Merge pull request #647 from stackhpc/feature/environment-aware-wazuh-certificates

Move wazuh certificates

Author: markgoddard

.gitignore

@@ -45,8 +45,6 @@ etc/kolla
 
 # Ignore wazuh
 etc/kayobe/ansible/roles/wazuh-ansible/
-etc/kayobe/ansible/wazuh/certificates/*
-etc/kayobe/ansible/wazuh/certificates/custom_certificates/*
 
 # Ignore ceph generated config in AUFN env
 etc/kayobe/environments/aufn-ceph/kolla/config/glance/ceph.conf

doc/source/configuration/wazuh.rst

@@ -260,8 +260,8 @@ By default, Wazuh Ansible uses `wazuh-cert-tool.sh <https://documentation.wazuh.
 to automatically
 generate certificates for wazuh-indexer (previously Elasticsearch and opendistro)
 and wazuh-dashbooard (previously Kibana) using a local CA.
-If the certificates directory ``etc/kayobe/ansible/wazuh/certificates``
-does not exist, it will generate the following certificates in ``etc/kayobe/ansible/wazuh/certificates/certs/``
+If the certificates directory ``{{ kayobe_env_config_path }}/wazuh``
+does not exist, it will generate the following certificates in ``{{ kayobe_env_config_path }}/wazuh/wazuh-certificates/``
 (here os-wazuh is set as ``elasticsearch_node_name`` and ``kibana_node_name``:
 
 
@@ -275,12 +275,24 @@ does not exist, it will generate the following certificates in ``etc/kayobe/ansi
    * root-ca.key  root-ca.pem
 
 
-It is also possible to use externally generated certificates for wazuh-dashboard. root-ca.pem should contain the CA chain.
-Those certificates can be uploaded to ``etc/kayobe/ansible/wazuh/custom_certificates``,
-and will replace certificates generated by wazuh.
-Certificates should have the same name scheme as those generated by wazuh (typicaly <node-name>.pem)
-The key for the external certificate should be in PKCS#8 format
-(in its header it may have BEGIN PRIVATE KEY instead of BEGIN RSA PRIVATE KEY or BEGIN OPENSSH PRIVATE KEY).
+It is also possible to use externally generated certificates for
+wazuh-dashboard. Customise the ``dashboard_node_name`` variable so that you can
+use a separate certificate and key for this service e.g:
+
+.. code-block:: yaml
+   :caption: $KAYOBE_CONFIG_PATH/inventory/group_vars/wazuh-manager/wazuh-manager
+
+    dashboard_node_name: "wazuh-dashboard"
+
+You will need to create two files matching the following pattern:
+
+- ``{{ dashboard_node_name }}-key.pem`` for the private key
+- ``{{ dashboard_node_name }}.pem`` for the certificate
+
+Drop these files into ``$KAYOBE_CONFIG_PATH/environments/<environment>/wazuh/wazuh-certificates/`` if
+using the kayobe environments feature, or ``$KAYOBE_CONFIG_PATH/wazuh/wazuh-certificates/`` if not.
+The key for the external certificate should be in PKCS#8 format (in its header it may have BEGIN
+PRIVATE KEY instead of BEGIN RSA PRIVATE KEY or BEGIN OPENSSH PRIVATE KEY).
 
 Example OpenSSL rune to convert to PKCS#8:
 

etc/kayobe/ansible/wazuh-manager.yml

@@ -1,4 +1,37 @@
 ---
+- name: Pre-checks
+  gather_facts: false
+  hosts: localhost
+  tags:
+    - prechecks
+  tasks:
+    - block:
+        - name: Fail if using old path for Wazuh certificates
+          fail:
+            msg: >-
+              The path used for Wazuh SSL certificates was changed in a previous release. The certificates
+              were found in the wrong location. Please move all files and directories in
+              {{ playbook_dir }}/wazuh/certificates to {{ kayobe_env_config_path }}/wazuh/ and remove the
+              empty directory.
+          when:
+            - (playbook_dir ~ '/wazuh/certificates') is exists
+
+        - name: Fail if using old path for custom certificates
+          fail:
+            msg: >-
+              Wazuh custom SSL certificates have been merged with regular certificates. The certificates
+              were found in the wrong location. Please move them from {{ playbook_dir }}/wazuh/custom_certificates
+              to {{ kayobe_env_config_path }}/wazuh/wazuh-certificates and remove the empty directory.
+          when:
+            - (playbook_dir ~ '/wazuh/custom_certificates') is exists
+
+        - name: Check that removed variable, local_custom_certs_path, is not set
+          assert:
+            that: local_custom_certs_path is not defined
+            fail_msg: "The variable, `local_custom_certs_path`, is no longer used. Please remove this variable."
+      when:
+        - groups["wazuh-manager"] | length > 0
+
 # Certificates generation
 - hosts: localhost
   roles:
@@ -31,27 +64,6 @@
       notify:
         - Restart wazuh
 
-    - name: Check if custom certificates exists
-      stat:
-        path: "{{ local_custom_certs_path }}"
-      register: custom_certificates_folder
-      delegate_to: localhost
-      become: no
-
-    - name: Copy the node & admin certificates to Wazuh dashboard
-      copy:
-        src: "{{ local_custom_certs_path }}/{{ item }}"
-        dest: /etc/wazuh-dashboard/certs/
-        owner: wazuh-dashboard
-        group: wazuh-dashboard
-        mode: 0400
-      with_items:
-        - "{{ indexer_node_name }}-key.pem"
-        - "{{ indexer_node_name }}.pem"
-      when: custom_certificates_folder.stat.exists
-      notify:
-        - Restart wazuh-dashboard
-
     - name: Perform health check against filebeat
       command: filebeat test output
       changed_when: false
@@ -63,8 +75,3 @@
       service:
         name: wazuh-manager
         state: restarted
-
-    - name: Restart wazuh-dashboard
-      service:
-        name: wazuh-dashboard
-        state: restarted

etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager

@@ -19,10 +19,7 @@ minimum_master_nodes: 1
 indexer_node_master: true
 
 # Ansible control host certificate directory
-local_certs_path: "{{ playbook_dir }}/wazuh/certificates"
-
-# Ansible control host custom certificates directory
-local_custom_certs_path: "{{ playbook_dir }}/wazuh/custom_certificates"
+local_certs_path: "{{ kayobe_env_config_path }}/wazuh"
 
 # Indexer variables
 indexer_node_name: "{{ inventory_hostname }}"

releasenotes/notes/moved-wazuh-certs-b5173d264f543b14.yaml

@@ -0,0 +1,15 @@
+---
+upgrade:
+  - |
+    The path used to store Wazuh certificates has changed. ``local_certs_path`` is
+    now set to the environment directory e.g
+    ``$KAYOBE_CONFIG_PATH/environments/<environment>/wazuh`` or
+    ``$KAYOBE_CONFIG_PATH/wazuh/`` if not using environments. The contents of
+    ``$KAYOBE_CONFIG_PATH/ansible/wazuh/certificates`` should be moved to the
+    new location and the empty directory should be removed.
+  - |
+    The ``local_custom_certs_path`` variable has been removed. Custom wazuh
+    certificates should be moved to
+    ``$KAYOBE_CONFIG_PATH/environments/<environment>/wazuh/wazuh-certificates/``
+    if using environments, or
+    ``$KAYOBE_CONFIG_PATH/wazuh/wazuh-certificates`` if not.