How do I create a trusted fact? How do I reference it in Hiera?
Version and installation information
PE version: 2016.4 to 2018.1
For later versions, use these steps.
Installation type: Any Unix
Solution
- Create a trusted fact
- Verify it in a manifest
- Use dot notation to refer to it in Hiera
Note: Verification steps are included to help you learn each part of the process. You wouldn't necessarily verify each step every time you create or reference a trusted fact.
Create a trusted fact
Trusted facts are part of a node's certificate information. Add a trusted fact to a certificate by adding it as an extension to a certificate request. For our example, the fact is named pp_image_name and its value is storefront_production.
- On the agent, edit /etc/puppetlabs/puppet/csr_attributes.yaml. In a default installation, this file doesn't exist; you'll need to create it. Add the following:

      ---
      extension_requests:
        "pp_image_name": "storefront_production"
- Generate a certificate request. On the agent, run:

      puppet agent --test
- Verify the extension in the certificate request. Still on the agent, run:

      openssl req -noout -text -in $(puppet config print requestdir)/$(facter fqdn).pem

  Successful output includes the extension:

      Requested Extensions:
          1.3.6.1.4.1.34380.1.1.3:
              ..storefront_production
      ...
- If autosigning is disabled, sign the certificate request. On the master, run:

      puppet cert sign <certname of agent>
- Verify the extension in the signed certificate. Still on the master, run:

      puppet cert print <certname of agent>

  Successful output includes the certificate with the added extension:

      ...
      X509v3 extensions:
          Netscape Comment:
              .(Puppet Ruby/OpenSSL Internal Certificate
          Puppet Node Image Name:
              ..storefront_production
      ...
Your trusted fact has been created. You can reference the trusted fact in manifests or Hiera.
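The two dots that openssl prints in front of storefront_production, both in the request and in the signed certificate, are not part of the value. Puppet stores each trusted fact as a DER UTF8String inside the extension's OCTET STRING, and openssl, which does not know the value type for this OID, dumps the string's tag byte (0x0C) and length byte as unprintable characters. The following Python is an added example, not part of this article and not Puppet's own code: it walks the ASN.1 structure of a PEM-encoded CSR or certificate and recovers every extension under Puppet's registered arc 1.3.6.1.4.1.34380.1.1 by OID, so a CA operator can compare the requested pp_image_name against an approved list before running puppet cert sign. It assumes only the Python standard library; the short names for arcs .1, .2 and .4 (pp_uuid, pp_instance_id, pp_preshared_key) are Puppet's registered OID names, and the sample input is a constructed extensionRequest fragment rather than a real signed request.

```python
"""Added example (not Puppet's code): recover Puppet trusted-fact extensions
from a PEM CSR or certificate by walking its DER tag-length-value structure.
The sample input built at the bottom is constructed, not a real CSR."""
import base64

PUPPET_ARC = "1.3.6.1.4.1.34380.1.1."
# Arc members this example knows by short name; the article uses .3.
KNOWN_NAMES = {
    "1.3.6.1.4.1.34380.1.1.1": "pp_uuid",
    "1.3.6.1.4.1.34380.1.1.2": "pp_instance_id",
    "1.3.6.1.4.1.34380.1.1.3": "pp_image_name",
    "1.3.6.1.4.1.34380.1.1.4": "pp_preshared_key",
}


def read_tlv(data, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # clear high bit ends a base-128 arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def puppet_extensions_from_der(der):
    """Map dotted OID -> decoded string for every Puppet extension in der."""
    found = {}

    def walk(data):
        pos = 0
        while pos < len(data):
            tag, content, pos = read_tlv(data, pos)
            if tag == 0x30 and content and content[0] == 0x06:  # SEQUENCE { OID, ... }
                _, oid_raw, p = read_tlv(content, 0)
                oid = decode_oid(oid_raw)
                if oid.startswith(PUPPET_ARC):
                    t, v, p = read_tlv(content, p)
                    if t == 0x01:                              # optional BOOLEAN critical
                        t, v, p = read_tlv(content, p)
                    if t == 0x04:                              # OCTET STRING extnValue ...
                        inner_tag, inner, _ = read_tlv(v, 0)   # ... wrapping a UTF8String;
                        if inner_tag == 0x0C:                  # openssl shows its two header
                            found[oid] = inner.decode("utf-8", "replace")  # bytes as ".."
                    continue
            if tag & 0x20:                  # constructed element: descend into it
                walk(content)

    walk(der)
    return found


def trusted_facts_from_pem(pem_text):
    """Return {short_name_or_oid: value} for the PEM block in pem_text."""
    body = "".join(ln for ln in pem_text.splitlines() if not ln.startswith("-----"))
    facts = puppet_extensions_from_der(base64.b64decode(body))
    return {KNOWN_NAMES.get(oid, oid): val for oid, val in facts.items()}


def der(tag, payload):
    """Encode one DER element with short- or long-form length (for the sample)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def encode_oid(dotted):
    """Encode a dotted OID to OBJECT IDENTIFIER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return bytes(out)


def build_extension_request(facts):
    """Constructed sample: the extensionRequest attribute (OID 1.2.840.113549.1.9.14)
    carrying {oid: value} pairs, the shape csr_attributes.yaml produces in a CSR."""
    exts = b"".join(
        der(0x30, der(0x06, encode_oid(oid)) + der(0x04, der(0x0C, val.encode("utf-8"))))
        for oid, val in facts.items())
    attr = der(0x06, encode_oid("1.2.840.113549.1.9.14")) + der(0x31, der(0x30, exts))
    return der(0x30, attr)


def to_pem(der_bytes, label="CERTIFICATE REQUEST"):
    b64 = base64.b64encode(der_bytes).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *body, f"-----END {label}-----", ""])


if __name__ == "__main__":
    sample = to_pem(build_extension_request(
        {"1.3.6.1.4.1.34380.1.1.3": "storefront_production"}))  # constructed value
    print(trusted_facts_from_pem(sample))  # {'pp_image_name': 'storefront_production'}
```

Against a real request, pass the contents of the .pem file from the verification step to trusted_facts_from_pem and compare the returned pp_image_name with your allow-list before signing. The same function reads the signed certificate that puppet cert print displays, because X.509 uses the same Extension encoding and the walker descends into every constructed element it meets.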
Reference the trusted fact in a manifest
We'll reference the trusted fact using the default manifest /etc/puppetlabs/code/environments/production/manifests/site.pp, but you can use any manifest.
- On the master, edit /etc/puppetlabs/code/environments/production/manifests/site.pp. Reference the trusted fact using nested hashes with square brackets:

      $trusted['extensions']['pp_image_name']

  For example:

      class trusted_fact_test {
        $e = $trusted['extensions']['pp_image_name']
        notify { "pp_image_name = $e": }
      }
      node default {
        include trusted_fact_test
      }
- Verify that the trusted fact is referenced in the manifest. On the agent, run:

      puppet agent --test

  Successful output includes the trusted fact:

      ...
      Info: Applying configuration version '327e12976bc82c6f6fff1c2e3d7e47270797da7e'
      Notice: pp_image_name = storefront_production
      Notice: /Stage[main]/Trusted_fact_test/Notify/message: defined 'message' as 'pp_image_name = storefront_production'
      Notice: Applied catalog in 0.33 seconds
Reference data in Hiera associated with the trusted fact
- On the master, create a .yaml file containing data related to the trusted fact. For example, in /etc/puppetlabs/code/environments/production/hieradata/pp_images/storefront_production.yaml:

      ---
      pp_image_name::description: 'Storefront Production Pool'
- Add the .yaml file to your hierarchy, using dot notation to reference the trusted fact:

      %{::trusted.extensions.pp_image_name}

  For example, in /etc/puppetlabs/puppet/hiera.yaml:

      ---
      :backends:
        - yaml
      :hierarchy:
        - "nodes/%{::trusted.certname}"
        - "pp_images/%{::trusted.extensions.pp_image_name}"
        - common
      :yaml:
        :datadir:
- In a manifest, reference data in Hiera associated with the trusted fact. For example, in /etc/puppetlabs/code/environments/production/manifests/site.pp:

      class trusted_fact_hiera_test {
        $h = hiera('pp_image_name::description')
        notify { "pp_image_name :: description = $h": }
      }
      node default {
        include trusted_fact_hiera_test
      }
- Restart puppetserver to apply your changes to hiera.yaml. On the master, run:

      puppet resource service pe-puppetserver ensure=stopped
      puppet resource service pe-puppetserver ensure=running
- On the master, verify the data in Hiera associated with the trusted fact. Run:

      puppet lookup --node <certname of agent> pp_image_name::description --explain

  Successful output includes the data:

      ---
      Storefront Production Pool
      ...
- On the agent, verify the data in Hiera associated with the trusted fact. Run:

      puppet agent --test

  Successful output includes the data:

      ...
      Notice: pp_image_name :: description = Storefront Production Pool
      Notice: /Stage[main]/Trusted_fact_hiera_test/Notify[pp_image_name :: description = Storefront Production Pool]/message: defined 'message' as 'pp_image_name :: description = Storefront Production Pool'
      Notice: Applied catalog in 0.33 seconds
Note: You cannot use puppet apply to verify the trusted fact, since it applies a cached manifest using local authentication. When $trusted['authenticated'] = local, $trusted['extensions'] is an empty hash.