Puppet Concise Tutorial

Puppet - RESTful API

Puppet uses a RESTful API as the communication channel between the Puppet master and the Puppet agents. The following are the basic URLs for accessing this RESTful API.

https://brcleprod001:8140/{environment}/{resource}/{key}
https://brcleprod001:8139/{environment}/{resource}/{key}

REST API Security

Puppet usually takes care of security and SSL certificate management. However, to use the RESTful API from outside the cluster, you need to manage the certificates yourself when connecting to a machine. The security policy for Puppet can be configured through the rest_authconfig file.

Testing REST API

The curl utility can be used as a basic tool to test RESTful API connectivity. The following is an example of how to retrieve the catalog of a node using the REST API with curl.

curl --cert /etc/puppet/ssl/certs/brcleprod001.pem \
   --key /etc/puppet/ssl/private_keys/brcleprod001.pem

The options above only set the SSL certificate and private key; their paths differ depending on where the SSL directory is and the name of the node being used. For example, let's look at the following command.

curl --insecure -H 'Accept: yaml' \
   https://brcleprod002:8140/production/catalog/brcleprod001

In the above command, we send a header specifying the format or formats we want back, and a RESTful URL for generating the catalog of brcleprod001 in the production environment. It generates the following output.

--- &id001 !ruby/object:Puppet::Resource::Catalog
aliases: {}
applying: false
classes: []
...
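An added example, not part of the original tutorial: a shell helper that combines the --cert/--key options and the catalog URL shown above, and verifies the master against the Puppet CA with --cacert instead of --insecure. The ca.pem location under the SSL directory, the function names and the PUPPET_API_EXEC switch are assumptions.

```shell
# Added example. Assumed SSL directory layout:
#   certs/ca.pem, certs/<certname>.pem, private_keys/<certname>.pem
SSLDIR="${SSLDIR:-/etc/puppet/ssl}"

# Reject values that could change the host or path of the request URL.
_safe() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.|..) return 1 ;;
    esac
}

# puppet_api_get MASTER CERTNAME ENVIRONMENT RESOURCE KEY [ACCEPT]
# Prints the curl command for display; PUPPET_API_EXEC=1 runs it instead.
puppet_api_get() {
    master=$1; certname=$2; environment=$3; resource=$4; key=$5
    accept=${6:-pson}
    for part in "$master" "$certname" "$environment" "$resource" "$key"; do
        _safe "$part" || { echo "unsafe value: $part" >&2; return 2; }
    done
    ca="$SSLDIR/certs/ca.pem"
    cert="$SSLDIR/certs/$certname.pem"
    pkey="$SSLDIR/private_keys/$certname.pem"
    for f in "$ca" "$cert" "$pkey"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 3; }
    done
    # The private key must not be accessible to group or others.
    if [ "$(ls -ld "$pkey" | cut -c5-10)" != "------" ]; then
        echo "private key permissions too open: $pkey" >&2
        return 4
    fi
    url="https://$master:8140/$environment/$resource/$key"
    # --cacert pins trust to the Puppet CA; no --insecure / -k is used.
    set -- curl --fail --silent --show-error \
        --cacert "$ca" --cert "$cert" --key "$pkey" \
        -H "Accept: $accept" "$url"
    if [ "${PUPPET_API_EXEC:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}
```

For the catalog request above, the call would be `puppet_api_get brcleprod002 brcleprod001 production catalog brcleprod001 yaml`.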

As another example, suppose we want to get the CA certificate back from the Puppet master. This request does not need to be authenticated with the node's own signed SSL certificate, since the CA certificate is something that is required before being authenticated.

curl --insecure -H 'Accept: s' https://brcleprod001:8140/production/certificate/ca

-----BEGIN CERTIFICATE-----
MIICHTCCAYagAwIBAgIBATANBgkqhkiG9w0BAQUFADAXMRUwEwYDVQQDDAxwdXBw

Puppet Master and Agent Shared API Reference

GET /certificate/{ca, other}

curl -k -H "Accept: s" https://brcleprod001:8140/production/certificate/ca
curl -k -H "Accept: s" https://brcleprod002:8139/production/certificate/brcleprod002

Puppet Master API Reference

Authenticated Resources (Valid, signed certificate required).

Catalogs

GET /{environment}/catalog/{node certificate name}

curl -k -H "Accept: pson" https://brcleprod001:8140/production/catalog/myclient

Certificate Revocation List

GET /certificate_revocation_list/ca

curl -k -H "Accept: s" https://brcleprod001:8140/production/certificate_revocation_list/ca

Certificate Request

GET /{environment}/certificate_requests/{anything}
GET /{environment}/certificate_request/{node certificate name}

curl -k -H "Accept: yaml" https://brcleprod001:8140/production/certificate_requests/all
curl -k -H "Accept: yaml" https://brcleprod001:8140/production/certificate_request/puppetclient

Reports − Submit a Report

PUT /{environment}/report/{node certificate name}

curl -k -X PUT -H "Content-Type: text/yaml" -d "{key:value}" https://brcleprod002:8139/production

Node − Facts Regarding a Specific Node

GET /{environment}/node/{node certificate name}

curl -k -H "Accept: yaml" https://brcleprod002:8140/production/node/puppetclient

Status − Used for Testing

GET /{environment}/status/{anything}

curl -k -H "Accept: pson" https://brcleprod002:8140/production/status/puppetclient

Puppet Agent API Reference

When a new agent is set up on any machine, the Puppet agent does not listen for HTTP requests by default. Listening needs to be enabled by adding "listen=true" to the puppet.conf file. This makes the Puppet agent listen for HTTP requests when it starts up.

Facts

GET /{environment}/facts/{anything}

curl -k -H "Accept: yaml" https://brcleprod002:8139/production/facts/{anything}

Run − Causes the client to update, like puppetrun or puppet kick.

PUT /{environment}/run/{node certificate name}

curl -k -X PUT -H "Content-Type: text/pson" -d "{}" \
   https://brcleprod002:8139/production/run/{anything}