catalog/diff.rb b/lib/puppet/face/catalog/diff.rb index d25ab61..e20d4cd 100644 --- a/lib/puppet/face/catalog/diff.rb +++ b/lib/puppet/face/catalog/diff.rb @@ -123,6 +123,10 @@ default_to { puppetdb_url } end + option '--derive_trusted_facts' do + summary "Derive trusted facts from node name when using certless API. When disabled, Puppet will use trusted facts from PuppetDB." + end + description <<-EOT Prints the differences between catalogs compiled by different puppet master to help during migrating to a new Puppet version. @@ -226,7 +230,8 @@ old_puppetserver_tls_key: options[:old_puppetserver_tls_key], old_puppetserver_tls_ca: options[:old_puppetserver_tls_ca], new_puppetdb: options[:new_puppetdb], - node_list: options[:node_list] + node_list: options[:node_list], + derive_trusted_facts: options[:derive_trusted_facts] ) diff_output = Puppet::Face[:catalog, '0.0.1'].diff(old_catalogs, new_catalogs, options) nodes = diff_output diff --git a/lib/puppet/face/catalog/pull.rb b/lib/puppet/face/catalog/pull.rb index 5b10b71..297cf45 100644 --- a/lib/puppet/face/catalog/pull.rb +++ b/lib/puppet/face/catalog/pull.rb @@ -93,6 +93,10 @@ summary 'A manual list of nodes to run catalog diffs against' end + option '--derive_trusted_facts' do + summary "Derive trusted facts from node name when using certless API. When disabled, Puppet will use trusted facts from PuppetDB." + end + description <<-EOT This action is used to seed a series of catalogs from two servers EOT 
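Review bot: `domain: node_name.split('.')[1..-1]` puts an Array of labels into the request (an empty Array for a node name with no dot), whereas `trusted['domain']` is a single String in Puppet, so manifests or Hiera lookups that interpolate it will not match a normally compiled catalog. Split once instead: `domain: node_name.split('.', 2)[1],`. These values are also built from the node name given on the command line rather than read from a verified certificate, with `extensions: {}` and `authenticated: 'remote'` hard-coded, so classification keyed on `trusted.extensions` will compile differently. A comment above the block should say so, e.g. `# Synthetic trusted facts: not certificate-backed, extensions are always empty.` The body of `compile_catalog` starts and ends outside this hunk.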
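Review bot: `--derive_trusted_facts` appears to be silently ignored unless `--certless` is also given, because the new `if derive_trusted_facts` block in `compile_catalog` sits in the branch just before the `else` that builds the v3 endpoint. The summary should state that dependency and that derived values carry no certificate extensions, e.g. `summary 'With --certless only: derive trusted facts from the node name (no certificate extensions). Otherwise trusted facts come from PuppetDB.'`. The same option block is repeated verbatim in pull.rb and seed.rb, so the wording needs changing in all three places.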
@@ -147,14 +151,16 @@
 puppetdb_tls_ca: options[:old_puppetdb_tls_ca],
 puppetserver_tls_cert: options[:old_puppetserver_tls_cert],
 puppetserver_tls_key: options[:old_puppetserver_tls_key],
- puppetserver_tls_ca: options[:old_puppetserver_tls_ca]
+ puppetserver_tls_ca: options[:old_puppetserver_tls_ca],
+ derive_trusted_facts: options[:derive_trusted_facts]
 )
 new_server = Puppet::Face[:catalog, '0.0.1'].seed(
 catalog2, node_name,
 master_server: options[:new_server],
 certless: options[:certless],
 catalog_from_puppetdb: options[:new_catalog_from_puppetdb],
- puppetdb: options[:new_puppetdb]
+ puppetdb: options[:new_puppetdb],
+ derive_trusted_facts: options[:derive_trusted_facts]
 )
 else
 new_server = Puppet::Face[:catalog, '0.0.1'].seed(
@@ -162,7 +168,8 @@
 master_server: options[:new_server],
 certless: options[:certless],
 catalog_from_puppetdb: options[:new_catalog_from_puppetdb],
- puppetdb: options[:new_puppetdb]
+ puppetdb: options[:new_puppetdb],
+ derive_trusted_facts: options[:derive_trusted_facts]
 )
 old_server = Puppet::Face[:catalog, '0.0.1'].seed(
 catalog1, node_name,
@@ -175,7 +182,8 @@
 puppetdb_tls_ca: options[:old_puppetdb_tls_ca],
 puppetserver_tls_cert: options[:old_puppetserver_tls_cert],
 puppetserver_tls_key: options[:old_puppetserver_tls_key],
- puppetserver_tls_ca: options[:old_puppetserver_tls_ca]
+ puppetserver_tls_ca: options[:old_puppetserver_tls_ca],
+ derive_trusted_facts: options[:derive_trusted_facts]
 )
 end
 mutex.synchronize { compiled_nodes + old_server[:compiled_nodes] }
diff --git a/lib/puppet/face/catalog/seed.rb b/lib/puppet/face/catalog/seed.rb
index db49c1f..2aad157 100644
--- a/lib/puppet/face/catalog/seed.rb
+++ b/lib/puppet/face/catalog/seed.rb
@@ -58,6 +58,10 @@ default_to { localcacert } end + option '--derive_trusted_facts' do + summary "Derive trusted facts from node name when using certless API. When disabled, Puppet will use trusted facts from PuppetDB." + end + description <<-EOT This action is used to seed a series of catalogs to then be compared with diff EOT @@ -109,7 +113,8 @@ options[:puppetdb_tls_ca], options[:puppetserver_tls_cert], options[:puppetserver_tls_key], - options[:puppetserver_tls_ca] + options[:puppetserver_tls_ca], + options[:derive_trusted_facts] ) mutex.synchronize { compiled_nodes << node_name } rescue Exception => e