puppet-prod/modules/libs/lib/facter/vault_cert_fingerprint.rb

# frozen_string_literal: true

# lib/facter/vault_cert_fingerprint.rb

Facter.add(:vault_cert_fingerprint) do
  confine kernel: 'Linux'
  setcode do
    require 'openssl'
    require 'digest'

    cert_path = '/etc/pki/tls/vault/certificate.crt'
    if File.exist?(cert_path) && File.readable?(cert_path)
      begin
        cert_content = File.read(cert_path)
        cert = OpenSSL::X509::Certificate.new(cert_content)
        # Calculate SHA256 fingerprint like incus does
        Digest::SHA256.hexdigest(cert.to_der)
      rescue StandardError
        nil
      end
    end
  end
end