PoC of managing certificates with cert-manager bases on Docker Desktop

Signed-off-by: George Gaal <[email protected]>

envs/docker-desktop/indexer-resources.yaml

@@ -0,0 +1,25 @@
+# Copyright (C) 2019, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: wazuh-indexer
+  namespace: wazuh
+spec:
+  replicas: 1
+  template:
+    spec:
+      containers:
+        - name: wazuh-indexer
+          resources:
+            requests:
+              cpu: 500m
+              memory: 1Gi
+            limits:
+              cpu: 1
+              memory: 2Gi

envs/docker-desktop/kustomization.yml

@@ -0,0 +1,15 @@
+# Copyright (C) 2019, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../wazuh
+patches:
+- path: storage-class.yaml
+- path: indexer-resources.yaml
+- path: wazuh-resources.yaml

envs/docker-desktop/storage-class.yaml

@@ -0,0 +1,16 @@
+# Copyright (C) 2019, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+# Wazuh StorageClass
+
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: wazuh-storage
+
+provisioner: docker.io/hostpath
+

envs/docker-desktop/wazuh-resources.yaml

@@ -0,0 +1,14 @@
+# Copyright (C) 2019, Wazuh Inc.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: wazuh-manager-worker
+  namespace: wazuh
+spec:
+  replicas: 1

wazuh/certs/admin.yaml

@@ -0,0 +1,29 @@
+---
+# Source: api/templates/virtual_service.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: admin
+  namespace: wazuh
+spec:
+  issuerRef:
+    group: cert-manager.io
+    kind: Issuer
+    name: wazuh-issuer
+  secretName: admin-tls
+  commonName: admin
+  dnsNames:
+    - "admin"
+  usages:
+    - "signing"
+    - "key encipherment"
+    - "server auth"
+    - "client auth"
+  duration: 2160h
+  renewBefore: 360h
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+    rotationPolicy: Always

wazuh/certs/dashboard.yaml

@@ -0,0 +1,30 @@
+---
+# Source: api/templates/virtual_service.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: dashboard
+  namespace: wazuh
+spec:
+  issuerRef:
+    group: cert-manager.io
+    kind: Issuer
+    name: wazuh-issuer
+  secretName: dashboard-tls
+  commonName: dashboard
+  dnsNames:
+    - "dashboard"
+  usages:
+    - "signing"
+    - "key encipherment"
+    - "server auth"
+    - "client auth"
+    - digital signature
+  duration: 2160h
+  renewBefore: 360h
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+    rotationPolicy: Always

wazuh/certs/filebeat.yaml

@@ -0,0 +1,30 @@
+---
+# Source: api/templates/virtual_service.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: filebeat
+  namespace: wazuh
+spec:
+  issuerRef:
+    group: cert-manager.io
+    kind: Issuer
+    name: wazuh-issuer
+  secretName: filebeat-tls
+  commonName: filebeat
+  dnsNames:
+    - "filebeat"
+  usages:
+    - "signing"
+    - "key encipherment"
+    - "server auth"
+    - "client auth"
+    - digital signature
+  duration: 2160h
+  renewBefore: 360h
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+    rotationPolicy: Always

wazuh/certs/node.yaml

@@ -0,0 +1,30 @@
+---
+# Source: api/templates/virtual_service.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: node
+  namespace: wazuh
+spec:
+  issuerRef:
+    group: cert-manager.io
+    kind: Issuer
+    name: wazuh-issuer
+  secretName: node-tls
+  commonName: "*.wazuh-indexer"
+  dnsNames:
+    - "*.wazuh-indexer"
+  usages:
+    - "signing"
+    - "key encipherment"
+    - "server auth"
+    - "client auth"
+    - digital signature
+  duration: 2160h
+  renewBefore: 360h
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+    rotationPolicy: Always

wazuh/certs/wazuh-ca.yaml

@@ -0,0 +1,40 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigning-issuer
+  namespace: wazuh
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wazuh-pki-ca
+  namespace: wazuh
+spec:
+  issuerRef:
+    group: cert-manager.io
+    kind: Issuer
+    name: selfsigning-issuer
+  secretName: wazuh-pki-ca
+  commonName: "wazuh-ca"
+  subject:
+    organizations:
+      - "Wazuh, Inc."
+  usages:
+    - "signing"
+    - "key encipherment"
+    - "cert sign"
+  duration: 87600h # 3650d
+  renewBefore: 8760h # 365d
+  isCA: true
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: wazuh-issuer
+  namespace: wazuh
+spec:
+  ca:
+    secretName: "wazuh-pki-ca"

wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml

@@ -29,7 +29,7 @@ spec:
             name: dashboard-conf
         - name: dashboard-certs
           secret:
-            secretName: dashboard-certs
+            secretName: dashboard-tls
       containers:
         - name: wazuh-dashboard
           image: 'wazuh/wazuh-dashboard:4.9.0'
@@ -43,16 +43,16 @@ spec:
               subPath: opensearch_dashboards.yml
               readOnly: false
             - name: dashboard-certs
-              mountPath: /usr/share/wazuh-dashboard/certs/cert.pem
+              mountPath: /usr/share/wazuh-dashboard/certs/tls.crt
               readOnly: true
-              subPath: cert.pem
+              subPath: tls.crt
             - name: dashboard-certs
-              mountPath: /usr/share/wazuh-dashboard/certs/key.pem
+              mountPath: /usr/share/wazuh-dashboard/certs/tls.key
               readOnly: true
-              subPath: key.pem
+              subPath: tls.key
             - name: dashboard-certs
-              mountPath: /usr/share/wazuh-dashboard/certs/root-ca.pem
-              subPath: root-ca.pem
+              mountPath: /usr/share/wazuh-dashboard/certs/ca.crt
+              subPath: ca.crt
               readOnly: true
           ports:
             - containerPort: 5601

wazuh/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml

@@ -7,7 +7,7 @@ opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
 opensearch_security.multitenancy.enabled: false
 opensearch_security.readonly_mode.roles: ["kibana_read_only"]
 server.ssl.enabled: true
-server.ssl.key: "/usr/share/wazuh-dashboard/certs/key.pem"
-server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/cert.pem"
-opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
+server.ssl.key: "/usr/share/wazuh-dashboard/certs/tls.key"
+server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/tls.crt"
+opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/ca.crt"]
 uiSettings.overrides.defaultRoute: /app/wz-home