Add a trusted fact to a certificate by adding it as an extension to a certificate request. Trusted facts are part of a node’s certificate information, and they are immutable once the certificate is signed by the CA. Therefore, they can be helpful for additional control over which nodes receive sensitive information in their catalogs. This article provides an example of how to create a trusted fact and reference it in manifests and Hiera.
Version and installation information
PE version: All supported
For earlier versions, use these steps.
Installation type: Any Unix
Solution
- Part one: Create a trusted fact
- Part two: Reference the trusted fact in a manifest
- Part three: Reference data associated with the trusted fact in Hiera
Verification steps are included in each part of the process to help you learn. It is not necessary to verify each step every time you create a trusted fact.
Part one: Create a trusted fact
Add a trusted fact to a certificate by adding it as an extension to a certificate request. For this example, the fact is named pp_image_name and its value is storefront_production.
- On the agent node, create and edit /etc/puppetlabs/puppet/csr_attributes.yaml. In a default Puppet agent installation, this file doesn't exist. Then, add your trusted fact(s). For example:

    ---
    extension_requests:
      "pp_image_name": "storefront_production"
- Generate a certificate request. On the agent node, run:

    puppet agent -t
- Verify the extension in the certificate request. Still on the agent, run:

    /opt/puppetlabs/puppet/bin/openssl req -noout -text -in $(puppet config print requestdir)/$(facter fqdn).pem

  Successful output includes the extension:

    Requested Extensions:
        1.3.6.1.4.1.34380.1.1.3: ..storefront_production
    ...
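An added check that is not part of the original article: this POSIX shell snippet pulls the pp_image_name value out of `openssl req -noout -text` output (matching on the numeric OID 1.3.6.1.4.1.34380.1.1.3 shown above) and compares it with an allowlist, so whoever signs requests can refuse one that claims an image it should not. The CSR text below is a constructed sample, and the function names and allowlist values are assumptions; Puppet's bundled openssl labels the extension by name in signed certificates, so the parser targets CSR output only.

```shell
#!/bin/sh
# Added example, not from the article: check the pp_image_name extension
# requested in a CSR against an allowlist before the CSR is signed.

PP_IMAGE_NAME_OID='1.3.6.1.4.1.34380.1.1.3'

# Constructed sample of the relevant part of `openssl req -noout -text`.
# The value line begins with two DER bytes (tag 0x0C, length) that OpenSSL
# renders as "." when they are not printable.
SAMPLE_CSR_TEXT='Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = web01.example.com
        Attributes:
        Requested Extensions:
            1.3.6.1.4.1.34380.1.1.3: 
                ..storefront_production
    Signature Algorithm: sha256WithRSAEncryption'

# Read CSR text on stdin and print the pp_image_name value.
# The two leading DER bytes are dropped, which is correct for values
# shorter than 128 bytes (a single length byte).
extract_pp_image_name() {
    awk -v oid="$PP_IMAGE_NAME_OID" '
        $1 == (oid ":") { getline; sub(/^[ \t]+/, ""); print substr($0, 3); exit }
    '
}

# Return 0 if the CSR text on stdin carries an allowlisted pp_image_name,
# 1 otherwise (missing extension counts as not allowed).
csr_image_allowed() {
    value=$(extract_pp_image_name)
    [ -n "$value" ] || return 1
    for allowed in "$@"; do
        [ "$value" = "$allowed" ] && return 0
    done
    return 1
}

# Usage with a real request (hypothetical path):
#   openssl req -noout -text -in "$csr_pem" | csr_image_allowed storefront_production
```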
- If autosigning is disabled, sign the certificate request. On the primary server, run:

    puppetserver ca sign --certname <CERTNAME OF AGENT>
- Verify the extension in the signed certificate. Still on the primary server, run:

    /opt/puppetlabs/puppet/bin/openssl x509 -noout -text -in $(puppet config print signeddir)/<CERTNAME OF AGENT>.pem

  Successful output includes the cert with the added extension:

    ...
    X509v3 extensions:
        Netscape Comment: .(Puppet Ruby/OpenSSL Internal Certificate
        Puppet Node Image Name: ..storefront_production
    ...
The trusted fact has been created and can be referenced in manifests or Hiera.
Part two: Reference the trusted fact in a manifest
In this example, the trusted fact is referenced in the default manifest /etc/puppetlabs/code/environments/production/manifests/site.pp, but you can reference a fact in any manifest.
- On the primary server, edit /etc/puppetlabs/code/environments/<ENVIRONMENT>/manifests/site.pp. Reference the trusted fact using nested hashes with square brackets: $trusted['extensions']['pp_image_name']

  For example:

    class trusted_fact_test {
      $e = $trusted['extensions']['pp_image_name']
      notify { "pp_image_name = $e": }
    }

    node default {
      include trusted_fact_test
    }
- Verify that the trusted fact is referenced in the manifest. On the agent, run:

    puppet agent -t

  Successful output includes the trusted fact:

    ...
    Info: Applying configuration version '327e12976bc82c6f6fff1c2e3d7e47270797da7e'
    Notice: pp_image_name = storefront_production
    Notice: /Stage[main]/Trusted_fact_test/Notify/message: defined 'message' as 'pp_image_name = storefront_production'
    Notice: Applied catalog in 0.33 seconds
Part three: Reference data associated with the trusted fact in Hiera
- On the primary server, create a .yaml file containing data related to the trusted fact. For example, in /etc/puppetlabs/code/environments/<ENVIRONMENT>/hieradata/pp_images/, create storefront_production.yaml:

    ---
    pp_image_name::description: 'Storefront Production Pool'
- Add the .yaml file to your hierarchy, using dot notation to reference the trusted fact: %{::trusted.extensions.pp_image_name}

  For example, in /etc/puppetlabs/puppet/hiera.yaml:

    ---
    :backends:
      - yaml
    :hierarchy:
      - "nodes/%{::trusted.certname}"
      - "pp_images/%{::trusted.extensions.pp_image_name}"
      - common
    :yaml:
      :datadir:
- In a manifest, reference data in Hiera associated with the trusted fact. For example, in /etc/puppetlabs/code/environments/production/manifests/site.pp:

    class trusted_fact_hiera_test {
      $h = lookup('pp_image_name::description')
      notify { "pp_image_name :: description = $h": }
    }

    node default {
      include trusted_fact_hiera_test
    }
- Restart pe-puppetserver to apply your changes to hiera.yaml. On the primary server, run:

    puppet resource service pe-puppetserver ensure=stopped
    puppet resource service pe-puppetserver ensure=running
- On the primary server, verify the data in Hiera associated with the trusted fact. Run:

    puppet lookup --node <CERTNAME OF AGENT> --environment <AGENT ENVIRONMENT> pp_image_name::description --explain

  Successful output includes the data:

    ---
    Storefront Production Pool
    ...
- Verify the data in Hiera associated with the trusted fact on the agent. Run:

    puppet agent -t

  Successful output includes the data:

    ...
    Notice: pp_image_name :: description = Storefront Production Pool
    Notice: /Stage[main]/Trusted_fact_hiera_test/Notify[pp_image_name :: description = Storefront Production Pool]/message: defined 'message' as 'pp_image_name :: description = Storefront Production Pool'
    Notice: Applied catalog in 0.33 seconds

Note: You cannot use puppet apply to verify the trusted fact, since it applies a cached manifest using local authentication. When $trusted['authenticated'] = local, $trusted['extensions'] is an empty hash.