
Add pp_role OID to certificates

Open bastelfreak opened this issue 2 years ago • 2 comments

Use Case

Often it's helpful to check in Puppet code whether it's running on a compiler/primary, or to use trusted data in node group rules. Puppet even documents the official pp_role OID. PEADM doesn't configure this. Only two attributes are set:

from a compiler:

# cat /etc/puppetlabs/puppet/csr_attributes.yaml
---
extension_requests:
  1.3.6.1.4.1.34380.1.3.13: pe_compiler
  1.3.6.1.4.1.34380.1.1.9813: A

from a primary:

# cat /etc/puppetlabs/puppet/csr_attributes.yaml
---
extension_requests:
  1.3.6.1.4.1.34380.1.1.9812: puppet/server
  1.3.6.1.4.1.34380.1.1.9813: A

On compilers we have 1.3.6.1.4.1.34380.1.3.13 (which is pp_auth_role), but no equivalent on primaries.

Describe the Solution You Would Like

I would like to see one trusted fact with distinct values for primary, replica and compiler, maybe pp_role. The fact and value should be configurable.

Describe Alternatives You've Considered

Of course I can manage CSR attributes on my own, but I think it makes sense to have sane defaults in PEADM.

Additional Context

Add any other context or screenshots about the feature request here.

bastelfreak avatar May 24 '23 11:05 bastelfreak
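As an added illustration (not code from the issue author or from the PEADM project) of what the request amounts to: the script below takes the two csr_attributes.yaml files shown above as constructed input, parses their extension_requests block, and merges in the Puppet-documented pp_role OID 1.3.6.1.4.1.34380.1.1.13 with a distinct, caller-chosen value per infrastructure role. The set of role names and the refusal to overwrite a conflicting existing pp_role are assumptions made here, not PEADM behaviour; the minimal YAML parser only understands the flat two-level layout the issue shows and uses no third-party library.

```python
"""Add the Puppet-documented pp_role OID to a flat csr_attributes.yaml.

Puppet registers 1.3.6.1.4.1.34380.1.1.13 as pp_role and
1.3.6.1.4.1.34380.1.3.13 as pp_auth_role. Both surface in Puppet code as
$trusted['extensions']['pp_role'] / $trusted['extensions']['pp_auth_role']
once the certificate has been signed. Everything else here is illustrative.
"""
import re

PP_ROLE_OID = "1.3.6.1.4.1.34380.1.1.13"        # Puppet-registered short name: pp_role
PP_AUTH_ROLE_OID = "1.3.6.1.4.1.34380.1.3.13"   # Puppet-registered short name: pp_auth_role

# Assumed set of PE infrastructure roles; the value written into pp_role is
# the role name itself unless the caller passes an explicit value.
ALLOWED_ROLES = ("primary", "replica", "compiler")

# Constructed input: the two files quoted in the issue, verbatim.
COMPILER_YAML = """---
extension_requests:
  1.3.6.1.4.1.34380.1.3.13: pe_compiler
  1.3.6.1.4.1.34380.1.1.9813: A
"""
PRIMARY_YAML = """---
extension_requests:
  1.3.6.1.4.1.34380.1.1.9812: puppet/server
  1.3.6.1.4.1.34380.1.1.9813: A
"""

# indent, key, value for lines of the form "  key: value" (no nesting beyond that)
_KV = re.compile(r"^(\s*)([^:#\s][^:]*):\s*(.*?)\s*$")


def parse_extension_requests(text):
    """Return the extension_requests mapping (OID -> value) from flat YAML."""
    requests = {}
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped == "---":
            continue
        m = _KV.match(line)
        if not m:
            raise ValueError("unsupported csr_attributes line: %r" % line)
        indent, key, value = m.groups()
        if not indent:                       # top-level key: start/stop the block
            in_block = key == "extension_requests"
            continue
        if in_block:
            requests[key] = value.strip("'\"")
    return requests


def render_csr_attributes(requests):
    """Serialise the mapping back to csr_attributes.yaml text (OIDs sorted)."""
    lines = ["---", "extension_requests:"]
    for oid in sorted(requests):
        lines.append("  %s: %s" % (oid, requests[oid]))
    return "\n".join(lines) + "\n"


def add_pp_role(text, role, value=None):
    """Merge pp_role into existing csr_attributes.yaml text.

    Refuses unknown roles and refuses to silently change an already-present
    pp_role to a different value, since that would need a cert regeneration.
    """
    if role not in ALLOWED_ROLES:
        raise ValueError("unknown role %r; expected one of %s" % (role, ALLOWED_ROLES))
    wanted = value if value is not None else role
    requests = parse_extension_requests(text)
    current = requests.get(PP_ROLE_OID)
    if current is not None and current != wanted:
        raise ValueError("pp_role already set to %r, refusing to change it to %r"
                         % (current, wanted))
    requests[PP_ROLE_OID] = wanted
    return render_csr_attributes(requests)


def role_from_csr_attributes(text):
    """The pp_role value a CSR built from this file would carry, or None."""
    return parse_extension_requests(text).get(PP_ROLE_OID)


if __name__ == "__main__":
    print(add_pp_role(COMPILER_YAML, "compiler"))
    print(add_pp_role(PRIMARY_YAML, "primary"))
```

The caveat a practitioner would want: Puppet only reads csr_attributes.yaml when it generates a CSR, so adding pp_role to a node that already holds a signed certificate has no effect until that certificate is revoked and re-requested; that is why the merge above refuses to change an existing value rather than quietly rewriting the file.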