diff --git a/.travis.yml b/.travis.yml
@@ -64,52 +64,82 @@ matrix:
     stage: acceptance
   - rvm: 2.4.9
     services: docker
-    env: BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_sensu_full=yes
+    env: BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_sensu_mode=full
     script: bundle exec rake beaker
     stage: acceptance
   - rvm: 2.5.7
     services: docker
-    env: BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_full=yes
+    env: BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_mode=full
     script: bundle exec rake beaker
     stage: acceptance
   - rvm: 2.5.7
     services: docker
-    env: BEAKER_sensu_ci_build=yes BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_full=yes
+    env: BEAKER_sensu_ci_build=yes BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_mode=full
     script: bundle exec rake beaker
     stage: acceptance
   - rvm: 2.4.9
     services: docker
-    env: BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_sensu_full=yes BEAKER_sensu_use_agent=yes
+    env: BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_sensu_mode=examples
     script: bundle exec rake beaker
     stage: acceptance
   - rvm: 2.5.7
     services: docker
-    env: BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_full=yes BEAKER_sensu_use_agent=yes
+    env: BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_mode=examples
+    script: bundle exec rake beaker
+    stage: acceptance
+  - rvm: 2.5.7
+    services: docker
+    env: BEAKER_sensu_ci_build=yes BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_mode=examples
+    script: bundle exec rake beaker
+    stage: acceptance
+  - rvm: 2.4.9
+    services: docker
+    env: BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_sensu_mode=types
+    script: bundle exec rake beaker
+    stage: acceptance
+  - rvm: 2.5.7
+    services: docker
+    env: BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_mode=types
+    script: bundle exec rake beaker
+    stage: acceptance
+  - rvm: 2.5.7
+    services: docker
+    env: BEAKER_sensu_ci_build=yes BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_mode=types
     script: bundle exec rake beaker
     stage: acceptance
   - rvm: 2.4.9
     services: docker
-    env: BEAKER_set="centos-7-cluster" BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_sensu_cluster=yes
+    env: BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_sensu_mode=types BEAKER_sensu_use_agent=yes
     script: bundle exec rake beaker
     stage: acceptance
   - rvm: 2.5.7
     services: docker
-    env: BEAKER_set="centos-7-cluster" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_cluster=yes
+    env: BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_mode=types BEAKER_sensu_use_agent=yes
     script: bundle exec rake beaker
     stage: acceptance
   - rvm: 2.4.9
     services: docker
-    env: BEAKER_set="centos-7-cluster" BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_sensu_cluster=yes BEAKER_sensu_use_agent=yes
+    env: BEAKER_set="centos-7-cluster" BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_sensu_mode=cluster
     script: bundle exec rake beaker
     stage: acceptance
   - rvm: 2.5.7
     services: docker
-    env: BEAKER_set="centos-7-cluster" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_cluster=yes BEAKER_sensu_use_agent=yes
+    env: BEAKER_set="centos-7-cluster" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_mode=cluster
+    script: bundle exec rake beaker
+    stage: acceptance
+  - rvm: 2.4.9
+    services: docker
+    env: BEAKER_set="centos-7-cluster" BEAKER_PUPPET_COLLECTION=puppet5 BEAKER_sensu_mode=cluster BEAKER_sensu_use_agent=yes
     script: bundle exec rake beaker
     stage: acceptance
   - rvm: 2.5.7
     services: docker
-    env: BEAKER_sensu_ci_build=yes BEAKER_set="centos-7-cluster" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_cluster=yes
+    env: BEAKER_set="centos-7-cluster" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_mode=cluster BEAKER_sensu_use_agent=yes
+    script: bundle exec rake beaker
+    stage: acceptance
+  - rvm: 2.5.7
+    services: docker
+    env: BEAKER_sensu_ci_build=yes BEAKER_set="centos-7-cluster" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_mode=cluster
     script: bundle exec rake beaker
     stage: acceptance
   - rvm: 2.4.9
@@ -242,9 +272,13 @@ matrix:
   - rvm: 2.5.7
     env: BEAKER_sensu_ci_build=yes BEAKER_set="centos-6" BEAKER_PUPPET_COLLECTION=puppet6
   - rvm: 2.5.7
-    env: BEAKER_sensu_ci_build=yes BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_full=yes
+    env: BEAKER_sensu_ci_build=yes BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_mode=full
+  - rvm: 2.5.7
+    env: BEAKER_sensu_ci_build=yes BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_mode=examples
+  - rvm: 2.5.7
+    env: BEAKER_sensu_ci_build=yes BEAKER_set="centos-7" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_mode=types
   - rvm: 2.5.7
-    env: BEAKER_sensu_ci_build=yes BEAKER_set="centos-7-cluster" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_cluster=yes
+    env: BEAKER_sensu_ci_build=yes BEAKER_set="centos-7-cluster" BEAKER_PUPPET_COLLECTION=puppet6 BEAKER_sensu_mode=cluster
   - rvm: 2.5.7
     env: BEAKER_sensu_ci_build=yes BEAKER_set="centos-8" BEAKER_PUPPET_COLLECTION=puppet6
   - rvm: 2.5.7

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,23 @@
 # Changelog
 
+## [v4.10.0](https://github.com/sensu/sensu-puppet/tree/v4.10.0) (2020-04-19)
+
+[Full Changelog](https://github.com/sensu/sensu-puppet/compare/v4.8.0...v4.10.0)
+
+### Added
+
+- Improved validations around labels and annotations [\#1245](https://github.com/sensu/sensu-puppet/pull/1245) ([treydock](https://github.com/treydock))
+- Better support for agent redact [\#1241](https://github.com/sensu/sensu-puppet/pull/1241) ([treydock](https://github.com/treydock))
+
+### Fixed
+
+- Fix sensu\_license error handling [\#1244](https://github.com/sensu/sensu-puppet/pull/1244) ([treydock](https://github.com/treydock))
+
+### Merged Pull Requests
+
+- Change how it's determined when to run specific acceptance tests [\#1243](https://github.com/sensu/sensu-puppet/pull/1243) ([treydock](https://github.com/treydock))
+- Attempt to speed up acceptance tests [\#1242](https://github.com/sensu/sensu-puppet/pull/1242) ([treydock](https://github.com/treydock))
+
 ## [v4.8.0](https://github.com/sensu/sensu-puppet/tree/v4.8.0) (2020-04-13)
 
 [Full Changelog](https://github.com/sensu/sensu-puppet/compare/v4.7.1...v4.8.0)
@@ -44,7 +62,6 @@
 - Allow agents to have subscriptions defined as a resource [\#1227](https://github.com/sensu/sensu-puppet/pull/1227) ([treydock](https://github.com/treydock))
 - Support bonsai version with v prefix [\#1223](https://github.com/sensu/sensu-puppet/pull/1223) ([treydock](https://github.com/treydock))
 - Manage license through sensu\_license type [\#1218](https://github.com/sensu/sensu-puppet/pull/1218) ([treydock](https://github.com/treydock))
-- Add more examples [\#1214](https://github.com/sensu/sensu-puppet/pull/1214) ([treydock](https://github.com/treydock))
 
 ### Fixed
 
@@ -61,6 +78,7 @@
 
 ### Added
 
+- Add more examples [\#1214](https://github.com/sensu/sensu-puppet/pull/1214) ([treydock](https://github.com/treydock))
 - Better organization of class variables [\#1213](https://github.com/sensu/sensu-puppet/pull/1213) ([treydock](https://github.com/treydock))
 - Better documentation of private types [\#1212](https://github.com/sensu/sensu-puppet/pull/1212) ([treydock](https://github.com/treydock))
 
@@ -147,8 +165,6 @@
 - Document upcoming breaking changes [\#1167](https://github.com/sensu/sensu-puppet/pull/1167) ([treydock](https://github.com/treydock))
 - BREAKING: Move cli resources to sensu::cli class [\#1164](https://github.com/sensu/sensu-puppet/pull/1164) ([treydock](https://github.com/treydock))
 - BREAKING: Update type properties to map to Sensu Go specifications [\#1154](https://github.com/sensu/sensu-puppet/pull/1154) ([treydock](https://github.com/treydock))
-- BREAKING: Refactor how sensu\_ldap\_auth and sensu\_ad\_auth define servers [\#1142](https://github.com/sensu/sensu-puppet/pull/1142) ([treydock](https://github.com/treydock))
-- BREAKING: Remove sensu\_event and sensu\_silenced types [\#1141](https://github.com/sensu/sensu-puppet/pull/1141) ([treydock](https://github.com/treydock))
 
 ### Added
 
@@ -233,7 +249,6 @@
 - Add sensu\_gem package provider [\#1156](https://github.com/sensu/sensu-puppet/pull/1156) ([treydock](https://github.com/treydock))
 - Install Windows agent via chocolatey [\#1152](https://github.com/sensu/sensu-puppet/pull/1152) ([treydock](https://github.com/treydock))
 - Add sensu\_bonsai\_asset type [\#1149](https://github.com/sensu/sensu-puppet/pull/1149) ([treydock](https://github.com/treydock))
-- Replace unit test instance variables with let [\#1143](https://github.com/sensu/sensu-puppet/pull/1143) ([treydock](https://github.com/treydock))
 
 ### Fixed
 

diff --git a/DESIGN.md b/DESIGN.md
@@ -82,6 +82,15 @@ The class tests are ordered with numeric prefixes to control the order they run.
 
 The type of `sensu_check` will have its tests in `sensu_check_spec.rb`. The tests to run are adding resources, updating resources, and deleting resources. Some extra test cases should be added based on any complexities of a given type.
 
+The resources `sensu_cluster_role`, `sensu_cluster_role_binding`, `sensu_role`, and `sensu_role_binding` are grouped into `sensu_rbac_resources_spec.rb` with the goal of speeding up testing times.
+
+By default only tests for class resources run which is the same as setting the enviornment variable `BEAKER_sensu_mode=base`.  The other possible modes are the following:
+
+* `BEAKER_sensu_mode=types` - Run tests for all types
+* `BEAKER_sensu_mode=full` - Run same tests as base but also runs more complex tests like PostgreSQL and Bolt integrations
+* `BEAKER_sensu_mode=cluster` - Run cluster tests
+* `BEAKER_sensu_mode=examples` - Run the test around examples in the `examples` directory
+
 Technologies for acceptance testing:
 
 * Docker - provides running system where configurations can be made and tests can be executed

diff --git a/README.md b/README.md
@@ -351,18 +351,36 @@ If you wish to change the `agent` password you must provide the new and old pass
 It is advisable to set `show_diff` to `false` to avoid exposing the agent password.
 
 ```puppet
-class { 'sensu::backend':
+class { 'sensu':
   agent_password     => 'supersecret',
   agent_old_password => 'P@ssw0rd!',
 }
+class { 'sensu::agent':
+  show_diff => false,
+}
+```
+
+The `config_hash` parameter allows custom configuration for `agent.yml` outside the `sensu::agent` class parameters.
+
+```puppet
 class { 'sensu::agent':
   config_hash => {
-    'password' => 'supersecret',
+    'log-level' => 'debug',
   },
-  show_diff   => false,
 }
 ```
 
+The following parameters in `sensu::agent` class are used to populate `agent.yml`:
+
+* entity_name - Passed to `name` key in `agent.yml`
+* subscriptions
+* annotations
+* labels
+* namespace
+* redact
+
+Agent configurations can also be set via `sensu::agent::config_entry`. See [Advanced agent - Custom config entries](#advanced-agent---custom-config-entries).
+
 ### Advanced agent - Subscriptions
 
 It is possible to define subscriptions in many locations and the values merged into `agent.yml`:
@@ -418,6 +436,19 @@ annotations:
 
 **NOTE** `sensu::agent::annotation` and `sensu::agent::label` take precedence over values set by the class `sensu::agent`
 
+If you wish to redact a label or annotation you can use the `redact` parameter and the key will be added to the `redact` list in `agent.yml`:
+
+```puppet
+sensu::agent::label { 'secret':
+  value  => 'mysecret',
+  redact => true,
+}
+sensu::agent::annotation { 'ec2_access_key':
+  value  => 'some-key',
+  redact => true,
+}
+```
+
 ### Advanced agent - Custom config entries
 
 It is possible to define config entries for `agent.yml` in many locations in Puppet:

diff --git a/REFERENCE.md b/REFERENCE.md
@@ -374,7 +374,7 @@ Default value: `undef`
 
 ##### `entity_name`
 
-Data type: `Optional[String]`
+Data type: `Optional[String[1]]`
 
 The value for agent.yml `name`.
 Passing `name` as part of `config_hash` takes precedence
@@ -383,7 +383,7 @@ Default value: `undef`
 
 ##### `subscriptions`
 
-Data type: `Optional[Array]`
+Data type: `Optional[Array[String[1]]]`
 
 The agent subscriptions to define in agent.yml
 Passing `subscriptions` as part of `config_hash` takes precedence
@@ -392,7 +392,7 @@ Default value: `undef`
 
 ##### `annotations`
 
-Data type: `Optional[Hash]`
+Data type: `Optional[Hash[String[1],String]]`
 
 The agent annotations value for agent.yml
 Passing `annotations` as part of `config_hash` takes precedence
@@ -401,7 +401,7 @@ Default value: `undef`
 
 ##### `labels`
 
-Data type: `Optional[Hash]`
+Data type: `Optional[Hash[String[1],String]]`
 
 The agent labels value for agent.yml
 Passing `labels` as part of `config_hash` takes precedence
@@ -410,13 +410,24 @@ Default value: `undef`
 
 ##### `namespace`
 
-Data type: `Optional[String]`
+Data type: `Optional[String[1]]`
 
 The agent namespace
 Passing `namespace` as part of `config_hash` takes precedence
 
 Default value: `undef`
 
+##### `redact`
+
+Data type: `Array[String[1]]`
+
+The agent entity redact list
+Passing `redact` as part of `config_hash` takes precedence
+Defaults come from Sensu documentation:
+https://docs.sensu.io/sensu-go/latest/reference/agent/#security-configuration-flags
+
+Default value: ['password','passwd','pass','api_key','api_token','access_key','secret_key','private_key','secret']
+
 ##### `show_diff`
 
 Data type: `Boolean`
@@ -1127,10 +1138,18 @@ Default value: $name
 
 ##### `value`
 
-Data type: `String[1]`
+Data type: `String`
 
 Label value to add to agent.yml
 
+##### `redact`
+
+Data type: `Boolean`
+
+Boolean that sets if this entry should be added to redact list
+
+Default value: `false`
+
 ##### `order`
 
 Data type: `String[1]`
@@ -1203,10 +1222,18 @@ Default value: $name
 
 ##### `value`
 
-Data type: `String[1]`
+Data type: `String`
 
 Label value to add to agent.yml
 
+##### `redact`
+
+Data type: `Boolean`
+
+Boolean that sets if this entry should be added to redact list
+
+Default value: `false`
+
 ##### `order`
 
 Data type: `String[1]`

diff --git a/lib/puppet/provider/sensu_license/sensuctl.rb b/lib/puppet/provider/sensu_license/sensuctl.rb
@@ -17,15 +17,15 @@ def initialize(value = {})
 
   def create
     begin
-      sensuctl(['create','-f',resource[:file]])
+      output = sensuctl(['create','-f',resource[:file]])
     rescue Puppet::ExecutionFailure => e
       raise Puppet::Error, "sensuctl create failed\nOutput: #{output}\nError message: #{e.message}"
     end
   end
 
   def destroy
     begin
-      sensuctl(['delete','-f',resource[:file]])
+      output = sensuctl(['delete','-f',resource[:file]])
     rescue Puppet::ExecutionFailure => e
       raise Puppet::Error, "sensuctl create failed\nOutput: #{output}\nError message: #{e.message}"
     end

diff --git a/lib/puppet/type/sensu_asset.rb b/lib/puppet/type/sensu_asset.rb
@@ -2,6 +2,7 @@
 require_relative '../../puppet_x/sensu/array_property'
 require_relative '../../puppet_x/sensu/array_of_hashes_property'
 require_relative '../../puppet_x/sensu/hash_property'
+require_relative '../../puppet_x/sensu/hash_of_strings_property'
 require_relative '../../puppet_x/sensu/integer_property'
 
 Puppet::Type.newtype(:sensu_asset) do
@@ -163,11 +164,11 @@ def insync?(is)
     end
   end
 
-  newproperty(:labels, :parent => PuppetX::Sensu::HashProperty) do
+  newproperty(:labels, :parent => PuppetX::Sensu::HashOfStringsProperty) do
     desc "Custom attributes to include with event data, which can be queried like regular attributes."
   end
 
-  newproperty(:annotations, :parent => PuppetX::Sensu::HashProperty) do
+  newproperty(:annotations, :parent => PuppetX::Sensu::HashOfStringsProperty) do
     desc "Arbitrary, non-identifying metadata to include with event data."
   end