阶段性学习puppet rest的api接口

虽然很是喜欢saltstack,但是公司还是存在大量的puppet做资源统一,在一定程度上puppet做资源的统一话管理要比saltstack优秀的。  saltstack优秀是实时命令,以及各种模块的二次开发。

这两天抽出时间,把puppet的api都实践一下,最好能自己开发点puppet的模块,在lvs平台中,不用非要安装同步saltstack了,毕竟不是谁都愿意系统中跑着两个集群的工具。

puppet提供了http的接口,可以实现配置的下发,状态的获取,文件的推送,状态推送等等。 利用这些接口,我们还是可以用python来urllib2模块,来操作这些了。不知道这样算不算puppet 二次开发了。 应该算是扩展性的puppet开发吧。。。 呵呵 ,不多说了,开始学习吧 !

但是看归看,我的心还是在saltstack !

官方的文档:

http://docs.puppetlabs.com/guides/rest_api.html

HTTP API

Both puppet master and puppet agent have pseudo-RESTful HTTP API’s that they use to communicate. The basic structure of the url to access this API is

Details about what resources are available and the formats they return are below.

HTTP API Security

Puppet usually takes care of security and SSL certificate management for you, but if you want to use the HTTP API outside of that you’ll need to manage certificates yourself when you connect. This can be done by using a pre-existing signed agent certificate, by generating and signing a certificate on the puppet master and manually distributing it to the connecting host, or by re-implementing puppet agent’s generate / submit signing request / received signed certificate behavior in your custom app.

The security policy for the HTTP API can be controlled through the rest_authconfig file. For testing purposes, it is also possible to permit unauthenticated connections from all hosts or a subset of hosts; see the rest_authconfigdocumentation for more details.

Testing the HTTP API using curl

An example of how you can use the HTTP API to retrieve the catalog for a node can be seen using curl.

Most of this command consists of pointing curl to the appropriate SSL certificates, which will be different depending on your ssldir location and your node’s certname. For simplicity and brevity, future invocations of curl will be provided in insecure mode, which is specified with the -k or –insecure flag. Insecure connections can be enabled for one or more nodes in the rest_authconfig file. The above curl invocation without certificates would be as follows:

Basically we just send a header specifying the format or formats we want back, and the HTTP URI for getting a catalog for mymachine in the production environment. Here’s a snippet of the output you might get back:

Another example to get back the CA Certificate of the puppetmaster doesn’t require you to be authenticated with your own signed SSL Certificates, since that’s something you would need before you authenticate.

The master and agent shared API

Resources

Returns a list of resources, like executing puppet resource (ralsh) on the command line.

GET /{environment}/resource/{resource_type}/{resource_name}

GET /{environment}/resources/{resource_type}

Example:

Certificate

Get a certficate or the master’s CA certificate.

GET /certificate/{ca, other}

Example:

The master HTTP API

A valid and signed certificate is required to retrieve these resources.

Catalogs

Get a catalog from the node.

GET /{environment}/catalog/{node certificate name}

Example:

Certificate Revocation List

Get the certificate revocation list.

GET {environment}/certificate_revocation_list/ca

Example:

Certificate Request

Retrieve or save certificate requests.

GET /{environment}/certificate_requests/no_key

GET /{environment}/certificate_request/{node certificate name}

PUT /{environment}/certificate_request/no_key

Example:

To manually generate a CSR from an existing private key:

The subject can only include a /CN=, nothing else. Puppet master will determine the certname from the body of the cert, so the request can be pointed to any key for this endpoint.

Certificate Status

Puppet 2.7.0 and later.

Read or alter the status of a certificate or pending certificate request. This endpoint is roughly equivalent to the puppet cert command; rather than returning complete certificates, signing requests, or revocation lists, this endpoint returns information about the various certificates (and potential and former certificates) known to the CA.

GET /{environment}/certificate_status/{certname}

Retrieve a PSON hash containing information about the specified host’s certificate. Similar to puppet cert –list {certname}.

GET /{environment}/certificate_statuses/no_key

Retrieve a list of PSON hashes containing information about all known certificates. Similar to puppet cert –list –all.

PUT /{environment}/certificate_status/{certname}

Change the status of the specified host’s certificate. The desired state is sent in the body of the PUT request as a one-item PSON hash; the two allowed complete hashes are {“desired_state”:”signed”} (for signing a certificate signing request; similar to puppet cert –sign) and {“desired_state”:”revoked”} (for revoking a certificate; similar to puppet cert –revoke); see examples below for details.

When revoking certificates, you may wish to use a DELETE request instead, which will also clean up other info about the host.

DELETE /{environment}/certificate_status/{hostname}

Cause the certificate authority to discard all SSL information regarding a host (including any certificates, certificate requests, and keys). This does not revoke the certificate if one is present; if you wish to emulate the behavior ofpuppet cert –clean, you must PUT a desired_state of revoked before deleting the host’s SSL information.

Examples:

Reports

Submit a report.

PUT /{environment}/report/{node certificate name}

Example:

Resource Types

Return a list of resources from the master

GET /{environment}/resource_type/{hostclass,definition,node}

GET /{environment}/resource_types/*

Example:

File Bucket

Get or put a file into the file bucket.

GET /{environment}/file_bucket_file/md5/{checksum}

PUT /{environment}/file_bucket_file/md5/{checksum}

GET /{environment}/file_bucket_file/md5/{checksum}?diff_with={checksum} (diff 2 files; Puppet 2.6.5 and later)

HEAD /{environment}/file_bucket_file/md5/{checksum} (determine if a file is present; Puppet 2.6.5 and later)

Examples:

File Server

Get a file from the file server.

GET /file_{metadata, content}/{file}

File serving is covered in more depth in the fileserver configuration documentation

Node

Returns the Puppet::Node information (including facts) for the specified node

GET /{environment}/node/{node certificate name}

Example:

Status

Just used for testing

GET /{environment}/status/no_key

Example:

Facts

GET /{environment}/facts/{node certname}

PUT /{environment}/facts/{node certname}

GET /{environment}/facts_search/search?{facts search string}

Facts search strings are constructed as a series of terms separated by &; if there is more than one term, the search combines the terms with boolean AND. There is currently no API for searching with boolean OR. Each term is composed as follows:

If you leave off the .{comparison type}, the comparison will default to simple equality. The following comparison types are available:

String/general comparison

  • eq — == (default)
  • ne — !=

Numeric comparison

  • lt — <
  • le — <=
  • gt — >
  • ge — >=

The agent HTTP API

By default, puppet agent is set not to listen to HTTP requests. To enable this you must set listen = true in the puppet.conf or pass –listen true to puppet agent when starting. Due to a known bug in the 2.6.x releases of Puppet, puppet agent will not start with listen = true unless a namespaceauth.conf file exists, even though this file is not consulted. The node’s rest_authconfig file must also allow access to the agent’s resources, which isn’t permitted by default.

Facts

GET /{environment}/facts/no_key

Example:

Run

Cause the client to update like puppetrun or puppet kick

PUT /{environment}/run/no_key

Example:


对Golang感兴趣的朋友可以加群: 278517979 !!!
另外如果大家觉得文章对你有些作用! 如果想赏钱,可以用微信扫描下面的二维码, 感谢!
另外再次标注博客原地址  xiaorui.cc

发表评论

电子邮件地址不会被公开。 必填项已用*标注

您可以使用这些HTML标签和属性: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">