PoC of managing certificates with cert-manager

Signed-off-by: George Gaal <[email protected]>
wazuh · Feb 1, 2024 · 685b231 · 685b231
1 parent 8427897
commit 685b231
Show file tree

Hide file tree

Showing 14 changed files with 233 additions and 162 deletions.
diff --git a/wazuh/certs/admin.yaml b/wazuh/certs/admin.yaml
@@ -0,0 +1,29 @@
+---
+# Source: api/templates/virtual_service.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: admin
+  namespace: wazuh
+spec:
+  issuerRef:
+    group: cert-manager.io
+    kind: Issuer
+    name: wazuh-issuer
+  secretName: admin-tls
+  commonName: admin
+  dnsNames:
+    - "admin"
+  usages:
+    - "signing"
+    - "key encipherment"
+    - "server auth"
+    - "client auth"
+  duration: 2160h
+  renewBefore: 360h
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+    rotationPolicy: Always
diff --git a/wazuh/certs/dashboard.yaml b/wazuh/certs/dashboard.yaml
@@ -0,0 +1,30 @@
+---
+# Source: api/templates/virtual_service.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: dashboard
+  namespace: wazuh
+spec:
+  issuerRef:
+    group: cert-manager.io
+    kind: Issuer
+    name: wazuh-issuer
+  secretName: dashboard-tls
+  commonName: dashboard
+  dnsNames:
+    - "dashboard"
+  usages:
+    - "signing"
+    - "key encipherment"
+    - "server auth"
+    - "client auth"
+    - digital signature
+  duration: 2160h
+  renewBefore: 360h
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+    rotationPolicy: Always
diff --git a/wazuh/certs/dashboard_http/generate_certs.sh b/wazuh/certs/dashboard_http/generate_certs.sh
diff --git a/wazuh/certs/filebeat.yaml b/wazuh/certs/filebeat.yaml
@@ -0,0 +1,30 @@
+---
+# Source: api/templates/virtual_service.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: filebeat
+  namespace: wazuh
+spec:
+  issuerRef:
+    group: cert-manager.io
+    kind: Issuer
+    name: wazuh-issuer
+  secretName: filebeat-tls
+  commonName: filebeat
+  dnsNames:
+    - "filebeat"
+  usages:
+    - "signing"
+    - "key encipherment"
+    - "server auth"
+    - "client auth"
+    - digital signature
+  duration: 2160h
+  renewBefore: 360h
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+    rotationPolicy: Always
diff --git a/wazuh/certs/indexer_cluster/generate_certs.sh b/wazuh/certs/indexer_cluster/generate_certs.sh
diff --git a/wazuh/certs/node.yaml b/wazuh/certs/node.yaml
@@ -0,0 +1,30 @@
+---
+# Source: api/templates/virtual_service.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: node
+  namespace: wazuh
+spec:
+  issuerRef:
+    group: cert-manager.io
+    kind: Issuer
+    name: wazuh-issuer
+  secretName: node-tls
+  commonName: "*.wazuh-indexer"
+  dnsNames:
+    - "*.wazuh-indexer"
+  usages:
+    - "signing"
+    - "key encipherment"
+    - "server auth"
+    - "client auth"
+    - digital signature
+  duration: 2160h
+  renewBefore: 360h
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+    rotationPolicy: Always
diff --git a/wazuh/certs/wazuh-ca.yaml b/wazuh/certs/wazuh-ca.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigning-issuer
+  namespace: wazuh
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wazuh-pki-ca
+  namespace: wazuh
+spec:
+  issuerRef:
+    group: cert-manager.io
+    kind: Issuer
+    name: selfsigning-issuer
+  secretName: wazuh-pki-ca
+  commonName: "wazuh-ca"
+  subject:
+    organizations:
+      - "Wazuh, Inc."
+  usages:
+    - "signing"
+    - "key encipherment"
+    - "cert sign"
+  duration: 87600h # 3650d
+  renewBefore: 8760h # 365d
+  isCA: true
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: wazuh-issuer
+  namespace: wazuh
+spec:
+  ca:
+    secretName: "wazuh-pki-ca"
diff --git a/wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml b/wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml
@@ -29,7 +29,7 @@ spec:
             name: dashboard-conf
         - name: dashboard-certs
           secret:
-            secretName: dashboard-certs
+            secretName: dashboard-tls
       containers:
         - name: wazuh-dashboard
           image: 'wazuh/wazuh-dashboard:4.9.0'
@@ -43,16 +43,16 @@ spec:
               subPath: opensearch_dashboards.yml
               readOnly: false
             - name: dashboard-certs
-              mountPath: /usr/share/wazuh-dashboard/certs/cert.pem
+              mountPath: /usr/share/wazuh-dashboard/certs/tls.crt
               readOnly: true
-              subPath: cert.pem
+              subPath: tls.crt
             - name: dashboard-certs
-              mountPath: /usr/share/wazuh-dashboard/certs/key.pem
+              mountPath: /usr/share/wazuh-dashboard/certs/tls.key
               readOnly: true
-              subPath: key.pem
+              subPath: tls.key
             - name: dashboard-certs
-              mountPath: /usr/share/wazuh-dashboard/certs/root-ca.pem
-              subPath: root-ca.pem
+              mountPath: /usr/share/wazuh-dashboard/certs/ca.crt
+              subPath: ca.crt
               readOnly: true
           ports:
             - containerPort: 5601

diff --git a/wazuh/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml b/wazuh/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml
@@ -7,7 +7,7 @@ opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
 opensearch_security.multitenancy.enabled: false
 opensearch_security.readonly_mode.roles: ["kibana_read_only"]
 server.ssl.enabled: true
-server.ssl.key: "/usr/share/wazuh-dashboard/certs/key.pem"
-server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/cert.pem"
-opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
+server.ssl.key: "/usr/share/wazuh-dashboard/certs/tls.key"
+server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/tls.crt"
+opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/ca.crt"]
 uiSettings.overrides.defaultRoute: /app/wz-home
diff --git a/wazuh/indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml b/wazuh/indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml
@@ -26,9 +26,12 @@ spec:
     spec:
       # Set the wazuh-indexer volume permissions so the wazuh-indexer user can use it
       volumes:
-        - name: indexer-certs
+        - name: node-certs
           secret:
-            secretName: indexer-certs
+            secretName: node-tls
+        - name: admin-certs
+          secret:
+            secretName: admin-tls
         - name: indexer-conf
           configMap:
             name: indexer-conf
@@ -94,25 +97,29 @@ spec:
           volumeMounts:
             - name: wazuh-indexer
               mountPath: /var/lib/wazuh-indexer
-            - name: indexer-certs
-              mountPath: /usr/share/wazuh-indexer/certs/node-key.pem
-              subPath: node-key.pem
+            - name: node-certs
+              mountPath: /usr/share/wazuh-indexer/certs/node/ca.crt
+              subPath: ca.crt
+              readOnly: true
+            - name: node-certs
+              mountPath: /usr/share/wazuh-indexer/certs/node/tls.key
+              subPath: tls.key
               readOnly: true
-            - name: indexer-certs
-              mountPath: /usr/share/wazuh-indexer/certs/node.pem
-              subPath: node.pem
+            - name: node-certs
+              mountPath: /usr/share/wazuh-indexer/certs/node/tls.crt
+              subPath: tls.crt
               readOnly: true
-            - name: indexer-certs
-              mountPath: /usr/share/wazuh-indexer/certs/root-ca.pem
-              subPath: root-ca.pem
+            - name: admin-certs
+              mountPath: /usr/share/wazuh-indexer/certs/admin/ca.crt
+              subPath: ca.crt
               readOnly: true
-            - name: indexer-certs
-              mountPath: /usr/share/wazuh-indexer/certs/admin.pem
-              subPath: admin.pem
+            - name: admin-certs
+              mountPath: /usr/share/wazuh-indexer/certs/admin/tls.crt
+              subPath: tls.crt
               readOnly: true
-            - name: indexer-certs
-              mountPath: /usr/share/wazuh-indexer/certs/admin-key.pem
-              subPath: admin-key.pem
+            - name: admin-certs
+              mountPath: /usr/share/wazuh-indexer/certs/admin/tls.key
+              subPath: tls.key
               readOnly: true
             - name: indexer-conf
               mountPath: /usr/share/wazuh-indexer/opensearch.yml
@@ -122,6 +129,14 @@ spec:
               mountPath: /usr/share/wazuh-indexer/opensearch-security/internal_users.yml
               subPath: internal_users.yml
               readOnly: true
+            - name: indexer-conf
+              mountPath: /usr/share/wazuh-indexer/opensearch-security/config.yml
+              subPath: config.yml
+              readOnly: true
+            - name: indexer-conf
+              mountPath: /usr/share/wazuh-indexer/opensearch-security/roles_mapping.yml
+              subPath: roles_mapping.yml
+              readOnly: true
           ports:
             - containerPort: 9200
               name: indexer-rest

diff --git a/wazuh/indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml b/wazuh/indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml
@@ -8,12 +8,12 @@ cluster.initial_master_nodes:
 node.max_local_storage_nodes: "3"
 path.data: /var/lib/wazuh-indexer
 path.logs: /var/log/wazuh-indexer
-plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/node.pem
-plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/node-key.pem
-plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
-plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/node.pem
-plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/node-key.pem
-plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
+plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/node/tls.crt
+plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/node/tls.key
+plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/node/ca.crt
+plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/admin/tls.crt
+plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/admin/tls.key
+plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/admin/ca.crt
 plugins.security.ssl.http.enabled: true
 plugins.security.ssl.transport.enforce_hostname_verification: false
 plugins.security.ssl.transport.resolve_hostname: false