Chapter 24. Utilizing Advantages of a Puppet Server

A Puppet server provides several features above and beyond what’s possible in a puppet apply environment. Let’s review each of these server-based features.

Using Server Data in Your Manifests

When using a Puppet server, you gain several data sources not available to you with puppet apply.

Trusted Facts

When a node connects to the server, it transmits a list of facts about the node. Unfortunately, there is no way to validate that these facts are correct. If conditions in your code use node information to grant access to security-related data, a compromised node that forged its facts could access that data.

There is a new hash available named $trusted[]. It contains facts that have been validated by the server, and can be trusted to be correct.

$trusted['authenticated']

The possible values are:

remote
Confirms a successful validation of the remote client’s certificate
local
Indicates that puppet apply is being used and validation is unavailable
false
Warns that the auth.conf file is misconfigured to allow unauthenticated requests
$trusted['certname']
This contains the certificate name validated by the Puppet server if remote, or the value of $certname in the Puppet configuration if local.
$trusted['hostname'] and $trusted['domain']
hostname will contain the part before the first period of the certificate name, and domain will contain the remainder. This is useful when you’re using FQDN certnames, and ...
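
The following manifest is an added example, not code from the book. It shows a security-related resource gated on the server-validated $trusted hash instead of agent-reported facts. The class name, parameter, file path and domain are hypothetical.

```puppet
# Added example: hand out a credential only to nodes whose identity
# the Puppet server has validated. All names below are hypothetical.
class profile::db_credentials (
  String $db_password,   # assumed to be supplied through Hiera
) {
  $auth = $trusted['authenticated']

  # 'local' means puppet apply: certname comes from local configuration
  # and has not been validated by a server.
  if $auth == 'local' {
    fail('profile::db_credentials requires a catalog compiled by a Puppet server')
  }
  # Anything other than 'remote' (that is, false) means auth.conf
  # allowed an unauthenticated request.
  elsif $auth != 'remote' {
    fail('Unauthenticated catalog request: review auth.conf on the Puppet server')
  }

  # Weak form, shown for contrast: this value is reported by the agent,
  # so a compromised node can forge it.
  #   if $facts['networking']['domain'] == 'db.example.com' { ... }

  # Stronger form: domain is derived from the validated certificate name.
  if $trusted['domain'] == 'db.example.com' {
    file { '/etc/myapp/db.secret':
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0600',
      content => $db_password,
    }
  } else {
    fail("Node ${trusted['certname']} is not permitted to receive database credentials")
  }
}
```

The domain comparison is only as strong as the certificate signing process: it assumes certificates are signed only for certnames that the requesting node is entitled to use.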
