Final Commit after adding ca and ssl

Signed-off-by: paragchak-sumo <[email protected]>

Author: paragchak-sumo

.pdkignore

@@ -25,7 +25,6 @@
 .project
 .envrc
 /inventory.yaml
-/appveyor.yml
 /.fixtures.yml
 /Gemfile
 /.gitattributes

.sync.yml

@@ -27,7 +27,5 @@ spec/spec_helper.rb:
   paths: *ignorepaths
 Gemfile:
   unmanaged: true
-appveyor.yml:
-  unmanaged: true
 .rspec:
   unmanaged: true

REFERENCE.md

@@ -4799,7 +4799,7 @@ Default value: `/etc/sensu/ssl/ca.crt`
 
 URL to use with 'sensuctl configure'
 
-Default value: `http://127.0.0.1:8080`
+Default value: `https://127.0.0.1:8080`
 
 ##### <a name="-sensu_user--name"></a>`name`
 
@@ -5172,6 +5172,12 @@ Data type: `Optional[String[1]]`
 
 The namespace for the agent, default is 'default'
 
+##### `use_ssl`
+
+Data type: `Optional[Boolean]`
+
+Whether to use SSL for backend API connections, default is true
+
 ##### `output`
 
 Data type: `Optional[Boolean]`

appveyor.yml

@@ -1,58 +1,74 @@
 $password = 'sensu'
 
+class { 'sensu':
+  use_ssl       => true,
+  ssl_ca_source => '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem',
+  api_host      => 'sensu-backend',
+}
+
 class { 'sensu::agent':
-  backends => ['sensu-backend:8081'],
+  backends    => ['sensu-backend:8081'],
+  config_hash => {
+    'keepalive-interval' => 5,
+  },
 }
 
 class { 'postgresql::globals':
-  manage_package_repo => true,
-  version             => '11',
+  manage_package_repo => false,
+}
+
+# Ensure data directory is ready for initdb
+exec { 'clean_postgres_datadir_if_incomplete':
+  command => '/bin/rm -rf /var/lib/pgsql/data/*',
+  onlyif  => '/bin/bash -c "[ -d /var/lib/pgsql/data ] && [ ! -f /var/lib/pgsql/data/PG_VERSION ]"',
+  require => Class['postgresql::server::install'],
+  before  => Class['postgresql::server::initdb'],
 }
 
 class { 'postgresql::server':
   listen_addresses => '*',
 }
 
+# Copy SSL key for PostgreSQL to use with the default name
+# Must be created AFTER initdb but BEFORE service starts
 file { 'postgresql_ssl_key_file':
-  ensure => 'file',
-  path   => "${postgresql::server::datadir}/${trusted['certname']}.pem",
-  source => "/etc/puppetlabs/puppet/ssl/private_keys/${trusted['certname']}.pem",
-  owner  => 'postgres',
-  group  => 'postgres',
-  mode   => '0600',
-}
-
-postgresql::server::db { 'sensu':
-  user     => 'sensu',
-  password => postgresql::postgresql_password('sensu', $password),
-}
-
-postgresql::server::pg_hba_rule { 'allow access to sensu database':
-  description => 'Open up postgresql for access to sensu from 0.0.0.0/0',
-  type        => 'host',
-  database    => 'sensu',
-  user        => 'sensu',
-  address     => '0.0.0.0/0',
-  auth_method => 'password',
+  ensure  => 'file',
+  path    => "${postgresql::server::datadir}/server.key",
+  source  => '/etc/puppetlabs/puppet/ssl/private_keys/sensu-agent_key.pem',
+  owner   => 'postgres',
+  group   => 'postgres',
+  mode    => '0600',
+  require => Class['postgresql::server::initdb'],
+  before  => Class['postgresql::server::service'],
 }
 
 postgresql::server::config_entry { 'ssl':
   value => 'on',
 }
 
 postgresql::server::config_entry { 'ssl_cert_file':
-  value => "/etc/puppetlabs/puppet/ssl/certs/${trusted['certname']}.pem",
+  value => '/etc/puppetlabs/puppet/ssl/ca/signed/sensu-agent.pem',
 }
 
 postgresql::server::config_entry { 'ssl_key_file':
-  value   => "${trusted['certname']}.pem",
+  value   => 'server.key',
   require => File['postgresql_ssl_key_file'],
 }
 
 postgresql::server::config_entry { 'ssl_ca_file':
-  value => '/etc/puppetlabs/puppet/ssl/certs/ca.pem',
+  value => '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem',
+}
+
+postgresql::server::db { 'sensu':
+  user     => 'sensu',
+  password => postgresql::postgresql_password('sensu', $password),
 }
 
-postgresql::server::config_entry { 'ssl_crl_file':
-  value => '/etc/puppetlabs/puppet/ssl/crl.pem',
+postgresql::server::pg_hba_rule { 'allow access to sensu database':
+  description => 'Open up postgresql for access to sensu from 0.0.0.0/0',
+  type        => 'host',
+  database    => 'sensu',
+  user        => 'sensu',
+  address     => '0.0.0.0/0',
+  auth_method => 'password',
 }

examples/postgresql-ssl/postgresql.pp

@@ -1,19 +1,19 @@
 $password = 'sensu'
 
 class { 'sensu':
-  use_ssl => false,
+  use_ssl       => true,
+  ssl_ca_source => '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem',
+  api_host      => 'sensu-backend',
 }
 include sensu::cli
 class { 'sensu::agent':
   backends => ['sensu-backend:8081'],
 }
 class { 'sensu::backend':
-  datastore                  => 'postgresql',
-  manage_postgresql_db       => false,
-  postgresql_host            => 'sensu-agent',
-  postgresql_password        => $password,
-  postgresql_ssl_ca_source   => $sensu::ssl_ca_source,
-  postgresql_ssl_crl_source  => $facts['puppet_hostcrl'],
-  postgresql_ssl_cert_source => $facts['puppet_hostcert'],
-  postgresql_ssl_key_source  => $facts['puppet_hostprivkey'],
+  ssl_cert_source      => '/etc/puppetlabs/puppet/ssl/ca/signed/sensu-backend.pem',
+  ssl_key_source       => '/etc/puppetlabs/puppet/ssl/private_keys/sensu-backend_key.pem',
+  datastore            => 'postgresql',
+  manage_postgresql_db => false,
+  postgresql_host      => 'sensu-agent',
+  postgresql_password  => $password,
 }

examples/postgresql-ssl/sensu-backend.pp

@@ -0,0 +1,17 @@
+# Example of Sensu backend with SSL enabled
+#
+# This example demonstrates how to configure a Sensu backend with SSL/TLS
+# using the test certificates from /etc/puppetlabs/puppet/ssl/
+
+class { 'sensu':
+  use_ssl       => true,
+  ssl_ca_source => '/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem',
+  api_host      => 'sensu-backend',
+}
+
+class { 'sensu::backend':
+  ssl_cert_source => '/etc/puppetlabs/puppet/ssl/ca/signed/sensu-backend.pem',
+  ssl_key_source  => '/etc/puppetlabs/puppet/ssl/private_keys/sensu-backend_key.pem',
+}
+
+include sensu::cli

examples/ssl-backend.pp

@@ -83,7 +83,7 @@ def asset_add(version)
       opts[:custom_environment]['no_proxy'] = resource[:bonsai_no_proxy] if resource[:bonsai_no_proxy]
     end
     begin
-      sensuctl(cmd, opts)
+      sensuctl(cmd, **opts)
     rescue Exception => e
       raise Puppet::Error, "#{cmd.join(' ')} failed\nError message: #{e.message}"
     end

lib/puppet/provider/sensu_bonsai_asset/sensuctl.rb

@@ -65,7 +65,7 @@ def convert_boolean_property_value(value)
     self.class.convert_boolean_property_value(value)
   end
 
-  def self.sensuctl(args, failonfail: nil, combine: nil, **_kwargs)
+  def self.sensuctl(args, failonfail: nil, combine: nil, custom_environment: nil, **_kwargs)
     sensuctl_cmd = which('sensuctl')
     if ! path.nil?
       cmd = [path] + args
@@ -75,6 +75,9 @@ def self.sensuctl(args, failonfail: nil, combine: nil, **_kwargs)
     opts = {}
     opts[:failonfail] = failonfail.nil? ? true : failonfail
     opts[:combine] = combine.nil? ? true : combine
+    if custom_environment
+      opts[:custom_environment] = custom_environment
+    end
     execute(cmd, opts)
   end
   def sensuctl(cmd_args, **opts)

lib/puppet/provider/sensuctl.rb

@@ -99,7 +99,7 @@ def should_to_s(newvalue)
 
   newparam(:configure_url) do
     desc "URL to use with 'sensuctl configure'"
-    defaultto 'http://127.0.0.1:8080'
+    defaultto 'https://127.0.0.1:8080'
   end
 
   newparam(:configure_trusted_ca_file) do