Red Cricket

Reputation: 10470

How to automate adding a Node to a Group?

I have just switched to Puppet Enterprise 3.8 from PE 3.3. I used to use the rake API to create my groups, classes and nodes. This no longer works in PE 3.8 and there does not appear to be any documented way, other than using the dashboard (https://docs.puppetlabs.com/pe/latest/console_classes_groups.html#adding-nodes-to-a-node-group), to add nodes to a given group.

Can someone point me to some documentation of how one automates the adding of nodes to a group?

Upvotes: 2

Views: 1569

Answers (1)

steveax

Reputation: 17753

You can use the Node Classifier API to add groups, or add nodes to a group. You'll need to run these curl commands on the master and include the correct certs with the requests. In the commands below, replace "fqdn" with the fully qualified domain name of your master.

Create a Group named "foo" that is a child of the default group

curl -X POST -H 'Content-Type: application/json' \
  --cert /etc/puppetlabs/puppet/ssl/certs/fqdn.pem \
  --key /etc/puppetlabs/puppet/ssl/private_keys/fqdn.pem \
  --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \
  -d '{ "name": "foo",
        "parent": "00000000-0000-4000-8000-000000000000",
        "environment": "production",
        "classes": {}
      }' \
  https://fqdn:4433/classifier-api/v1/groups

Get all groups so we can get the ID of the newly created group

curl 'https://fqdn:4433/classifier-api/v1/groups' \
   -H "Content-Type: application/json" \
   --cert /etc/puppetlabs/puppet/ssl/certs/fqdn.pem \
   --key /etc/puppetlabs/puppet/ssl/private_keys/fqdn.pem \
   --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem

The response to that request will contain the newly created group:

{
  "environment_trumps": false,
  "parent": "00000000-0000-4000-8000-000000000000",
  "name": "foo",
  "variables": {},
  "id": "085e2797-32f3-4920-9412-8e9decf4ef65",
  "environment": "production",
  "classes": {}
},

Modify the new group to "pin" a node

curl -X POST -H 'Content-Type: application/json' \
  --cert /etc/puppetlabs/puppet/ssl/certs/fqdn.pem \
  --key /etc/puppetlabs/puppet/ssl/private_keys/fqdn.pem \
  --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \
  -d '{ "rule": ["or", ["=", "name", "u38a.vm"]] }' \
  https://fqdn:4433/classifier-api/v1/groups/085e2797-32f3-4920-9412-8e9decf4ef65

Modify the new group to "pin" another node (you must supply the complete new rule)

curl -X POST -H 'Content-Type: application/json' \
  --cert /etc/puppetlabs/puppet/ssl/certs/fqdn.pem \
  --key /etc/puppetlabs/puppet/ssl/private_keys/fqdn.pem \
  --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \
  -d '{ "rule": ["or", ["=", "name", "u38a.vm"], ["=", "name", "u38.vm"]] }' \
  https://fqdn:4433/classifier-api/v1/groups/085e2797-32f3-4920-9412-8e9decf4ef65

Update 2016-04-12

As of Puppet Enterprise 2016.1.1 you can use the new pin/unpin endpoints of the classifier API to do this much more easily:

To pin nodes

curl -X POST -H 'Content-Type: application/json' \
  --cert $(puppet config print hostcert) \
  --key $(puppet config print hostprivkey) \
  --cacert $(puppet config print localcacert) \
  -d '{"nodes": ["foo.tld", "bar.tld", "baz.tld"]}' \
  https://$HOSTNAME:4433/classifier-api/v1/groups/<group id>/pin

To unpin nodes

curl -X POST -H 'Content-Type: application/json' \
  --cert $(puppet config print hostcert) \
  --key $(puppet config print hostprivkey) \
  --cacert $(puppet config print localcacert) \
  -d '{"nodes": ["foo.tld", "bar.tld", "baz.tld"]}' \
  https://$HOSTNAME:4433/classifier-api/v1/groups/<group id>/unpin

To unpin nodes from all groups

Use the new (tech preview) commands/unpin-from-all endpoint:

curl -X POST -H 'Content-Type: application/json' \
  --cert $(puppet config print hostcert) \
  --key $(puppet config print hostprivkey) \
  --cacert $(puppet config print localcacert) \
  -d '{"nodes": ["foo.tld", "bar.tld", "baz.tld"]}' \
  https://$HOSTNAME:4433/classifier-api/v1/commands/unpin-from-all

With all of these endpoints, you can also generate a token and supply that rather than using cert-based auth.

Upvotes: 4
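The answer's pre-2016.1.1 method requires posting the complete new rule each time a node is pinned, so an automated caller has to read the group's current rule and merge into it. The following is an added example, not part of the original answer: it computes that rule idempotently and builds the same POST the curl commands send. The function names are hypothetical, and wrapping an existing non-"or" rule inside a new "or" is an assumption about how you want to preserve a group's other conditions.

```python
import json
import ssl
import urllib.request

def pin_clause(certname):
    """The clause the answer uses to pin one node by name."""
    return ["=", "name", certname]

def rule_with_pin(current_rule, certname):
    """Return the complete rule to POST so that certname is pinned as well."""
    clause = pin_clause(certname)
    if not current_rule:                      # group has no rule yet
        return ["or", clause]
    if current_rule[0] == "or":
        if clause in current_rule[1:]:        # already pinned: no change
            return list(current_rule)
        return list(current_rule) + [clause]
    # Assumption: keep an existing non-"or" rule and add the pin beside it.
    return ["or", current_rule, clause]

def build_update(base_url, group, certname):
    """Build the POST for one group object taken from the GET .../v1/groups response."""
    body = json.dumps({"rule": rule_with_pin(group.get("rule"), certname)})
    return urllib.request.Request(
        f"{base_url}/classifier-api/v1/groups/{group['id']}",
        data=body.encode(), method="POST",
        headers={"Content-Type": "application/json"})

def tls_context(cert, key, cacert):
    """Client-certificate context equivalent to curl's --cert/--key/--cacert."""
    ctx = ssl.create_default_context(cafile=cacert)   # verify the master against the Puppet CA
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    return ctx

# Constructed sample: the group from the answer after the first pin.
SAMPLE_GROUP = {
    "id": "085e2797-32f3-4920-9412-8e9decf4ef65",
    "name": "foo",
    "rule": ["or", ["=", "name", "u38a.vm"]],
}

if __name__ == "__main__":
    req = build_update("https://fqdn:4433", SAMPLE_GROUP, "u38.vm")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # To send: urllib.request.urlopen(req, context=tls_context(cert, key, cacert))
```
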
