应用管理 REST API 需要指向集群的接入点地址, 并通过自签名证书的 HTTPS 请求和集群进行交互。

获取集群 Endpoint 和证书

控制台方式

  1. 登录 容器服务管理控制台
  2. 在 Swarm 菜单下,单击左侧导航栏中的 集群
  3. 选择需要查看的集群并单击 管理


  4. 您可以查看集群的 endpoint 并单击 下载证书 下载集群证书。


通过 API 访问,您需要将截图里命令中的 tcp 相应改为 https。

编程方式获取

您需要先通过集群管理的 API 获取:

  1. 获取集群的 master_url 字段值。更多详细信息,参见 查看集群信息
  2. 获取集群的证书。更多详细信息,参见 查看集群证书

API 返回结果:

{
    "ca": "string",   ##认证机构证书,ca.pem
    "cert": "string", ##用户公钥证书,cert.pem
    "key": "string"   ##用户私钥证书,key.pem
}

推荐将返回结果的三个 string 的内容保存为一个目录下的三个文件 ca.pemcert.pemkey.pem。大部分的工具或编程框架都是以文件的方式加载 https 证书.

调用应用管理的 API

假设您的集群名称为 ClusterName,并且已经将上面三个证书存储到 ~/.docker/aliyun/ClusterName 目录下。上面获得的 master_url 地址为 https://123.123.123.123:1234

应用 API 列表

详见 应用API列表

下面以查看应用列表接口为例 (context path/projects/)。

curl 方式

# 提示: 请注意你的 curl 版本,您可能需要升级你的 curl.
curl --insecure --cert ~/.docker/aliyun/ClusterName/cert.pem --key ~/.docker/aliyun/ClusterName/key.pem https://123.123.123.123:1234/projects/

PHP 方式

<?php
     $ch = curl_init();
     curl_setopt($ch, CURLOPT_URL, "https://123.123.123.123:1234/projects/");
     curl_setopt($ch, CURLOPT_SSLKEY, "~/.docker/aliyun/ClusterName/key.pem");
     curl_setopt($ch, CURLOPT_CAINFO, "~/.docker/aliyun/ClusterName/ca.pem");
     curl_setopt($ch, CURLOPT_SSLCERT, "~/.docker/aliyun/ClusterName/cert.pem");
     $result=curl_exec($ch);
     echo $result;
     curl_close($ch);
?>

Python 方式

import requests
res = requests.get('https://123.123.123.123:1234/projects/', verify='~/.docker/aliyun/ClusterName/ca.pem', cert=('~/.docker/aliyun/ClusterName/cert.pem', '~/.docker/aliyun/ClusterName/key.pem'))
print res.content

JAVA 方式

添加 Maven 依赖:

<dependency>
            <groupId>org.apache.httpcomponents</groupId>
            <artifactId>httpclient</artifactId>
            <version>4.5.1</version>
        </dependency>
        <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcpkix-jdk15on</artifactId>
            <version>1.52</version>
        </dependency>

代码示例:

import java.nio.file.Path;
        import java.nio.charset.Charset;
        import java.nio.file.Files;
        import java.nio.file.Paths;
        import java.security.KeyFactory;
        import java.security.KeyStore;
        import java.security.PrivateKey;
        import java.security.cert.Certificate;
        import java.security.cert.CertificateFactory;
        import java.security.spec.PKCS8EncodedKeySpec;
        import javax.net.ssl.SSLContext;
        import org.bouncycastle.openssl.PEMKeyPair;
        import org.bouncycastle.openssl.PEMParser;
        import org.apache.http.client.methods.CloseableHttpResponse;
        import org.apache.http.client.methods.HttpGet;
        import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
        import org.apache.http.impl.client.CloseableHttpClient;
        import org.apache.http.impl.client.HttpClients;
        import org.apache.http.ssl.SSLContexts;
        import org.apache.http.util.EntityUtils;
        public class Test {
            public static void main(String[] argc) throws Exception {
                final char[] KEY_STORE_PASSWORD = "".toCharArray();
                //获取证书地址
                Path caCertPath = Paths.get("~/.docker/aliyun/ClusterName/ca.pem");
                Path clientCertPath = Paths.get("~/.docker/aliyun/ClusterName/cert.pem");
                Path clientKeyPath = Paths.get("~/.docker/aliyun/ClusterName/key.pem");
                final CertificateFactory cf = CertificateFactory.getInstance("X.509");
                final Certificate caCert = cf.generateCertificate(Files.newInputStream(caCertPath));
                final Certificate clientCert = cf.generateCertificate(
                        Files.newInputStream(clientCertPath));
                final PEMKeyPair clientKeyPair = (PEMKeyPair) new PEMParser(
                        Files.newBufferedReader(clientKeyPath,
                                Charset.defaultCharset()))
                        .readObject();
                final PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(
                        clientKeyPair.getPrivateKeyInfo().getEncoded());
                final KeyFactory kf = KeyFactory.getInstance("RSA");
                final PrivateKey clientKey = kf.generatePrivate(spec);
                //设置信任的证书
                final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
                trustStore.load(null, null);
                trustStore.setEntry("ca", new KeyStore.TrustedCertificateEntry(caCert), null);
                //设置私钥
                final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
                keyStore.load(null, null);
                keyStore.setCertificateEntry("client", clientCert);
                keyStore.setKeyEntry("key", clientKey, KEY_STORE_PASSWORD, new Certificate[]{clientCert});
                SSLContext sslContext = SSLContexts.custom()
                        .loadTrustMaterial(trustStore, null)
                        .loadKeyMaterial(keyStore, KEY_STORE_PASSWORD)
                        .build();
                SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                        sslContext,
                        SSLConnectionSocketFactory.getDefaultHostnameVerifier());
                //httpclient连接
                CloseableHttpClient httpclient = HttpClients.custom()
                        .setSSLSocketFactory(sslsf)
                        .build();
                try {
                    HttpGet httpget = new HttpGet("https://123.123.123.123:1234/projects/");
                    CloseableHttpResponse response = httpclient.execute(httpget);
                    try {
                        System.out.println("----------------------------------------");
                        String bodyAsString = EntityUtils.toString(response.getEntity());
                        System.out.println(bodyAsString);
                    } finally {
                        response.close();
                    }
                } finally {
                    httpclient.close();
                }
            }
        }