Use Case
Often it's helpful to check in Puppet code whether it's running on a compiler/primary, or to use trusted data in node group rules. Puppet even documents the official pp_role OID. PEADM doesn't configure this. Only two attributes are set:
from a compiler:
# cat /etc/puppetlabs/puppet/csr_attributes.yaml
---
extension_requests:
  1.3.6.1.4.1.34380.1.3.13: pe_compiler
  1.3.6.1.4.1.34380.1.1.9813: A
from a primary:
# cat /etc/puppetlabs/puppet/csr_attributes.yaml
---
extension_requests:
  1.3.6.1.4.1.34380.1.1.9812: puppet/server
  1.3.6.1.4.1.34380.1.1.9813: A
On compilers we have 1.3.6.1.4.1.34380.1.3.13 (which is pp_auth_role), but no equivalent on primaries.
Describe the Solution You Would Like
I would like to see one trusted fact with distinct values for primary, replica and compiler, maybe pp_role. The fact and value should be configurable.
Describe Alternatives You've Considered
Of course I can manage CSR attributes on my own, but I think it makes sense to have sane defaults in PEADM.
Additional Context
Add any other context or screenshots about the feature request here.
A bit of backstory: there is currently no reliable way that I am aware of to figure out whether a node is a primary. Support once suggested the pe_status_check_role fact. The problem is that it parses classes.txt. This is an issue for two reasons:
It lives in a cache directory, so we cannot always expect that the file exists.
It is a fact that an attacker could manipulate. Trusted data from the certificate cannot be manipulated in this way.
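As an added illustration, not code from the issue or from PEADM, the two approaches the comment contrasts, side by side in Puppet code: the fact-based role check beside a check on the trusted certificate extension the request asks for. The pp_role values pe_primary, pe_replica and pe_compiler are assumed here, not PEADM defaults.

```puppet
# Constructed example. Assumes each PE infrastructure node requested its
# certificate with csr_attributes.yaml setting pp_role
# (1.3.6.1.4.1.34380.1.1.13) to pe_primary, pe_replica or pe_compiler.

# Weak: pe_status_check_role is an ordinary fact. It is derived from
# classes.txt in the agent's cache directory, may simply be missing, and
# whoever controls the agent can report any value they like.
$role_from_fact = $facts['pe_status_check_role']

# Trusted: pp_role is read from the node's signed certificate, so it can
# only change when the CA signs a new certificate for that node.
$role_from_cert = $trusted['extensions']['pp_role']   # undef when not set

# Fail closed: a node without pp_role in its certificate is never treated
# as infrastructure, whatever the fact claims.
$infra_role = $role_from_cert ? {
  'pe_primary'  => 'primary',
  'pe_replica'  => 'replica',
  'pe_compiler' => 'compiler',
  default       => undef,
}

if $infra_role {
  notify { "trusted infrastructure role: ${infra_role}": }
} elsif $role_from_fact {
  # Worth surfacing: the fact claims a role the certificate does not back.
  notify { "untrusted role claim ignored: ${role_from_fact}": }
}
```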