Allow trusted facts to be derived from node name #110

Merged
merged 1 commit into from
Oct 1, 2024
18 changes: 15 additions & 3 deletions lib/puppet/catalog-diff/compilecatalog.rb
Expand Up @@ -12,12 +12,12 @@ class CompileCatalog

attr_reader :node_name

def initialize(node_name, save_directory, server, certless, catalog_from_puppetdb, puppetdb, puppetdb_tls_cert, puppetdb_tls_key, puppetdb_tls_ca, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca)
def initialize(node_name, save_directory, server, certless, catalog_from_puppetdb, puppetdb, puppetdb_tls_cert, puppetdb_tls_key, puppetdb_tls_ca, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca, derive_trusted_facts)
@node_name = node_name
catalog = if catalog_from_puppetdb
get_catalog_from_puppetdb(node_name, server, puppetdb, puppetdb_tls_cert, puppetdb_tls_key, puppetdb_tls_ca)
else
catalog = compile_catalog(node_name, server, certless, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca)
catalog = compile_catalog(node_name, server, certless, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca, derive_trusted_facts)
clean_sensitive_parameters!(catalog)
clean_nested_sensitive_parameters!(catalog)
catalog
Expand Down Expand Up @@ -68,7 +68,7 @@ def get_catalog_from_puppetdb(node_name, server, puppetdb, puppetdb_tls_cert, pu
convert_pdb(catalog)
end

def compile_catalog(node_name, server, certless, tls_cert, tls_key, tls_ca)
def compile_catalog(node_name, server, certless, tls_cert, tls_key, tls_ca, derive_trusted_facts)
Puppet.debug("Compiling catalog for #{node_name}")
server, environment = server.split('/')
environment ||= lookup_environment(node_name)
Expand All @@ -92,6 +92,18 @@ def compile_catalog(node_name, server, certless, tls_cert, tls_key, tls_ca)
prefer_requested_environment: true,
},
}
if derive_trusted_facts
body['trusted_facts'] = {
values: {
domain: node_name.split('.')[1..],
certname: node_name,
external: {},
hostname: node_name.split('.')[0],
extensions: {},
authenticated: 'remote',
},
}
end
else
endpoint = "/puppet/v3/catalog/#{node_name}?environment=#{environment}"
end
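Review bot: `domain: node_name.split('.')[1..]` in the new trusted_facts block produces an Array (`["example", "com"]` for `web01.example.com`, `[]` for a name with no dot), whereas Puppet's own trusted information — as I recall it — sets `domain` to the string after the first dot (nil when there is none), so manifests and hiera hierarchies keyed on `$trusted['domain']` will not resolve the way they do for a real agent and the diff can report spurious differences. Splitting once with `hostname, domain = node_name.split('.', 2)` and passing `hostname: hostname, domain: domain` gives the same shape for both qualified and unqualified names. Because the block also hard-codes `authenticated: 'remote'`, the server compiles the catalog as if `node_name` had presented a valid certificate, so anything the manifests gate on `$trusted['certname']` or `$trusted['authenticated']` is granted to whatever name is supplied; that is the intent of the option, but a comment above `if derive_trusted_facts` should say so, e.g. `# Synthesise trusted facts from the bare node name; the server treats these as an authenticated identity`. compile_catalog begins and continues outside the hunk.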
7 changes: 6 additions & 1 deletion lib/puppet/face/catalog/diff.rb
Expand Up @@ -123,6 +123,10 @@
default_to { puppetdb_url }
end

option '--derive_trusted_facts' do
summary 'Derive trusted facts from node name when using certless API. When disabled, Puppet will use trusted facts from PuppetDB.'
end

description <<-EOT
Prints the differences between catalogs compiled by different puppet master to help
during migrating to a new Puppet version.
Expand Down Expand Up @@ -226,7 +230,8 @@
old_puppetserver_tls_key: options[:old_puppetserver_tls_key],
old_puppetserver_tls_ca: options[:old_puppetserver_tls_ca],
new_puppetdb: options[:new_puppetdb],
node_list: options[:node_list]
node_list: options[:node_list],
derive_trusted_facts: options[:derive_trusted_facts]
)
diff_output = Puppet::Face[:catalog, '0.0.1'].diff(old_catalogs, new_catalogs, options)
nodes = diff_output
16 changes: 12 additions & 4 deletions lib/puppet/face/catalog/pull.rb
Expand Up @@ -93,6 +93,10 @@
summary 'A manual list of nodes to run catalog diffs against'
end

option '--derive_trusted_facts' do
summary 'Derive trusted facts from node name when using certless API. When disabled, Puppet will use trusted facts from PuppetDB.'
end

description <<-EOT
This action is used to seed a series of catalogs from two servers
EOT
Expand Down Expand Up @@ -147,22 +151,25 @@
puppetdb_tls_ca: options[:old_puppetdb_tls_ca],
puppetserver_tls_cert: options[:old_puppetserver_tls_cert],
puppetserver_tls_key: options[:old_puppetserver_tls_key],
puppetserver_tls_ca: options[:old_puppetserver_tls_ca]
puppetserver_tls_ca: options[:old_puppetserver_tls_ca],
derive_trusted_facts: options[:derive_trusted_facts]
)
new_server = Puppet::Face[:catalog, '0.0.1'].seed(
catalog2, node_name,
master_server: options[:new_server],
certless: options[:certless],
catalog_from_puppetdb: options[:new_catalog_from_puppetdb],
puppetdb: options[:new_puppetdb]
puppetdb: options[:new_puppetdb],
derive_trusted_facts: options[:derive_trusted_facts]
)
else
new_server = Puppet::Face[:catalog, '0.0.1'].seed(
catalog2, node_name,
master_server: options[:new_server],
certless: options[:certless],
catalog_from_puppetdb: options[:new_catalog_from_puppetdb],
puppetdb: options[:new_puppetdb]
puppetdb: options[:new_puppetdb],
derive_trusted_facts: options[:derive_trusted_facts]
)
old_server = Puppet::Face[:catalog, '0.0.1'].seed(
catalog1, node_name,
Expand All @@ -175,7 +182,8 @@
puppetdb_tls_ca: options[:old_puppetdb_tls_ca],
puppetserver_tls_cert: options[:old_puppetserver_tls_cert],
puppetserver_tls_key: options[:old_puppetserver_tls_key],
puppetserver_tls_ca: options[:old_puppetserver_tls_ca]
puppetserver_tls_ca: options[:old_puppetserver_tls_ca],
derive_trusted_facts: options[:derive_trusted_facts]
)
end
mutex.synchronize { compiled_nodes + old_server[:compiled_nodes] }
7 changes: 6 additions & 1 deletion lib/puppet/face/catalog/seed.rb
Expand Up @@ -58,6 +58,10 @@
default_to { localcacert }
end

option '--derive_trusted_facts' do
summary 'Derive trusted facts from node name when using certless API. When disabled, Puppet will use trusted facts from PuppetDB.'
end

description <<-EOT
This action is used to seed a series of catalogs to then be compared with diff
EOT
Expand Down Expand Up @@ -109,7 +113,8 @@
options[:puppetdb_tls_ca],
options[:puppetserver_tls_cert],
options[:puppetserver_tls_key],
options[:puppetserver_tls_ca]
options[:puppetserver_tls_ca],
options[:derive_trusted_facts]
)
mutex.synchronize { compiled_nodes << node_name }
rescue Exception => e
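Review bot: The new `options[:derive_trusted_facts]` argument appended to the CompileCatalog.new call is the thirteenth positional parameter, most of the preceding ones being nil-able TLS paths, so an ordering mismatch between this call and the initializer in lib/puppet/catalog-diff/compilecatalog.rb would silently shift a certificate path into the boolean slot rather than fail. Passing it as a keyword, `derive_trusted_facts: options[:derive_trusted_facts]`, with a matching keyword parameter on the initializer, would make the call self-describing in the way pull.rb already passes it to the seed face. The enclosing begin/rescue block starts outside the hunk.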