Allow trusted facts to be derived from node name

When using the certless API, Puppet will use trusted facts from PuppetDB unless provided in the request. If the PuppetDB facts were uploaded by the catalog_diff host, the trusted facts in PuppetDB will be for the catalog_diff host rather than the node being evaluated. This allows the trusted facts to be derived from the node name instead of using values from PuppetDB.
voxpupuli · Feb 23, 2024 · e686db4 · e686db4
1 parent 260323c
commit e686db4
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 9 deletions.
diff --git a/lib/puppet/catalog-diff/compilecatalog.rb b/lib/puppet/catalog-diff/compilecatalog.rb
@@ -12,12 +12,12 @@ class CompileCatalog
 
     attr_reader :node_name
 
-    def initialize(node_name, save_directory, server, certless, catalog_from_puppetdb, puppetdb, puppetdb_tls_cert, puppetdb_tls_key, puppetdb_tls_ca, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca)
+    def initialize(node_name, save_directory, server, certless, catalog_from_puppetdb, puppetdb, puppetdb_tls_cert, puppetdb_tls_key, puppetdb_tls_ca, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca, derive_trusted_facts)
       @node_name = node_name
       catalog = if catalog_from_puppetdb
                   get_catalog_from_puppetdb(node_name, server, puppetdb, puppetdb_tls_cert, puppetdb_tls_key, puppetdb_tls_ca)
                 else
-                  catalog = compile_catalog(node_name, server, certless, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca)
+                  catalog = compile_catalog(node_name, server, certless, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca, derive_trusted_facts)
                   clean_sensitive_parameters!(catalog)
                   clean_nested_sensitive_parameters!(catalog)
                   catalog
@@ -68,7 +68,7 @@ def get_catalog_from_puppetdb(node_name, server, puppetdb, puppetdb_tls_cert, pu
       convert_pdb(catalog)
     end
 
-    def compile_catalog(node_name, server, certless, tls_cert, tls_key, tls_ca)
+    def compile_catalog(node_name, server, certless, tls_cert, tls_key, tls_ca, derive_trusted_facts)
       Puppet.debug("Compiling catalog for #{node_name}")
       server, environment = server.split('/')
       environment ||= lookup_environment(node_name)
@@ -92,6 +92,18 @@ def compile_catalog(node_name, server, certless, tls_cert, tls_key, tls_ca)
             prefer_requested_environment: true,
           },
         }
+        if derive_trusted_facts
+          body['trusted_facts'] = {
+            values: {
+              domain: node_name.split('.')[1..],
+              certname: node_name,
+              external: {},
+              hostname: node_name.split('.')[0],
+              extensions: {},
+              authenticated: 'remote',
+            },
+          }
+        end
       else
         endpoint = "/puppet/v3/catalog/#{node_name}?environment=#{environment}"
       end

diff --git a/lib/puppet/face/catalog/diff.rb b/lib/puppet/face/catalog/diff.rb
@@ -123,6 +123,10 @@
       default_to { puppetdb_url }
     end
 
+    option '--derive_trusted_facts' do
+      summary 'Derive trusted facts from node name when using certless API. When disabled, Puppet will use trusted facts from PuppetDB.'
+    end
+
     description <<-EOT
       Prints the differences between catalogs compiled by different puppet master to help
       during migrating to a new Puppet version.
@@ -226,7 +230,8 @@
           old_puppetserver_tls_key: options[:old_puppetserver_tls_key],
           old_puppetserver_tls_ca: options[:old_puppetserver_tls_ca],
           new_puppetdb: options[:new_puppetdb],
-          node_list: options[:node_list]
+          node_list: options[:node_list],
+          derive_trusted_facts: options[:derive_trusted_facts]
         )
         diff_output = Puppet::Face[:catalog, '0.0.1'].diff(old_catalogs, new_catalogs, options)
         nodes = diff_output

diff --git a/lib/puppet/face/catalog/pull.rb b/lib/puppet/face/catalog/pull.rb
@@ -93,6 +93,10 @@
       summary 'A manual list of nodes to run catalog diffs against'
     end
 
+    option '--derive_trusted_facts' do
+      summary 'Derive trusted facts from node name when using certless API. When disabled, Puppet will use trusted facts from PuppetDB.'
+    end
+
     description <<-EOT
       This action is used to seed a series of catalogs from two servers
     EOT
@@ -147,22 +151,25 @@
                   puppetdb_tls_ca: options[:old_puppetdb_tls_ca],
                   puppetserver_tls_cert: options[:old_puppetserver_tls_cert],
                   puppetserver_tls_key: options[:old_puppetserver_tls_key],
-                  puppetserver_tls_ca: options[:old_puppetserver_tls_ca]
+                  puppetserver_tls_ca: options[:old_puppetserver_tls_ca],
+                  derive_trusted_facts: options[:derive_trusted_facts]
                 )
                 new_server = Puppet::Face[:catalog, '0.0.1'].seed(
                   catalog2, node_name,
                   master_server: options[:new_server],
                   certless: options[:certless],
                   catalog_from_puppetdb: options[:new_catalog_from_puppetdb],
-                  puppetdb: options[:new_puppetdb]
+                  puppetdb: options[:new_puppetdb],
+                  derive_trusted_facts: options[:derive_trusted_facts]
                 )
               else
                 new_server = Puppet::Face[:catalog, '0.0.1'].seed(
                   catalog2, node_name,
                   master_server: options[:new_server],
                   certless: options[:certless],
                   catalog_from_puppetdb: options[:new_catalog_from_puppetdb],
-                  puppetdb: options[:new_puppetdb]
+                  puppetdb: options[:new_puppetdb],
+                  derive_trusted_facts: options[:derive_trusted_facts]
                 )
                 old_server = Puppet::Face[:catalog, '0.0.1'].seed(
                   catalog1, node_name,
@@ -175,7 +182,8 @@
                   puppetdb_tls_ca: options[:old_puppetdb_tls_ca],
                   puppetserver_tls_cert: options[:old_puppetserver_tls_cert],
                   puppetserver_tls_key: options[:old_puppetserver_tls_key],
-                  puppetserver_tls_ca: options[:old_puppetserver_tls_ca]
+                  puppetserver_tls_ca: options[:old_puppetserver_tls_ca],
+                  derive_trusted_facts: options[:derive_trusted_facts]
                 )
               end
               mutex.synchronize { compiled_nodes + old_server[:compiled_nodes] }

diff --git a/lib/puppet/face/catalog/seed.rb b/lib/puppet/face/catalog/seed.rb
@@ -58,6 +58,10 @@
       default_to { localcacert }
     end
 
+    option '--derive_trusted_facts' do
+      summary 'Derive trusted facts from node name when using certless API. When disabled, Puppet will use trusted facts from PuppetDB.'
+    end
+
     description <<-EOT
       This action is used to seed a series of catalogs to then be compared with diff
     EOT
@@ -109,7 +113,8 @@
                 options[:puppetdb_tls_ca],
                 options[:puppetserver_tls_cert],
                 options[:puppetserver_tls_key],
-                options[:puppetserver_tls_ca]
+                options[:puppetserver_tls_ca],
+                options[:derive_trusted_facts]
               )
               mutex.synchronize { compiled_nodes << node_name }
             rescue Exception => e