Merge pull request #110 from umnmsi/trusted_facts

Allow trusted facts to be derived from node name

Author: bastelfreak

lib/puppet/catalog-diff/compilecatalog.rb

@@ -12,12 +12,12 @@ class CompileCatalog
 
     attr_reader :node_name
 
-    def initialize(node_name, save_directory, server, certless, catalog_from_puppetdb, puppetdb, puppetdb_tls_cert, puppetdb_tls_key, puppetdb_tls_ca, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca)
+    def initialize(node_name, save_directory, server, certless, catalog_from_puppetdb, puppetdb, puppetdb_tls_cert, puppetdb_tls_key, puppetdb_tls_ca, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca, derive_trusted_facts)
       @node_name = node_name
       catalog = if catalog_from_puppetdb
                   get_catalog_from_puppetdb(node_name, server, puppetdb, puppetdb_tls_cert, puppetdb_tls_key, puppetdb_tls_ca)
                 else
-                  catalog = compile_catalog(node_name, server, certless, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca)
+                  catalog = compile_catalog(node_name, server, certless, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca, derive_trusted_facts)
                   clean_sensitive_parameters!(catalog)
                   clean_nested_sensitive_parameters!(catalog)
                   catalog
@@ -68,7 +68,7 @@ def get_catalog_from_puppetdb(node_name, server, puppetdb, puppetdb_tls_cert, pu
       convert_pdb(catalog)
     end
 
-    def compile_catalog(node_name, server, certless, tls_cert, tls_key, tls_ca)
+    def compile_catalog(node_name, server, certless, tls_cert, tls_key, tls_ca, derive_trusted_facts)
       Puppet.debug("Compiling catalog for #{node_name}")
       server, environment = server.split('/')
       environment ||= lookup_environment(node_name)
@@ -92,6 +92,18 @@ def compile_catalog(node_name, server, certless, tls_cert, tls_key, tls_ca)
             prefer_requested_environment: true,
           },
         }
+        if derive_trusted_facts
+          body['trusted_facts'] = {
+            values: {
+              domain: node_name.split('.')[1..],
+              certname: node_name,
+              external: {},
+              hostname: node_name.split('.')[0],
+              extensions: {},
+              authenticated: 'remote',
+            },
+          }
+        end
       else
         endpoint = "/puppet/v3/catalog/#{node_name}?environment=#{environment}"
       end

lib/puppet/face/catalog/diff.rb

@@ -123,6 +123,10 @@
       default_to { puppetdb_url }
     end
 
+    option '--derive_trusted_facts' do
+      summary 'Derive trusted facts from node name when using certless API. When disabled, Puppet will use trusted facts from PuppetDB.'
+    end
+
     description <<-EOT
       Prints the differences between catalogs compiled by different puppet master to help
       during migrating to a new Puppet version.
@@ -226,7 +230,8 @@
           old_puppetserver_tls_key: options[:old_puppetserver_tls_key],
           old_puppetserver_tls_ca: options[:old_puppetserver_tls_ca],
           new_puppetdb: options[:new_puppetdb],
-          node_list: options[:node_list]
+          node_list: options[:node_list],
+          derive_trusted_facts: options[:derive_trusted_facts]
         )
         diff_output = Puppet::Face[:catalog, '0.0.1'].diff(old_catalogs, new_catalogs, options)
         nodes = diff_output

lib/puppet/face/catalog/pull.rb

@@ -93,6 +93,10 @@
       summary 'A manual list of nodes to run catalog diffs against'
     end
 
+    option '--derive_trusted_facts' do
+      summary 'Derive trusted facts from node name when using certless API. When disabled, Puppet will use trusted facts from PuppetDB.'
+    end
+
     description <<-EOT
       This action is used to seed a series of catalogs from two servers
     EOT
@@ -147,22 +151,25 @@
                   puppetdb_tls_ca: options[:old_puppetdb_tls_ca],
                   puppetserver_tls_cert: options[:old_puppetserver_tls_cert],
                   puppetserver_tls_key: options[:old_puppetserver_tls_key],
-                  puppetserver_tls_ca: options[:old_puppetserver_tls_ca]
+                  puppetserver_tls_ca: options[:old_puppetserver_tls_ca],
+                  derive_trusted_facts: options[:derive_trusted_facts]
                 )
                 new_server = Puppet::Face[:catalog, '0.0.1'].seed(
                   catalog2, node_name,
                   master_server: options[:new_server],
                   certless: options[:certless],
                   catalog_from_puppetdb: options[:new_catalog_from_puppetdb],
-                  puppetdb: options[:new_puppetdb]
+                  puppetdb: options[:new_puppetdb],
+                  derive_trusted_facts: options[:derive_trusted_facts]
                 )
               else
                 new_server = Puppet::Face[:catalog, '0.0.1'].seed(
                   catalog2, node_name,
                   master_server: options[:new_server],
                   certless: options[:certless],
                   catalog_from_puppetdb: options[:new_catalog_from_puppetdb],
-                  puppetdb: options[:new_puppetdb]
+                  puppetdb: options[:new_puppetdb],
+                  derive_trusted_facts: options[:derive_trusted_facts]
                 )
                 old_server = Puppet::Face[:catalog, '0.0.1'].seed(
                   catalog1, node_name,
@@ -175,7 +182,8 @@
                   puppetdb_tls_ca: options[:old_puppetdb_tls_ca],
                   puppetserver_tls_cert: options[:old_puppetserver_tls_cert],
                   puppetserver_tls_key: options[:old_puppetserver_tls_key],
-                  puppetserver_tls_ca: options[:old_puppetserver_tls_ca]
+                  puppetserver_tls_ca: options[:old_puppetserver_tls_ca],
+                  derive_trusted_facts: options[:derive_trusted_facts]
                 )
               end
               mutex.synchronize { compiled_nodes + old_server[:compiled_nodes] }

lib/puppet/face/catalog/seed.rb

@@ -58,6 +58,10 @@
       default_to { localcacert }
     end
 
+    option '--derive_trusted_facts' do
+      summary 'Derive trusted facts from node name when using certless API. When disabled, Puppet will use trusted facts from PuppetDB.'
+    end
+
     description <<-EOT
       This action is used to seed a series of catalogs to then be compared with diff
     EOT
@@ -109,7 +113,8 @@
                 options[:puppetdb_tls_ca],
                 options[:puppetserver_tls_cert],
                 options[:puppetserver_tls_key],
-                options[:puppetserver_tls_ca]
+                options[:puppetserver_tls_ca],
+                options[:derive_trusted_facts]
               )
               mutex.synchronize { compiled_nodes << node_name }
             rescue Exception => e