Use Puppet SSL by default

By default the backend will be configured to use SSL and agents will communicate using SSL.  The certificates and CA used are from Puppet.

Update acceptance tests to properly use sensu_backend role

.fixtures-latest.yml

@@ -10,5 +10,8 @@ fixtures:
       repo: git://github.com/puppetlabs/puppetlabs-yumrepo_core
       ref: 1.0.1
       puppet_version: ">= 6.0.0"
+    trusted_ca:
+      repo: git://github.com/voxpupuli/puppet-trusted_ca.git
+      ref: v2.0.0
   symlinks:
     sensu: "#{source_dir}"

.fixtures.yml

@@ -10,5 +10,8 @@ fixtures:
       repo: git://github.com/puppetlabs/puppetlabs-yumrepo_core
       ref: 1.0.1
       puppet_version: ">= 6.0.0"
+    trusted_ca:
+      repo: git://github.com/voxpupuli/puppet-trusted_ca.git
+      ref: v2.0.0
   symlinks:
     sensu: "#{source_dir}"

README.md

@@ -10,6 +10,7 @@
 3. [Usage - Configuration options and additional functionality](#usage)
     * [Basic Sensu backend](#basic-sensu-backend)
     * [Basic Sensu agent](#basic-sensu-agent)
+    * [Advanced SSL](#advanced-ssl)
     * [Exported resources](#exported-resources)
     * [Resource purging](#resource-purging)
     * [Sensu backend cluster](#sensu-backend-cluster)
@@ -73,7 +74,7 @@ vagrant ssh sensu-backend
 
 #### Beginning with a Sensu cluster
 
-Multiple Vagrant boxes are available for testing a sensu-backend cluster
+Multiple Vagrant boxes are available for testing a sensu-backend cluster.
 
 ```bash
 vagrant up sensu-backend-peer1 sensu-backend-peer2
@@ -85,6 +86,7 @@ vagrant provision sensu-backend-peer1 sensu-backend-peer2
 ### Basic Sensu backend
 
 The following example will configure sensu-backend, sensu-agent on backend and add a check.
+By default this module will configure the backend to use Puppet's SSL certificate and CA.
 
 ```puppet
   include sensu::backend
@@ -104,13 +106,74 @@ associated to `linux` and `apache-servers` subscriptions.
 
 ```puppet
   class { 'sensu::agent':
+    backends    => ['sensu-backend.example.com:8081'],
     config_hash => {
-      'backend-url'  => 'ws://sensu-backend.example.com:8081',
       'subscriptions => ['linux', 'apache-servers'],
     },
   }
 ```
 
+### Advanced SSL
+
+By default this module uses Puppet's SSL certificates and CA.
+If you would prefer to use different certificates override the `ssl_ca_source`, `ssl_cert_source` and `ssl_key_source` parameters.
+The value for `url_host` must be valid for the provided certificate and the value used for agent's `backends` must also match the certificate used by the specified backend.
+If the certificates and keys are already installed then define the source parameters as filesystem paths.
+
+```puppet
+class { 'sensu':
+  ssl_ca_source => 'puppet:///modules/site_sensu/ca.pem',
+}
+class { 'sensu::backend':
+  url_host        => 'sensu-backend.example.com',
+  ssl_cert_source => 'puppet:///modules/site_sensu/cert.pem',
+  ssl_key_source  => 'puppet:///modules/site_sensu/key.pem',
+}
+```
+```puppet
+class { 'sensu':
+  ssl_ca_source => 'puppet:///modules/site_sensu/ca.pem',
+}
+class { 'sensu::agent':
+  backends    => ['sensu-backend.example.com:8081'],
+  config_hash => {
+    'subscriptions => ['linux', 'apache-servers'],
+  },
+}
+```
+
+If the certificate is already trusted by your operating system's trust store then you can disable adding the CA to system's trust.
+
+```puppet
+class { 'sensu':
+  ssl_add_ca_trust => false,
+}
+class { 'sensu::backend':
+  url_host        => 'sensu-backend.example.com',
+  ssl_cert_source => 'puppet:///modules/site_sensu/cert.pem',
+  ssl_key_source  => 'puppet:///modules/site_sensu/key.pem',
+}
+```
+```puppet
+class { 'sensu':
+  ssl_add_ca_trust => false,
+}
+class { 'sensu::agent':
+  backends    => ['sensu-backend.example.com:8081'],
+  config_hash => {
+    'subscriptions => ['linux', 'apache-servers'],
+  },
+}
+```
+
+To disable SSL support:
+
+```puppet
+class { 'sensu':
+  use_ssl => false,
+}
+```
+
 ### Exported resources
 
 One possible approach to defining checks is having agents export their checks to the sensu-backend using [Exported Resources](https://puppet.com/docs/puppet/latest/lang_exported.html).

lib/facter/sensu_puppet_facts.rb

@@ -0,0 +1,33 @@
+require 'puppet'
+
+module SensuPuppetFacts
+  def self.add_facts
+    SensuPuppetFacts.init_settings
+    Facter.add(:puppet_hostcert) do
+      setcode do
+        ::Puppet[:hostcert].to_s
+      end
+    end
+
+    Facter.add(:puppet_hostprivkey) do
+      setcode do
+        ::Puppet[:hostprivkey].to_s
+      end
+    end
+
+    Facter.add(:puppet_localcacert) do
+      setcode do
+        ::Puppet[:localcacert].to_s
+      end
+    end
+  end
+
+  def self.init_settings
+    if ! ::Puppet.settings.global_defaults_initialized?
+      ::Puppet.initialize_settings
+    end
+  end
+end
+
+SensuPuppetFacts.add_facts
+

manifests/agent.pp

@@ -4,9 +4,10 @@
 #
 # @example
 #   class { 'sensu::agent':
+#     backends    => ['sensu-backend.example.com:8081'],
 #     config_hash => {
-#       'backend-url' => 'ws://sensu-backend.example.com:8081',
-#     }
+#       'subscriptions => ['linux', 'apache-servers'],
+#     },
 #   }
 #
 # @param version
@@ -22,6 +23,11 @@
 #   Sensu agent service enable value.
 # @param config_hash
 #   Sensu agent configuration hash used to define agent.yml.
+# @param backends
+#   Array of sensu backends to pass to `backend-url` config option.
+#   The protocol prefix of `ws://` or `wss://` are optional and will be determined
+#   based on `sensu::use_ssl` parameter by default.
+#   Passing `backend-url` as part of `config_hash` takes precedence.
 #
 class sensu::agent (
   Optional[String] $version = undef,
@@ -30,17 +36,34 @@
   String $service_ensure = 'running',
   Boolean $service_enable = true,
   Hash $config_hash = {},
+  Array[Sensu::Backend_URL] $backends = ['localhost:8081'],
 ) {
 
   include ::sensu
 
   $etc_dir = $::sensu::etc_dir
+  $use_ssl = $::sensu::use_ssl
+  $_version = pick($version, $::sensu::version)
 
-  if $version == undef {
-    $_version= $::sensu::version
-  } else {
-    $_version= $version
+  if $use_ssl {
+    $backend_protocol = 'wss'
+    $service_subscribe = Class['::sensu::ssl']
   }
+  else {
+    $backend_protocol = 'ws'
+    $service_subscribe = undef
+  }
+  $backend_urls = $backends.map |$backend| {
+    if 'ws://' in $backend or 'wss://' in $backend {
+      $backend
+    } else {
+      "${backend_protocol}://${backend}"
+    }
+  }
+  $default_config = {
+    'backend-url' => $backend_urls,
+  }
+  $config = $default_config + $config_hash
 
   package { 'sensu-go-agent':
     ensure  => $_version,
@@ -52,14 +75,15 @@
   file { 'sensu_agent_config':
     ensure  => 'file',
     path    => "${etc_dir}/agent.yml",
-    content => to_yaml($config_hash),
+    content => to_yaml($config),
     require => Package['sensu-go-agent'],
     notify  => Service['sensu-agent'],
   }
 
   service { 'sensu-agent':
-    ensure => $service_ensure,
-    enable => $service_enable,
-    name   => $service_name,
+    ensure    => $service_ensure,
+    enable    => $service_enable,
+    name      => $service_name,
+    subscribe => $service_subscribe,
   }
 }

manifests/backend.pp

@@ -28,8 +28,10 @@
 #   Sensu backend host used to configure sensuctl and verify API access.
 # @param url_port
 #   Sensu backend port used to configure sensuctl and verify API access.
-# @param use_ssl
-#   Sensu backend service uses SSL
+# @param ssl_cert_source
+#   The SSL certificate source
+# @param ssl_key_source
+#   The SSL private key source
 # @param password
 #   Sensu admin password. Does not change admin password but is used when
 #   running `sensuctl configure` after initial bootstrap.
@@ -43,35 +45,41 @@
   Boolean $service_enable = true,
   Stdlib::Absolutepath $state_dir = '/var/lib/sensu/sensu-backend',
   Hash $config_hash = {},
-  String $url_host = '127.0.0.1',
+  String $url_host = $trusted['certname'],
   Stdlib::Port $url_port = 8080,
-  Boolean $use_ssl = false,
+  String $ssl_cert_source = $facts['puppet_hostcert'],
+  String $ssl_key_source = $facts['puppet_hostprivkey'],
   String $password = 'P@ssw0rd!',
 ) {
 
   include ::sensu
 
   $etc_dir = $::sensu::etc_dir
-
-  $default_config = {
-    'state-dir' => $state_dir,
-  }
-  $config = $default_config + $config_hash
+  $ssl_dir = $::sensu::ssl_dir
+  $use_ssl = $::sensu::use_ssl
+  $_version = pick($version, $::sensu::version)
 
   if $use_ssl {
     $url_protocol = 'https'
-  }
-  else {
+    $ssl_config = {
+      'cert-file'       => "${ssl_dir}/cert.pem",
+      'key-file'        => "${ssl_dir}/key.pem",
+      'trusted-ca-file' => "${ssl_dir}/ca.crt",
+    }
+    $service_subscribe = Class['::sensu::ssl']
+    Class['::sensu::ssl'] -> Sensu_configure['puppet']
+  } else {
     $url_protocol = 'http'
+    $ssl_config = {}
+    $service_subscribe = undef
   }
 
-  $url = "${url_protocol}://${url_host}:${url_port}"
-
-  if $version == undef {
-    $_version = $::sensu::version
-  } else {
-    $_version = $version
+  $default_config = {
+    'state-dir' => $state_dir,
   }
+  $config = $default_config + $ssl_config + $config_hash
+
+  $url = "${url_protocol}://${url_host}:${url_port}"
 
   package { 'sensu-go-cli':
     ensure  => $_version,
@@ -93,6 +101,29 @@
     bootstrap_password => 'P@ssw0rd!',
   }
 
+  if $use_ssl {
+    file { 'sensu_ssl_cert':
+      ensure    => 'file',
+      path      => "${ssl_dir}/cert.pem",
+      source    => $ssl_cert_source,
+      owner     => $::sensu::user,
+      group     => $::sensu::group,
+      mode      => '0644',
+      show_diff => false,
+      notify    => Service['sensu-backend'],
+    }
+    file { 'sensu_ssl_key':
+      ensure    => 'file',
+      path      => "${ssl_dir}/key.pem",
+      source    => $ssl_key_source,
+      owner     => $::sensu::user,
+      group     => $::sensu::group,
+      mode      => '0600',
+      show_diff => false,
+      notify    => Service['sensu-backend'],
+    }
+  }
+
   package { 'sensu-go-backend':
     ensure  => $_version,
     name    => $package_name,
@@ -119,8 +150,9 @@
   }
 
   service { 'sensu-backend':
-    ensure => $service_ensure,
-    enable => $service_enable,
-    name   => $service_name,
+    ensure    => $service_ensure,
+    enable    => $service_enable,
+    name      => $service_name,
+    subscribe => $service_subscribe,
   }
 }