@griggi-ws griggi-ws commented Aug 8, 2025

Hey folks, I was looking to set up Wazuh with Puppet and found the official module to be incompatible with my environment (largely due to the certificates workflow), so I decided to refactor it to make it significantly more dynamic and allow use of the Puppet CA via a custom Puppet fileserver rather than shimming files generated by a script into the code path.

Currently a draft because I started writing this before remembering that I hadn't sufficiently tested the agent class yet; that's on the docket for next week, though.

The major functionality improvements are:

  • Permitting arbitrary certificate management via the `Variant[Hash, Array] $certfiles` and `String $cert_source_basepath` parameters
    • These are defaulted to match the current (henceforth legacy) cert workflow, but the parameterization of the source basepath makes it incredibly flexible for bring-your-own-CA.
  • Replacing the `wazuh-certs-tool.sh` functionality with Puppet exported resources, using the Puppet CA
  • Enabling agent/manager validation through the use of Puppet node certs and the Puppet CA

Locally I have some degree of rspec tests written up, as the existing tests in the `spec/` dir all failed. I've loosely followed the OpenVox model for those, and can include them in the PR if desired, but they'll need some work to be thorough enough.

There are several linting fixups as well in the files I was working on, but should have no effect on functionality (unless maybe you're on Puppet 3.x). I did not look to make sweeping formatting updates (though they are much needed).

Examples

With the changes, here's my example config for a single-node setup:

Puppet CA profile:

    class { 'wazuh::certificates':
      filebucket_path     => 'puppet:///wazuh',
      use_legacy_workflow => false,
    }

Puppet compiler profile

(note that this is only necessary to include in the case of a separate CA and compiler server, which would also need syncing of the files between them via some method)

    class { 'wazuh::certificates':
      filebucket_path     => 'puppet:///wazuh',
      use_legacy_workflow => false,
      manage_certs        => false, # Don't try to generate certs on the compiler
    }

Wazuh profile

This is using the stdlib stages, grouping in such a way that there's no relationship between the cert-generating classes so all of the exported resources can be stored in a single puppet run. If they were configured all at once with chaining arrows, you'd need to interleave several Puppet runs (along with the Puppet CA) in order to allow one class to complete so the next can reach the export step.

    class profile::mgmt::wazuh (
      String $repo_version = '4.x',
      String $release_version = '4.12.0',
      String $cert_bucket_basepath = 'puppet:///wazuh', # lint:ignore:puppet_url_without_modules
    ) {
      class { 'wazuh::repo':
        repo_version => $repo_version,
        #stage        => setup_infra,
      } # chain if not staged
      class { 'wazuh::indexer':
        indexer_version      => $release_version,
        generate_certs       => true,
        cert_source_basepath => $cert_bucket_basepath,
        #stage                => deploy_infra,
      } # always chain
      -> class { 'wazuh::securityadmin':
        #stage => deploy_infra,
      } # chain if not staged
      class { 'wazuh::filebeat_oss':
        module_version           => $repo_version,
        wazuh_extensions_version => "v${release_version}",
        cert_source_basepath     => $cert_bucket_basepath,
        generate_certs           => true,
        #stage                    => setup_app,
      } # always chain
      -> class { 'wazuh::manager':
        server_package_version => $release_version,
        use_puppet_certs       => true,
        #stage                  => setup_app,
      } # chain if not staged
      -> class { 'wazuh::dashboard':
        dashboard_version    => $release_version,
        cert_source_basepath => $cert_bucket_basepath,
        generate_certs       => true,
        #stage                => deploy_app,
      }
    }
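As an added example (not part of this PR or of the Wazuh module itself), here is the same profile with the stdlib run stages switched on instead of commented out. It assumes puppetlabs-stdlib's `stdlib::stages` class, which declares the `setup_infra`, `deploy_infra`, `setup_app` and `deploy_app` stages in that order, and a PuppetDB-backed setup, since exported resources require storeconfigs. Classes that must be ordered within one stage keep their chaining arrow; ordering across stages is left to the stage graph.

```puppet
# Added example, not from the PR: staged variant of profile::mgmt::wazuh.
# Assumes stdlib::stages (puppetlabs-stdlib) and PuppetDB/storeconfigs for
# the exported certificate resources.
class profile::mgmt::wazuh_staged (
  String $repo_version         = '4.x',
  String $release_version      = '4.12.0',
  String $cert_bucket_basepath = 'puppet:///wazuh', # lint:ignore:puppet_url_without_modules
) {
  # Declares setup_infra -> deploy_infra -> setup_app -> deploy_app.
  include stdlib::stages

  # Package repo first, before anything in later stages installs packages.
  class { 'wazuh::repo':
    repo_version => $repo_version,
    stage        => 'setup_infra',
  }

  # Indexer generates and exports its certs; securityadmin sits in the same
  # stage, so it still needs an explicit chain to run after the indexer.
  class { 'wazuh::indexer':
    indexer_version      => $release_version,
    generate_certs       => true,
    cert_source_basepath => $cert_bucket_basepath,
    stage                => 'deploy_infra',
  }
  -> class { 'wazuh::securityadmin':
    stage => 'deploy_infra',
  }

  # Filebeat and manager share a stage; keep the chain between them.
  class { 'wazuh::filebeat_oss':
    module_version           => $repo_version,
    wazuh_extensions_version => "v${release_version}",
    cert_source_basepath     => $cert_bucket_basepath,
    generate_certs           => true,
    stage                    => 'setup_app',
  }
  -> class { 'wazuh::manager':
    server_package_version => $release_version,
    use_puppet_certs       => true,
    stage                  => 'setup_app',
  }

  # Dashboard runs last; no arrow from the manager is needed because the
  # deploy_app stage is already ordered after setup_app.
  class { 'wazuh::dashboard':
    dashboard_version    => $release_version,
    cert_source_basepath => $cert_bucket_basepath,
    generate_certs       => true,
    stage                => 'deploy_app',
  }
}
```

The point of the stage split is the one the description makes: each cert-generating class reaches its export step in the same catalog without a relationship forcing it to wait on another class, so the exported resources land in PuppetDB in one run rather than needing several interleaved runs against the CA.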

griggi-ws added 29 commits July 23, 2025 18:44
… key conversion to pkcs8 format for opensearch, fix: repo notify
…catalog is unique to node anyhow; remove: unused parameters