Puppet Community

I highly recommend setting as much as possible via hiera, and not via node groups

```$git_env = $::server_facts[environment]
 if (($git_env == 'development') or ($git_env == 'dev_puppet')) {
    $activation_key = 'centosdevkey'
  }
  elsif ($git_env == 'test') {
    $activation_key = 'centostestkey'
  }
  elsif ($git_env == 'acceptance') {
    $activation_key = 'centosacpkey'
  }
  elsif ($git_env == 'production') {
    $activation_key = 'centosprdkey'
  }```


So what I'm in the process of doing is removing the different `server_facts[environment]`  settings, and switching to a single environment.

But I need to still assign different `$activation_keys`

if possible I would turn `$activation_key` into a class parameter and configure it in hiera

so do that rather than determine the activiation key by the hostname? Because I can do that.  I have a naming standard that allows me to determine that.

But statically doing it with hiera is better?

if you can set it via hostname, maybe put the logic in the class that uses the variable and don't use hiera at all

then you're calculating the value, you don't set it statically

I usually prefer such patterns because that makes it (sometimes) more future proof, but that always depends on the infrastructure

If you don't want to use hiera, you can set the parameter in the console per node group.  Hiera is infinitely better, though.

I am not sure if certname is a fact, but you can always make some
for example, lets assume all your nodes format xxxYYY where YYY is tier
```Facter.add(:certname) do
  setcode do
    Puppet.settings[:certname]
  end
end
Facter.add(:tier) do
  setcode do
    certname = Facter.value(:certname)
    if certname =~ /^\w{3}(\w{3})/i
      $1
    else
      nil
    end
  end
end```

I have this code for ages, not sure what was wrong with it in version 3, I guess
```# Provide backup value for clientcert
Facter.add(:clientcert) do
  has_weight 10
  setcode do
    Puppet.settings[:certname]
  end
end```

that does get the certname from puppet.conf and if that's not configured the default? Or does it actually check what's in the certificate as common name?

but for some reasons it was empty in some cases, so we added that

bunch of old code no one has time  to rewrite

and, if I am not mistaken, $trusted is not correct for puppet apply

as far as I know it works if the node has a cert (which often isn't the case)

then in your hiera.yaml you would do
```    paths:
      - "tiers/%{facts.tier}.yaml"```

of facts that are used to assign data/classes I highly recommend using trusted facts/server side facts instead. An agent can manipulate their own facts and potentially request code that's not meant for it

hence suggestion to use cert extension before

if you don't have a `tier` entry in your certificate it's quite easy to update the csr_attributes and create a new cert

<https://github.com/voxpupuli/puppet-puppet_certificate>

wait `%{facts.tier}.yaml` - that would interpolate a _fact_ called `tier`?

(keep in mind that this is hiera code/logic)