diff --git a/manifests/dashboard.pp b/manifests/dashboard.pp
index ff5d332d..42c3a08e 100644
--- a/manifests/dashboard.pp
+++ b/manifests/dashboard.pp
@@ -41,7 +41,9 @@ }, ],
+ $manage_certs = true,
 $manage_repos = false, # Change to true when manager is not present.
+ $use_system_ca = false,
 ) { if $manage_repos { include wazuh::repo
@@ -69,33 +71,35 @@ name => $dashboard_package, }
- require wazuh::certificates
+ if $manage_certs {
+ require wazuh::certificates
- exec { "ensure full path of ${dashboard_path_certs}":
- path => '/usr/bin:/bin',
- command => "mkdir -p ${dashboard_path_certs}",
- creates => $dashboard_path_certs,
- require => Package['wazuh-dashboard'],
- }
- -> file { $dashboard_path_certs:
- ensure => directory,
- owner => $dashboard_fileuser,
- group => $dashboard_filegroup,
- mode => '0500',
- }
+ exec { "ensure full path of ${dashboard_path_certs}":
+ path => '/usr/bin:/bin',
+ command => "mkdir -p ${dashboard_path_certs}",
+ creates => $dashboard_path_certs,
+ require => Package['wazuh-dashboard'],
+ }
+ -> file { $dashboard_path_certs:
+ ensure => directory,
+ owner => $dashboard_fileuser,
+ group => $dashboard_filegroup,
+ mode => '0500',
+ }
- [
- 'dashboard.pem',
- 'dashboard-key.pem',
- 'root-ca.pem',
- ].each |String $certfile| {
- file { "${dashboard_path_certs}/${certfile}":
- ensure => file,
- owner => $dashboard_fileuser,
- group => $dashboard_filegroup,
- mode => '0400',
- replace => false, # only copy content when file not exist
- source => "/tmp/wazuh-certificates/${certfile}",
+ [
+ 'dashboard.pem',
+ 'dashboard-key.pem',
+ 'root-ca.pem',
+ ].each |String $certfile| {
+ file { "${dashboard_path_certs}/${certfile}":
+ ensure => file,
+ owner => $dashboard_fileuser,
+ group => $dashboard_filegroup,
+ mode => '0400',
+ replace => false, # only copy content when file not exist
+ source => "/tmp/wazuh-certificates/${certfile}",
+ }
 } }
diff --git a/manifests/filebeat_oss.pp b/manifests/filebeat_oss.pp
index 76a66eae..f98c1428 100644
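Review bot: `$manage_certs` and `$use_system_ca` are declared without a type, so a quoted `'false'` arriving from Hiera or an ENC is a non-empty string, hence truthy in Puppet, and certificate management silently stays on; `Boolean $manage_certs = true,` and `Boolean $use_system_ca = false,` make such a value fail at catalog compile time instead. They also lack the explanatory comment that the neighbouring `$manage_repos` carries: I would add `# false: operator places dashboard.pem, dashboard-key.pem (and root-ca.pem unless use_system_ca) in $dashboard_path_certs` above the first and `# true: omit opensearch.ssl.certificateAuthorities from the rendered yml and rely on the host trust store` above the second. Note that `$use_system_ca` only changes the rendered config; with `$manage_certs` left true the `root-ca.pem` copy further down still happens. The class parameter list starts before this hunk.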
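Review bot: With `$manage_certs = false` the whole block is skipped, including the `file { $dashboard_path_certs: ... mode => '0500' }` resource, yet the dashboard template in this same commit still points `server.ssl.key` at `${dashboard_path_certs}/dashboard-key.pem`, so an operator-supplied private key is used with no ownership or mode enforced by the manifest at all. I would gate only `require wazuh::certificates` and the three `file` copies on `$manage_certs` and leave the `exec`/directory `file` pair outside the `if`, so the `0500` directory owned by `$dashboard_fileuser` holds in both modes; enforcing `0400` on the PEMs themselves would need `file` resources without `source`, which create empty files when the operator forgot them, so that part is better stated as an obligation. A comment on the `if` would make the contract visible: `# manage_certs => false: operator provides dashboard.pem and dashboard-key.pem here, mode 0400, owned by $dashboard_fileuser`. The class body continues outside the hunk.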
--- a/manifests/filebeat_oss.pp
+++ b/manifests/filebeat_oss.pp
@@ -18,6 +18,9 @@ $filebeat_fileuser = 'root', $filebeat_filegroup = 'root', $filebeat_path_certs = '/etc/filebeat/certs',
+
+ $manage_certs = true,
+ $use_system_ca = false,
 ) { include wazuh::repo_elastic_oss
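Review bot: `$manage_certs` and `$use_system_ca` are added untyped and undocumented, while the `filebeat.yml` template touched later in this commit keeps literal `/etc/filebeat/certs/...` paths rather than `$filebeat_path_certs`, so an operator who sets `$manage_certs = false` together with a non-default `$filebeat_path_certs` gets a config pointing at files they were never told to place. Type them as `Boolean $manage_certs = true,` and `Boolean $use_system_ca = false,` (a quoted `'false'` is truthy in Puppet otherwise) and say what the second one does: `# true: drop ssl.certificate_authorities from filebeat.yml and trust the host CA bundle instead of root-ca.pem`. The class parameter list starts before this hunk.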
@@ -77,34 +80,36 @@ require => Package['filebeat'], }
- require wazuh::certificates
+ if $manage_certs {
+ require wazuh::certificates
- exec { "ensure full path of ${filebeat_path_certs}":
- path => '/usr/bin:/bin',
- command => "mkdir -p ${filebeat_path_certs}",
- creates => $filebeat_path_certs,
- require => Package['filebeat'],
- }
- -> file { $filebeat_path_certs:
- ensure => directory,
- owner => $filebeat_fileuser,
- group => $filebeat_filegroup,
- mode => '0500',
- }
+ exec { "ensure full path of ${filebeat_path_certs}":
+ path => '/usr/bin:/bin',
+ command => "mkdir -p ${filebeat_path_certs}",
+ creates => $filebeat_path_certs,
+ require => Package['filebeat'],
+ }
+ -> file { $filebeat_path_certs:
+ ensure => directory,
+ owner => $filebeat_fileuser,
+ group => $filebeat_filegroup,
+ mode => '0500',
+ }
- $_certfiles = {
- 'server.pem' => 'filebeat.pem',
- 'server-key.pem' => 'filebeat-key.pem',
- 'root-ca.pem' => 'root-ca.pem',
- }
- $_certfiles.each |String $certfile_source, String $certfile_target| {
- file { "${filebeat_path_certs}/${certfile_target}":
- ensure => file,
- owner => $filebeat_fileuser,
- group => $filebeat_filegroup,
- mode => '0400',
- replace => false, # only copy content when file not exist
- source => "/tmp/wazuh-certificates/${certfile_source}",
+ $_certfiles = {
+ 'server.pem' => 'filebeat.pem',
+ 'server-key.pem' => 'filebeat-key.pem',
+ 'root-ca.pem' => 'root-ca.pem',
+ }
+ $_certfiles.each |String $certfile_source, String $certfile_target| {
+ file { "${filebeat_path_certs}/${certfile_target}":
+ ensure => file,
+ owner => $filebeat_fileuser,
+ group => $filebeat_filegroup,
+ mode => '0400',
+ replace => false, # only copy content when file not exist
+ source => "/tmp/wazuh-certificates/${certfile_source}",
+ }
 } }
diff --git a/manifests/indexer.pp b/manifests/indexer.pp
index 6705f538..3805cbff 100644
--- a/manifests/indexer.pp
+++ b/manifests/indexer.pp
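Review bot: The new `if $manage_certs` guard records nowhere what an operator must supply when it is false: the rendered config still references `filebeat.pem`, `filebeat-key.pem` and, unless `$use_system_ca`, `root-ca.pem`, and Filebeat will presumably refuse to start on a missing file rather than the catalog failing early. I would put the obligation on the `if` itself: `# manage_certs => false: place filebeat.pem, filebeat-key.pem and (unless use_system_ca) root-ca.pem in $filebeat_path_certs, mode 0400, owned by $filebeat_fileuser`. Since the guard also skips the `0500` directory resource, consider keeping the `exec`/`file { $filebeat_path_certs: ... }` pair outside it so the directory permissions are enforced regardless of who provisions the keys. The class body continues outside the hunk.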
@@ -22,6 +22,7 @@ $indexer_discovery_hosts = [], # Empty array for single-node configuration
 $indexer_cluster_initial_master_nodes = ['node-1'],
+ $manage_certs = true,
 $manage_repos = false, # Change to true when manager is not present.
 # JVM options
@@ -45,35 +46,37 @@ name => $indexer_package, }
- require wazuh::certificates
+ if $manage_certs {
+ require wazuh::certificates
- exec { "ensure full path of ${indexer_path_certs}":
- path => '/usr/bin:/bin',
- command => "mkdir -p ${indexer_path_certs}",
- creates => $indexer_path_certs,
- require => Package['wazuh-indexer'],
- }
- -> file { $indexer_path_certs:
- ensure => directory,
- owner => $indexer_fileuser,
- group => $indexer_filegroup,
- mode => '0500',
- }
+ exec { "ensure full path of ${indexer_path_certs}":
+ path => '/usr/bin:/bin',
+ command => "mkdir -p ${indexer_path_certs}",
+ creates => $indexer_path_certs,
+ require => Package['wazuh-indexer'],
+ }
+ -> file { $indexer_path_certs:
+ ensure => directory,
+ owner => $indexer_fileuser,
+ group => $indexer_filegroup,
+ mode => '0500',
+ }
- [
- 'indexer.pem',
- 'indexer-key.pem',
- 'root-ca.pem',
- 'admin.pem',
- 'admin-key.pem',
- ].each |String $certfile| {
- file { "${indexer_path_certs}/${certfile}":
- ensure => file,
- owner => $indexer_fileuser,
- group => $indexer_filegroup,
- mode => '0400',
- replace => false, # only copy content when file not exist
- source => "/tmp/wazuh-certificates/${certfile}",
+ [
+ 'indexer.pem',
+ 'indexer-key.pem',
+ 'root-ca.pem',
+ 'admin.pem',
+ 'admin-key.pem',
+ ].each |String $certfile| {
+ file { "${indexer_path_certs}/${certfile}":
+ ensure => file,
+ owner => $indexer_fileuser,
+ group => $indexer_filegroup,
+ mode => '0400',
+ replace => false, # only copy content when file not exist
+ source => "/tmp/wazuh-certificates/${certfile}",
+ }
 } }
diff --git a/templates/filebeat_oss_yml.erb b/templates/filebeat_oss_yml.erb
index 51771cbc..0fe7b496 100644
--- a/templates/filebeat_oss_yml.erb
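Review bot: Unlike the dashboard and Filebeat classes in this commit, `wazuh::indexer` gains `$manage_certs` but no `$use_system_ca`, and the same flag is also what selects the `plugins.security.nodes_dn` format in `wazuh_indexer_yml.erb`, so one untyped boolean now decides both who provisions the files and what subject the peer certificates are expected to carry. Type it `Boolean $manage_certs = true,` and comment the second effect where it is declared: `# false: operator supplies the PEMs in $indexer_path_certs; also switches nodes_dn to bare CN=<node> entries in the indexer template`. A separate parameter for the DN list would keep the two concerns apart. The class parameter list starts before this hunk.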
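Review bot: When `$manage_certs` is false the skipped list includes `admin.pem`/`admin-key.pem`, presumably the securityadmin client pair, and nothing in the manifest then enforces the `0500` directory or `0400`, `$indexer_fileuser`-owned files for an operator-supplied copy of them. Keep the `exec`/`file { $indexer_path_certs: ... mode => '0500' }` pair outside the `if` and gate only `require wazuh::certificates` and the `.each` copies on `$manage_certs`, and state the obligation on the guard: `# manage_certs => false: operator supplies indexer.pem, indexer-key.pem, root-ca.pem, admin.pem, admin-key.pem (0400, $indexer_fileuser) in $indexer_path_certs`. Because the indexer has no `use_system_ca` switch, `root-ca.pem` is always required in that directory, which the comment should say. The class body continues outside the hunk.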
+++ b/templates/filebeat_oss_yml.erb
@@ -17,8 +17,10 @@ output.elasticsearch:
 username: <%= @filebeat_oss_elastic_user %>
 password: <%= @filebeat_oss_elastic_password %>
 protocol: https
+<% if not @use_system_ca -%>
 ssl.certificate_authorities:
 - /etc/filebeat/certs/root-ca.pem
+<% end -%>
 ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
 ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
diff --git a/templates/wazuh_dashboard_yml.erb b/templates/wazuh_dashboard_yml.erb
index 8160974d..0e5d25ec 100644
--- a/templates/wazuh_dashboard_yml.erb
+++ b/templates/wazuh_dashboard_yml.erb
@@ -20,5 +20,7 @@ opensearch_security.openid.verify_hostnames: <%= @opensearch_security_openid_ver
 server.ssl.enabled: true
 server.ssl.key: "<%= @dashboard_path_certs %>/dashboard-key.pem"
 server.ssl.certificate: "<%= @dashboard_path_certs %>/dashboard.pem"
+<% if not @use_system_ca -%>
 opensearch.ssl.certificateAuthorities: ["<%= @dashboard_path_certs %>/root-ca.pem"]
+<% end -%>
 uiSettings.overrides.defaultRoute: /app/wazuh
diff --git a/templates/wazuh_indexer_yml.erb b/templates/wazuh_indexer_yml.erb
index 98e070dd..1d7790ed 100644
--- a/templates/wazuh_indexer_yml.erb
+++ b/templates/wazuh_indexer_yml.erb
@@ -31,7 +31,11 @@ plugins.security.check_snapshot_restore_write_privileges: true
 plugins.security.enable_snapshot_restore_privilege: true
 plugins.security.nodes_dn:
 <% @indexer_cluster_initial_master_nodes.each do |node| -%>
+<% if @manage_certs -%>
 - "CN=<%= node %>,OU=Wazuh,O=Wazuh,L=California,C=US"
+<% else -%>
+- "CN=<%= node %>"
+<% end -%>
 <% end -%>
 plugins.security.restapi.roles_enabled:
 - "all_access"
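Review bot: Dropping `ssl.certificate_authorities` when `@use_system_ca` is set makes Filebeat validate the indexer against the host's entire CA bundle instead of the single Wazuh root, so hostname verification becomes the only thing binding the connection to the indexer, and the hunk does not pin `ssl.verification_mode`, which defaults to `full` as far as I know but is easy to relax elsewhere. I would render `ssl.verification_mode: full` explicitly next to the conditional and add a template comment above the `if`: `<%# use_system_ca: every CA in the system bundle is trusted; the indexer cert must chain to one of them and match its hostname -%>`. The surrounding lines also keep `/etc/filebeat/certs/...` literals rather than `@filebeat_path_certs`, which the manifest parameter of that name suggests they should use.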
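Review bot: Omitting `opensearch.ssl.certificateAuthorities` does not make OpenSearch Dashboards read the OS trust store: as a Node.js application it falls back to Node's bundled root list unless started with `--use-openssl-ca` or with `NODE_EXTRA_CA_CERTS` set, so a private CA installed under `/etc/ssl/certs` stays untrusted and an operator is likely to "fix" that by lowering `opensearch.ssl.verificationMode`. The template should say so above the `if`: `<%# use_system_ca: Node trusts only its bundled roots; export NODE_EXTRA_CA_CERTS in the service environment for a private CA -%>`, and rendering `opensearch.ssl.verificationMode: full` explicitly would keep the remaining check visible. The `server.ssl.key`/`server.ssl.certificate` lines still point at `@dashboard_path_certs` whatever `manage_certs` is, which the manifest should document.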
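Review bot: `plugins.security.nodes_dn` is an authorization list, not a naming hint: any peer presenting a certificate from the trusted CA whose subject matches an entry is admitted to the cluster transport as a node, so switching to a bare `"CN=<%= node %>"` whenever `@manage_certs` is false silently assumes operator-issued certificates carry exactly that subject and gives the operator no way to supply the real DNs when their CA adds O/OU or is shared with non-node certificates. I would drive the list from an explicit parameter, e.g. `$indexer_nodes_dn = []` in the class, and keep the Wazuh-style DN only as the fallback: `<% dns = @indexer_nodes_dn.empty? ? @indexer_cluster_initial_master_nodes.map { |n| "CN=#{n},OU=Wazuh,O=Wazuh,L=California,C=US" } : @indexer_nodes_dn -%>`, `<% dns.each do |dn| -%>`, `- "<%= dn %>"`. Entries accept wildcards and regexes, so a comment next to the key warning that anything broader than an exact subject grants node rights to every matching certificate the CA has issued would be worth adding.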