Move wazuh certificates

Wazuh certificates were stored in etc/kayobe/ansible/wazuh/certificates
or etc/kayobe/ansible/wazuh/custom_certificates.  There are a few issues
with these locations:

- they are in the base configuration, so not scoped
to a Kayobe environment. This means that multiple environments could
have duplicate certificates

- it’s under the ansible directory, but isn’t
really Ansible code - it’s configuration

@jackhodgkiss pointed out that we can use the same directory for custom
certificates and auto-generated certificates

.gitignore

@@ -45,8 +45,6 @@ etc/kolla
 
 # Ignore wazuh
 etc/kayobe/ansible/roles/wazuh-ansible/
-etc/kayobe/ansible/wazuh/certificates/*
-etc/kayobe/ansible/wazuh/certificates/custom_certificates/*
 
 # Ignore ceph generated config in AUFN env
 etc/kayobe/environments/aufn-ceph/kolla/config/glance/ceph.conf

doc/source/configuration/wazuh.rst

@@ -260,8 +260,8 @@ By default, Wazuh Ansible uses `wazuh-cert-tool.sh <https://documentation.wazuh.
 to automatically
 generate certificates for wazuh-indexer (previously Elasticsearch and opendistro)
 and wazuh-dashbooard (previously Kibana) using a local CA.
-If the certificates directory ``etc/kayobe/ansible/wazuh/certificates``
-does not exist, it will generate the following certificates in ``etc/kayobe/ansible/wazuh/certificates/certs/``
+If the certificates directory ``{{ kayobe_env_path }}/wazuh-certificates``
+does not exist, it will generate the following certificates in ``{{ kayobe_env_path }}/wazuh-certificates/certs/``
 (here os-wazuh is set as ``elasticsearch_node_name`` and ``kibana_node_name``:
 
 
@@ -276,9 +276,8 @@ does not exist, it will generate the following certificates in ``etc/kayobe/ansi
 
 
 It is also possible to use externally generated certificates for wazuh-dashboard. root-ca.pem should contain the CA chain.
-Those certificates can be uploaded to ``etc/kayobe/ansible/wazuh/custom_certificates``,
-and will replace certificates generated by wazuh.
-Certificates should have the same name scheme as those generated by wazuh (typicaly <node-name>.pem)
+Those certificates can be placed in ``{{ kayobe_env_path }}/wazuh-certificates``. Certificates should have the
+same name scheme as those generated by wazuh (typicaly <node-name>.pem)
 The key for the external certificate should be in PKCS#8 format
 (in its header it may have BEGIN PRIVATE KEY instead of BEGIN RSA PRIVATE KEY or BEGIN OPENSSH PRIVATE KEY).
 

etc/kayobe/ansible/wazuh-manager.yml

@@ -1,4 +1,33 @@
 ---
+- name: Pre-checks
+  gather_facts: false
+  hosts: localhost
+  tags:
+    - prechecks
+  tasks:
+    - name: Fail if using old path for Wazuh certificates
+      fail:
+        msg: >-
+          The path used for Wazuh SSL certificates was changed in a previous release. The certificates
+          were found in the wrong location. Please move them from {{ playbook_dir }}/wazuh/certificates
+          to {{ kayobe_env_config_path }}/wazuh/certificates, e.g git mv {{ playbook_dir }}/wazuh/certificates
+          {{ kayobe_env_config_path }}/wazuh/certificates
+      when: (playbook_dir ~ '/wazuh/certificates') is exists
+
+    - name: Fail if using old path for custom certificates
+      fail:
+        msg: >-
+          Wazuh custom SSL certificates have been merged with regular certificates. The certificates
+          were found in the wrong location. Please move them from {{ playbook_dir }}/wazuh/custom-certificates
+          to {{ kayobe_env_config_path }}/wazuh/certificates/certs ,e.g git mv {{ playbook_dir }}/wazuh/custom-certificates/*
+          {{ kayobe_env_config_path }}/wazuh/certificates/certs.
+      when: (playbook_dir ~ '/wazuh/custom-certificates)' is exists
+
+    - name:
+      assert:
+        that: local_custom_certs_path is not defined
+        fail_msg: "The variable, `local_custom_certs_path`, is no longer used. Please remove this variable."
+
 # Certificates generation
 - hosts: localhost
   roles:
@@ -31,27 +60,6 @@
       notify:
         - Restart wazuh
 
-    - name: Check if custom certificates exists
-      stat:
-        path: "{{ local_custom_certs_path }}"
-      register: custom_certificates_folder
-      delegate_to: localhost
-      become: no
-
-    - name: Copy the node & admin certificates to Wazuh dashboard
-      copy:
-        src: "{{ local_custom_certs_path }}/{{ item }}"
-        dest: /etc/wazuh-dashboard/certs/
-        owner: wazuh-dashboard
-        group: wazuh-dashboard
-        mode: 0400
-      with_items:
-        - "{{ indexer_node_name }}-key.pem"
-        - "{{ indexer_node_name }}.pem"
-      when: custom_certificates_folder.stat.exists
-      notify:
-        - Restart wazuh-dashboard
-
     - name: Perform health check against filebeat
       command: filebeat test output
       changed_when: false

etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager

@@ -19,10 +19,7 @@ minimum_master_nodes: 1
 indexer_node_master: true
 
 # Ansible control host certificate directory
-local_certs_path: "{{ playbook_dir }}/wazuh/certificates"
-
-# Ansible control host custom certificates directory
-local_custom_certs_path: "{{ playbook_dir }}/wazuh/custom_certificates"
+local_certs_path: "{{ kayobe_env_config_path }}/wazuh/certificates"
 
 # Indexer variables
 indexer_node_name: "{{ inventory_hostname }}"

releasenotes/notes/moved-wazuh-certs-b5173d264f543b14.yaml

@@ -0,0 +1,16 @@
+---
+upgrade:
+  - |
+    The path used for Wazuh certificates has changed. They are now stored in
+    environment directory e.g
+    ``$KAYOBE_CONFIG_PATH/etc/kayobe/environments/<environment>/wazuh-certificates``
+    or ``$KAYOBE_CONFIG_PATH/etc/kayobe/wazuh-certificates`` if not using
+    environments. The certificates should be moved from
+    ``$KAYOBE_CONFIG_PATH/etc/kayobe/ansible/wazuh/certificates`` to the new
+    location.
+  - |
+    The ``local_custom_certs_path`` variable has been removed. Custom wazuh
+    certificates should be moved to
+    ``$KAYOBE_CONFIG_PATH/etc/kayobe/environments/<environment>/wazuh-certificates/certs``
+    if using environments, or
+    ``$KAYOBE_CONFIG_PATH/etc/kayobe/wazuh-certificates/certs`` if not.