Certificate deployment not ideal with 4.8.0 #1038
Hedius opened this issue Jun 15, 2024 · 2 comments
Comments


Hedius commented Jun 15, 2024

Hello,

with 4.8.0 it seems like the cert deployment was heavily modified:

```puppet
file { 'Copy all certificates into module':
  ensure  => 'directory',
  source  => '/tmp/wazuh-certificates/',
  recurse => 'remote',
  path    => '/etc/puppetlabs/code/environments/production/modules/archive/files/',
  owner   => 'root',
  group   => 'root',
  mode    => '0755',
}
```

Especially this block.

A few things or ideas:

  • You hardcoded the environment in the repo. (Not everyone has an env called production.)
  • You generate the certs on the puppet master, but with large multi puppet master setups this won't work?
  • It seems like the files are being saved in the files folder of another puppet module? (puppet-archive)
  • Would the correct way to share certs between nodes, etc. not be to use PuppetDB and exported resources?

I can add more information if needed.

Hedius commented Jun 15, 2024

https://documentation.wazuh.com/current/deployment-options/deploying-with-puppet/wazuh-puppet-module/index.html

Still exported resources would be cleaner. The setup does not work like this if you have a multi puppet master/server environment.

Please do not hijack other modules... and do not hardcode environments (puppet-archive in this case). :(

Hedius changed the title from "Certificate deployment seems to be broken on 4.8.0" to "Certificate deployment not ideal with 4.8.0" on Jun 15, 2024

6uhrmittag commented Nov 11, 2024

IMHO the whole certificates.pp should be refactored - it's a collection of bad practices :(

  • The version is hardcoded and isn't updated on new releases (4.9 and v4.10.0-alpha3):

```puppet
$wazuh_version = '4.8',
```

  • The script isn't packaged with the puppet-module but is pulled from packages.wazuh.com without any (hashsum-)verification and then executed by the Puppet Agent with its privileges on the Puppet Master(!):

```puppet
source => "https://${wazuh_repository}/${wazuh_version}/wazuh-certs-tool.sh",
```
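The two points above (unverified download, hardcoded version) together with the earlier complaint about writing into puppet-archive's files directory under a hardcoded environment, as an added example in Puppet that is not code from wazuh-puppet: a class that fetches the certs tool pinned to a version and a SHA-256 value, so Puppet refuses to write the file when the downloaded content does not match, and keeps the generated certificates in a directory the class owns. The class name, its parameters, the placeholder checksum, the tool's invocation flag and its output filename are assumptions; the page does not describe them.

```puppet
# Added example, not code from wazuh-puppet. Names, parameters, the '-A'
# flag and the 'root-ca.pem' output name are assumptions.
class wazuh::certificates (
  String $wazuh_repository  = 'packages.wazuh.com',
  # Pass the real release from Hiera instead of hardcoding it here.
  String $wazuh_version     = '4.8',
  # Placeholder: set to the published SHA-256 of the script for that release.
  String $certs_tool_sha256 = 'REPLACE_WITH_SHA256_OF_wazuh-certs-tool.sh',
  # Module-owned location; nothing is written into another module's
  # files/ directory or into a hardcoded environment path.
  String $cert_dir          = '/etc/wazuh-certificates',
) {
  $tool = "${cert_dir}/wazuh-certs-tool.sh"

  file { $cert_dir:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0750',
  }

  # With checksum/checksum_value set, Puppet compares the fetched content
  # against the pinned digest and refuses to write (and so never executes)
  # a script whose checksum differs.
  file { $tool:
    ensure         => file,
    source         => "https://${wazuh_repository}/${wazuh_version}/wazuh-certs-tool.sh",
    checksum       => 'sha256',
    checksum_value => $certs_tool_sha256,
    owner          => 'root',
    group          => 'root',
    mode           => '0750',
    require        => File[$cert_dir],
  }

  # Run the tool only once; 'creates' makes the exec idempotent.
  exec { 'generate wazuh certificates':
    command => "${tool} -A",
    cwd     => $cert_dir,
    creates => "${cert_dir}/root-ca.pem",
    path    => ['/usr/bin', '/bin'],
    require => File[$tool],
  }
}
```

Distribution of the resulting certificates to other nodes (for example via exported resources, as suggested earlier in the thread) is a separate step not shown here.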
