Jeremy Adams and Lizzi Lindboe delivered this talk at PuppetConf 2015. You'll learn some REST / HTTP API basics, hear about some useful CLI tools, and get some useful examples that you can try on the Puppet Learning VM or any Puppet Enterprise install.
26. Where do I get one?
Default agent certs
SSL dir:
/etc/puppetlabs/puppet/ssl/
Certificate: certs/<agent_name>.pem
Key: private_keys/<agent_name>.pem
CA cert: certs/ca.pem
27. Where do I get one?
Make your own:
`puppet cert generate lizzi`
#demo 3
28. Components of an HTTP request
Verb: GET, PUT, POST, DELETE
URL: protocol, host, port, and route
Data: headers, body, or query params
Auth: HTTPS, certificate, key, CA certificate
29. Let’s request status with SSL now
cd /etc/puppetlabs/puppet/ssl
curl -X GET \
  --cert ./certs/lizzi.pem \
  --key ./private_keys/lizzi.pem \
  --cacert ./certs/ca.pem \
  https://learning...vm:4433/status/v1/services
#demo 4
32. Authorization
Certificate whitelist determines if certificate holder has access to an endpoint.
Status API doesn’t use a whitelist, but many other routes will, including PuppetDB routes.
34. Services Overview
[Diagram. Services: Console; status, RBAC, NC, Activity; PuppetDB; API; Puppet Server; Puppet CA. Labels: Can be configured for HTTP; Must use HTTPS. Config: rbac-certificate-whitelist, certificate-whitelist, ca.conf, pe-puppet-server.conf. Ports: :4433, :8123, :8140, :8081, :4433, :8080]
#demo 5
35. Components of an HTTP request
Verb: GET, PUT, POST, DELETE
URL: protocol, host, port, and route
Data: headers, body, or query params
Auth: HTTPS, certificate, key, CA certificate, cert whitelisting
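A preflight for the Auth pieces listed above, as an added example that is not from the talk: it checks the certificate, key and CA certificate under the SSL dir layout from slide 26, refuses a world-accessible private key, and looks the certname up in a whitelist file. The function names and the one-certname-per-line whitelist format are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk): preflight for a cert-authenticated API call.
# Assumptions: the SSL dir layout shown on slide 26, and a whitelist file that
# holds one certname per line. Function names are hypothetical.

# Succeeds only if certname $2 is an exact, whole line in whitelist file $1.
on_whitelist() {
    # -F literal match, -x whole line: "lizzi" must not match "lizzi2"
    grep -Fxq -- "$2" "$1" 2>/dev/null
}

# Usage: preflight SSL_DIR CERTNAME [WHITELIST_FILE]
# Prints the curl auth options on success, or a reason and a non-zero status.
preflight() {
    ssl_dir=$1
    name=$2
    whitelist=$3
    cert="$ssl_dir/certs/$name.pem"
    key="$ssl_dir/private_keys/$name.pem"
    ca="$ssl_dir/certs/ca.pem"

    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    done

    # Characters 8-10 of the ls mode string are the "other" permission bits.
    other=$(ls -ld "$key" | cut -c8-10)
    [ "$other" = "---" ] || { echo "private key is world-accessible: $key"; return 2; }

    # An empty whitelist argument means the route does not use one (e.g. status).
    if [ -n "$whitelist" ] && ! on_whitelist "$whitelist" "$name"; then
        echo "certname '$name' is not listed in $whitelist"
        return 3
    fi

    echo "--cert $cert --key $key --cacert $ca"
}
```
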
37. Components of an HTTP request
Verb (choose): GET, PUT, POST, DELETE
URL (need): protocol, host, port, and route
Data (might need): headers, body, or query params
Auth (can use): HTTPS and cert whitelisting
38. Let’s access some new features
API-only LDAP StartTLS feature
https://learning...vm:4433/rbac-api
GET /v1/ds > ds.json
PUT /v1/ds --data @ds.json
#demo 7,8
docs 1
41. All the APIs and their documentation
API | Features | Auth | Docs
Puppet Server | Master, certificate authority | ca.conf, auth.conf | Puppet HTTP API Guide
Console | Node groups, access control, activity logging | Certificate whitelist, cookies (UI) | Node Classifier API Endpoints; RBAC Service API Endpoints; Activity Service API Endpoints
PuppetDB | Query data, reports | Certificate whitelist | PuppetDB API Overview
42. Making it easier: tokens coming soon!
• No cert whitelist management required
• Uses access control - configurable permissions
• Doesn’t require root access to nodes, as certs do
• Only available for some APIs, rolling out for more