the node, and nothing guarantees their accuracy.
• Trusted facts are extracted from the node’s certificate, which can prove that the CA checked and approved them.
• The variable name $trusted is reserved, so local scopes cannot re-use it.
• Useful for deciding whether a given node should receive sensitive data in its catalogue.
Settings to enable (--section master): trusted_node_data and immutable_node_data

```ini
trusted_node_data = true
immutable_node_data = true
```

Example:

```puppet
if $trusted['extensions']['pp_image_name'] == 'storefront_production' {
  include private::storefront::private_keys
}
```

(*) If trusted facts are enabled, any cert extensions can be accessed in manifests as $trusted['extensions']['<EXTENSION OID>'].
(*) OID / name mapping can be found here - https://docs.puppetlabs.com/puppet/latest/reference/config_file_csr_attributes.html
read from the csr_attributes.yaml file in the Puppet agent’s $confdir.
• YAML hash containing one or both of the following keys:
  • custom_attributes
  • extension_requests
• e.g.

```yaml
---
extension_requests:
  pp_preshared_key: banana
```
reading in any additional attributes from the csr_attributes.yaml file in the Puppet agent’s $confdir, and submits the CSR.
• The Puppet master / CA signs the cert, optionally according to an (*) auto-signing policy, and the catalog is served.
• The agent uses the cert for ongoing authentication, and the trusted facts are read from it whenever the agent communicates with the Puppet master.
```ruby
#!/usr/bin/env ruby
# Autosign policy script: Puppet passes the PEM CSR on stdin;
# exit 0 means "sign", any other exit status means "refuse".
require 'openssl'

csr = OpenSSL::X509::Request.new $stdin.read
atts = csr.attributes()
if atts.empty?
  exit 1
end
key = nil
atts.each do |a|
  if (a.oid=="extReq")
    # extReq is a Set holding one Sequence of extensions; this reads only the first extension
    val = a.value.value.first.value.first.value
    if val[0].value == "1.3.6.1.4.1.34380.1.1.4"   # pp_preshared_key OID
      key = val[1].value
      key = key.chomp
    end
  end
end
if key == "banana"
  print "Match\n"
  exit 0
else
  puts "The key in the CSR is #{key}, no match."
  print "No match\n"
  exit 1
end
```
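As an added example (not from the original slides or from Puppet's own code): a Ruby script that builds a CSR carrying extension requests in the same ASN.1 shape the policy script above decodes, then reads every extension request rather than only the first, and makes the same autosign decision with a constant-time comparison. The pp_image_name OID (1.3.6.1.4.1.34380.1.1.3) is taken from Puppet's documented mapping; the preshared key 'banana' and the host names are constructed sample values.

```ruby
require 'openssl'

# OID-to-name map: 1.1.4 is the pp_preshared_key OID the script above
# checks; 1.1.3 is pp_image_name from Puppet's documented mapping.
PP_OIDS = { '1.3.6.1.4.1.34380.1.1.3' => 'pp_image_name',
            '1.3.6.1.4.1.34380.1.1.4' => 'pp_preshared_key' }.freeze

# Build a PEM CSR whose extReq attribute has the ASN.1 shape the policy
# script above decodes: Set([Sequence([Sequence([OID, OctetString]), ...])]).
def build_csr(common_name, requests)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', common_name]])
  csr.public_key = key.public_key
  exts = requests.map do |oid, value|
    OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new(oid),
                                 OpenSSL::ASN1::OctetString.new(value)])
  end
  ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(exts)])
  csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end

# Walk every extension request (the script above only reads the first)
# and return {name_or_oid => value}; unknown OIDs stay in dotted form.
def extension_requests(pem)
  csr = OpenSSL::X509::Request.new(pem)
  found = {}
  csr.attributes.each do |attr|
    next unless attr.oid == 'extReq'
    attr.value.value.first.value.each do |ext|
      oid, data = ext.value[0].value, ext.value[1].value
      found[PP_OIDS.fetch(oid, oid)] = data.chomp
    end
  end
  found
end

# Constant-time equality so a wrong key leaks no timing signal.
def same_secret?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
# Same decision as the policy script: sign only when pp_preshared_key matches.
def autosign?(pem, expected_key)
  presented = extension_requests(pem)['pp_preshared_key']
  !presented.nil? && same_secret?(presented, expected_key)
end
```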