From 788e709f674c775fb679a3a4a8ed5fe1019db0ba Mon Sep 17 00:00:00 2001
From: Will Szumski
Date: Fri, 15 Sep 2023 18:34:26 +0100
Subject: [PATCH] Move wazuh certificates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Wazuh certificates were stored in etc/kayobe/ansible/wazuh/certificates or etc/kayobe/ansible/wazuh/custom_certificates. There are a few issues with these locations:
- they are in the base configuration, so not scoped to a Kayobe environment. This means that multiple environments could have duplicate certificates
- it’s under the ansible directory, but isn’t really Ansible code - it’s configuration
@jackhodgkiss pointed out that we can use the same directory for custom certificates and auto-generated certificates
---
 .gitignore | 2 -
 doc/source/configuration/wazuh.rst | 9 ++--
 etc/kayobe/ansible/wazuh-manager.yml | 50 +++++++++++--------
 .../group_vars/wazuh-manager/wazuh-manager | 5 +-
 .../moved-wazuh-certs-b5173d264f543b14.yaml | 16 ++++++
 5 files changed, 50 insertions(+), 32 deletions(-)
 create mode 100644 releasenotes/notes/moved-wazuh-certs-b5173d264f543b14.yaml

diff --git a/.gitignore b/.gitignore
index 6bdc17df2..5ac417a39 100644
--- a/.gitignore
+++ b/.gitignore
@@ -45,8 +45,6 @@ etc/kolla
 
 # Ignore wazuh
 etc/kayobe/ansible/roles/wazuh-ansible/
-etc/kayobe/ansible/wazuh/certificates/*
-etc/kayobe/ansible/wazuh/certificates/custom_certificates/*
 
 # Ignore ceph generated config in AUFN env
 etc/kayobe/environments/aufn-ceph/kolla/config/glance/ceph.conf
diff --git a/doc/source/configuration/wazuh.rst b/doc/source/configuration/wazuh.rst
index ee8999339..6557920fa 100644
--- a/doc/source/configuration/wazuh.rst
+++ b/doc/source/configuration/wazuh.rst
@@ -260,8 +260,8 @@ By default, Wazuh Ansible uses `wazuh-cert-tool.sh .pem) +Those certificates can be placed in ``{{ kayobe_env_path }}/wazuh-certificates``. Certificates should have the +same name scheme as those generated by wazuh (typicaly .pem) The key for the external certificate should be in PKCS#8 format (in its header it may have BEGIN PRIVATE KEY instead of BEGIN RSA PRIVATE KEY or BEGIN OPENSSH PRIVATE KEY).
diff --git a/etc/kayobe/ansible/wazuh-manager.yml b/etc/kayobe/ansible/wazuh-manager.yml
index 1e669fbb6..5c24929cf 100644
--- a/etc/kayobe/ansible/wazuh-manager.yml
+++ b/etc/kayobe/ansible/wazuh-manager.yml
@@ -1,4 +1,33 @@
 ---
+- name: Pre-checks
+ gather_facts: false
+ hosts: localhost
+ tags:
+ - prechecks
+ tasks:
+ - name: Fail if using old path for Wazuh certificates
+ fail:
+ msg: >-
+ The path used for Wazuh SSL certificates was changed in a previous release. The certificates
+ were found in the wrong location. Please move them from {{ playbook_dir }}/wazuh/certificates
+ to {{ kayobe_env_config_path }}/wazuh/certificates, e.g git mv {{ playbook_dir }}/wazuh/certificates
+ {{ kayobe_env_config_path }}/wazuh/certificates
+ when: (playbook_dir ~ '/wazuh/certificates') is exists
+
+ - name: Fail if using old path for custom certificates
+ fail:
+ msg: >-
+ Wazuh custom SSL certificates have been merged with regular certificates. The certificates
+ were found in the wrong location. Please move them from {{ playbook_dir }}/wazuh/custom-certificates
+ to {{ kayobe_env_config_path }}/wazuh/certificates/certs ,e.g git mv {{ playbook_dir }}/wazuh/custom-certificates/*
+ {{ kayobe_env_config_path }}/wazuh/certificates/certs.
+ when: (playbook_dir ~ '/wazuh/custom-certificates)' is exists
+
+ - name:
+ assert:
+ that: local_custom_certs_path is not defined
+ fail_msg: "The variable, `local_custom_certs_path`, is no longer used. Please remove this variable."
+
 # Certificates generation
 - hosts: localhost
 roles:
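Review bot: The `when` on the second pre-check is not a valid expression: the closing parenthesis sits inside the string literal, `when: (playbook_dir ~ '/wazuh/custom-certificates)' is exists`, so the opening `(` is never closed and the task errors out instead of checking anything; it should read `when: (playbook_dir ~ '/wazuh/custom-certificates') is exists`. Once parseable, the path it tests still uses a hyphen, whereas the variable this commit removes from group_vars pointed at `{{ playbook_dir }}/wazuh/custom_certificates` with an underscore (the deleted `.gitignore` pattern also says `custom_certificates`), so a deployment with the old layout would pass the check and silently run without its custom certificates; the two `git mv` hints in that message need the same correction. The third task has an empty `- name:`, which should be something like `- name: Fail if local_custom_certs_path is still defined`. Both messages also instruct operators to `git mv` the certificate directories into the environment config while this commit deletes the two `.gitignore` patterns that covered them without adding a replacement, so the private keys (the `*-key.pem` files the removed copy task handled) would end up committed unless the new location is ignored or versioning them is the stated intent.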
@@ -31,27 +60,6 @@
 notify:
 - Restart wazuh
 
- - name: Check if custom certificates exists
- stat:
- path: "{{ local_custom_certs_path }}"
- register: custom_certificates_folder
- delegate_to: localhost
- become: no
-
- - name: Copy the node & admin certificates to Wazuh dashboard
- copy:
- src: "{{ local_custom_certs_path }}/{{ item }}"
- dest: /etc/wazuh-dashboard/certs/
- owner: wazuh-dashboard
- group: wazuh-dashboard
- mode: 0400
- with_items:
- "{{ indexer_node_name }}-key.pem"
- "{{ indexer_node_name }}.pem"
- when: custom_certificates_folder.stat.exists
- notify:
- Restart wazuh-dashboard
-
 - name: Perform health check against filebeat
 command: filebeat test output
 changed_when: false
diff --git a/etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager b/etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager
index 2fb16b23d..5849d6985 100644
--- a/etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager
+++ b/etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager
@@ -19,10 +19,7 @@ minimum_master_nodes: 1
 indexer_node_master: true
 
 # Ansible control host certificate directory
-local_certs_path: "{{ playbook_dir }}/wazuh/certificates"
-
-# Ansible control host custom certificates directory
-local_custom_certs_path: "{{ playbook_dir }}/wazuh/custom_certificates"
+local_certs_path: "{{ kayobe_env_config_path }}/wazuh/certificates"
 
 # Indexer variables
 indexer_node_name: "{{ inventory_hostname }}"
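Review bot: The new `local_certs_path` value, `{{ kayobe_env_config_path }}/wazuh/certificates`, does not agree with the location this same commit documents: the docs hunk says ``{{ kayobe_env_path }}/wazuh-certificates`` (a different variable name and a hyphenated top-level directory) and the release note says ``.../wazuh-certificates`` and ``.../wazuh-certificates/certs``, while the pre-check messages say `wazuh/certificates` and `wazuh/certificates/certs`. Operators following the release note would likely place the files where the playbook does not look, so the docs and release note should be brought in line with this variable (or the variable with them) before merging. Since `local_custom_certs_path` is removed here, a comment above the remaining variable stating where custom certificates now belong would help, e.g. `# Custom certificates go in the certs/ subdirectory of this path.`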
@@ -0,0 +1,16 @@
+---
+upgrade:
+ - |
+ The path used for Wazuh certificates has changed. They are now stored in
+ environment directory e.g
+ ``$KAYOBE_CONFIG_PATH/etc/kayobe/environments//wazuh-certificates``
+ or ``$KAYOBE_CONFIG_PATH/etc/kayobe/wazuh-certificates`` if not using
+ environments. The certificates should be moved from
+ ``$KAYOBE_CONFIG_PATH/etc/kayobe/ansible/wazuh/certificates`` to the new
+ location.
+ - |
+ The ``local_custom_certs_path`` variable has been removed. Custom wazuh
+ certificates should be moved to
+ ``$KAYOBE_CONFIG_PATH/etc/kayobe/environments//wazuh-certificates/certs``
+ if using environments, or
+ ``$KAYOBE_CONFIG_PATH/etc/kayobe/wazuh-certificates/certs`` if not.