Move wazuh certificates

[jovial]

Wazuh certificates were stored in etc/kayobe/ansible/wazuh/certificates or etc/kayobe/ansible/wazuh/custom_certificates. There are a few issues with these locations:

• they are in the base configuration, so not scoped to a Kayobe environment. This means that multiple environments could have duplicate certificates

• it’s under the ansible directory, but isn’t really Ansible code - it’s configuration

@jackhodgkiss pointed out that we can use the same directory for custom certificates and auto-generated certificates

[markgoddard]

I think at this point someone needs to do some testing.

[jovial]

This is what the help text looks like:

TASK [Fail if using old path for Wazuh certificates] ************************************************************************************************************************
Thursday 28 September 2023  11:03:27 +0000 (0:00:00.071)       0:00:00.071 **** 
fatal: [localhost]: FAILED! => changed=false 
  msg: The path used for Wazuh SSL certificates was changed in a previous release. The certificates were found in the wrong location. Please move all files and directories in /home/cloud-user/kayobe/kayobe/config/src/kayobe-config/etc/kayobe/ansible/wazuh/certificates to /home/cloud-user/kayobe/kayobe/config/src/kayobe-config/etc/kayobe/environments/test/wazuh/ and remove the empty directory.

PLAY RECAP ******************************************************************************************************************************************************************
localhost                  : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

Thursday 28 September 2023  11:03:27 +0000 (0:00:00.107)       0:00:00.179 **** 
=============================================================================== 
Fail if using old path for Wazuh certificates ------------------------------------------------------------------------------------------------------------------------ 0.11s
Kayobe playbook(s) etc/kayobe/ansible/wazuh-manager.yml exited 2
(venv-kayobe2) [cloud-user@kayobe-aio kayobe-config]$ tree /home/cloud-user/kayobe/kayobe/config/src/kayobe-config/etc/kayobe/ansible/wazuh/certificates
/home/cloud-user/kayobe/kayobe/config/src/kayobe-config/etc/kayobe/ansible/wazuh/certificates
├── config.yml
├── wazuh-certificates
│   ├── admin-key.pem
│   ├── admin.pem
│   ├── localhost-key.pem
│   ├── localhost.pem
│   ├── root-ca.key
│   └── root-ca.pem
└── wazuh-certs-tool.sh

1 directory, 8 files

For which you do:

  249  mkdir /home/cloud-user/kayobe/kayobe/config/src/kayobe-config/etc/kayobe/environments/test/wazuh/
  250  mv /home/cloud-user/kayobe/kayobe/config/src/kayobe-config/etc/kayobe/ansible/wazuh/certificates/* /home/cloud-user/kayobe/kayobe/config/src/kayobe-config/etc/kayobe/environments/test/wazuh/
  251  rmdir /home/cloud-user/kayobe/kayobe/config/src/kayobe-config/etc/kayobe/ansible/wazuh/certificates

[jovial]

I think at this point someone needs to do some testing.

done

[markgoddard]

Great stuff, thanks!

[markgoddard]

Just noticed this went into antelope. Shouldn't it have gone into yoga?

[jovial]

Just noticed this went into antelope. Shouldn't it have gone into yoga?

Possibly. Isn't it a breaking change though?

[markgoddard]

Just noticed this went into antelope. Shouldn't it have gone into yoga?

Possibly. Isn't it a breaking change though?

I'd call it an unbreaking change, but potato potato...

[markgoddard]

Just noticed this went into antelope. Shouldn't it have gone into yoga?

Possibly. Isn't it a breaking change though?

I'd call it an unbreaking change, but potato potato...

It's worth a discussion, but I'd suggest squashing and cherry picking to yoga, then announcing in Slack about the change. Your nice prechecks should catch any issues.