Allow trusted facts to be derived from node name

When using the certless API, Puppet will use trusted facts from PuppetDB
unless provided in the request. If the PuppetDB facts were uploaded by the
catalog_diff host, the trusted facts in PuppetDB will be for the
catalog_diff host rather than the node being evaluated. This allows the
trusted facts to be derived from the node name instead of using values
from PuppetDB.

Author: nabertrand

lib/puppet/catalog-diff/compilecatalog.rb

@@ -12,12 +12,12 @@ class CompileCatalog
 
     attr_reader :node_name
 
-    def initialize(node_name, save_directory, server, certless, catalog_from_puppetdb, puppetdb, puppetdb_tls_cert, puppetdb_tls_key, puppetdb_tls_ca, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca)
+    def initialize(node_name, save_directory, server, certless, catalog_from_puppetdb, puppetdb, puppetdb_tls_cert, puppetdb_tls_key, puppetdb_tls_ca, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca, derive_trusted_facts)
       @node_name = node_name
       catalog = if catalog_from_puppetdb
                   get_catalog_from_puppetdb(node_name, server, puppetdb, puppetdb_tls_cert, puppetdb_tls_key, puppetdb_tls_ca)
                 else
-                  catalog = compile_catalog(node_name, server, certless, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca)
+                  catalog = compile_catalog(node_name, server, certless, puppetserver_tls_cert, puppetserver_tls_key, puppetserver_tls_ca, derive_trusted_facts)
                   clean_sensitive_parameters!(catalog)
                   clean_nested_sensitive_parameters!(catalog)
                   catalog
@@ -68,7 +68,7 @@ def get_catalog_from_puppetdb(node_name, server, puppetdb, puppetdb_tls_cert, pu
       convert_pdb(catalog)
     end
 
-    def compile_catalog(node_name, server, certless, tls_cert, tls_key, tls_ca)
+    def compile_catalog(node_name, server, certless, tls_cert, tls_key, tls_ca, derive_trusted_facts)
       Puppet.debug("Compiling catalog for #{node_name}")
       server, environment = server.split('/')
       environment ||= lookup_environment(node_name)
@@ -92,6 +92,18 @@ def compile_catalog(node_name, server, certless, tls_cert, tls_key, tls_ca)
             prefer_requested_environment: true,
           },
         }
+        if derive_trusted_facts
+          body['trusted_facts'] = {
+            values: {
+              domain: node_name.split('.')[1..],
+              certname: node_name,
+              external: {},
+              hostname: node_name.split('.')[0],
+              extensions: {},
+              authenticated: 'remote',
+            },
+          }
+        end
       else
         endpoint = "/puppet/v3/catalog/#{node_name}?environment=#{environment}"
       end

lib/puppet/face/catalog/diff.rb

@@ -123,6 +123,10 @@
       default_to { puppetdb_url }
     end
 
+    option '--derive_trusted_facts' do
+      summary 'Derive trusted facts from node name when using certless API. When disabled, Puppet will use trusted facts from PuppetDB.'
+    end
+
     description <<-EOT
       Prints the differences between catalogs compiled by different puppet master to help
       during migrating to a new Puppet version.
@@ -226,7 +230,8 @@
           old_puppetserver_tls_key: options[:old_puppetserver_tls_key],
           old_puppetserver_tls_ca: options[:old_puppetserver_tls_ca],
           new_puppetdb: options[:new_puppetdb],
-          node_list: options[:node_list]
+          node_list: options[:node_list],
+          derive_trusted_facts: options[:derive_trusted_facts]
         )
         diff_output = Puppet::Face[:catalog, '0.0.1'].diff(old_catalogs, new_catalogs, options)
         nodes = diff_output

lib/puppet/face/catalog/pull.rb

@@ -93,6 +93,10 @@
       summary 'A manual list of nodes to run catalog diffs against'
     end
 
+    option '--derive_trusted_facts' do
+      summary 'Derive trusted facts from node name when using certless API. When disabled, Puppet will use trusted facts from PuppetDB.'
+    end
+
     description <<-EOT
       This action is used to seed a series of catalogs from two servers
     EOT
@@ -147,22 +151,25 @@
                   puppetdb_tls_ca: options[:old_puppetdb_tls_ca],
                   puppetserver_tls_cert: options[:old_puppetserver_tls_cert],
                   puppetserver_tls_key: options[:old_puppetserver_tls_key],
-                  puppetserver_tls_ca: options[:old_puppetserver_tls_ca]
+                  puppetserver_tls_ca: options[:old_puppetserver_tls_ca],
+                  derive_trusted_facts: options[:derive_trusted_facts]
                 )
                 new_server = Puppet::Face[:catalog, '0.0.1'].seed(
                   catalog2, node_name,
                   master_server: options[:new_server],
                   certless: options[:certless],
                   catalog_from_puppetdb: options[:new_catalog_from_puppetdb],
-                  puppetdb: options[:new_puppetdb]
+                  puppetdb: options[:new_puppetdb],
+                  derive_trusted_facts: options[:derive_trusted_facts]
                 )
               else
                 new_server = Puppet::Face[:catalog, '0.0.1'].seed(
                   catalog2, node_name,
                   master_server: options[:new_server],
                   certless: options[:certless],
                   catalog_from_puppetdb: options[:new_catalog_from_puppetdb],
-                  puppetdb: options[:new_puppetdb]
+                  puppetdb: options[:new_puppetdb],
+                  derive_trusted_facts: options[:derive_trusted_facts]
                 )
                 old_server = Puppet::Face[:catalog, '0.0.1'].seed(
                   catalog1, node_name,
@@ -175,7 +182,8 @@
                   puppetdb_tls_ca: options[:old_puppetdb_tls_ca],
                   puppetserver_tls_cert: options[:old_puppetserver_tls_cert],
                   puppetserver_tls_key: options[:old_puppetserver_tls_key],
-                  puppetserver_tls_ca: options[:old_puppetserver_tls_ca]
+                  puppetserver_tls_ca: options[:old_puppetserver_tls_ca],
+                  derive_trusted_facts: options[:derive_trusted_facts]
                 )
               end
               mutex.synchronize { compiled_nodes + old_server[:compiled_nodes] }

lib/puppet/face/catalog/seed.rb

@@ -58,6 +58,10 @@
       default_to { localcacert }
     end
 
+    option '--derive_trusted_facts' do
+      summary 'Derive trusted facts from node name when using certless API. When disabled, Puppet will use trusted facts from PuppetDB.'
+    end
+
     description <<-EOT
       This action is used to seed a series of catalogs to then be compared with diff
     EOT
@@ -109,7 +113,8 @@
                 options[:puppetdb_tls_ca],
                 options[:puppetserver_tls_cert],
                 options[:puppetserver_tls_key],
-                options[:puppetserver_tls_ca]
+                options[:puppetserver_tls_ca],
+                options[:derive_trusted_facts]
               )
               mutex.synchronize { compiled_nodes << node_name }
             rescue Exception => e