* http check: add setting to skip ssl certificate verification * update http check documentation * fix typo in documentation * Add TLSSkipVerify to agent api
20 KiB
layout | page_title | sidebar_current | description |
---|---|---|---|
docs | Agent (HTTP) | docs-agent-http-agent | The Agent endpoints are used to interact with the local Consul agent. |
Agent HTTP Endpoint
The Agent endpoints are used to interact with the local Consul agent. Usually, services and checks are registered with an agent which then takes on the burden of keeping that data synchronized with the cluster. For example, the agent registers services and checks with the Catalog and performs anti-entropy to recover from outages.
The following endpoints are supported:
/v1/agent/checks
: Returns the checks the local agent is managing/v1/agent/services
: Returns the services the local agent is managing/v1/agent/members
: Returns the members as seen by the local serf agent/v1/agent/self
: Returns the local node configuration/v1/agent/maintenance
: Manages node maintenance mode/v1/agent/join/<address>
: Triggers the local agent to join a node/v1/agent/force-leave/<node>
>: Forces removal of a node/v1/agent/check/register
: Registers a new local check/v1/agent/check/deregister/<checkID>
: Deregisters a local check/v1/agent/check/pass/<checkID>
: Marks a local check as passing/v1/agent/check/warn/<checkID>
: Marks a local check as warning/v1/agent/check/fail/<checkID>
: Marks a local check as critical/v1/agent/check/update/<checkID>
: Updates a local check/v1/agent/service/register
: Registers a new local service/v1/agent/service/deregister/<serviceID>
: Deregisters a local service/v1/agent/service/maintenance/<serviceID>
: Manages service maintenance mode
/v1/agent/checks
This endpoint is used to return all the checks that are registered with the local agent. These checks were either provided through configuration files or added dynamically using the HTTP API. It is important to note that the checks known by the agent may be different from those reported by the Catalog. This is usually due to changes being made while there is no leader elected. The agent performs active anti-entropy, so in most situations everything will be in sync within a few seconds.
This endpoint is hit with a GET and returns a JSON body like this:
{
"service:redis": {
"Node": "foobar",
"CheckID": "service:redis",
"Name": "Service 'redis' check",
"Status": "passing",
"Notes": "",
"Output": "",
"ServiceID": "redis",
"ServiceName": "redis"
}
}
/v1/agent/services
This endpoint is used to return all the services that are registered with the local agent. These services were either provided through configuration files or added dynamically using the HTTP API. It is important to note that the services known by the agent may be different from those reported by the Catalog. This is usually due to changes being made while there is no leader elected. The agent performs active anti-entropy, so in most situations everything will be in sync within a few seconds.
This endpoint is hit with a GET and returns a JSON body like this:
{
"redis": {
"ID": "redis",
"Service": "redis",
"Tags": null,
"Address": "",
"Port": 8000
}
}
/v1/agent/members
This endpoint is used to return the members the agent sees in the cluster gossip pool. Due to the nature of gossip, this is eventually consistent: the results may differ by agent. The strongly consistent view of nodes is instead provided by "/v1/catalog/nodes".
For agents running in server mode, providing a "?wan=1" query parameter returns the list of WAN members instead of the LAN members returned by default.
This endpoint is hit with a GET and returns a JSON body like:
[
{
"Name": "foobar",
"Addr": "10.1.10.12",
"Port": 8301,
"Tags": {
"bootstrap": "1",
"dc": "dc1",
"port": "8300",
"role": "consul"
},
"Status": 1,
"ProtocolMin": 1,
"ProtocolMax": 2,
"ProtocolCur": 2,
"DelegateMin": 1,
"DelegateMax": 3,
"DelegateCur": 3
}
]
/v1/agent/self
This endpoint is used to return the configuration and member information of the local agent under the Config
key.
Consul 0.7.0 and later also includes a snapshot of various operating statistics under the Stats
key. These statistics are intended to help human operators for debugging and may change over time, so this part of the interface should not be consumed programatically.
It returns a JSON body like this:
{
"Config": {
"Bootstrap": true,
"Server": true,
"Datacenter": "dc1",
"DataDir": "/tmp/consul",
"DNSRecursor": "",
"DNSRecursors": [],
"Domain": "consul.",
"LogLevel": "INFO",
"NodeName": "foobar",
"ClientAddr": "127.0.0.1",
"BindAddr": "0.0.0.0",
"AdvertiseAddr": "10.1.10.12",
"Ports": {
"DNS": 8600,
"HTTP": 8500,
"RPC": 8400,
"SerfLan": 8301,
"SerfWan": 8302,
"Server": 8300
},
"LeaveOnTerm": false,
"SkipLeaveOnInt": false,
"StatsiteAddr": "",
"Protocol": 1,
"EnableDebug": false,
"VerifyIncoming": false,
"VerifyOutgoing": false,
"CAFile": "",
"CertFile": "",
"KeyFile": "",
"StartJoin": [],
"UiDir": "",
"PidFile": "",
"EnableSyslog": false,
"RejoinAfterLeave": false
},
"Coord": {
"Adjustment": 0,
"Error": 1.5,
"Vec": [0,0,0,0,0,0,0,0]
},
"Member": {
"Name": "foobar",
"Addr": "10.1.10.12",
"Port": 8301,
"Tags": {
"bootstrap": "1",
"dc": "dc1",
"port": "8300",
"role": "consul",
"vsn": "1",
"vsn_max": "1",
"vsn_min": "1"
},
"Status": 1,
"ProtocolMin": 1,
"ProtocolMax": 2,
"ProtocolCur": 2,
"DelegateMin": 2,
"DelegateMax": 4,
"DelegateCur": 4
}
}
/v1/agent/maintenance
The node maintenance endpoint can place the agent into "maintenance mode". During maintenance mode, the node will be marked as unavailable and will not be present in DNS or API queries. This API call is idempotent. Maintenance mode is persistent and will be automatically restored on agent restart.
The ?enable
flag is required. Acceptable values are either true
(to enter
maintenance mode) or false
(to resume normal operation).
The ?reason
flag is optional. If provided, its value should be a text string
explaining the reason for placing the node into maintenance mode. This is simply
to aid human operators. If no reason is provided, a default value will be used instead.
The return code is 200 on success.
/v1/agent/join/<address>
This endpoint is hit with a GET and is used to instruct the agent to attempt to connect to a given address. For agents running in server mode, providing a "?wan=1" query parameter causes the agent to attempt to join using the WAN pool.
The return code is 200 on success.
/v1/agent/force-leave/<node>
This endpoint is hit with a GET and is used to instruct the agent to force a node into the left
state.
If a node fails unexpectedly, then it will be in a failed
state. Once in the failed
state, Consul will
attempt to reconnect, and the services and checks belonging to that node will not be
cleaned up. Forcing a node into the left
state allows its old entries to be removed.
The endpoint always returns 200.
/v1/agent/check/register
The register endpoint is used to add a new check to the local agent. There is more documentation on checks here. Checks may be of script, HTTP, TCP, or TTL type. The agent is responsible for managing the status of the check and keeping the Catalog in sync.
The register endpoint expects a JSON request body to be PUT. The request body must look like:
{
"ID": "mem",
"Name": "Memory utilization",
"Notes": "Ensure we don't oversubscribe memory",
"DeregisterCriticalServiceAfter": "90m",
"Script": "/usr/local/bin/check_mem.py",
"DockerContainerID": "f972c95ebf0e",
"Shell": "/bin/bash",
"HTTP": "http://example.com",
"TCP": "example.com:22",
"Interval": "10s",
"TTL": "15s",
"TLSSkipVerify": true
}
The Name
field is mandatory, as is one of Script
, HTTP
, TCP
or TTL
.
Script
, TCP
and HTTP
also require that Interval
be set.
If an ID
is not provided, it is set to Name
. You cannot have duplicate
ID
entries per agent, so it may be necessary to provide an ID
.
The Notes
field is not used internally by Consul and is meant to be human-readable.
In Consul 0.7 and later, checks that are associated with a service may also contain
an optional DeregisterCriticalServiceAfter
field, which is a timeout in the same Go
time format as Interval
and TTL
. If a check is in the critical state for more than
this configured value, then its associated service (and all of its associated checks)
will automatically be deregistered. The minimum timeout is 1 minute, and the
process that reaps critical services runs every 30 seconds, so it may take slightly
longer than the configured timeout to trigger the deregistration. This should
generally be configured with a timeout that's much, much longer than any expected
recoverable outage for the given service.
If a Script
is provided, the check type is a script, and Consul will
evaluate the script every Interval
to update the status.
If a DockerContainerID
is provided, the check is a Docker check, and Consul will
evaluate the script every Interval
in the given container using the specified
Shell
. Note that Shell
is currently only supported for Docker checks.
An HTTP
check will perform an HTTP GET request against the value of HTTP
(expected to
be a URL) every Interval
. If the response is any 2xx
code, the check is passing
.
If the response is 429 Too Many Requests
, the check is warning
. Otherwise, the check
is critical
. HTTP checks also support SSL. By default, a valid SSL certificate is expected.
Certificate verification can be controlled using the TLSSkipVerify
.
If TLSSkipVerify
is set to true
, certificate verification will be disabled. By default,
certificate verification is enabled.
A TCP
check will perform an TCP connection attempt against the value of TCP
(expected to be an IP/hostname and port combination) every Interval
. If the
connection attempt is successful, the check is passing
. If the connection
attempt is unsuccessful, the check is critical
. In the case of a hostname
that resolves to both IPv4 and IPv6 addresses, an attempt will be made to both
addresses, and the first successful connection attempt will result in a
successful check.
If a TTL
type is used, then the TTL update endpoint must be used periodically to update
the state of the check.
The ServiceID
field can be provided to associate the registered check with an
existing service provided by the agent.
The Status
field can be provided to specify the initial state of the health
check.
This endpoint supports ACL tokens. If the query
string includes a ?token=<token-id>
, the registration will use the provided
token to authorize the request. The token is also persisted in the agent's
local configuration to enable periodic
anti-entropy syncs and seamless agent
restarts.
The return code is 200 on success.
/v1/agent/check/deregister/<checkId>
This endpoint is used to remove a check from the local agent.
The CheckID
must be passed on the path. The agent will take care
of deregistering the check from the Catalog.
The return code is 200 on success.
/v1/agent/check/pass/<checkId>
This endpoint is used with a check that is of the TTL type.
When this endpoint is accessed via a GET, the status of the check is set to passing
and the TTL clock is reset.
The optional "?note=" query parameter can be used to associate a human-readable message
with the status of the check. This will be passed through to the check's Output
field
in the check endpoints.
The return code is 200 on success.
/v1/agent/check/warn/<checkId>
This endpoint is used with a check that is of the TTL type.
When this endpoint is accessed via a GET, the status of the check is set to warning
,
and the TTL clock is reset.
The optional "?note=" query parameter can be used to associate a human-readable message
with the status of the check. This will be passed through to the check's Output
field
in the check endpoints.
The return code is 200 on success.
/v1/agent/check/fail/<checkId>
This endpoint is used with a check that is of the TTL type.
When this endpoint is accessed via a GET, the status of the check is set to critical
,
and the TTL clock is reset.
The optional "?note=" query parameter can be used to associate a human-readable message
with the status of the check. This will be passed through to the check's Output
field
in the check endpoints.
The return code is 200 on success.
/v1/agent/check/update/<checkId>
This endpoint is used with a check that is of the TTL type. When this endpoint is accessed with a PUT, the status and output of the check are updated and the TTL clock is reset.
This endpoint expects a JSON request body to be put. The request body must look like:
{
"Status": "passing",
"Output": "curl reported a failure:\n\n..."
}
The Status
field is mandatory, and must be set to "passing", "warning", or "critical".
Output
is an optional field that will associate a human-readable message with the status
of the check, such as the output of the checking script or process. This will be truncated
if it exceeds 4KB in size. This will be passed through to the check's Output
field in the
check endpoints.
The return code is 200 on success.
/v1/agent/service/register
The register endpoint is used to add a new service, with an optional health check, to the local agent. There is more documentation on services here. The agent is responsible for managing the status of its local services, and for sending updates about its local services to the servers to keep the global Catalog in sync.
The register endpoint expects a JSON request body to be PUT. The request body must look like:
{
"ID": "redis1",
"Name": "redis",
"Tags": [
"master",
"v1"
],
"Address": "127.0.0.1",
"Port": 8000,
"EnableTagOverride": false,
"Check": {
"DeregisterCriticalServiceAfter": "90m",
"Script": "/usr/local/bin/check_redis.py",
"HTTP": "http://localhost:5000/health",
"Interval": "10s",
"TTL": "15s"
}
}
The Name
field is mandatory. If an ID
is not provided, it is set to Name
.
You cannot have duplicate ID
entries per agent, so it may be necessary to provide an ID
in the case of a collision.
Tags
, Address
, Port
, Check
and EnableTagOverride
are optional.
If Address
is not provided or left empty, then the agent's address will be used
as the address for the service during DNS queries. When querying for services using
HTTP endpoints such as service health
or service catalog and encountering
an empty Address
field for a service, use the Address
field of the agent node
associated with that instance of the service, which is returned alongside the service
information.
If Check
is provided, only one of Script
, HTTP
, TCP
or TTL
should be specified.
Script
and HTTP
also require Interval
. The created check will be named "service:<ServiceId>".
In Consul 0.7 and later, checks that are associated with a service may also contain
an optional DeregisterCriticalServiceAfter
field, which is a timeout in the same Go time
format as Interval
and TTL
. If a check is in the critical state for more than this
configured value, then its associated service (and all of its associated checks)
will automatically be deregistered. The minimum timeout is 1 minute, and the
process that reaps critical services runs every 30 seconds, so it may take slightly
longer than the configured timeout to trigger the deregistration. This should
generally be configured with a timeout that's much, much longer than any expected
recoverable outage for the given service.
There is more information about checks here.
EnableTagOverride
can optionally be specified to disable the anti-entropy
feature for this service's tags. If EnableTagOverride
is set to true
then external
agents can update this service in the catalog and modify the tags. Subsequent
local sync operations by this agent will ignore the updated tags. For instance, if an external agent
modified both the tags and the port for this service and EnableTagOverride
was set to true
then after the next sync cycle the service's port would revert
to the original value but the tags would maintain the updated value. As a
counter example, if an external agent modified both the tags and port for this
service and EnableTagOverride
was set to false
then after the next sync
cycle the service's port and the tags would revert to the original value and
all modifications would be lost. It's important to note that this applies only
to the locally registered service. If you have multiple nodes all registering
the same service their EnableTagOverride
configuration and all other service
configuration items are independent of one another. Updating the tags for
the service registered on one node is independent of the same service (by name)
registered on another node. If EnableTagOverride
is not specified the default
value is false
. See anti-entropy syncs
for more info.
This endpoint supports ACL tokens. If the query
string includes a ?token=<token-id>
, the registration will use the provided
token to authorize the request. The token is also persisted in the agent's
local configuration to enable periodic
anti-entropy syncs and seamless agent
restarts.
The return code is 200 on success.
/v1/agent/service/deregister/<serviceId>
The deregister endpoint is used to remove a service from the local agent. The ServiceID must be passed after the slash. The agent will take care of deregistering the service with the Catalog. If there is an associated check, that is also deregistered.
The return code is 200 on success.
/v1/agent/service/maintenance/<serviceId>
The service maintenance endpoint allows placing a given service into "maintenance mode". During maintenance mode, the service will be marked as unavailable and will not be present in DNS or API queries. This API call is idempotent. Maintenance mode is persistent and will be automatically restored on agent restart. The maintenance endpoint expects a PUT request.
The ?enable
flag is required. Acceptable values are either true
(to enter
maintenance mode) or false
(to resume normal operation).
The ?reason
flag is optional. If provided, its value should be a text string
explaining the reason for placing the service into maintenance mode. This is simply
to aid human operators. If no reason is provided, a default value will be used instead.
The return code is 200 on success.