Jira (PUP-8539) Hiera trusted fact lookup


Henrik Lindberg (JIRA)

Mar 9, 2018, 9:41:03 PM
to puppe...@googlegroups.com
Henrik Lindberg moved an issue

Puppet / Bug PUP-8539
Hiera trusted fact lookup
Change By: Henrik Lindberg
Fix Version/s: HI 3.3.2
Affects Version/s: HI 3.3.2
Component/s: CLI
Component/s: CLI
Key: HI-590 → PUP-8539
Project: Hiera → Puppet

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

Henrik Lindberg (JIRA)

Mar 9, 2018, 9:41:03 PM
to puppe...@googlegroups.com
Henrik Lindberg updated an issue
Change By: Henrik Lindberg
Component/s: CLI
Component/s: Hiera & Lookup

Henrik Lindberg (JIRA)

Mar 9, 2018, 9:42:03 PM
to puppe...@googlegroups.com
Henrik Lindberg assigned an issue to Thomas Hallgren
Change By: Henrik Lindberg
Assignee: Thomas Hallgren

Josh Cooper (JIRA)

Mar 20, 2018, 7:59:02 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Team: Platform Core

Josh Cooper (JIRA)

Mar 20, 2018, 7:59:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sub-team: Language

Thomas Hallgren (JIRA)

Mar 22, 2018, 5:48:02 AM
to puppe...@googlegroups.com
Thomas Hallgren commented on Bug PUP-8539
 
Re: Hiera trusted fact lookup

Where does "trusted.extension.pp_role" stem from? Does a lookup --compile yield the same result? Some initialization that may affect facts doesn't take place unless a proper compile is performed (ENC initialization is one example).

Hendrik (JIRA)

Mar 22, 2018, 6:00:02 AM
to puppe...@googlegroups.com
Hendrik commented on Bug PUP-8539

I don't really understand what you mean by "stem from". But trusted.extension.pp_role is extracted from the signed SSL certificate.
Also, I cannot try the '--compile' option because I've changed jobs. I don't work there anymore...

Henrik Lindberg (JIRA)

Mar 22, 2018, 6:07:02 AM
to puppe...@googlegroups.com

Hendrik: Can you show how you did the "manual lookup"? Did you specify a node? Has that node called in to your server so that facts/parameters are available (thus storing the cert extensions)?

Henrik Lindberg (JIRA)

Mar 22, 2018, 6:12:03 AM
to puppe...@googlegroups.com

As verification that the input string is understood by Puppet:

irb
2.3.1 :001 > require 'puppet'
 => true 
2.3.1 :002 > x = Puppet::Pops::Lookup::LookupKey.new("trusted.extensions.'pp_role'")
 => #<Puppet::Pops::Lookup::LookupKey:0x00000004e128b0 @key="trusted.extensions.'pp_role'", @module_name=nil, @root_key="trusted", @segments=["extensions", "pp_role"]> 

Henrik Lindberg (JIRA)

Mar 22, 2018, 6:16:03 AM
to puppe...@googlegroups.com

Hendrik: I suggest verifying that a node with a cert carrying the extension `pp_role`, when a catalog is compiled for that node, has the expected information available in `$trusted`. A simple manifest with something like:

notify { "have extension '${trusted.extensions.pp_role}'": }

Josh Cooper (Jira)

Mar 1, 2021, 3:12:02 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-8539

It doesn't appear that interpolation of trusted data is working. Note the missing hostname in .../nodes/.yaml when looking up lookup_options and the value of foo:

Using hiera.yaml:

---
version: 5
 
defaults:
  datadir: "data"
 
hierarchy:
  - name: "Yaml backend"
    data_hash: yaml_data
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - "common.yaml"

[root@pe2021 ~]# puppet --version
7.3.0
[root@pe2021 ~]# puppet lookup foo --explain
Searching for "lookup_options"
  Global Data Provider (hiera configuration version 5)
    Using configuration "/etc/puppetlabs/puppet/hiera.yaml"
    Hierarchy entry "Classifier Configuration Data"
      No such key: "lookup_options"
  Environment Data Provider (hiera configuration version 5)
    Using configuration "/etc/puppetlabs/code/environments/production/hiera.yaml"
    Hierarchy entry "Yaml backend"
      Merge strategy hash
        Path "/etc/puppetlabs/code/environments/production/data/nodes/.yaml"
          Original path: "nodes/%{trusted.certname}.yaml"
          Path not found
        Path "/etc/puppetlabs/code/environments/production/data/common.yaml"
          Original path: "common.yaml"
          No such key: "lookup_options"
Searching for "foo"
  Global Data Provider (hiera configuration version 5)
    Using configuration "/etc/puppetlabs/puppet/hiera.yaml"
    Hierarchy entry "Classifier Configuration Data"
      No such key: "foo"
  Environment Data Provider (hiera configuration version 5)
    Using configuration "/etc/puppetlabs/code/environments/production/hiera.yaml"
    Hierarchy entry "Yaml backend"
      Path "/etc/puppetlabs/code/environments/production/data/nodes/.yaml"
        Original path: "nodes/%{trusted.certname}.yaml"
        Path not found
      Path "/etc/puppetlabs/code/environments/production/data/common.yaml"
        Original path: "common.yaml"
        No such key: "foo"


Josh Cooper (Jira)

Mar 1, 2021, 3:13:02 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Epic Link: PUP-6870

Henrik Lindberg (Jira)

Mar 2, 2021, 7:28:56 PM
to puppe...@googlegroups.com

Josh Cooper: Does it make a difference if you add --compile to the lookup command? It may be that trusted is only set when doing a compile.

Maggie Dreyer (Jira)

Apr 14, 2021, 1:27:01 PM
to puppe...@googlegroups.com
Maggie Dreyer commented on Bug PUP-8539

Josh Cooper, Mihai Buzgau: does this need more investigation? Is that something y'all can look into, or should Froyo take this into our backlog?


Josh Cooper (Jira)

May 3, 2021, 3:46:04 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-8539

Maggie Dreyer: I'm lining up an epic for trusted facts/lookup work, so we can take this one.

Henrik Lindberg: Ignore my earlier comment about trusted.certname. That part is working correctly.

Hendrik: it's not possible to reference Puppet OIDs for two reasons.

The first is that the client cert (for the node we're looking up) needs to be explicitly pushed onto the context. Otherwise you'll end up with a "remote" cert that has no extensions. That part will be fixed in PUP-8094.

The second part is that the Puppet OIDs need to be registered in order for Puppet::SSL::Certificate.custom_extensions to return them. So for this ticket, we need to make sure Puppet::SSL::Oids.register_puppet_oids is called. We've had this issue for other CLIs like puppet device and puppet ssl.

Once those are fixed, the interpolated path contains the value of the trusted extension as expected (here I'm using pp_role => "web"):

# cat  /etc/puppetlabs/puppet/hiera.yaml
---
version: 5
 
defaults:
  datadir: "data"
 
hierarchy:
  - name: "Yaml backend"
    data_hash: yaml_data
    paths:
      - "common.yaml"
      - "env/%{environment}/%{trusted.extensions.'pp_role'}.yaml"
 
# puppet ssl show --certname www | grep -A1 "Puppet Node Role"
            Puppet Node Role Name: 
                ..web
 
# puppet lookup foo --node www --explain
Searching for "lookup_options"
  Global Data Provider (hiera configuration version 5)
    Using configuration "/etc/puppetlabs/puppet/hiera.yaml"
    Hierarchy entry "Yaml backend"
      Merge strategy hash
        Path "/etc/puppetlabs/puppet/data/common.yaml"
          Original path: "common.yaml"
          Path not found
        Path "/etc/puppetlabs/puppet/data/env/production/web.yaml"
          Original path: "env/%{environment}/%{trusted.extensions.'pp_role'}.yaml"
          Path not found
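
Added illustration for this thread, covering both the irb LookupKey parse shown earlier and the path interpolation in the two lookup transcripts above. This is not Puppet's code and not a model of Puppet::Pops::Lookup::LookupKey internals; it is a simplified, stand-alone re-implementation of the two ideas the thread turns on: splitting a dotted key while honouring quoted segments (so `trusted.extensions.'pp_role'` yields the segments `["extensions", "pp_role"]` under the root `trusted`), and substituting `%{...}` references in a hierarchy path from a scope hash. It assumes the Hiera convention that a reference which resolves to nothing interpolates to an empty string, which is what produces the `nodes/.yaml` path seen in the earlier transcript when `$trusted` is not populated. The scope hashes are constructed sample data, not output from a real node; `empty_interpolations` is a hypothetical helper added here to flag such silent failures before a data file is searched for.

```ruby
# Simplified model of Hiera-style key parsing and %{...} path interpolation.
# Written as an illustration for this thread; NOT Puppet's own implementation.

# Split a dotted key into segments, honouring single/double quotes so that a
# quoted segment may itself contain dots (e.g. a raw OID) and so that
# "trusted.extensions.'pp_role'" becomes ["trusted", "extensions", "pp_role"].
def parse_lookup_key(key)
  segments = []
  buf = +''
  quote = nil
  key.each_char do |ch|
    if quote
      if ch == quote
        quote = nil          # closing quote: back to normal scanning
      else
        buf << ch            # inside quotes, dots are literal
      end
    elsif ch == "'" || ch == '"'
      quote = ch             # opening quote
    elsif ch == '.'
      segments << buf        # unquoted dot separates segments
      buf = +''
    else
      buf << ch
    end
  end
  raise ArgumentError, "unterminated quote in #{key.inspect}" if quote
  segments << buf
  segments
end

# Walk the segments through nested hashes; nil when any step is missing.
def resolve(scope, segments)
  segments.reduce(scope) do |node, seg|
    return nil unless node.is_a?(Hash)
    node[seg]
  end
end

# Replace every %{key} in a hierarchy path. Assumption (Hiera convention):
# an unresolvable reference interpolates to the empty string, which is how
# "nodes/%{trusted.certname}.yaml" silently turns into "nodes/.yaml".
def interpolate(path, scope)
  path.gsub(/%\{([^}]*)\}/) do
    value = resolve(scope, parse_lookup_key(Regexp.last_match(1)))
    value.nil? ? '' : value.to_s
  end
end

# Hypothetical check added here: list the references in a path that would
# interpolate to nothing, so a missing trusted value is noticed rather than
# quietly producing a path that will never exist.
def empty_interpolations(path, scope)
  path.scan(/%\{([^}]*)\}/).flatten.select do |key|
    resolve(scope, parse_lookup_key(key)).nil?
  end
end

# Constructed sample scopes (not captured from a real node).
# A compile where the node's own certificate, with its extensions, is on the context:
FULL_SCOPE = {
  'environment' => 'production',
  'trusted' => { 'certname' => 'www', 'extensions' => { 'pp_role' => 'web' } }
}.freeze
# A "remote" certificate with no extensions, as described in the comment above:
REMOTE_CERT_SCOPE = {
  'environment' => 'production',
  'trusted' => { 'certname' => 'www', 'extensions' => {} }
}.freeze

if __FILE__ == $PROGRAM_NAME
  path = "env/%{environment}/%{trusted.extensions.'pp_role'}.yaml"
  puts interpolate(path, FULL_SCOPE)                      # env/production/web.yaml
  puts interpolate(path, REMOTE_CERT_SCOPE)               # env/production/.yaml
  puts empty_interpolations(path, REMOTE_CERT_SCOPE).inspect  # ["trusted.extensions.'pp_role'"]
  puts interpolate('nodes/%{trusted.certname}.yaml', {})  # nodes/.yaml
end
```

Running the file prints the resolved path for the full scope, the degenerate `env/production/.yaml` for the extension-less certificate, and the name of the reference that went empty; the last line reproduces the `nodes/.yaml` symptom from the earlier transcript when no `trusted` hash is present at all.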

Josh Cooper (Jira)

May 3, 2021, 3:46:04 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Epic Link: PUP-6870 → PUP-11052

Maggie Dreyer (Jira)

May 12, 2021, 12:16:03 PM
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
Change By: Maggie Dreyer
Sub-team: Language

Maggie Dreyer (Jira)

May 12, 2021, 12:16:04 PM
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
Change By: Maggie Dreyer
Team: Froyo Coremunity

Ciprian Badescu (Jira)

Oct 6, 2021, 4:32:02 AM
to puppe...@googlegroups.com
Ciprian Badescu updated an issue
Change By: Ciprian Badescu
Story Points: 22

Ciprian Badescu (Jira)

Oct 6, 2021, 4:32:02 AM
to puppe...@googlegroups.com
Ciprian Badescu updated an issue
Change By: Ciprian Badescu
Story Points: 22 → 2

Victor Bobosila (Jira)

Oct 11, 2021, 3:59:02 AM
to puppe...@googlegroups.com

I wasn't able to reproduce this on puppet 6.23.0. Here are the steps:

  1. Created the csr_attributes.yaml on my agent node and filled it with the following contents:

     extension_requests:
         pp_role: "victor"

  2. Signed the agent certificate from the puppetserver
  3. Added the trusted fact to my hiera.yaml file:

     ---
     version: 5
     defaults:
       datadir: data
       data_hash: yaml_data
     hierarchy:
       - name: "Per-node data"
         path: "nodes/%{trusted.extensions.'pp_role'}.yaml"
       - name: "common"
         path: "common.yaml"

  4. Ran lookup from the server with the target being the agent node:

     # puppet lookup group  --node my_agent_node --explain --compile
     Searching for "group"
       Global Data Provider (hiera configuration version 5)
         No such key: "group"
       Environment Data Provider (hiera configuration version 5)
         Using configuration "/etc/puppetlabs/code/environments/production/hiera.yaml"
         Hierarchy entry "Per-node data"
           Path "/etc/puppetlabs/code/environments/production/data/nodes/victor.yaml"
             Original path: "nodes/%{trusted.extensions.pp_role}.yaml"
             Path not found
         Hierarchy entry "common"
           Path "/etc/puppetlabs/code/environments/production/data/common.yaml"
             Original path: "common.yaml"
             Found key: "group" value: "Compute Nodes

 
