Skip to main content

Create a trusted fact, verify it, and then reference it in Hiera in Puppet Enterprise 2016.4 to 2018.1

Elaine McCloskey
  • Updated

How do I create a trusted fact? How do I reference it in Hiera?

Version and installation information

PE version: 2016.4 to 2018.1
For later versions, use these steps.

Installation type: Any Unix

Solution

  • Create a trusted fact
  • Verify it in a manifest
  • Use dot notation to refer to it in Hiera

Note: Verification steps are included to help you learn each part of the process. You wouldn't necessarily verify each step every time you create or reference a trusted fact.

Create a trusted fact

Trusted facts are part of a node's certificate information. Add a trusted fact to a certificate by adding it as an extension to a certificate request. For our example, the fact is named pp_image_name and its value is storefront_production.

  1. On the agent, edit /etc/puppetlabs/puppet/csr_attributes.yaml. In a default installation, this file doesn't exist. You'll need to create it. Add the following:

    ---
  extension_requests:
   "pp_image_name": "storefront_production"

  2. Generate a certificate request. On the agent, run:

    puppet agent --test

  3. Verify the extension in the certificate request. Still on the agent, run:

    openssl req -noout -text -in $(puppet config print requestdir)/$(facter fqdn).pem

    Successful output includes the extension:

    
    Requested Extensions:
        1.3.6.1.4.1.34380.1.1.3:
            ..storefront_production
     ...

  4. If autosigning is disabled, sign the certificate request. On the master, run:

    puppet cert sign <certname of agent>

  5. Verify the extension in the signed certificate. Still on the master, run:

    puppet cert print <certname of agent>

    Successful output includes the cert with the added extension:

         ...
        X509v3 extensions:
            Netscape Comment:
                .(Puppet Ruby/OpenSSL Internal Certificate
            Puppet Node Image Name:
                ..storefront_production
     ...

Your trusted fact has been created. You can reference the trusted fact in manifests or Hiera.

Reference the trusted fact in a manifest

We'll reference the trusted fact using the default manifest /etc/puppetlabs/code/environments/production/manifests/site.pp, but you can use any manifest.

  1. On the master, edit /etc/puppetlabs/code/environments/production/manifests/site.pp. Reference the trusted fact using nested hashes with square brackets:

    ($trusted['extensions']['pp_image_name'])

    For example:

        class trusted_fact_test {
      $e = $trusted['extensions']['pp_image_name']
      notify { "pp_image_name = $e": }
      }
    node default {
      include trusted_fact_test
    }

  2. Verify that the trusted fact is referenced in the manifest. On the agent, run:

    puppet agent --test

    Successful output includes the trusted fact:

    ...
Info: Applying configuration version '327e12976bc82c6f6fff1c2e3d7e47270797da7e'
Notice: pp_image_name = storefront_production
Notice: /Stage[main]/Trusted_fact_test/Notify/message: defined 'message' as 'pp_image_name = storefront_production'
Notice: Applied catalog in 0.33 seconds

Reference data in Hiera associated with the trusted fact

  1. On the master, create a .yaml file containing data related to the trusted fact.

    For example, in /etc/puppetlabs/code/environments/production/hieradata/pp_images/storefront_production.yaml:

    ---
pp_image_name::description: 'Storefront Production Pool'

  2. Add the .yaml file to your hierarchy, using dot notation to reference the trusted fact: (%{::trusted.extensions.pp_image_name}) For example:

    /etc/puppetlabs/puppet/hiera.yaml

    ---
:backends:
  - yaml
:hierarchy:
  - "nodes/%{::trusted.certname}"
  - "pp_images/%{::trusted.extensions.pp_image_name}"
  - common
:yaml:
:datadir:

  3. In a manifest, reference data in Hiera associated with the trusted fact. For example:

    /etc/puppetlabs/code/environments/production/manifests/site.pp

    class trusted_fact_hiera_test {
  $h = hiera('pp_image_name::description')
  notify { "pp_image_name :: description = $h": }
}
node default {
  include trusted_fact_hiera_test
}

  4. Restart puppetserver to apply your changes to hiera.yaml. On the master run:

    puppet resource service pe-puppetserver ensure=stopped
puppet resource service pe-puppetserver ensure=running

  5. On the master, verify the data in Hiera associated with the trusted fact. Run:

    puppet lookup --node <certname of agent> pp_image_name::description --explain

    Successful output includes the data:

    --- Storefront Production Pool
...

  6. On the agent, verify the data in Hiera associated with the trusted fact. Run:

    puppet agent --test

    Successful output includes the data:

    ...
Notice: pp_image_name :: description = Storefront Production Pool
Notice: /Stage[main]/Trusted_fact_hiera_test/Notify[pp_image_name :: description = Storefront Production Pool]/message: defined 'message' as 'pp_image_name :: description = Storefront Production Pool'
Notice: Applied catalog in 0.33 seconds

    Note: You cannot use puppet apply to verify the trusted fact, since it applies a cached manifest using local authentication. When $trusted['authenticated'] = local $trusted['extensions']is an empty hash.

Additional resources:

Did this solve your problem?
2 out of 3 found this helpful

How can we improve this article?

0 comments

Please sign in to leave a comment.

Related articles