Merge pull request #552 from stackhpc/multinode-wazuh

Support wazuh in the ci-multinode environment

Author: Alex-Welsh

doc/source/configuration/wazuh.rst

@@ -2,6 +2,21 @@
 Wazuh
 =====
 
+The short version
+=================
+
+#. Create an infrastructure VM for the Wazuh manager, and add it to the wazuh-manager group
+#. Configure the infrastructure VM with kayobe: ``kayobe infra vm host configure``
+#. Edit your config under
+   ``etc/kayobe/inventory/group_vars/wazuh-manager/wazuh-manager``, in
+   particular the defaults assume that the ``provision_oc_net`` network will be
+   used.
+#. Generate secrets: ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/wazuh-secrets.yml``
+#. Encrypt the secrets: ``ansible-vault encrypt --vault-password-file ~/vault.password  $KAYOBE_CONFIG_PATH/environments/ci-multinode/wazuh-secrets.yml``
+#. Deploy the Wazuh manager: ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/wazuh-manager.yml``
+#. Deploy the Wazuh agents: ``kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/wazuh-agent.yml``
+
+
 Wazuh Manager
 =============
 
@@ -74,8 +89,8 @@ Define network interfaces ``etc/kayobe/inventory/group_vars/wazuh-manager/networ
 
 
 The Wazuh manager may need to be exposed externally, in which case it may require another interface.
-This can be done as follows in ``etc/kayobe/inventory/group_vars/wazuh-manager/network-interfaces`` ,
-with the network defined in network.yml as usual.
+This can be done as follows in ``etc/kayobe/inventory/group_vars/wazuh-manager/network-interfaces``,
+with the network defined in ``networks.yml`` as usual.
 
 .. code-block:: console
 
@@ -128,18 +143,18 @@ Several services are used for the communication of Wazuh components. Below is th
 Manually provisioned VM
 -----------------------
 
-In case where you can’t use infra-vms to deploy your wazuh-manager VM but you want to configure
-host using kayobe, there are some tips (note that depending on your setup this don’t have to always apply):
+In cases where you can’t use infra-vms to deploy your wazuh-manager VM but you want to configure
+the host using kayobe, here are some tips (note that depending on your setup this doesn't have to always apply):
 
-* Depending on preferences host have to be part of some group in inventory. ``infra-vms`` group still seems as best choice
+* Depending on preferences, hosts have to be part of some group in inventory. ``infra-vms`` group still seems like the best choice.
   You can use ``kayobe infra vm host configure`` to configure host in this case.
-  Bellow tips are based on assumption that infra-vm will be used.
-* user ``stack`` with password less sudo and accessible with ssh keys needs to be present on host.
+  The tips below are based on the assumption that infra-vm will be used.
+* user ``stack`` with passwordless sudo and access with ssh keys needs to be present on the host.
   It can be achieved in many different ways, depending on your setup.
 * lvm configuration should be placed in ``host_vars/<host_name>``
-* wazuh-manager host have to be part of ``infra-vms`` group (directly or as child)
-* network used on host needs to be defined in ``networks.yml`` and
-  if you have pre-alocated IP, it should be added to ``network-allocation.yml``.
+* wazuh-manager hosts have to be part of ``infra-vms`` group (directly or as child)
+* The network used on the host needs to be defined in ``networks.yml`` and
+  if you have pre-alocated an IP, it should be added to ``network-allocation.yml``.
   For example, if using host with IP 10.10.224.5 in network 10.10.224.0/24 one have to add:
 
 
@@ -169,18 +184,18 @@ Deploying Wazuh Manager services
 Setup
 -----
 
-To install specific version modify wazuh-ansible entry in ``etc/kayobe/ansible/requirements.yml``:
+To install a specific version modify the wazuh-ansible entry in ``etc/kayobe/ansible/requirements.yml``:
 
 .. code-block:: console
 
   roles:
     - name: wazuh-ansible
       src: https://github.com/stackhpc/wazuh-ansible
-      version: stackhpc
+      version: custom-branch
 
-Version above was tested and verified, but there is no reason to use not different one.
+The default version has been tested and verified, but there is no reason not to use a different one.
 
-Install the role:
+Reinstall the role if required:
 
 ``kayobe control host bootstrap``
 
@@ -210,9 +225,10 @@ You may need to modify some of the variables, including:
 .. note::
 
     NOTE:
-    If you are using multiple environments, and you need to customise Wazuh in each environement, create override files in an appropriate directory,
+    If you are using multiple environments, and you need to customise Wazuh in
+    each environment, create override files in an appropriate directory,
     for example `etc/kayobe/environments/production/inventory/group_vars/`
-    Files which values can be overridden (in context of Wazuh):
+    Files which values can be overridden (in the context of Wazuh):
     - etc/kayobe/inventory/group_vars/wazuh/wazuh-manager/wazuh-manager
     - etc/kayobe/wazuh-manager.yml
     - etc/kayobe/inventory/group_vars/wazuh/wazuh-agent/wazuh-agent
@@ -259,7 +275,6 @@ does not exist, it will generate the following certificates in ``etc/kayobe/ansi
    * root-ca.key  root-ca.pem
 
 
-
 It is also possible to use externally generated certificates for wazuh-dashboard. root-ca.pem should contain the CA chain.
 Those certificates can be uploaded to ``etc/kayobe/ansible/wazuh/custom_certificates``,
 and will replace certificates generated by wazuh.

doc/source/contributor/environments/ci-multinode.rst

@@ -324,3 +324,77 @@ with:
 
 There are various other options for sonobuoy, see the `documentation
 <https://sonobuoy.io/docs/>`_ for more details.
+
+Wazuh
+======
+
+Adding Wazuh to a new deployment
+--------------------------------
+
+Wazuh is supported but not deployed by default. If you are using the standard
+[StackHPC multinode
+terraform](https://github.com/stackhpc/terraform-kayobe-multinode), there is a
+``deploy_wazuh`` terraform variable that will add it to the automated setup.
+
+Adding Wazuh to an existing deployment
+--------------------------------------
+
+Create an additional VM with the same basic configuration (key, image, flavour
+etc.) as the existing deployment.
+
+Add the IP and hostname to ``/etc/hosts`` on the ansible control host.
+
+Add the hostname to the ``[wazuh-manager]`` group in
+``$KAYOBE_CONFIG_PATH/environments/ci-multinode/inventory/hosts``.
+
+Add the host to the ``[infra-vms]`` group, either directly or by making the
+``wazuh-manager`` group a child group of ``infra-vms``.
+
+Create the following directory structure:
+``$KAYOBE_CONFIG_PATH/hooks/infra-vm-host-configure/pre.d/``
+
+Either copy or symlink in the growroot, networking, and vxlan playbooks as
+shown in ``$KAYOBE_CONFIG_PATH/hooks/seed-host-configure/pre.d/``.
+
+Configure the Wazuh manager VM:
+
+.. code-block:: bash
+
+      kayobe infra vm host configure
+
+Create and encrypt the Wazuh secrets
+
+.. code-block:: bash
+
+      kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/wazuh-secrets.yml
+      ansible-vault encrypt --vault-password-file ~/vault.password  $KAYOBE_CONFIG_PATH/environments/ci-multinode/wazuh-secrets.yml
+
+Run the Wazuh manager and agent deployment playbooks:
+
+.. code-block:: bash
+
+      kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/wazuh-manager.yml
+      kayobe playbook run $KAYOBE_CONFIG_PATH/ansible/wazuh-agent.yml
+
+Wazuh should now be fully deployed. To test the service, you can use sshuttle
+or some other forwarding protocol to access the Wazuh dashboard.
+
+.. code-block:: bash
+
+      sshuttle -r <wazuh-manager-hostname> <wazuh-manager-ip>
+
+The above example assumes an SSH configuration that allows access with
+``ssh <wazuh-manager-hostname>``.
+
+Open ``https://<wazuh-manager-ip>/`` in a web browser, and you should see a
+login screen.
+
+The default username is ``admin`` and the password is the
+``opendistro_admin_password`` which can be found in ``wazuh-secrets.yml`` e.g.
+
+.. code-block:: bash
+
+      ansible-vault view $KAYOBE_CONFIG_PATH/environments/ci-multinode/wazuh-secrets.yml --vault-password-file ~/vault.password | grep opendistro_admin_password
+
+If the deployment has been successful, you should be able to see a Wazuh agent
+for each host in your deployment (aside from the Wazuh manager itself).

etc/kayobe/ansible/configure-vxlan.yml

@@ -1,6 +1,6 @@
 ---
 - name: Configure VXLAN
-  hosts: controllers,compute,seed,storage
+  hosts: controllers,compute,infra-vms,seed,storage
   gather_facts: true
   vars:
     ansible_user: "{{ bootstrap_user }}"

etc/kayobe/ansible/fix-networking.yml

@@ -1,6 +1,6 @@
 ---
 - name: Fix networking
-  hosts: seed,compute,controllers,storage
+  hosts: controllers,compute,infra-vms,seed,storage
   gather_facts: false
   vars:
     ansible_user: "{{ bootstrap_user }}"

etc/kayobe/environments/ci-multinode/growroot.yml

@@ -1,2 +1,2 @@
 ---
-growroot_group: "seed:overcloud"
+growroot_group: "seed:overcloud:infra-vms"

etc/kayobe/environments/ci-multinode/infra-vms.yml

@@ -0,0 +1,6 @@
+---
+infra_vm_bootstrap_user: "{{ os_distribution if os_distribution == 'ubuntu' else 'cloud-user' }}"
+# List of storage volume groups. See mrlesmithjr.manage-lvm role for
+# format.
+infra_vm_lvm_groups:
+  - "{{ stackhpc_lvm_group_rootvg }}"

etc/kayobe/environments/ci-multinode/inventory/group_vars/seed/network-interfaces

@@ -2,7 +2,7 @@
 ###############################################################################
 # Network interface definitions for the seed group.
 
-admin_oc_interface: "{{ 'ens2' if (os_distribution == 'ubuntu' and ansible_facts['distribution_release'] != 'jammy') else 'ens3' }}"
+admin_oc_interface: "{{ ansible_facts.default_ipv4.interface }}"
 
 provision_oc_interface: "{{ vxlan_interfaces[0].device}}.{{ provision_oc_vlan }}"
 

etc/kayobe/environments/ci-multinode/inventory/group_vars/storage/network-interfaces

@@ -2,7 +2,7 @@
 ###############################################################################
 # Network interface definitions for the storage group.
 
-admin_oc_interface: "ens3"
+admin_oc_interface: "{{ ansible_facts.default_ipv4.interface }}"
 
 internal_interface: "{{ vxlan_interfaces[0].device }}.{{ internal_vlan }}"
 

etc/kayobe/environments/ci-multinode/inventory/group_vars/wazuh-manager/lvm.yml

@@ -0,0 +1,34 @@
+---
+# List of extra LVs to include in the rootvg VG.
+stackhpc_lvm_group_rootvg_lvs_extra:
+  - "{{ stackhpc_lvm_lv_docker }}"
+
+###############################################################################
+# StackHPC LVM Logical Volume (LV) configuration.
+
+# StackHPC LVM lv_swap LV size.
+stackhpc_lvm_lv_swap_size: 1g
+
+# StackHPC LVM lv_root LV size.
+stackhpc_lvm_lv_root_size: 10g
+
+# StackHPC LVM lv_tmp LV size.
+stackhpc_lvm_lv_tmp_size: 10g
+
+# StackHPC LVM lv_var LV size.
+stackhpc_lvm_lv_var_size: 20g
+
+# StackHPC LVM lv_var_tmp LV size.
+stackhpc_lvm_lv_var_tmp_size: 5g
+
+# StackHPC LVM lv_log LV size.
+stackhpc_lvm_lv_log_size: 10g
+
+# StackHPC LVM lv_audit LV size.
+stackhpc_lvm_lv_audit_size: 5g
+
+# StackHPC LVM lv_home LV size.
+stackhpc_lvm_lv_home_size: 5g
+
+# StackHPC LVM lv_docker LV size.
+stackhpc_lvm_lv_docker_size: 75%FREE

etc/kayobe/environments/ci-multinode/inventory/group_vars/wazuh-manager/network-interfaces

@@ -0,0 +1,9 @@
+---
+###############################################################################
+# Network interface definitions for the wazuh-manager group.
+
+admin_oc_interface: "{{ ansible_facts.default_ipv4.interface }}"
+
+###############################################################################
+# Dummy variable to allow Ansible to accept this file.
+workaround_ansible_issue_8743: yes