Chapter 24. Utilizing Advantages of a Puppet Server
A Puppet server provides several features above and beyond what’s possible in a puppet apply
environment. Let’s review each of these server-based features.
Using Server Data in Your Manifests
When using a Puppet server, you gain several data sources not available to you with puppet apply.
Trusted Facts
When a node connects to the server it transmits a list of facts about the node. Unfortunately, there is no way to validate that these facts are correct. If you have conditions in your code based on node information that provide access to security-related data, the data could be accessed by a compromised node that forged its facts.
There is a new hash available named $trusted[]. It contains facts that have been validated by the server, and can be trusted to be correct.
$trusted['authenticated']
- The possible values are:
  remote - Confirms a successful validation of the remote client’s certificate
  local - Indicates that puppet apply is being used and validation is unavailable
  false - Warns that the auth.conf file is misconfigured to allow unauthenticated requests
$trusted['certname']
- This contains the certificate name validated by the Puppet server if remote, or the value of $certname in the Puppet configuration if local.
$trusted['hostname'] and $trusted['domain']
- hostname will contain the part before the first period of the certificate name, and domain will contain the remainder. This is useful when you’re using FQDN certnames, and ...
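The following added example (not from the book) shows a class that gates delivery of a credential file on the $trusted[] values described above instead of on node-supplied facts. The class name, parameter names, file path, domain list and password value are all hypothetical placeholders.

```puppet
# Added example: hypothetical profile class, not code from the book.
class profile::db_credentials (
  Array[String] $allowed_domains = ['db.example.com'],  # constructed value
  String        $db_password     = 'CHANGE-ME',         # placeholder
) {
  # Only proceed when the server validated the agent's certificate.
  # 'local' means puppet apply (no validation available); false means
  # auth.conf allows unauthenticated requests. Both stop the catalog here.
  if $trusted['authenticated'] != 'remote' {
    fail("Not delivering credentials: authenticated=${trusted['authenticated']}")
  }

  # Weak check (left commented out): $facts['domain'] is reported by the
  # node itself, so a compromised node can claim any domain it likes.
  #
  #   if $facts['domain'] in $allowed_domains { ... }

  # Stronger check: $trusted['domain'] is derived from the certificate
  # name the server validated, not from anything the node reported.
  if $trusted['domain'] in $allowed_domains {
    file { '/etc/myapp/db.conf':
      ensure    => file,
      owner     => 'root',
      group     => 'root',
      mode      => '0600',
      content   => "password=${db_password}\n",
      show_diff => false,  # keep the secret out of agent logs and reports
    }
  } else {
    # Leave an audit trail for a node that asked for this class without a
    # matching certificate, and record any disagreement with its own facts.
    notify { 'db_credentials_denied':
      message => "certname ${trusted['certname']} is outside the allowed domains (node-reported domain: ${facts['domain']})",
    }
  }
}
```

A node whose reported domain fact disagrees with $trusted['domain'] shows up in the notify message, which makes the mismatch visible in reports.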