Does anyone setup custom facts at provision time?

Hello all,

I’m curious if anyone is doing some fancy stuff like asserting Puppet Facts (such as Role, Org, Location) at provision time.

I find myself asking about how to tackle the chicken/egg problem of wanting to use Hiera data based on Roles (in a role/profile pattern). The only way Hiera can see a system’s role is if there’s a role fact established. The only way to establish a role fact is to have puppet run once, which deploys the fact and populates it, then have puppet run again and process based on the presence of that fact.

Some ppl in the Puppet Slack Channel have suggested using the pp_role OID as a trusted fact. But this does not solve the chicken+egg initiation problem.

My thought is that using a provisioning template which uses ERB to add Foreman Param Data to some custom fact yaml files into /etc/puppetlabs/facter/facts.d. A hostgroup could have a role class inclusion and a param set to define the role, new hosts provisioned inside that group would have that role param value inserted into a /etc/puppetlabs/facter/facts.d/role.yaml file.

I know there are some Foreman folks using role/profile patterns. What do you think about this or how do you handle the initiation issue?


1 Like


possibly only half-helpfull comment here, since we actually do not set custom facts during provisioning time.
Right of my mind, I could imagine three possible way to tackle this:

  • The one you already mentioned, using a template to read variables from the hostgroup and set them in facts.d. That would probably be the way I would tackle this, since it is straight-forward and does not have a lot of tripping stones.
  • The other way would also include a template reading variables from Foreman, but this time writing them out to be included in the puppet agents client certificate as trusted facts (what I think is what the Puppet folks wanted to tell you to). That way the fact would also be accessible at first run. The upside and downside of this aproach (depending on how you look at this), is that the fact can not be changed afterwards without generating a new client certificate.
  • The third way I can think of is just getting the required information from Foreman ENC directly. This of course requires Foreman beeing your Puppet ENC.