Support Puppet Catalog Diff #73

Open
alexjfisher opened this issue Oct 8, 2020 · 3 comments

alexjfisher commented Oct 8, 2020

Every time node_encrypt is called it produces a different value. This isn't great when trying to use Puppet Catalog Diff.

The best thought I've had so far is the function returning a sha1 hash if it detects catalog compilation caused by catalog diff.

Certificate extensions are available in the trusted facts, so maybe we could check these? That would work for the /puppet/v3/catalog endpoint without modifications to catalog-diff. Dunno if there's any way a function can determine if the Puppet 6.2+ certless endpoint was used.

@raphink Any better ideas?

raphink commented Jan 18, 2021

I don't use node_encrypt personally, but I don't think it's very elegant to make it aware of the existence of Catalog Diff (especially using extensions).

One thing you could do in Catalog Diff is to exclude parameters that are affected. I can't really think of a better option at this point.

@alexjfisher

Excluding the parameter would mean hiding when content has actually changed. I don't want or expect to see the old and new content, but I do need to know if the file's content has changed or not. Generating a trivial hash when being compiled for a diffing tool (Catalog Diff/octocatalog-diff) does work pretty well for this.

Maybe using extensions is too magic. But I think this still requires something like a 'magic' cert name.
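
The behaviour discussed in the comments above, as an added Ruby example that is not part of the thread and is not node_encrypt's code: randomized encryption makes every compile look changed to a diff tool, while a deterministic SHA-1 marker reports only real content changes. `randomized_encrypt` is an AES-GCM stand-in, and `compile`, its `diff_mode:` flag, `changed_resources` and the sample file paths and secrets are hypothetical; how a diff compile would be detected is left open, as it is in the thread.

```ruby
require 'openssl'
require 'digest'
require 'base64'

# Stand-in for node_encrypt (assumption: NOT its real implementation).
# Like any randomized encryption, the same plaintext gives a new ciphertext per call.
DEMO_KEY = OpenSSL::Random.random_bytes(32) # constructed demo key

def randomized_encrypt(plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = DEMO_KEY
  iv = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  Base64.strict_encode64(iv + ciphertext + cipher.auth_tag)
end

# Deterministic marker as proposed in the issue, emitted only for diff compiles.
def diff_marker(plaintext)
  "sha1:#{Digest::SHA1.hexdigest(plaintext)}"
end

# Hypothetical compile step: maps resource title => content parameter.
def compile(secrets, diff_mode:)
  secrets.transform_values { |v| diff_mode ? diff_marker(v) : randomized_encrypt(v) }
end

# Minimal catalog diff: titles whose content parameter differs.
def changed_resources(old_catalog, new_catalog)
  (old_catalog.keys | new_catalog.keys)
    .reject { |title| old_catalog[title] == new_catalog[title] }
    .sort
end

# Constructed sample data: one secret is rotated between OLD and NEW.
OLD = { '/etc/app/db.pass' => 'hunter2', '/etc/app/api.key' => 'abc123' }.freeze
NEW = OLD.merge('/etc/app/api.key' => 'rotated456').freeze

if __FILE__ == $PROGRAM_NAME
  # Same secrets, normal compile: every resource shows up as changed.
  p changed_resources(compile(OLD, diff_mode: false), compile(OLD, diff_mode: false))
  # Same secrets, diff compile: nothing reported.
  p changed_resources(compile(OLD, diff_mode: true), compile(OLD, diff_mode: true))
  # Rotated secret, diff compile: only the rotated file is reported.
  p changed_resources(compile(OLD, diff_mode: true), compile(NEW, diff_mode: true))
end
```

An unkeyed digest of a short or guessable secret can be checked against candidate values by anyone who can read the diff output, so access to diff catalogs should be restricted like the secrets themselves, or the marker replaced with a keyed digest such as `OpenSSL::HMAC.hexdigest`.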

@binford2k

@bastelfreak is working on this because the changing intermediate value also blows up PuppetDB in some pathological cases.
