Showing with 2,382 additions and 9 deletions.
  1. +10 −5 CHANGELOG.md
  2. +185 −0 REFERENCE.md
  3. +8 −1 lib/puppet/provider/sensu_api.rb
  4. +108 −0 lib/puppet/provider/sensu_secret/sensu_api.rb
  5. +93 −0 lib/puppet/provider/sensu_secret/sensuctl.rb
  6. +130 −0 lib/puppet/provider/sensu_secrets_vault_provider/sensu_api.rb
  7. +137 −0 lib/puppet/provider/sensu_secrets_vault_provider/sensuctl.rb
  8. +5 −0 lib/puppet/type/sensu_check.rb
  9. +5 −0 lib/puppet/type/sensu_handler.rb
  10. +5 −0 lib/puppet/type/sensu_mutator.rb
  11. +93 −0 lib/puppet/type/sensu_secret.rb
  12. +153 −0 lib/puppet/type/sensu_secrets_vault_provider.rb
  13. +34 −0 lib/puppet_x/sensu/secrets_property.rb
  14. +9 −0 manifests/agent.pp
  15. +9 −0 manifests/backend.pp
  16. +6 −0 manifests/init.pp
  17. +16 −0 manifests/resources.pp
  18. +1 −1 metadata.json
  19. +10 −2 spec/acceptance/sensu_check_spec.rb
  20. +8 −0 spec/acceptance/sensu_handler_spec.rb
  21. +8 −0 spec/acceptance/sensu_mutator_spec.rb
  22. +294 −0 spec/acceptance/sensu_secrets_spec.rb
  23. +9 −0 spec/classes/agent_spec.rb
  24. +9 −0 spec/classes/backend_spec.rb
  25. +7 −0 spec/classes/init_spec.rb
  26. +30 −0 spec/classes/resources_spec.rb
  27. +14 −0 spec/fixtures/unit/provider/sensu_secret/sensu_api/list.json
  28. +11 −0 spec/fixtures/unit/provider/sensu_secret/sensuctl/list.json
  29. +84 −0 spec/fixtures/unit/provider/sensu_secrets_vault_provider/sensu_api/list.json
  30. +63 −0 spec/fixtures/unit/provider/sensu_secrets_vault_provider/sensuctl/dump.txt
  31. +26 −0 spec/shared_examples/secrets_property.rb
  32. +88 −0 spec/unit/provider/sensu_secret/sensu_api_spec.rb
  33. +72 −0 spec/unit/provider/sensu_secret/sensuctl_spec.rb
  34. +95 −0 spec/unit/provider/sensu_secrets_vault_provider/sensu_api_spec.rb
  35. +97 −0 spec/unit/provider/sensu_secrets_vault_provider/sensuctl_spec.rb
  36. +4 −0 spec/unit/sensu_check_spec.rb
  37. +4 −0 spec/unit/sensu_handler_spec.rb
  38. +4 −0 spec/unit/sensu_mutator_spec.rb
  39. +214 −0 spec/unit/sensu_secret_spec.rb
  40. +224 −0 spec/unit/sensu_secrets_vault_provider_spec.rb
15 changes: 10 additions & 5 deletions CHANGELOG.md
@@ -1,5 +1,14 @@
# Changelog

## [v4.3.0](https://github.com/sensu/sensu-puppet/tree/v4.3.0) (2020-01-29)

[Full Changelog](https://github.com/sensu/sensu-puppet/compare/v4.2.1...v4.3.0)

### Added

- Support Sensu Go secrets features [\#1203](https://github.com/sensu/sensu-puppet/pull/1203) ([treydock](https://github.com/treydock))
- Better support for Sensu Go upgrades [\#1201](https://github.com/sensu/sensu-puppet/pull/1201) ([treydock](https://github.com/treydock))

## [v4.2.1](https://github.com/sensu/sensu-puppet/tree/v4.2.1) (2020-01-29)

[Full Changelog](https://github.com/sensu/sensu-puppet/compare/v4.2.0...v4.2.1)
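Review bot: the new v4.3.0 heading carries the same release date (2020-01-29) as the v4.2.1 heading directly below it; confirm that both tags really were cut on the same day before this is merged, since the generator takes the date from the tag. The first Added bullet points at #1203, which should be this pull request's own number, so double-check it once the PR number is final.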
@@ -200,7 +209,6 @@

- Add headers property to sensu\_assets [\#1119](https://github.com/sensu/sensu-puppet/pull/1119) ([treydock](https://github.com/treydock))
- Add ability to run acceptance tests against Sensu-Go CI builds [\#1115](https://github.com/sensu/sensu-puppet/pull/1115) ([treydock](https://github.com/treydock))
- Support listing sensuctl resources using chunk-size [\#1114](https://github.com/sensu/sensu-puppet/pull/1114) ([treydock](https://github.com/treydock))

### Fixed

@@ -227,16 +235,13 @@

### Added

- Support listing sensuctl resources using chunk-size [\#1114](https://github.com/sensu/sensu-puppet/pull/1114) ([treydock](https://github.com/treydock))
- Support Sensu Go 5.6 [\#1105](https://github.com/sensu/sensu-puppet/pull/1105) ([treydock](https://github.com/treydock))

## [v3.1.0](https://github.com/sensu/sensu-puppet/tree/v3.1.0) (2019-04-19)

[Full Changelog](https://github.com/sensu/sensu-puppet/compare/v3.0.0...v3.1.0)

### Added

- Prep 3.1.0 release [\#1103](https://github.com/sensu/sensu-puppet/pull/1103) ([treydock](https://github.com/treydock))



\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*
185 changes: 185 additions & 0 deletions REFERENCE.md
@@ -53,6 +53,8 @@ _Public Resource types_
* [`sensu_resources`](#sensu_resources): Metatype for sensu resources
* [`sensu_role`](#sensu_role): Manages Sensu roles
* [`sensu_role_binding`](#sensu_role_binding): Manages Sensu role bindings
* [`sensu_secret`](#sensu_secret): Manages Sensu Secrets
* [`sensu_secrets_vault_provider`](#sensu_secrets_vault_provider): Manages Sensu Secrets provider
* [`sensu_user`](#sensu_user): Manages Sensu users

_Private Resource types_
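Review bot: the summary for `sensu_secrets_vault_provider` reads "Manages Sensu Secrets provider", which is both singular/plural-inconsistent with its neighbours and vaguer than the type name; "Manages Sensu Secrets Vault providers" would match the `### sensu_secrets_vault_provider` section later in this file. If REFERENCE.md is generated from the type docstrings, the wording should be fixed in lib/puppet/type/sensu_secrets_vault_provider.rb rather than here.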
@@ -1051,6 +1053,22 @@ Hash of sensu_role resources

Default value: {}

##### `secrets`

Data type: `Hash`

Hash of secrets

Default value: {}

##### `secrets_vault_providers`

Data type: `Hash`

Hash of sensu_secrets_vault_providers

Default value: {}

##### `users`

Data type: `Hash`
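Review bot: the two new `sensu::resources` parameters are described inconsistently ("Hash of secrets" versus "Hash of sensu_secrets_vault_providers") while the adjacent entry uses the pattern "Hash of sensu_role resources". Suggest "Hash of sensu_secret resources" and "Hash of sensu_secrets_vault_provider resources" so each parameter maps unambiguously to the type it creates.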
@@ -1638,6 +1656,10 @@ Valid values: `true`, `false`

Discard check output after extracting metrics.

##### `secrets`

List of Sensu secrets to set for the check execution environment.

##### `namespace`

The Sensu RBAC namespace that this check belongs to.
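Review bot: "List of Sensu secrets to set for the check execution environment" does not say what each list element looks like (which keys are valid and which are required) or how `secrets` relates to the existing environment-variable handling of the check. The same one-line description is repeated verbatim for handlers and mutators in the two hunks below; since the three types share lib/puppet_x/sensu/secrets_property.rb, documenting the element shape once there and referencing it from each type would keep the three descriptions from drifting.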
@@ -2395,6 +2417,10 @@ Valid values: /.*/, absent

An array of Sensu assets (names), required at runtime for the execution of the command

##### `secrets`

List of Sensu secrets to set for the handler execution environment.

##### `namespace`

The Sensu RBAC namespace that this handler belongs to.
@@ -2679,6 +2705,10 @@ Valid values: /.*/, absent

An array of environment variables to use with command execution.

##### `secrets`

List of Sensu secrets to set for the mutator execution environment.

##### `namespace`

The Sensu RBAC namespace that this mutator belongs to.
@@ -3163,6 +3193,161 @@ An example composite name to define resource named `test` in namespace `dev`: `test in dev`

The name of the role binding.

### sensu_secret

**Autorequires**:
* `Package[sensu-go-cli]`
* `Service[sensu-backend]`
* `Sensuctl_configure[puppet]`
* `Sensu_api_validator[sensu]`
* `sensu_namespace` - Puppet will autorequire `sensu_namespace` resource defined in `namespace` property.

#### Examples

##### Manage a secret in the default namespace

```puppet
sensu_secret { 'sensu-ansible-token in default':
ensure => 'present',
id => 'ANSIBLE_TOKEN',
secrets_provider => 'env',
}
```

#### Properties

The following properties are available in the `sensu_secret` type.

##### `ensure`

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

##### `id`

The identifying key for the provider to retrieve the secret.

##### `secrets_provider`

The name of the Sensu provider with the secret.

##### `namespace`

The Sensu RBAC namespace that this secret belongs to.

Default value: default

#### Parameters

The following parameters are available in the `sensu_secret` type.

##### `name`

namevar

The name of the secret.
The name supports composite names that can define the namespace.
An example composite name to define resource named `test` in namespace `dev`: `test in dev`

##### `resource_name`

The name of the secret.

### sensu_secrets_vault_provider

**NOTE** Property names map to the `client` hash in Sensu Go reference for a secrets VaultProvider

**Autorequires**:
* `Package[sensu-go-cli]`
* `Service[sensu-backend]`
* `Sensuctl_configure[puppet]`
* `Sensu_api_validator[sensu]`

#### Examples

##### Manage a secrets vault provider

```puppet
sensu_secrets_vault_provider { 'my_vault-api':
ensure => 'present',
address => "https://vaultserver.example.com:8200",
token => "VAULT_TOKEN",
version => "v1",
max_retries => 2,
timeout => "20s",
tls => {
"ca_cert" => "/etc/ssl/certs/ca-bundle.crt"
},
rate_limiter => {
"limit" => 10,
"burst" => 100
},
}
```

#### Properties

The following properties are available in the `sensu_secrets_vault_provider` type.

##### `ensure`

Valid values: present, absent

The basic property that the resource should be in.

Default value: present

##### `address`

Vault server address.

##### `token`

Vault token to use for authentication.

##### `version`

HashiCorp Vault HTTP API version

##### `max_retries`

Number of times to retry connecting to the vault provider.

Default value: 2

##### `timeout`

Provider connection timeout (hard stop).

Default value: 60s

##### `tls`

TLS object. Vault only works with TLS configured.

Default value: absent

##### `rate_limiter`

Keys:
* limit - Maximum number of secrets requests per second that can be transmitted to the backend with the secrets API.
* burst - Maximum amount of burst allowed in a rate interval for the secrets API.

Default value: absent

#### Parameters

The following parameters are available in the `sensu_secrets_vault_provider` type.

##### `name`

namevar

The name of the secrets provider.

### sensu_user

**Autorequires**:
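Review bot: the `tls` property is documented as "Vault only works with TLS configured" yet its default is `absent`, and the example only sets `ca_cert`; state whether `tls` is effectively required and what the provider does when it is absent, so the default does not contradict the description. Separately, `token` is a live Vault authentication token written into a Puppet manifest: unless the type declares it sensitive, the value will be stored in the compiled catalog and in reports and may show up in property-change diffs, so the docs should say whether `Sensitive` values are accepted and whether the token is redacted in logs (the sensuctl provider has a dump fixture in spec/fixtures/unit/provider/sensu_secrets_vault_provider/sensuctl/dump.txt, so it is worth checking what that output contains). Minor: the `rate_limiter` entry documents keys but no default unit for `limit`, and the `sensu_secret` section lists `namespace` under Properties while the composite-name text treats it as part of the title, so make sure the autorequire on `sensu_namespace` still applies when the namespace comes from the title.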
9 changes: 8 additions & 1 deletion lib/puppet/provider/sensu_api.rb
@@ -140,11 +140,18 @@ def self.api_request(path, data = nil, opts = {})
Puppet.debug("BODY: Not valid JSON")
return {}
end
rescue Exception => e
if failonfail
raise
else
Puppet.err "Unable to connect to #{uri.to_s}: #{e.message}"
return {}
end
rescue Puppet::Error => e
if failonfail
raise
else
Puppet.notice "Unable to connect to #{uri.to_s}: #{e.message}"
Puppet.err "Unable to connect to #{uri.to_s}: #{e.message}"
return {}
end
end
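Review bot: the new `rescue Exception => e` clause sits before `rescue Puppet::Error => e`, so the second clause can never match (Ruby tests rescue clauses in order and Puppet::Error is a StandardError, hence an Exception), leaving it as dead code; either drop the Puppet::Error branch or move the narrower rescue first. Independently, `rescue Exception` also catches Interrupt, SystemExit and NoMemoryError, so a Ctrl-C during a slow API call would be reported as "Unable to connect to ..." and turned into an empty hash; `rescue StandardError => e` is the safer catch-all for connection and timeout failures. Changing `Puppet.notice` to `Puppet.err` on the non-failing path is welcome, since a silently empty `instances` list is otherwise hard to diagnose.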
108 changes: 108 additions & 0 deletions lib/puppet/provider/sensu_secret/sensu_api.rb
@@ -0,0 +1,108 @@
require File.expand_path(File.join(File.dirname(__FILE__), '..', 'sensu_api'))

Puppet::Type.type(:sensu_secret).provide(:sensu_api, :parent => Puppet::Provider::SensuAPI) do
desc "Provider sensu_secret using sensu API"

mk_resource_methods

def self.instances
secrets = []

namespaces.each do |namespace|
data = api_request('secrets', nil, {:namespace => namespace, :api_group => 'enterprise/secrets', :api_version => 'v1', :failonfail => false})
data.each do |d|
secret = {}
secret[:ensure] = :present
secret[:resource_name] = d['metadata']['name']
secret[:namespace] = d['metadata']['namespace']
secret[:name] = "#{secret[:resource_name]} in #{secret[:namespace]}"
secret[:id] = d['spec']['id']
secret[:secrets_provider] = d['spec']['provider']
secrets << new(secret)
end
end
secrets
end

def self.prefetch(resources)
secrets = instances
resources.keys.each do |name|
if provider = secrets.find { |c| c.resource_name == resources[name][:resource_name] && c.namespace == resources[name][:namespace] }
resources[name].provider = provider
end
end
end

def exists?
@property_hash[:ensure] == :present
end

def initialize(value = {})
super(value)
@property_flush = {}
end

type_properties.each do |prop|
define_method "#{prop}=".to_sym do |value|
@property_flush[prop] = value
end
end

def create
spec = {}
metadata = {}
metadata[:name] = resource[:resource_name]
metadata[:namespace] = resource[:namespace]
spec[:id] = resource[:id]
spec[:provider] = resource[:secrets_provider]
data = {}
data[:spec] = spec
data[:metadata] = metadata
data[:type] = 'Secret'
data[:api_version] = 'secrets/v1'
opts = {
:namespace => metadata[:namespace],
:api_group => 'enterprise/secrets',
:api_version => 'v1',
:method => 'put',
}
api_request("secrets/#{resource[:resource_name]}", data, opts)
@property_hash[:ensure] = :present
end

def flush
if !@property_flush.empty?
spec = {}
metadata = {}
metadata[:name] = resource[:resource_name]
metadata[:namespace] = resource[:namespace]
spec[:id] = @property_flush[:id] || resource[:id]
spec[:provider] = @property_flush[:secrets_provider] || resource[:secrets_provider]
data = {}
data[:spec] = spec
data[:metadata] = metadata
data[:type] = 'Secret'
data[:api_version] = 'secrets/v1'
opts = {
:namespace => metadata[:namespace],
:api_group => 'enterprise/secrets',
:api_version => 'v1',
:method => 'put',
}
api_request("secrets/#{resource[:resource_name]}", data, opts)
end
@property_hash = resource.to_hash
end

def destroy
opts = {
:namespace => resource[:namespace],
:api_group => 'enterprise/secrets',
:api_version => 'v1',
:method => 'delete',
}
api_request("secrets/#{resource[:resource_name]}", nil, opts)
@property_hash.clear
end
end
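Review bot: `self.instances` calls `api_request` with `:failonfail => false`, which per the sensu_api.rb hunk returns `{}` on connection errors; `{}.each` is harmless, but if the backend answers with a JSON object instead of an array (for example an error body when the enterprise secrets API is not licensed or the namespace is not readable), `data.each do |d|` yields key/value pairs and `d['metadata']` raises TypeError. Add `next unless data.is_a?(Array)` before the loop so one unavailable namespace does not abort the whole prefetch. Minor: `create` and `flush` build the same request body (`metadata`, `spec`, `type`, `api_version`, `opts`); pulling that into one private method, with `flush` passing its `@property_flush` overrides, removes the duplication and keeps the two code paths from diverging.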
