Merge pull request #728 from stackhpc/merge-yoga-zed

Merge yoga zed

Author: markgoddard

doc/source/configuration/monitoring.rst

@@ -136,3 +136,39 @@ mgrs group and list them as the endpoints for prometheus. Additionally,
 depending on your configuration, you may need set the
 ``kolla_enable_prometheus_ceph_mgr_exporter`` variable to ``true`` in order to
 enable the ceph mgr exporter.
+
+OpenStack Capacity
+==================
+
+OpenStack Capacity allows you to see how much space you have avaliable
+in your cloud. StackHPC Kayobe Config includes this exporter by default
+and it's necessary that some variables are set to allow deployment.
+
+To successfully deploy OpenStack Capacity, you are required to specify
+the OpenStack application credentials in ``kayobe/secrets.yml`` as:
+
+.. code-block:: yaml
+
+    secrets_os_exporter_auth_url: <some_auth_url>
+    secrets_os_exporter_credential_id: <some_credential_id>
+    secrets_os_exporter_credential_secret: <some_credential_secret>
+
+After defining your credentials, You may deploy OpenStack Capacity
+using the ``ansible/deploy-os-capacity-exporter.yml`` Ansible playbook
+via Kayobe.
+
+.. code-block:: console
+
+    kayobe playbook run ansible/deploy-os-capacity-exporter.yml
+
+It is required that you re-configure the Prometheus, Grafana and HAProxy
+services following deployment, to do this run the following Kayobe command.
+
+.. code-block:: console
+
+    kayobe overcloud service reconfigure -kt grafana,prometheus,haproxy
+
+If you notice ``HaproxyServerDown`` or ``HaproxyBackendDown`` prometheus
+alerts after deployment it's likely the os_exporter secrets have not been
+set correctly, double check you have entered the correct authentication
+information appropiate to your cloud and re-deploy.

doc/source/configuration/vault.rst

@@ -296,6 +296,7 @@ Configure Barbican
       [vault_plugin]
       vault_url = https://{{ kolla_internal_vip_address }}:8200
       use_ssl = True
+      ssl_ca_crt_file = {% raw %}{{ openstack_cacert }}{% endraw %}
       approle_role_id = {{ secrets_barbican_approle_role_id }}
       approle_secret_id = {{ secrets_barbican_approle_secret_id }}
       kv_mountpoint = barbican

doc/source/configuration/wazuh.rst

@@ -57,7 +57,9 @@ Define VM sizing in ``etc/kayobe/inventory/group_vars/wazuh-manager/infra-vms``:
   infra_vm_data_capacity: "200G"
 
 
-Optional: define LVM volumes ``etc/kayobe/inventory/group_vars/wazuh-manager/lvm``:
+Optional: define LVM volumes in ``etc/kayobe/inventory/group_vars/wazuh-manager/lvm``.
+``/var/ossec`` often requires greater storage space, and ``/var/lib/wazuh-indexer``
+may be beneficial too.
 
 .. code-block:: console
 
@@ -73,7 +75,7 @@ Optional: define LVM volumes ``etc/kayobe/inventory/group_vars/wazuh-manager/lvm
           size: "100%VG"
           filesystem: "ext4"
           mount: true
-          mntp: “/var/lib/elasticsearch”
+          mntp: "/var/ossec"
           create: true
 
 
@@ -249,7 +251,7 @@ It will be used by wazuh secrets playbook to generate wazuh secrets vault file.
 .. code-block:: console
 
   kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/wazuh-secrets.yml
-  ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/inventory/group_vars/wazuh/wazuh-manager/wazuh-secrets
+  ansible-vault encrypt --vault-password-file ~/vault.pass $KAYOBE_CONFIG_PATH/wazuh-secrets.yml
 
 
 TLS (optional)
@@ -288,6 +290,21 @@ Example OpenSSL rune to convert to PKCS#8:
 
 TODO: document how to use a local certificate. Do we need to override all certificates?
 
+Custom SCA Policies (optional)
+------------------------------
+
+Wazuh ships with a large selection of Security Configuration Assessment
+rulesets. However, you may find you want to add more. This can be achieved via
+`custom policies <https://documentation.wazuh.com/current/user-manual/capabilities/sec-config-assessment/how-to-configure.html>`_.
+
+SKC supports this automatically, just add the policy file from this PR to
+``{{ kayobe_env_config_path }}/wazuh/custom_sca_policies``.
+
+Currently, Wazuh does not ship with a CIS benchmark for Rocky 9. You can find
+the in-development policy here: https://github.com/wazuh/wazuh/pull/17810 To
+include this in your deployment, simply copy it to
+``{{ kayobe_env_config_path }}/wazuh/custom_sca_policies/cis_rocky_linux_9.yml``.
+
 Deploy
 ------
 

etc/kayobe/ansible/deploy-os-capacity-exporter.yml

@@ -0,0 +1,29 @@
+---
+- hosts: monitoring
+  gather_facts: false
+
+  tasks:
+    - name: Create os-capacity directory
+      ansible.builtin.file:
+        path: /opt/kayobe/os-capacity/
+        state: directory
+
+    - name: Template clouds.yml
+      ansible.builtin.template:
+        src: templates/os_capacity-clouds.yml.j2
+        dest: /opt/kayobe/os-capacity/clouds.yaml
+
+    - name: Ensure os_capacity container is running
+      docker_container:
+        name: os_capacity
+        image: ghcr.io/stackhpc/os-capacity:master
+        env:
+          OS_CLOUD: openstack
+          OS_CLIENT_CONFIG_FILE: /etc/openstack/clouds.yaml
+        mounts:
+          - type: bind
+            source: /opt/kayobe/os-capacity/
+            target: /etc/openstack/
+        network_mode: host
+        restart_policy: unless-stopped
+      become: true

etc/kayobe/ansible/templates/os_capacity-clouds.yml.j2

@@ -0,0 +1,10 @@
+clouds:
+  openstack:
+    auth:
+      auth_url: "{{ secrets_os_exporter_auth_url }}"
+      application_credential_id: "{{ secrets_os_exporter_credential_id }}"
+      application_credential_secret: "{{ secrets_os_exporter_credential_secret }}"
+    region_name: "RegionOne"
+    interface: "internal"
+    identity_api_version: 3
+    auth_type: "v3applicationcredential"

etc/kayobe/ansible/vault-deploy-barbican.yml

@@ -82,15 +82,16 @@
       copy:
         content: "{{ barbican_role_id.id }}"
         dest: "{{ stackhpc_barbican_role_id_file_path | default('~/barbican-role-id') }}"
-      when: stackhpc_write_barbican_role_id_to_file | bool | default(false)
+      when: stackhpc_write_barbican_role_id_to_file | default(false) | bool
 
     - name: Check if barbican Approle Secret ID is defined
-      hashivault_approle_role_secret_list:
+      hashivault_approle_role_secret_get:
         url: "{{ vault_api_addr }}"
         ca_cert: "{{ vault_ca_cert }}"
         token: "{{ vault_keys.root_token }}"
+        secret: "{{ secrets_barbican_approle_secret_id }}"
         name: barbican
-      register: barbican_approle_secret_list
+      register: barbican_approle_secret_get
 
     - name: Ensure barbican AppRole Secret ID is defined
       hashivault_approle_role_secret:
@@ -99,4 +100,4 @@
         token: "{{ vault_keys.root_token }}"
         secret: "{{ secrets_barbican_approle_secret_id }}"
         name: barbican
-      when: barbican_approle_secret_list.secrets is match(secrets_barbican_approle_secret_id)
+      when: barbican_approle_secret_get.status == "absent"

etc/kayobe/ansible/wazuh-manager.yml

@@ -17,6 +17,63 @@
     - role: "{{ playbook_dir }}/roles/wazuh-ansible/wazuh-ansible/roles/wazuh/ansible-filebeat-oss"
     - role: "{{ playbook_dir }}/roles/wazuh-ansible/wazuh-ansible/roles/wazuh/wazuh-dashboard"
   post_tasks:
+    - block:
+        - name: Check if custom SCA policies directory exists
+          stat:
+            path: "{{ local_custom_sca_policies_path }}"
+          register: custom_sca_policies_folder
+          delegate_to: localhost
+          become: no
+
+        - name: Gather list of custom SCA policies
+          find:
+            paths: "{{ local_custom_sca_policies_path }}"
+            patterns: '*.yml'
+          delegate_to: localhost
+          register: custom_sca_policies
+          when: custom_sca_policies_folder.stat.exists
+
+        - name: Allow Wazuh agents to execute commands in SCA policies sent from the Wazuh manager
+          blockinfile:
+            path: "/var/ossec/etc/local_internal_options.conf"
+            state: present
+            owner: wazuh
+            group: wazuh
+            block: |
+              sca.remote_commands=1
+          when: custom_sca_policies.files | length > 0
+
+        - name: Copy custom SCA policy files to Wazuh manager
+          copy:
+            # Note the trailing slash to copy directory contents
+            src: "{{ local_custom_sca_policies_path }}/"
+            dest: "/var/ossec/etc/shared/default/"
+            owner: wazuh
+            group: wazuh
+          when: custom_sca_policies.files | length > 0
+
+        - name: Add custom policy definition(s) to the shared Agent config
+          blockinfile:
+            path: "/var/ossec/etc/shared/default/agent.conf"
+            state: present
+            owner: wazuh
+            group: wazuh
+            marker: "{mark} ANSIBLE MANAGED BLOCK Custom SCA Policies"
+            insertafter: "<!-- Shared agent configuration here -->"
+            block: |
+              {% filter indent(width=2, first=true) %}
+              <sca>
+                <policies>
+              {% for item in custom_sca_policies.files %}
+                  <policy>etc/shared/{{ item.path | basename }}</policy>
+              {% endfor %}
+                </policies>
+              </sca>
+              {% endfilter %}
+          when: custom_sca_policies.files | length > 0
+      notify:
+        - Restart wazuh
+
     - name: Set http/s_proxy vars in ossec-init.conf for vulnerability detector
       blockinfile:
         path: "/var/ossec/etc/ossec.conf"

etc/kayobe/environments/ci-aio/automated-setup.sh

@@ -6,7 +6,7 @@ cat << EOF | sudo tee -a /etc/hosts
 10.205.3.187 pulp-server pulp-server.internal.sms-cloud
 EOF
 
-if [ sudo vgdisplay | grep -q lvm2 ]; then
+if sudo vgdisplay | grep -q lvm2; then
    sudo lvextend -L 4G /dev/rootvg/lv_home -r || true
    sudo lvextend -L 4G /dev/rootvg/lv_tmp -r || true
 fi

etc/kayobe/environments/ci-multinode/kolla/config/barbican.conf

@@ -7,6 +7,7 @@ enabled_secretstore_plugins=vault_plugin
 [vault_plugin]
 vault_url = https://{{ kolla_internal_vip_address }}:8200
 use_ssl = True
+ssl_ca_crt_file = {% raw %}{{ openstack_cacert }}{% endraw %}
 approle_role_id = {{ secrets_barbican_approle_role_id }}
 approle_secret_id = {{ secrets_barbican_approle_secret_id }}
 kv_mountpoint = barbican

etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager

@@ -24,6 +24,9 @@ local_certs_path: "{{ playbook_dir }}/wazuh/certificates"
 # Ansible control host custom certificates directory
 local_custom_certs_path: "{{ playbook_dir }}/wazuh/custom_certificates"
 
+# Ansible custom SCA policies directory
+local_custom_sca_policies_path: "{{ kayobe_env_config_path }}/wazuh/custom_sca_policies"
+
 # Indexer variables
 indexer_node_name: "{{ inventory_hostname }}"