From 9b1241f6839272345ffcbf39e4126f0d0dedffff Mon Sep 17 00:00:00 2001
From: rvasikarla <rvasikarla@splunk.com>
Date: Sun, 5 Apr 2026 18:51:21 -0500
Subject: [PATCH] fix: do not treat clientcert as a legacy network fact in
 puppet lookup

Remove clientcert from TRUSTED_INFORMATION_FACTS so that its presence
in a --facts file does not require hostname, domain, and fqdn to also
be present.

clientcert is not a facter fact but is set by puppet agent. In puppet 8,
legacy facts (hostname, domain, fqdn) are no longer calculated by
default, but clientcert is still present in cached facts. This caused
puppet lookup to fail with 'they must all be overridden' when using
cached facts.

Fixes #9564
---
 lib/puppet/application/lookup.rb     |  2 +-
 spec/unit/application/lookup_spec.rb | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/lib/puppet/application/lookup.rb b/lib/puppet/application/lookup.rb
index e250725ed18..9a2d1586797 100644
--- a/lib/puppet/application/lookup.rb
+++ b/lib/puppet/application/lookup.rb
@@ -9,7 +9,7 @@
 class Puppet::Application::Lookup < Puppet::Application
   RUN_HELP = _("Run 'puppet lookup --help' for more details").freeze
   DEEP_MERGE_OPTIONS = '--knock-out-prefix, --sort-merged-arrays, and --merge-hash-arrays'
-  TRUSTED_INFORMATION_FACTS = %w[hostname domain fqdn clientcert].freeze
+  TRUSTED_INFORMATION_FACTS = %w[hostname domain fqdn].freeze
 
   run_mode :server
 
diff --git a/spec/unit/application/lookup_spec.rb b/spec/unit/application/lookup_spec.rb
index 1a1cd54169e..eae598c6135 100644
--- a/spec/unit/application/lookup_spec.rb
+++ b/spec/unit/application/lookup_spec.rb
@@ -659,7 +659,7 @@ def run_lookup(lookup)
 
           expect {
             lookup.run_command
-          }.to raise_error(/When overriding any of the hostname,domain,fqdn,clientcert facts with #{file_path} given via the --facts flag, they must all be overridden./)
+          }.to raise_error(/When overriding any of the hostname,domain,fqdn facts with #{file_path} given via the --facts flag, they must all be overridden./)
         end
 
         it 'does not fail when all trusted information facts are provided via --facts file' do
@@ -668,6 +668,18 @@ def run_lookup(lookup)
             fqdn: some.fqdn.com
             hostname: some.hostname
             domain: some.domain
+          CONTENT
+          lookup.options[:fact_file] = file_path
+
+          expect {
+            lookup.run_command
+          }.to exit_with(0)
+           .and output(/This is in facts hash/).to_stdout
+        end
+
+        it 'does not fail when clientcert is provided without other trusted facts' do
+          file_path = file_containing('facts.yaml', <<~CONTENT)
+            ---
             clientcert: some.clientcert
           CONTENT
           lookup.options[:fact_file] = file_path