Add certificates configuration script

.github/workflows/eks-deployment-test.yml

@@ -165,7 +165,7 @@ jobs:
       - name: Create Wazuh certificates
         run: |
           cd wazuh/
-          bash wazuh-certs-tool.sh -A
+          sudo bash ../tools/utils/deployment/certificates-conf.sh --cert --copy --priv
 
       - name: Deploy Traefik ingress controller
         run: |

.github/workflows/local-deployment-test.yml

@@ -129,7 +129,7 @@ jobs:
       - name: Create Wazuh certificates
         run: |
           cd wazuh/
-          bash wazuh-certs-tool.sh -A
+          sudo bash ../tools/utils/deployment/certificates-conf.sh --cert --copy --priv
 
       - name: Change provisioner for minikube
         run: |

.gitignore

@@ -10,6 +10,8 @@ wazuh/wazuh-certs-tool*.sh
 wazuh/wazuh-certificates
 wazuh/wazuh-certificates/*
 wazuh/wazuh-certificates-tool.log
+wazuh/config
+wazuh/config/*
 tests/__pycache__/
 .pytest_cache/
 

CHANGELOG.md

@@ -15,6 +15,7 @@ All notable changes to this project will be documented in this file.
 
 ### Changed
 
+- Add certificates configuration script ([#1369](https://github.com/wazuh/wazuh-kubernetes/pull/1369))
 - Update artifact URLs file extension from .yml to .yaml ([#1363](https://github.com/wazuh/wazuh-kubernetes/pull/1363))
 - Updated wazuh-kubernetes documentation config and tooling versions to meet new standards. ([#1358](https://github.com/wazuh/wazuh-kubernetes/pull/1358))
 - Change config.yml configuration on test and deployment doc ([#1355](https://github.com/wazuh/wazuh-kubernetes/pull/1355))

docs/ref/getting-started/installation.md

@@ -189,7 +189,7 @@ nodes:
 **3.1.3 Run the Wazuh certificates tool script**:
 
 ```bash
-bash wazuh-certs-tool.sh -A
+sudo bash ../tools/utils/deployment/certificates-conf.sh --cert --copy --priv
 ```
 
 The required certificates are imported via secretGenerator on the `kustomization.yml` file:
@@ -198,20 +198,21 @@ The required certificates are imported via secretGenerator on the `kustomization
 secretGenerator:
   - name: indexer-certs
     files:
-      - wazuh-certificates/root-ca.pem
-      - wazuh-certificates/indexer.pem
-      - wazuh-certificates/indexer-key.pem
-      - wazuh-certificates/dashboard.pem
-      - wazuh-certificates/dashboard-key.pem
-      - wazuh-certificates/admin.pem
-      - wazuh-certificates/admin-key.pem
-      - wazuh-certificates/manager.pem
-      - wazuh-certificates/manager-key.pem
+      - config/indexer/certs/admin-key.pem
+      - config/indexer/certs/admin.pem
+      - config/indexer/certs/indexer-key.pem
+      - config/indexer/certs/indexer.pem
+      - config/indexer/certs/root-ca.pem
   - name: dashboard-certs
     files:
-      - wazuh-certificates/dashboard.pem
-      - wazuh-certificates/dashboard-key.pem
-      - wazuh-certificates/root-ca.pem
+      - config/dashboard/certs/dashboard-key.pem
+      - config/dashboard/certs/dashboard.pem
+      - config/dashboard/certs/root-ca.pem
+  - name: manager-certs
+    files:
+      - config/manager/certs/manager-key.pem
+      - config/manager/certs/manager.pem
+      - config/manager/certs/root-ca.pem
 ```
 
 #### Step 3.2: Apply Traefik ingress controller
@@ -414,7 +415,7 @@ nodes:
 Run `wazuh-certs-tool.sh` to create the certificates.
 
 ```bash
-bash wazuh-certs-tool.sh -A
+sudo bash ../tools/utils/deployment/certificates-conf.sh --cert --copy --priv
 ```
 
 Return to the root of the repository.
@@ -431,20 +432,21 @@ The required certificates are imported via secretGenerator on the `kustomization
 secretGenerator:
   - name: indexer-certs
     files:
-      - wazuh-certificates/root-ca.pem
-      - wazuh-certificates/indexer.pem
-      - wazuh-certificates/indexer-key.pem
-      - wazuh-certificates/dashboard.pem
-      - wazuh-certificates/dashboard-key.pem
-      - wazuh-certificates/admin.pem
-      - wazuh-certificates/admin-key.pem
-      - wazuh-certificates/manager.pem
-      - wazuh-certificates/manager-key.pem
+      - config/indexer/certs/admin-key.pem
+      - config/indexer/certs/admin.pem
+      - config/indexer/certs/indexer-key.pem
+      - config/indexer/certs/indexer.pem
+      - config/indexer/certs/root-ca.pem
   - name: dashboard-certs
     files:
-      - wazuh-certificates/dashboard.pem
-      - wazuh-certificates/dashboard-key.pem
-      - wazuh-certificates/root-ca.pem
+      - config/dashboard/certs/dashboard-key.pem
+      - config/dashboard/certs/dashboard.pem
+      - config/dashboard/certs/root-ca.pem
+  - name: manager-certs
+    files:
+      - config/manager/certs/manager-key.pem
+      - config/manager/certs/manager.pem
+      - config/manager/certs/root-ca.pem
 ```
 
 #### Tune storage class with custom provisioner

tools/utils/deployment/certificates-conf.sh

@@ -0,0 +1,159 @@
+#!/bin/bash
+
+# Path configuration (adjust according to your folder structure)
+CERT_TOOL="./wazuh-certs-tool.sh"
+CONFIG_FILE="./config.yml"
+OUTPUT_DIR="./wazuh-certificates" # Folder created by the script by default
+
+# Parse arguments
+DO_CERT=false
+DO_COPY=false
+DO_PRIV=false
+
+for arg in "$@"; do
+  case $arg in
+    --cert) DO_CERT=true ;;
+    --copy) DO_COPY=true ;;
+    --priv) DO_PRIV=true ;;
+    *)
+      echo "Unknown option: $arg"
+      echo "Usage: $0 [--cert] [--copy] [--priv]"
+      exit 1
+      ;;
+  esac
+done
+
+# If no flags provided, show usage
+if ! $DO_CERT && ! $DO_COPY && ! $DO_PRIV; then
+  echo "Usage: $0 [--cert] [--copy] [--priv]"
+  echo "  --cert  Generate certificates using wazuh-certs-tool.sh"
+  echo "  --copy  Copy certificates to the corresponding config directories"
+  echo "  --priv  Set ownership and permissions on the certificate files"
+  exit 1
+fi
+
+# ---------------------------------------------------------------------------
+# Parse config.yml to extract node names per section (indexer, manager, dashboard)
+# ---------------------------------------------------------------------------
+parse_config() {
+  local section=""
+  INDEXER_NODES=()
+  MANAGER_NODES=()
+  DASHBOARD_NODES=()
+
+  while IFS= read -r line; do
+    # Detect section headers (e.g., "  indexer:", "  manager:", "  dashboard:")
+    if echo "$line" | grep -qE '^\s+indexer:\s*$'; then
+      section="indexer"
+      continue
+    elif echo "$line" | grep -qE '^\s+manager:\s*$'; then
+      section="manager"
+      continue
+    elif echo "$line" | grep -qE '^\s+dashboard:\s*$'; then
+      section="dashboard"
+      continue
+    fi
+
+    # Extract node name from "- name: <value>" lines
+    if echo "$line" | grep -qE '^\s+-\s+name:'; then
+      local name
+      name=$(echo "$line" | sed 's/.*name:\s*//' | tr -d ' "'\''')
+      case $section in
+        indexer)   INDEXER_NODES+=("$name") ;;
+        manager)   MANAGER_NODES+=("$name") ;;
+        dashboard) DASHBOARD_NODES+=("$name") ;;
+      esac
+    fi
+  done < "$CONFIG_FILE"
+}
+
+# Convert node name to directory name (replace . with _)
+node_to_dir() {
+  echo "$1" | tr '.' '_'
+}
+
+# ---------------------------------------------------------------------------
+# Main logic
+# ---------------------------------------------------------------------------
+
+# Parse config.yml
+if $DO_COPY || $DO_PRIV; then
+  if [ ! -f "$CONFIG_FILE" ]; then
+    echo "Error: Configuration file $CONFIG_FILE not found."
+    exit 1
+  fi
+  parse_config
+  echo "Detected indexer nodes:   ${INDEXER_NODES[*]}"
+  echo "Detected manager nodes:   ${MANAGER_NODES[*]}"
+  echo "Detected dashboard nodes: ${DASHBOARD_NODES[*]}"
+fi
+
+# 1. Generate certificates
+if $DO_CERT; then
+  # Ensure required files exist before proceeding
+  if [[ ! -f "$CERT_TOOL" ]]; then
+    echo "Error: Certificate tool '$CERT_TOOL' not found or not executable." >&2
+    exit 1
+  fi
+  if [[ ! -f "$CONFIG_FILE" ]]; then
+    echo "Error: Configuration file '$CONFIG_FILE' not found." >&2
+    exit 1
+  fi
+  echo "Generating certificates"
+  bash $CERT_TOOL -A
+fi
+
+# 2. Copy certificates to config directories
+if $DO_COPY; then
+  FIRST_INDEXER=true
+  for node in "${INDEXER_NODES[@]}"; do
+    dir_name=$(node_to_dir "$node")
+    echo "Copying certificates for indexer: $node -> config/$dir_name/certs/"
+    mkdir -p "./config/$dir_name/certs"
+    cp "$OUTPUT_DIR/${node}"* "./config/$dir_name/certs/"
+    cp "$OUTPUT_DIR"/root-ca.pem "./config/$dir_name/certs/"
+    if $FIRST_INDEXER; then
+      cp "$OUTPUT_DIR"/admin* "./config/$dir_name/certs/"
+      FIRST_INDEXER=false
+    fi
+  done
+
+  for node in "${MANAGER_NODES[@]}"; do
+    dir_name=$(node_to_dir "$node")
+    echo "Copying certificates for manager: $node -> config/$dir_name/certs/"
+    mkdir -p "./config/$dir_name/certs"
+    cp "$OUTPUT_DIR/${node}"* "./config/$dir_name/certs/"
+    cp "$OUTPUT_DIR"/root-ca.pem "./config/$dir_name/certs/"
+  done
+
+  for node in "${DASHBOARD_NODES[@]}"; do
+    dir_name=$(node_to_dir "$node")
+    echo "Copying certificates for dashboard: $node -> config/$dir_name/certs/"
+    mkdir -p "./config/$dir_name/certs"
+    cp "$OUTPUT_DIR/${node}"* "./config/$dir_name/certs/"
+    cp "$OUTPUT_DIR"/root-ca.pem "./config/$dir_name/certs/"
+  done
+fi
+
+# 3. Set ownership and permissions
+if $DO_PRIV; then
+  for node in "${INDEXER_NODES[@]}"; do
+    dir_name=$(node_to_dir "$node")
+    echo "Setting permissions for indexer $node (1000:1000)"
+    chown -R 1000:1000 "./config/$dir_name/certs"
+  done
+
+  for node in "${MANAGER_NODES[@]}"; do
+    dir_name=$(node_to_dir "$node")
+    echo "Setting permissions for manager $node (999:999)"
+    chown -R 999:999 "./config/$dir_name/certs"
+  done
+
+  for node in "${DASHBOARD_NODES[@]}"; do
+    dir_name=$(node_to_dir "$node")
+    echo "Setting permissions for dashboard $node (1000:1000)"
+    chown -R 1000:1000 "./config/$dir_name/certs"
+  done
+fi
+
+echo "Process completed."

wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml

@@ -30,6 +30,10 @@ spec:
         - name: dashboard-certs
           secret:
             secretName: dashboard-certs
+      securityContext:
+        fsGroup: 1000
+        runAsUser: 1000
+        runAsGroup: 1000
       containers:
         - name: wazuh-dashboard
           image: 'wazuh/wazuh-dashboard:5.0.0'

wazuh/kustomization.yml

@@ -14,20 +14,21 @@ namespace: wazuh
 secretGenerator:
   - name: indexer-certs
     files:
-      - wazuh-certificates/root-ca.pem
-      - wazuh-certificates/indexer.pem
-      - wazuh-certificates/indexer-key.pem
-      - wazuh-certificates/dashboard.pem
-      - wazuh-certificates/dashboard-key.pem
-      - wazuh-certificates/admin.pem
-      - wazuh-certificates/admin-key.pem
-      - wazuh-certificates/manager.pem
-      - wazuh-certificates/manager-key.pem
+      - config/indexer/certs/admin-key.pem
+      - config/indexer/certs/admin.pem
+      - config/indexer/certs/indexer-key.pem
+      - config/indexer/certs/indexer.pem
+      - config/indexer/certs/root-ca.pem
   - name: dashboard-certs
     files:
-      - wazuh-certificates/dashboard.pem
-      - wazuh-certificates/dashboard-key.pem
-      - wazuh-certificates/root-ca.pem
+      - config/dashboard/certs/dashboard-key.pem
+      - config/dashboard/certs/dashboard.pem
+      - config/dashboard/certs/root-ca.pem
+  - name: manager-certs
+    files:
+      - config/manager/certs/manager-key.pem
+      - config/manager/certs/manager.pem
+      - config/manager/certs/root-ca.pem
 
 resources:
   - base/wazuh-ns.yaml

wazuh/wazuh_managers/wazuh-master-sts.yaml

@@ -28,14 +28,17 @@ spec:
       name: wazuh-manager-master
     spec:
       volumes:
-        - name: wazuh-manager-certs
+        - name: wazuh-manager-certs-raw
           secret:
-            secretName: indexer-certs
+            secretName: manager-certs
+            defaultMode: 0400
+        - name: wazuh-manager-certs
+          emptyDir: {}
         - name: wazuh-authd-pass
           secret:
             secretName: wazuh-authd-pass
       securityContext:
-        fsGroup: 101
+        fsGroup: 999
       initContainers:
         - name: init-wazuh-etc
           image: 'wazuh/wazuh-manager:5.0.0'
@@ -46,10 +49,17 @@ spec:
               if [ -z "$(ls -A /pvc-etc)" ]; then
                 cp -a /var/wazuh-manager/etc/* /pvc-etc/
               fi
+              cp /tmp/certs-raw/* /etc/wazuh-certs-final/
+              chown -R 999:999 /etc/wazuh-certs-final/
+              chmod 500 /etc/wazuh-certs-final/*.pem
           volumeMounts:
             - name: wazuh-manager-master
               mountPath: /pvc-etc
               subPath: wazuh/var/wazuh-manager/etc
+            - name: wazuh-manager-certs-raw
+              mountPath: /tmp/certs-raw
+            - name: wazuh-manager-certs
+              mountPath: /etc/wazuh-certs-final
       containers:
         - name: wazuh-manager
           image: 'wazuh/wazuh-manager:5.0.0'
@@ -73,16 +83,13 @@ spec:
               subPath: wazuh/var/wazuh-manager/etc
             - name: wazuh-manager-certs
               mountPath: /var/wazuh-manager/etc/certs/root-ca.pem
-              readOnly: true
               subPath: root-ca.pem
             - name: wazuh-manager-certs
               mountPath: /var/wazuh-manager/etc/certs/manager.pem
               subPath: manager.pem
-              readOnly: true
             - name: wazuh-manager-certs
               mountPath: /var/wazuh-manager/etc/certs/manager-key.pem
               subPath: manager-key.pem
-              readOnly: true
             - name: wazuh-manager-master
               mountPath: /var/wazuh-manager/logs
               subPath: wazuh/var/wazuh-manager/logs