Release Wazuh version 2.3.0 (#92)

* [wazuh]: update OpenSearch configuration to use dynamic SECURITY_NODES_DN variable in indexer templates

Signed-off-by: Mohamad Berjawi <[email protected]>

* [wazuh]: update manager and worker service templates to support external traffic policy and annotations

Signed-off-by: Mohamad Berjawi <[email protected]>

* [wazuh]: bump chart version to 2.3.0 and add nodesDN configuration for certificate management

Signed-off-by: Mohamad Berjawi <[email protected]>

* [wazuh](wazuh-service.yaml): fix missing newline

Signed-off-by: Mohamad Berjawi <[email protected]>

---------

Signed-off-by: Mohamad Berjawi <[email protected]>

Author: thread-koder

charts/wazuh/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.2.1
+version: 2.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/wazuh/configs/indexer_conf/opensearch.yml

@@ -22,7 +22,7 @@ plugins.security.authcz.admin_dn:
 plugins.security.check_snapshot_restore_write_privileges: true
 plugins.security.enable_snapshot_restore_privilege: true
 plugins.security.nodes_dn:
-  - CN=*.wazuh-indexer,O=Company,L=California,C=US
+  - CN=${SECURITY_NODES_DN}
 plugins.security.restapi.roles_enabled:
   - "all_access"
   - "security_rest_api_access"

charts/wazuh/templates/indexer/indexer-sts.yaml

@@ -81,6 +81,8 @@ spec:
               value: {{ include "wazuh.fullname" . }}-indexer
             - name: SECURITY_AUTHCZ_ADMIN_DN
               value: {{ .Values.tls.certManager.commonName }}
+            - name: SECURITY_NODES_DN
+              value: {{ .Values.indexer.config.nodesDN | default (printf "*.%s" (include "wazuh.fullname" .)) }}
             - name: KUBERNETES_NAMESPACE
               valueFrom:
                 fieldRef:
@@ -246,6 +248,8 @@ spec:
               value: {{ include "wazuh.fullname" . }}-indexer
             - name: SECURITY_AUTHCZ_ADMIN_DN
               value: {{ .Values.tls.certManager.commonName }}
+            - name: SECURITY_NODES_DN
+              value: {{ .Values.indexer.config.nodesDN | default (printf "*.%s" (include "wazuh.fullname" .)) }}
             - name: KUBERNETES_NAMESPACE
               valueFrom:
                 fieldRef:

charts/wazuh/templates/manager/wazuh-master-sts.yaml

@@ -15,6 +15,7 @@ spec:
       {{- include "wazuh.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      name: {{ include "wazuh.fullname" . }}-manager-master
       {{- with .Values.manager.master.podAnnotations }}
       annotations:
         {{- toYaml . | nindent 8 }}
@@ -114,26 +115,6 @@ spec:
               mountPath: /wazuh-config-mount/etc/authd.pass
               subPath: authd.pass
               readOnly: true
-            - name: manager-certs
-              mountPath: /wazuh-config-mount/etc/sslmanager.cert
-              subPath: server.cert
-              readOnly: true
-            - name: manager-certs
-              mountPath: /wazuh-config-mount/etc/sslmanager.key
-              subPath: server.key
-              readOnly: true
-            - name: manager-certs
-              mountPath: /wazuh-config-mount/api/configuration/ssl/server.crt
-              subPath: server.cert
-              readOnly: true
-            - name: manager-certs
-              mountPath: /wazuh-config-mount/api/configuration/ssl/server.key
-              subPath: server.key
-              readOnly: true
-            - name: filebeat-certs
-              mountPath: /wazuh-config-mount/api/configuration/ssl/ca.crt
-              subPath: root-ca.pem
-              readOnly: true
             - name: wazuh-manager-master
               mountPath: /var/ossec/api/configuration
               subPath: wazuh/var/ossec/api/configuration

charts/wazuh/templates/manager/wazuh-master-svc.yaml

@@ -1,12 +1,20 @@
+{{- if .Values.manager.master.service.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "wazuh.fullname" . }}-master
   labels:
     app: {{ include "wazuh.fullname" . }}-manager
     {{- include "wazuh.labels" . | nindent 4 }}
+  {{- with .Values.manager.master.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
-  type: ClusterIP
+  type: {{ .Values.manager.master.service.type }}
+  {{- if .Values.manager.master.service.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.manager.master.service.externalTrafficPolicy }}
+  {{- end }}
   ports:
     - port: 1515
       targetPort: 1515
@@ -20,3 +28,4 @@ spec:
     app: {{ include "wazuh.fullname" . }}-manager
     node-type: master
     {{- include "wazuh.selectorLabels" . | nindent 4 }}
+{{- end }}

charts/wazuh/templates/manager/wazuh-service.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.manager.service.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -11,6 +12,9 @@ metadata:
   {{- end }}
 spec:
   type: {{ .Values.manager.service.type }}
+  {{- if .Values.manager.service.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.manager.service.externalTrafficPolicy }}
+  {{- end }}
   ports:
     - port: 1515
       targetPort: 1515
@@ -26,4 +30,5 @@ spec:
       name: api
   selector:
     app: {{ include "wazuh.fullname" . }}-manager
-    {{- include "wazuh.selectorLabels" . | nindent 4 }}
+    {{- include "wazuh.selectorLabels" . | nindent 4 }}
+{{- end }}

charts/wazuh/templates/manager/wazuh-worker-sts.yaml

@@ -15,6 +15,7 @@ spec:
       {{- include "wazuh.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      name: {{ include "wazuh.fullname" . }}-manager-worker
       {{- with .Values.manager.workers.podAnnotations }}
       annotations:
         {{- toYaml . | nindent 8 }}
@@ -107,26 +108,6 @@ spec:
               mountPath: /wazuh-config-mount/etc/ossec.conf
               subPath: worker.conf
               readOnly: true
-            - name: manager-certs
-              mountPath: /wazuh-config-mount/etc/sslmanager.cert
-              subPath: server.cert
-              readOnly: true
-            - name: manager-certs
-              mountPath: /wazuh-config-mount/etc/sslmanager.key
-              subPath: server.key
-              readOnly: true
-            - name: manager-certs
-              mountPath: /wazuh-config-mount/api/configuration/ssl/server.crt
-              subPath: server.cert
-              readOnly: true
-            - name: manager-certs
-              mountPath: /wazuh-config-mount/api/configuration/ssl/server.key
-              subPath: server.key
-              readOnly: true
-            - name: filebeat-certs
-              mountPath: /wazuh-config-mount/api/configuration/ssl/ca.crt
-              subPath: root-ca.pem
-              readOnly: true
             - name: wazuh-manager-worker
               mountPath: /var/ossec/api/configuration
               subPath: wazuh/var/ossec/api/configuration

charts/wazuh/templates/manager/wazuh-workers-svc.yaml

@@ -1,12 +1,20 @@
+{{- if .Values.manager.workers.service.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "wazuh.fullname" . }}-workers
   labels:
     app: {{ include "wazuh.fullname" . }}-manager
     {{- include "wazuh.labels" . | nindent 4 }}
+  {{- with .Values.manager.workers.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
-  type: ClusterIP
+  type: {{ .Values.manager.workers.service.type }}
+  {{- if .Values.manager.workers.service.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.manager.workers.service.externalTrafficPolicy }}
+  {{- end }}
   ports:
     - port: 1514
       targetPort: 1514
@@ -16,3 +24,4 @@ spec:
     app: {{ include "wazuh.fullname" . }}-manager
     node-type: worker
     {{- include "wazuh.selectorLabels" . | nindent 4 }}
+{{- end }}

charts/wazuh/values.yaml

@@ -115,6 +115,14 @@ indexer:
     # Must have the key "internal_users.yml"
     # Please read https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html#change-the-password-of-wazuh-users
     indexerInternalUsersSecretName: ""
+    # Distinguished Name (DN) pattern for node certificates in plugins.security.nodes_dn
+    # This whitelist controls which certificates are trusted for node-to-node communication.
+    # Must match the CN (Common Name) in your node certificates issued by cert-manager.
+    # Default: "*.{release-name}" (e.g., "*.wazuh" for release "wazuh")
+    # Example: If your cert-manager issues certs with CN=wazuh, set this to "wazuh"
+    # Example: If your cert-manager issues certs with CN=*.wazuh-indexer, set this to "*.wazuh-indexer"
+    # Leave empty to auto-generate based on release name
+    nodesDN: ""
 
   imagePullSecrets: []
 
@@ -234,11 +242,14 @@ manager:
       # authd.pass
       existingSecretName: ""
 
-  ## The manager service that is going to be responsible for the agent registration
-  ## and the agent events
+  ## Exposes the whole manager stack (master and workers) to agents and users under a single service.
+  ## Port 1515 registers agents (master pods), port 55000 serves the Wazuh API (master pods)
+  ## and port 1514 receives agent events (worker pods)
   service:
+    enabled: true
     type: LoadBalancer
     annotations: {}
+    externalTrafficPolicy: Cluster
 
   master:
     podSecurityContext:
@@ -308,6 +319,12 @@ manager:
       size: "25Gi"
       existingClaim: ""
 
+    service:
+      enabled: true
+      type: ClusterIP
+      annotations: {}
+      externalTrafficPolicy: ""
+
   workers:
     replicaCount: 1
 
@@ -378,6 +395,12 @@ manager:
       size: "25Gi"
       existingClaim: ""
 
+    service:
+      enabled: true
+      type: ClusterIP
+      annotations: {}
+      externalTrafficPolicy: ""
+
 dashboard:
   replicaCount: 1