diff --git a/.gitignore b/.gitignore index 6bdc17df2..5ac417a39 100644 --- a/.gitignore +++ b/.gitignore @@ -45,8 +45,6 @@ etc/kolla # Ignore wazuh etc/kayobe/ansible/roles/wazuh-ansible/ -etc/kayobe/ansible/wazuh/certificates/* -etc/kayobe/ansible/wazuh/certificates/custom_certificates/* # Ignore ceph generated config in AUFN env etc/kayobe/environments/aufn-ceph/kolla/config/glance/ceph.conf diff --git a/doc/source/configuration/wazuh.rst b/doc/source/configuration/wazuh.rst index ee8999339..492f8b3e4 100644 --- a/doc/source/configuration/wazuh.rst +++ b/doc/source/configuration/wazuh.rst @@ -260,8 +260,8 @@ By default, Wazuh Ansible uses `wazuh-cert-tool.sh .pem) -The key for the external certificate should be in PKCS#8 format -(in its header it may have BEGIN PRIVATE KEY instead of BEGIN RSA PRIVATE KEY or BEGIN OPENSSH PRIVATE KEY). +It is also possible to use externally generated certificates for +wazuh-dashboard. Customise the ``dashboard_node_name`` variable so that you can +use a separate certificate and key for this service e.g: + +.. code-block:: yaml + :caption: $KAYOBE_CONFIG_PATH/inventory/group_vars/wazuh-manager/wazuh-manager + + dashboard_node_name: "wazuh-dashboard" + +You will need to create two files matching the following pattern: + +- ``{{ dashboard_node_name }}-key.pem`` for the private key +- ``{{ dashboard_node_name }}.pem`` for the certificate + +Drop these files into ``$KAYOBE_CONFIG_PATH/environments//wazuh/wazuh-certificates/`` if +using the kayobe environments feature, or ``$KAYOBE_CONFIG_PATH/wazuh/wazuh-certificates/`` if not. +The key for the external certificate should be in PKCS#8 format (in its header it may have BEGIN +PRIVATE KEY instead of BEGIN RSA PRIVATE KEY or BEGIN OPENSSH PRIVATE KEY). Example OpenSSL rune to convert to PKCS#8: diff --git a/etc/kayobe/ansible/wazuh-manager.yml b/etc/kayobe/ansible/wazuh-manager.yml index 1e669fbb6..4905aa4ee 100644 --- a/etc/kayobe/ansible/wazuh-manager.yml 
+++ b/etc/kayobe/ansible/wazuh-manager.yml @@ -1,4 +1,37 @@ --- +- name: Pre-checks + gather_facts: false + hosts: localhost + tags: + - prechecks + tasks: + - block: + - name: Fail if using old path for Wazuh certificates + fail: + msg: >- + The path used for Wazuh SSL certificates was changed in a previous release. The certificates + were found in the wrong location. Please move all files and directories in + {{ playbook_dir }}/wazuh/certificates to {{ kayobe_env_config_path }}/wazuh/ and remove the + empty directory. + when: + - (playbook_dir ~ '/wazuh/certificates') is exists + + - name: Fail if using old path for custom certificates + fail: + msg: >- + Wazuh custom SSL certificates have been merged with regular certificates. The certificates + were found in the wrong location. Please move them from {{ playbook_dir }}/wazuh/custom_certificates + to {{ kayobe_env_config_path }}/wazuh/wazuh-certificates and remove the empty directory. + when: + - (playbook_dir ~ '/wazuh/custom_certificates') is exists + + - name: Check that removed variable, local_custom_certs_path, is not set + assert: + that: local_custom_certs_path is not defined + fail_msg: "The variable, `local_custom_certs_path`, is no longer used. Please remove this variable." + when: + - groups["wazuh-manager"] | length > 0 + # Certificates generation - hosts: localhost roles: 
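Review bot: The `Check that removed variable, local_custom_certs_path, is not set` assert runs on `localhost` (the play's `hosts:`), so `local_custom_certs_path is not defined` inspects localhost's variables, while the default being removed lived in `group_vars/wazuh-manager`, which is exactly where a lingering user override would still be; unless localhost is a member of that group the check cannot see it and passes silently. Evaluating through the group hosts closes the gap: `that: hostvars[item].local_custom_certs_path is not defined` with `loop: "{{ groups['wazuh-manager'] }}"`, which also makes the `when: groups["wazuh-manager"] | length > 0` guard redundant since an empty loop runs nothing. If an inventory may lack the group entirely, `groups['wazuh-manager'] | default([])` avoids an undefined-variable failure in that guard. The enclosing `block:` carries no `when`, `rescue` or `always`, so it adds a nesting level without effect and could be dropped.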
@@ -31,27 +64,6 @@ notify: - Restart wazuh - - name: Check if custom certificates exists - stat: - path: "{{ local_custom_certs_path }}" - register: custom_certificates_folder - delegate_to: localhost - become: no - - - name: Copy the node & admin certificates to Wazuh dashboard - copy: - src: "{{ local_custom_certs_path }}/{{ item }}" - dest: /etc/wazuh-dashboard/certs/ - owner: wazuh-dashboard - group: wazuh-dashboard - mode: 0400 - with_items: - - "{{ indexer_node_name }}-key.pem" - - "{{ indexer_node_name }}.pem" - when: custom_certificates_folder.stat.exists - notify: - - Restart wazuh-dashboard - - name: Perform health check against filebeat command: filebeat test output changed_when: false @@ -63,8 +75,3 @@ service: name: wazuh-manager state: restarted - - - name: Restart wazuh-dashboard - service: - name: wazuh-dashboard - state: restarted diff --git a/etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager b/etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager index 2fb16b23d..d758aa235 100644 --- a/etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager +++ b/etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager @@ -19,10 +19,7 @@ minimum_master_nodes: 1 indexer_node_master: true # Ansible control host certificate directory -local_certs_path: "{{ playbook_dir }}/wazuh/certificates" - -# Ansible control host custom certificates directory -local_custom_certs_path: "{{ playbook_dir }}/wazuh/custom_certificates" +local_certs_path: "{{ kayobe_env_config_path }}/wazuh" # Indexer variables indexer_node_name: "{{ inventory_hostname }}" diff --git a/releasenotes/notes/moved-wazuh-certs-b5173d264f543b14.yaml b/releasenotes/notes/moved-wazuh-certs-b5173d264f543b14.yaml new file mode 100644 index 000000000..340a7ac68 --- /dev/null +++ b/releasenotes/notes/moved-wazuh-certs-b5173d264f543b14.yaml 
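Review bot: `local_certs_path` now points at `{{ kayobe_env_config_path }}/wazuh`, a directory inside the kayobe configuration tree that receives the generated and custom certificates together with their private keys, yet the `.gitignore` hunk in this commit only removes the entries for the old `etc/kayobe/ansible/wazuh/certificates` location and adds nothing for the new one, so keys written there become trackable by git. If committing them is the intent (vault-encrypted, presumably), state it in the comment above the variable, `# Ansible control host certificate directory (holds private keys: encrypt before committing)`; otherwise add ignore entries such as `etc/kayobe/wazuh/wazuh-certificates/*` and `etc/kayobe/environments/*/wazuh/wazuh-certificates/*`, matching the paths the release note gives. The release note and the pre-check messages describe the destination as `.../wazuh/wazuh-certificates/` while this variable stops at `.../wazuh`; if the wazuh-ansible role appends that subdirectory itself, a one-line comment saying so would save the reader cross-checking the docs.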
@@ -0,0 +1,15 @@ +--- +upgrade: + - | + The path used to store Wazuh certificates has changed. ``local_certs_path`` is + now set to the environment directory e.g + ``$KAYOBE_CONFIG_PATH/environments//wazuh`` or + ``$KAYOBE_CONFIG_PATH/wazuh/`` if not using environments. The contents of + ``$KAYOBE_CONFIG_PATH/ansible/wazuh/certificates`` should be moved to the + new location and the empty directory should be removed. + - | + The ``local_custom_certs_path`` variable has been removed. Custom wazuh + certificates should be moved to + ``$KAYOBE_CONFIG_PATH/environments//wazuh/wazuh-certificates/`` + if using environments, or + ``$KAYOBE_CONFIG_PATH/wazuh/wazuh-certificates`` if not.