add overlays

Author: toniiiik

README.md

@@ -46,16 +46,23 @@ To deploy a cluster on your local environment (like Minikube, Kind or Microk8s)
     ├── README.md
     ├── upgrade.md
     ├── VERSION.json
+    ├── overlays
+    |   ├── certmanager
+    |   ├── external-certs
+    |   └── local-certs
     └── wazuh
         ├── base
         │   ├── storage-class.yaml
-        │   └── wazuh-ns.yaml
+        │   ├── wazuh-ns.yaml
+        │   └── kustomization.yaml
         ├── certs
+        │   ├── kustomization.yaml
         │   ├── dashboard_http
         │   │   └── generate_certs.sh
         │   └── indexer_cluster
         │       └── generate_certs.sh
         ├── indexer_stack
+        │   ├── kustomization.yaml
         │   ├── wazuh-dashboard
         │   │   ├── dashboard_conf
         │   │   │   └── opensearch_dashboards.yml
@@ -75,8 +82,10 @@ To deploy a cluster on your local environment (like Minikube, Kind or Microk8s)
         │   ├── indexer-cred-secret.yaml
         │   ├── wazuh-api-cred-secret.yaml
         │   ├── wazuh-authd-pass-secret.yaml
-        │   └── wazuh-cluster-key-secret.yaml
+        │   ├── wazuh-cluster-key-secret.yaml
+        │   └── kustomization.yaml
         └── wazuh_managers
+            ├── kustomization.yaml
             ├── wazuh-cluster-svc.yaml
             ├── wazuh_conf
             │   ├── master.conf

instructions.md

@@ -110,6 +110,12 @@ $ git clone https://github.com/wazuh/wazuh-kubernetes.git
 $ cd wazuh-kubernetes
 ```
 
+there are three options how to deploy wazuh. 
+1. deploy using generated certificates. Follow instruction in 3.1
+2. deploy using certmanager. This requires certmanager is deployed in the cluster. To deploy cluster please follow [https://cert-manager.io/docs/installation/](https://cert-manager.io/docs/installation/)
+  2.1. deploy using certmanager overlay. `kustomize build overlays/certmanager | kubectl apply -f -`
+3. deploy using external certs (external secrets or other option). `kustomize build overlays/external-certs | kubectl apply -f -`
+
 ### Step 3.1: Setup SSL certificates
 
 You can generate self-signed certificates for the Wazuh indexer cluster using the script at `wazuh/certs/indexer_cluster/generate_certs.sh` or provide your own.

overlays/certmanager/certmanager/ca-certificate.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wazuh-ca
+  namespace: wazuh
+spec:
+  isCA: true
+  commonName: wazuh-ca
+  secretName: wazuh-ca
+  issuerRef:
+    name: selfsigned-bootstrap
+    kind: Issuer
+
+

overlays/certmanager/certmanager/certificates.yaml

@@ -0,0 +1,73 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wazuh-dashboard-cert
+  namespace: wazuh
+spec:
+  secretName: dashboard-certs
+  dnsNames:
+    - dashboard
+    - dashboard.wazuh
+    - dashboard.wazuh.svc
+  issuerRef:
+    name: wazuh-ca-issuer
+    kind: Issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wazuh-indexer-node
+  namespace: wazuh
+spec:
+  secretName: indexer-node
+  commonName: indexer
+  subject:
+    organizations:
+      - Company
+    localities:
+      - California
+    countries:
+      - US
+  issuerRef:
+    name: wazuh-ca-issuer
+    kind: Issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wazuh-indexer-admin
+  namespace: wazuh
+spec:
+  secretName: indexer-admin
+  commonName: admin
+  subject:
+    organizations:
+      - Company
+    localities:
+      - California
+    countries:
+      - US
+  issuerRef:
+    name: wazuh-ca-issuer
+    kind: Issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wazuh-filebeat-client
+  namespace: wazuh
+spec:
+  secretName: filebeat-client
+  commonName: filebeat
+  subject:
+    organizations:
+      - Company
+    localities:
+      - California
+    countries:
+      - US
+  issuerRef:
+    name: wazuh-ca-issuer
+    kind: Issuer
+
+

overlays/certmanager/certmanager/issuer-selfsigned.yaml

@@ -0,0 +1,9 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-bootstrap
+  namespace: wazuh
+spec:
+  selfSigned: {}
+
+

overlays/certmanager/certmanager/issuer-wazuh-ca.yaml

@@ -0,0 +1,10 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: wazuh-ca-issuer
+  namespace: wazuh
+spec:
+  ca:
+    secretName: wazuh-ca
+
+

overlays/certmanager/kustomization.yaml

@@ -1,8 +1,23 @@
 kind: Kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 
-bases:
-  - ../../wazuh
+namespace: wazuh
 
-# components:
-#   - ../../wazuh/certs
+resources:
+  - ../../wazuh/base
+  - ../../wazuh/secrets
+  - ../../wazuh/wazuh_managers
+  - ../../wazuh/indexer_stack
+  - certmanager/issuer-selfsigned.yaml
+  - certmanager/ca-certificate.yaml
+  - certmanager/issuer-wazuh-ca.yaml
+  - certmanager/certificates.yaml
+
+patches:
+  - path: patches/patch-dashboard-vol.yaml
+  - path: patches/patch-indexer-vol.yaml
+  - path: patches/patch-manager-master-vol.yaml
+  - path: patches/patch-manager-worker-vol.yaml
+
+
+  

overlays/certmanager/patches/patch-dashboard-vol.yaml

@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: wazuh-dashboard
+  namespace: wazuh
+spec:
+  template:
+    spec:
+      volumes:
+        - name: dashboard-certs
+          secret: null
+          projected:
+            sources:
+              - secret:
+                  name: dashboard-certs
+                  items:
+                    - key: tls.crt
+                      path: cert.pem
+                    - key: tls.key
+                      path: key.pem
+                    - key: ca.crt
+                      path: root-ca.pem
+
+

overlays/certmanager/patches/patch-indexer-vol.yaml

@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: wazuh-indexer
+  namespace: wazuh
+spec:
+  template:
+    spec:
+      volumes:
+        - name: indexer-certs
+          secret: null
+          projected:
+            defaultMode: 0600
+            sources:
+              - secret:
+                  name: indexer-node
+                  items:
+                    - key: tls.crt
+                      path: node.pem
+                    - key: tls.key
+                      path: node-key.pem
+                    - key: ca.crt
+                      path: root-ca.pem
+              - secret:
+                  name: indexer-admin
+                  items:
+                    - key: tls.crt
+                      path: admin.pem
+                    - key: tls.key
+                      path: admin-key.pem
+        - name: indexer-conf
+          configMap:
+            name: indexer-conf
+            defaultMode: 0600
+
+

overlays/certmanager/patches/patch-manager-master-vol.yaml

@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: wazuh-manager-master
+  namespace: wazuh
+spec:
+  template:
+    spec:
+      volumes:
+        - name: filebeat-certs
+          secret: null
+          projected:
+            defaultMode: 0600
+            sources:
+              - secret:
+                  name: filebeat-client
+                  items:
+                    - key: tls.crt
+                      path: filebeat.pem
+                    - key: tls.key
+                      path: filebeat-key.pem
+                    - key: ca.crt
+                      path: root-ca.pem
+      
+