diff --git a/wazuh/certs/admin.yaml b/wazuh/certs/admin.yaml
new file mode 100644
index 00000000..9fba997d
--- /dev/null
+++ b/wazuh/certs/admin.yaml
@@ -0,0 +1,29 @@
+---
+# Source: api/templates/virtual_service.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: admin
+ namespace: wazuh
+spec:
+ issuerRef:
+ group: cert-manager.io
+ kind: Issuer
+ name: wazuh-issuer
+ secretName: admin-tls
+ commonName: admin
+ dnsNames:
+ - "admin"
+ usages:
+ - "signing"
+ - "key encipherment"
+ - "server auth"
+ - "client auth"
+ duration: 2160h
+ renewBefore: 360h
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ rotationPolicy: Always
\ No newline at end of file
diff --git a/wazuh/certs/dashboard.yaml b/wazuh/certs/dashboard.yaml
new file mode 100644
index 00000000..5d0592bb
--- /dev/null
+++ b/wazuh/certs/dashboard.yaml
@@ -0,0 +1,30 @@
+---
+# Source: api/templates/virtual_service.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: dashboard
+ namespace: wazuh
+spec:
+ issuerRef:
+ group: cert-manager.io
+ kind: Issuer
+ name: wazuh-issuer
+ secretName: dashboard-tls
+ commonName: dashboard
+ dnsNames:
+ - "dashboard"
+ usages:
+ - "signing"
+ - "key encipherment"
+ - "server auth"
+ - "client auth"
+ - digital signature
+ duration: 2160h
+ renewBefore: 360h
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ rotationPolicy: Always
\ No newline at end of file
diff --git a/wazuh/certs/dashboard_http/generate_certs.sh b/wazuh/certs/dashboard_http/generate_certs.sh
deleted file mode 100755
index 6e847249..00000000
--- a/wazuh/certs/dashboard_http/generate_certs.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-cd $DIR
-
-openssl req -x509 -batch -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem
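Review bot: The header comment `# Source: api/templates/virtual_service.yaml` on the second line of admin.yaml does not describe this file, which is a cert-manager Certificate, and the same line is repeated verbatim in dashboard.yaml, filebeat.yaml and node.yaml. It reads like a leftover from rendering a Helm template for an unrelated resource and will send the next maintainer looking for a template that does not exist. Replace it with a comment that states what is visible in the manifest, e.g. `# cert-manager Certificate for the indexer "admin" identity, issued by wazuh-issuer into Secret admin-tls`, and give the other three files equivalent one-liners.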
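Review bot: `- digital signature` at the end of the dashboard.yaml usages list duplicates `- "signing"` — as far as cert-manager's KeyUsage mapping goes both names resolve to the same digitalSignature key-usage bit — and it is the only unquoted entry in an otherwise quoted list. The same redundant pair appears in filebeat.yaml and node.yaml, while admin.yaml lists only `"signing"`. Keep one spelling, quoted like its neighbours (`- "digital signature"`), drop the other, and apply the same list to all four Certificate files so the leaf usages follow a single convention.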
diff --git a/wazuh/certs/filebeat.yaml b/wazuh/certs/filebeat.yaml
new file mode 100644
index 00000000..41ea744a
--- /dev/null
+++ b/wazuh/certs/filebeat.yaml
@@ -0,0 +1,30 @@
+---
+# Source: api/templates/virtual_service.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: filebeat
+ namespace: wazuh
+spec:
+ issuerRef:
+ group: cert-manager.io
+ kind: Issuer
+ name: wazuh-issuer
+ secretName: filebeat-tls
+ commonName: filebeat
+ dnsNames:
+ - "filebeat"
+ usages:
+ - "signing"
+ - "key encipherment"
+ - "server auth"
+ - "client auth"
+ - digital signature
+ duration: 2160h
+ renewBefore: 360h
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ rotationPolicy: Always
\ No newline at end of file
diff --git a/wazuh/certs/indexer_cluster/generate_certs.sh b/wazuh/certs/indexer_cluster/generate_certs.sh
deleted file mode 100755
index 84175ce5..00000000
--- a/wazuh/certs/indexer_cluster/generate_certs.sh
+++ /dev/null
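Review bot: filebeat.yaml grants `- "server auth"` although the only consumer visible in this change uses the certificate as a TLS client: the manager StatefulSets hand it to Filebeat via `SSL_CERTIFICATE` / `SSL_KEY` for the connection to the indexer. A client-only identity does not need the serverAuth EKU, and leaving it on means a leaked filebeat key could also impersonate a server to anything that trusts the wazuh-ca. Unless Filebeat is expected to accept connections somewhere not shown here, trim the list to `- "digital signature"`, `- "key encipherment"`, `- "client auth"`.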
@@ -1,85 +0,0 @@
-#!/bin/bash
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-cd $DIR
-
-echo "Root CA"
-
-openssl genrsa -out root-ca-key.pem 2048
-
-openssl req -days 3650 -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -subj "/C=US/L=California/O=Company/CN=root-ca"
-
-echo "Admin cert"
-
-echo "create: admin-key-temp.pem"
-
-openssl genrsa -out admin-key-temp.pem 2048
-
-echo "create: admin-key.pem"
-
-openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
-
-echo "create: admin.csr"
-
-openssl req -days 3650 -new -key admin-key.pem -out admin.csr -subj "/C=US/L=California/O=Company/CN=admin"
-
-echo "create: admin.pem"
-
-openssl x509 -req -days 3650 -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
-
-
-echo "* Node cert"
-
-echo "create: node-key-temp.pem"
-
-openssl genrsa -out node-key-temp.pem 2048
-
-echo "create: node-key.pem"
-
-openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-key.pem
-
-echo "create: node.csr"
-
-openssl req -days 3650 -new -key node-key.pem -out node.csr -subj "/C=US/L=California/O=Company/CN=*.wazuh-indexer"
-
-echo "create: node.pem"
-
-openssl x509 -req -days 3650 -in node.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node.pem
-
-echo "* dashboard cert"
-
-echo "create: dashboard-key-temp.pem"
-
-openssl genrsa -out dashboard-key-temp.pem 2048
-
-echo "create: dashboard-key.pem"
-
-openssl pkcs8 -inform PEM -outform PEM -in dashboard-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out dashboard-key.pem
-
-echo "create: dashboard.csr"
-
-openssl req -days 3650 -new -key dashboard-key.pem -out dashboard.csr -subj "/C=US/L=California/O=Company/CN=dashboard"
-
-echo "create: dashboard.pem"
-
-openssl x509 -req -days 3650 -in dashboard.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out dashboard.pem
-
-
-
-echo "* Filebeat cert"
-
-echo "create: filebeat-key-temp.pem"
-
-openssl genrsa -out filebeat-key-temp.pem 2048
-
-echo "create: filebeat-key.pem"
-
-openssl pkcs8 -inform PEM -outform PEM -in filebeat-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out filebeat-key.pem
-
-echo "create: filebeat.csr"
-
-openssl req -days 3650 -new -key filebeat-key.pem -out filebeat.csr -subj "/C=US/L=California/O=Company/CN=filebeat"
-
-echo "create: filebeat.pem"
-
-openssl x509 -req -days 3650 -in filebeat.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out filebeat.pem
diff --git a/wazuh/certs/node.yaml b/wazuh/certs/node.yaml
new file mode 100644
index 00000000..1bddd3a0
--- /dev/null
+++ b/wazuh/certs/node.yaml
@@ -0,0 +1,30 @@
+---
+# Source: api/templates/virtual_service.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: node
+ namespace: wazuh
+spec:
+ issuerRef:
+ group: cert-manager.io
+ kind: Issuer
+ name: wazuh-issuer
+ secretName: node-tls
+ commonName: "*.wazuh-indexer"
+ dnsNames:
+ - "*.wazuh-indexer"
+ usages:
+ - "signing"
+ - "key encipherment"
+ - "server auth"
+ - "client auth"
+ - digital signature
+ duration: 2160h
+ renewBefore: 360h
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ rotationPolicy: Always
\ No newline at end of file
diff --git a/wazuh/certs/wazuh-ca.yaml b/wazuh/certs/wazuh-ca.yaml
new file mode 100644
index 00000000..8efa2c39
--- /dev/null
+++ b/wazuh/certs/wazuh-ca.yaml
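Review bot: node.yaml's only SAN is `"*.wazuh-indexer"`, so the certificate matches an indexer pod only under the bare headless-service form of its name; the namespaced forms (`<pod>.wazuh-indexer.wazuh.svc` and, if the cluster uses the default domain, `.svc.cluster.local`) would fail hostname verification. Nothing breaks today because opensearch.yml keeps `plugins.security.ssl.transport.enforce_hostname_verification: false`, but that setting is exactly the one a hardening pass turns on, and any client that validates the FQDN hits the gap now. Consider adding `- "*.wazuh-indexer.wazuh.svc"` and `- "*.wazuh-indexer.wazuh.svc.cluster.local"` under dnsNames, and a comment on the wildcard explaining that one shared key is deliberately issued to every indexer pod.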
@@ -0,0 +1,40 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigning-issuer
+ namespace: wazuh
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: wazuh-pki-ca
+ namespace: wazuh
+spec:
+ issuerRef:
+ group: cert-manager.io
+ kind: Issuer
+ name: selfsigning-issuer
+ secretName: wazuh-pki-ca
+ commonName: "wazuh-ca"
+ subject:
+ organizations:
+ - "Wazuh, Inc."
+ usages:
+ - "signing"
+ - "key encipherment"
+ - "cert sign"
+ duration: 87600h # 3650d
+ renewBefore: 8760h # 365d
+ isCA: true
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: wazuh-issuer
+ namespace: wazuh
+spec:
+ ca:
+ secretName: "wazuh-pki-ca"
diff --git a/wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml b/wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml
index f5093ef5..4e3464f1 100644
--- a/wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml
+++ b/wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml
@@ -29,7 +29,7 @@ spec:
 name: dashboard-conf
 - name: dashboard-certs
 secret:
- secretName: dashboard-certs
+ secretName: dashboard-tls
 containers:
 - name: wazuh-dashboard
 image: 'wazuh/wazuh-dashboard:4.9.0'
@@ -43,16 +43,16 @@ spec:
 subPath: opensearch_dashboards.yml
 readOnly: false
 - name: dashboard-certs
- mountPath: /usr/share/wazuh-dashboard/certs/cert.pem
+ mountPath: /usr/share/wazuh-dashboard/certs/tls.crt
 readOnly: true
- subPath: cert.pem
+ subPath: tls.crt
 - name: dashboard-certs
- mountPath: /usr/share/wazuh-dashboard/certs/key.pem
+ mountPath: /usr/share/wazuh-dashboard/certs/tls.key
 readOnly: true
- subPath: key.pem
+ subPath: tls.key
 - name: dashboard-certs
- mountPath: /usr/share/wazuh-dashboard/certs/root-ca.pem
- subPath: root-ca.pem
+ mountPath: /usr/share/wazuh-dashboard/certs/ca.crt
+ subPath: ca.crt
 readOnly: true
 ports:
 - containerPort: 5601
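Review bot: The CA Certificate `wazuh-pki-ca` asks for `- "key encipherment"`, which a signing-only CA key does not need, and omits `- "crl sign"`, which a CA conventionally carries; it also leaves `privateKey` unset, so algorithm, size and rotation fall to cert-manager defaults while every leaf in this change spells them out. Suggest usages `- "cert sign"`, `- "crl sign"`, `- "digital signature"` and an explicit `privateKey:` block that matches the leaves except for `rotationPolicy: Never` — if the CA key were rotated on renewal, leaf Secrets issued under the old key would carry a `ca.crt` that no longer verifies new peers until every leaf is reissued. The `# 3650d` / `# 365d` annotations on the durations are a good habit; a one-line comment above the third document saying that `wazuh-issuer` is the Issuer the four leaf Certificates reference would complete the picture.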
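Review bot: Every certificate file in the second dashboard-deploy.yaml hunk is mounted with `subPath`, and kubelet does not propagate Secret updates into subPath mounts, so the `tls.crt`/`tls.key` that cert-manager reissues (certs/dashboard.yaml: `duration: 2160h`, `renewBefore: 360h`) never reach a running pod; the dashboard keeps serving the old certificate until it expires or the pod is recreated. This did not matter with the previous hand-generated, static secret but becomes an outage-by-design once rotation is automatic, and the same pattern is used in indexer-sts.yaml, wazuh-master-sts.yaml and wazuh-worker-sts.yaml. Either mount the whole Secret as a directory (drop `subPath` and point `server.ssl.*` at files inside it) or add a pod-restart trigger keyed on the Secret's content, and note the chosen mechanism in a comment next to the volume.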
diff --git a/wazuh/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml b/wazuh/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml
index a1449893..f562a01e 100644
--- a/wazuh/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml
+++ b/wazuh/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml
@@ -7,7 +7,7 @@ opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
 opensearch_security.multitenancy.enabled: false
 opensearch_security.readonly_mode.roles: ["kibana_read_only"]
 server.ssl.enabled: true
-server.ssl.key: "/usr/share/wazuh-dashboard/certs/key.pem"
-server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/cert.pem"
-opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
+server.ssl.key: "/usr/share/wazuh-dashboard/certs/tls.key"
+server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/tls.crt"
+opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/ca.crt"]
 uiSettings.overrides.defaultRoute: /app/wz-home
\ No newline at end of file
diff --git a/wazuh/indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml b/wazuh/indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml
index 7ec0038f..25567991 100644
--- a/wazuh/indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml
+++ b/wazuh/indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml
@@ -26,9 +26,12 @@ spec:
 spec:
 # Set the wazuh-indexer volume permissions so the wazuh-indexer user can use it
 volumes:
- - name: indexer-certs
+ - name: node-certs
 secret:
- secretName: indexer-certs
+ secretName: node-tls
+ - name: admin-certs
+ secret:
+ secretName: admin-tls
 - name: indexer-conf
 configMap:
 name: indexer-conf
@@ -94,25 +97,29 @@ spec:
 volumeMounts:
 - name: wazuh-indexer
 mountPath: /var/lib/wazuh-indexer
- - name: indexer-certs
- mountPath: /usr/share/wazuh-indexer/certs/node-key.pem
- subPath: node-key.pem
+ - name: node-certs
+ mountPath: /usr/share/wazuh-indexer/certs/node/ca.crt
+ subPath: ca.crt
+ readOnly: true
+ - name: node-certs
+ mountPath: /usr/share/wazuh-indexer/certs/node/tls.key
+ subPath: tls.key
 readOnly: true
- - name: indexer-certs
- mountPath: /usr/share/wazuh-indexer/certs/node.pem
- subPath: node.pem
+ - name: node-certs
+ mountPath: /usr/share/wazuh-indexer/certs/node/tls.crt
+ subPath: tls.crt
 readOnly: true
- - name: indexer-certs
- mountPath: /usr/share/wazuh-indexer/certs/root-ca.pem
- subPath: root-ca.pem
+ - name: admin-certs
+ mountPath: /usr/share/wazuh-indexer/certs/admin/ca.crt
+ subPath: ca.crt
 readOnly: true
- - name: indexer-certs
- mountPath: /usr/share/wazuh-indexer/certs/admin.pem
- subPath: admin.pem
+ - name: admin-certs
+ mountPath: /usr/share/wazuh-indexer/certs/admin/tls.crt
+ subPath: tls.crt
 readOnly: true
- - name: indexer-certs
- mountPath: /usr/share/wazuh-indexer/certs/admin-key.pem
- subPath: admin-key.pem
+ - name: admin-certs
+ mountPath: /usr/share/wazuh-indexer/certs/admin/tls.key
+ subPath: tls.key
 readOnly: true
 - name: indexer-conf
 mountPath: /usr/share/wazuh-indexer/opensearch.yml
@@ -122,6 +129,14 @@ spec:
 mountPath: /usr/share/wazuh-indexer/opensearch-security/internal_users.yml
 subPath: internal_users.yml
 readOnly: true
+ - name: indexer-conf
+ mountPath: /usr/share/wazuh-indexer/opensearch-security/config.yml
+ subPath: config.yml
+ readOnly: true
+ - name: indexer-conf
+ mountPath: /usr/share/wazuh-indexer/opensearch-security/roles_mapping.yml
+ subPath: roles_mapping.yml
+ readOnly: true
 ports:
 - containerPort: 9200
 name: indexer-rest
diff --git a/wazuh/indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml b/wazuh/indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml
index 2685be22..6d7e5e42 100644
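Review bot: The two new `indexer-conf` mounts at @@ -122,6 (`opensearch-security/config.yml` and `roles_mapping.yml`) are `subPath` mounts, so they only work if the `indexer-conf` configMapGenerator in kustomization.yml actually ships those two files; the generator's `files:` list is cut off in this diff and neither file appears as an added resource, so confirm they were added or the pods will fail at volume setup with a missing-subPath error. Since these two files are where `nodes_dn`/`admin_dn` mappings and role bindings live, they are security configuration and deserve a comment at the mount saying why they are overridden, e.g. `# security plugin config and DN→role mapping for the cert-manager issued identities`. The `volumeMounts` list here continues outside the hunk.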
--- a/wazuh/indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml
+++ b/wazuh/indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml
@@ -8,12 +8,12 @@ cluster.initial_master_nodes:
 node.max_local_storage_nodes: "3"
 path.data: /var/lib/wazuh-indexer
 path.logs: /var/log/wazuh-indexer
-plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/node.pem
-plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/node-key.pem
-plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
-plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/node.pem
-plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/node-key.pem
-plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
+plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/node/tls.crt
+plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/node/tls.key
+plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/node/ca.crt
+plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/admin/tls.crt
+plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/admin/tls.key
+plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/admin/ca.crt
 plugins.security.ssl.http.enabled: true
 plugins.security.ssl.transport.enforce_hostname_verification: false
 plugins.security.ssl.transport.resolve_hostname: false
diff --git a/wazuh/kustomization.yml b/wazuh/kustomization.yml
index 27347c39..909d4f58 100644
--- a/wazuh/kustomization.yml
+++ b/wazuh/kustomization.yml
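Review bot: The three `plugins.security.ssl.transport.*` lines now point at the admin certificate (`certs/admin/tls.crt`, `tls.key`, `ca.crt`) while the HTTP layer keeps the node certificate; before this change both layers used `node.pem`, so this looks like a slip rather than a design choice. The security plugin identifies peer nodes by the transport certificate DN (`plugins.security.nodes_dn`) and grants full security-config rights to DNs listed in `plugins.security.authcz.admin_dn`; if `CN=admin` is in admin_dn (those keys are outside this hunk), every node's inter-node identity becomes an admin identity and the admin key stops being a separately held credential. Point the transport layer back at the node identity: `plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/node/tls.crt`, `plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/node/tls.key`, `plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/node/ca.crt`, and keep the admin mount only for securityadmin use.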
@@ -11,24 +11,6 @@ kind: Kustomization
 # Adds wazuh namespace to all resources.
 namespace: wazuh
 
-secretGenerator:
- - name: indexer-certs
- files:
- - certs/indexer_cluster/root-ca.pem
- - certs/indexer_cluster/node.pem
- - certs/indexer_cluster/node-key.pem
- - certs/indexer_cluster/dashboard.pem
- - certs/indexer_cluster/dashboard-key.pem
- - certs/indexer_cluster/admin.pem
- - certs/indexer_cluster/admin-key.pem
- - certs/indexer_cluster/filebeat.pem
- - certs/indexer_cluster/filebeat-key.pem
- - name: dashboard-certs
- files:
- - certs/dashboard_http/cert.pem
- - certs/dashboard_http/key.pem
- - certs/indexer_cluster/root-ca.pem
-
 configMapGenerator:
 - name: indexer-conf
 files:
@@ -46,6 +28,12 @@ resources:
 - base/wazuh-ns.yaml
 - base/storage-class.yaml
 
+ - certs/admin.yaml
+ - certs/dashboard.yaml
+ - certs/filebeat.yaml
+ - certs/node.yaml
+ - certs/wazuh-ca.yaml
+
 - secrets/wazuh-api-cred-secret.yaml
 - secrets/wazuh-authd-pass-secret.yaml
 - secrets/wazuh-cluster-key-secret.yaml
diff --git a/wazuh/wazuh_managers/wazuh-master-sts.yaml b/wazuh/wazuh_managers/wazuh-master-sts.yaml
index f1b358c2..7c5f9372 100644
--- a/wazuh/wazuh_managers/wazuh-master-sts.yaml
+++ b/wazuh/wazuh_managers/wazuh-master-sts.yaml
@@ -33,7 +33,7 @@ spec:
 name: wazuh-conf
 - name: filebeat-certs
 secret:
- secretName: indexer-certs
+ secretName: filebeat-tls
 - name: wazuh-authd-pass
 secret:
 secretName: wazuh-authd-pass
@@ -55,16 +55,16 @@ spec:
 subPath: master.conf
 readOnly: true
 - name: filebeat-certs
- mountPath: /etc/ssl/root-ca.pem
+ mountPath: /etc/ssl/ca.crt
 readOnly: true
- subPath: root-ca.pem
+ subPath: ca.crt
 - name: filebeat-certs
- mountPath: /etc/ssl/filebeat.pem
- subPath: filebeat.pem
+ mountPath: /etc/ssl/tls.crt
+ subPath: tls.crt
 readOnly: true
 - name: filebeat-certs
- mountPath: /etc/ssl/filebeat.key
- subPath: filebeat-key.pem
+ mountPath: /etc/ssl/tls.key
+ subPath: tls.key
 readOnly: true
 - name: wazuh-authd-pass
 mountPath: /wazuh-config-mount/etc/authd.pass
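Review bot: The five `certs/*.yaml` entries added at @@ -46,6 are cert-manager custom resources, so this kustomization now requires cert-manager (the `cert-manager.io/v1` CRDs and controller) to be present before `kubectl apply`, and with the `secretGenerator` removed at @@ -11,24 no `*-tls` Secret exists until the Issuer in certs/wazuh-ca.yaml has issued them; pods that mount those Secrets will sit in ContainerCreating in the meantime. Neither prerequisite is written down anywhere in the file. Add a comment above the new entries, e.g. `# Requires cert-manager. These Certificates produce the *-tls Secrets mounted by the dashboard, indexer and manager pods; first rollout waits until they are issued.`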
@@ -126,11 +126,11 @@ spec:
 - name: FILEBEAT_SSL_VERIFICATION_MODE
 value: 'full'
 - name: SSL_CERTIFICATE_AUTHORITIES
- value: /etc/ssl/root-ca.pem
+ value: /etc/ssl/ca.crt
 - name: SSL_CERTIFICATE
- value: /etc/ssl/filebeat.pem
+ value: /etc/ssl/tls.crt
 - name: SSL_KEY
- value: /etc/ssl/filebeat.key
+ value: /etc/ssl/tls.key
 - name: API_USERNAME
 valueFrom:
 secretKeyRef:
diff --git a/wazuh/wazuh_managers/wazuh-worker-sts.yaml b/wazuh/wazuh_managers/wazuh-worker-sts.yaml
index f0785fab..b9a3db34 100644
--- a/wazuh/wazuh_managers/wazuh-worker-sts.yaml
+++ b/wazuh/wazuh_managers/wazuh-worker-sts.yaml
@@ -39,7 +39,7 @@ spec:
 name: wazuh-conf
 - name: filebeat-certs
 secret:
- secretName: indexer-certs
+ secretName: fliebeat-tls
 securityContext:
 fsGroup: 101
 containers:
@@ -58,16 +58,16 @@ spec:
 subPath: worker.conf
 readOnly: true
 - name: filebeat-certs
- mountPath: /etc/ssl/root-ca.pem
+ mountPath: /etc/ssl/ca.crt
 readOnly: true
- subPath: root-ca.pem
+ subPath: ca.crt
 - name: filebeat-certs
- mountPath: /etc/ssl/filebeat.pem
- subPath: filebeat.pem
+ mountPath: /etc/ssl/tls.crt
+ subPath: tls.crt
 readOnly: true
 - name: filebeat-certs
- mountPath: /etc/ssl/filebeat.key
- subPath: filebeat-key.pem
+ mountPath: /etc/ssl/tls.key
+ subPath: tls.key
 readOnly: true
 - name: wazuh-manager-worker
 mountPath: /var/ossec/api/configuration
@@ -123,11 +123,11 @@ spec:
 - name: FILEBEAT_SSL_VERIFICATION_MODE
 value: 'full'
 - name: SSL_CERTIFICATE_AUTHORITIES
- value: /etc/ssl/root-ca.pem
+ value: /etc/ssl/ca.crt
 - name: SSL_CERTIFICATE
- value: /etc/ssl/filebeat.pem
+ value: /etc/ssl/tls.crt
 - name: SSL_KEY
- value: /etc/ssl/filebeat.key
+ value: /etc/ssl/tls.key
 - name: WAZUH_CLUSTER_KEY
 valueFrom:
 secretKeyRef:
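Review bot: `secretName: fliebeat-tls` at @@ -39,7 in wazuh-worker-sts.yaml is a typo: the Certificate in certs/filebeat.yaml writes its key pair to `filebeat-tls`, and wazuh-master-sts.yaml references `filebeat-tls`. No Secret named `fliebeat-tls` will ever exist, so the worker pods stay in ContainerCreating waiting for the volume and the cluster runs without workers until someone notices. Change the line to `secretName: filebeat-tls`; a kustomize build plus a `kubectl apply --dry-run=server` in CI would not catch this either, so a quick grep that every `secretName:` in the managers matches a `secretName:` in certs/ is worth adding to the review checklist.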