Modify cert generation process

2025-12-10 00:38:27 -06:00 · 2025-11-11 20:24:45 +07:00 · 2025-11-11 20:24:45 +07:00 · cd8253845f
commit cd8253845f
parent e104803267
8 changed files with 59 additions and 83 deletions
--- a/.github/workflows/Procedure_push_docker_images.yml
+++ b/.github/workflows/Procedure_push_docker_images.yml
@ -146,6 +146,8 @@ jobs:
          wazuh_agent_url_i386_msi: "$(aws s3 presign s3://${{ vars.AWS_S3_BUCKET_DEV }}/development/wazuh/5.x/main/packages/wazuh-agent-5.0.0-${{ inputs.reference }}.i386.msi --expires-in 3600 --region us-west-1)"
          wazuh_agent_url_intel64_pkg: "$(aws s3 presign s3://${{ vars.AWS_S3_BUCKET_DEV }}/development/wazuh/5.x/main/packages/wazuh-agent-5.0.0-${{ inputs.reference }}.intel64.pkg --expires-in 3600 --region us-west-1)"
          wazuh_agent_url_arm64_pkg: "$(aws s3 presign s3://${{ vars.AWS_S3_BUCKET_DEV }}/development/wazuh/5.x/main/packages/wazuh-agent-5.0.0-${{ inputs.reference }}.arm64.pkg --expires-in 3600 --region us-west-1)"
+          wazuh_cert_tool: "$(aws s3 presign s3://${{ vars.AWS_S3_BUCKET_DEV }}/development/wazuh/5.x/secondary/installation-assistant/5.0.0/wazuh-certs-tool.sh --expires-in 3600 --region us-west-1)"
+          wazuh_config_yml: "$(aws s3 presign s3://${{ vars.AWS_S3_BUCKET_DEV }}/development/wazuh/5.x/secondary/installation-assistant/5.0.0/config.yml --expires-in 3600 --region us-west-1)"
          EOF
      working-directory: ./build-docker-images

--- a/build-docker-images/build-images.yml
+++ b/build-docker-images/build-images.yml
@ -8,6 +8,8 @@ services:
        WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION}
        wazuh_manager_url_amd64_rpm: ${wazuh_manager_url_x86_64_rpm}
        wazuh_manager_url_arm64_rpm: ${wazuh_manager_url_aarch64_rpm}
+        wazuh_cert_tool: ${wazuh_cert_tool}
+        wazuh_config_yml: ${wazuh_config_yml}
    image: ${WAZUH_REGISTRY}/wazuh/wazuh-manager:${IMAGE_TAG}
    hostname: wazuh.manager
    restart: always
@ -49,6 +51,8 @@ services:
        WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION}
        wazuh_indexer_url_amd64_rpm: ${wazuh_indexer_url_x86_64_rpm}
        wazuh_indexer_url_arm64_rpm: ${wazuh_indexer_url_aarch64_rpm}
+        wazuh_cert_tool: ${wazuh_cert_tool}
+        wazuh_config_yml: ${wazuh_config_yml}
    image: ${WAZUH_REGISTRY}/wazuh/wazuh-indexer:${IMAGE_TAG}
    hostname: wazuh.indexer
    restart: always
@ -73,6 +77,8 @@ services:
        WAZUH_UI_REVISION: ${WAZUH_UI_REVISION}
        wazuh_dashboard_url_amd64_rpm: ${wazuh_dashboard_url_x86_64_rpm}
        wazuh_dashboard_url_arm64_rpm: ${wazuh_dashboard_url_aarch64_rpm}
+        wazuh_cert_tool: ${wazuh_cert_tool}
+        wazuh_config_yml: ${wazuh_config_yml}
    image: ${WAZUH_REGISTRY}/wazuh/wazuh-dashboard:${IMAGE_TAG}
    hostname: wazuh.dashboard
    restart: always
--- a/build-docker-images/wazuh-dashboard/Dockerfile
+++ b/build-docker-images/wazuh-dashboard/Dockerfile
@ -8,6 +8,8 @@ ARG INSTALL_DIR=/usr/share/wazuh-dashboard
 ARG TARGETARCH
 ARG wazuh_dashboard_url_amd64_rpm
 ARG wazuh_dashboard_url_arm64_rpm
+ARG wazuh_cert_tool
+ARG wazuh_config_yml

 # Update and install dependencies
 RUN URL_VAR="wazuh_dashboard_url_${TARGETARCH}_rpm" && \
--- a/build-docker-images/wazuh-dashboard/config/config.sh
+++ b/build-docker-images/wazuh-dashboard/config/config.sh
@ -7,51 +7,18 @@ export TARGET_DIR=${CURDIR}/debian/${NAME}
 export INSTALLATION_DIR=/usr/share/${NAME}
 export CONFIG_DIR=${INSTALLATION_DIR}/config

-## Variables
-CERT_TOOL=wazuh-certs-tool.sh
-CERT_CONFIG_FILE=config.yml
-CERT_TOOL_VERSION=5.0 #"${WAZUH_VERSION%.*}"
-PACKAGES_URL=https://packages.wazuh.com/$CERT_TOOL_VERSION/
-PACKAGES_DEV_URL=https://packages-dev.wazuh.com/$CERT_TOOL_VERSION/
-
-download_package() {
-    local url=$1
-    local package=$2
-    local output=$2
-    echo "Checking $url$package ..."
-    if curl -fsL "$url$package" -o "$output"; then
-        echo "Downloaded $package from $url"
-        return 0
-    else
-        return 1
-    fi
-}
-
+##############################################################################
+# Downloading Cert Gen Tool
+##############################################################################
+# Variables for certificate generation
+CERT_TOOL="wazuh-certs-tool.sh"
+CERT_CONFIG_FILE="config.yml"
 # Download the tool to create the certificates
 echo "Downloading the tool to create the certificates..."
-# Try first the prod URL, if it fails try the dev URL
-if download_package "$PACKAGES_URL" "$CERT_TOOL"; then
-    :
-elif download_package "$PACKAGES_DEV_URL" "$CERT_TOOL"; then
-    :
-else
-    echo "The tool to create the certificates does not exist in any bucket"
-    echo "ERROR: certificates were not created"
-    exit 1
-fi
-
+curl -fsL "$wazuh_cert_tool" -o $CERT_TOOL
 # Download the config file for the certificate tool
 echo "Downloading the config file for the certificate tool..."
-# Try first the prod URL, if it fails try the dev URL
-if download_package "$PACKAGES_URL" "$CERT_CONFIG_FILE"; then
-    :
-elif download_package "$PACKAGES_DEV_URL" "$CERT_CONFIG_FILE"; then
-    :
-else
-    echo "The config file for the certificate tool does not exist in any bucket"
-    echo "ERROR: certificates were not created"
-    exit 1
-fi
+curl -fsL "$wazuh_config_yml" -o $CERT_CONFIG_FILE

 # Modify the config file to set the IP to localhost
 sed -i 's/  ip:.*/  ip: "127.0.0.1"/' $CERT_CONFIG_FILE
--- a/build-docker-images/wazuh-indexer/Dockerfile
+++ b/build-docker-images/wazuh-indexer/Dockerfile
@ -6,6 +6,8 @@ ARG WAZUH_TAG_REVISION
 ARG TARGETARCH
 ARG wazuh_indexer_url_amd64_rpm
 ARG wazuh_indexer_url_arm64_rpm
+ARG wazuh_cert_tool
+ARG wazuh_config_yml

 COPY config/config.sh .

--- a/build-docker-images/wazuh-indexer/config/config.sh
+++ b/build-docker-images/wazuh-indexer/config/config.sh
@ -18,52 +18,15 @@ export CONFIG_DIR=${INSTALLATION_DIR}/config
 ##############################################################################
 # Downloading Cert Gen Tool
 ##############################################################################
-
-## Variables
-CERT_TOOL=wazuh-certs-tool.sh
-CERT_CONFIG_FILE=config.yml
-CERT_TOOL_VERSION=5.0 #"${WAZUH_VERSION%.*}"
-PACKAGES_URL=https://packages.wazuh.com/$CERT_TOOL_VERSION/
-PACKAGES_DEV_URL=https://packages-dev.wazuh.com/$CERT_TOOL_VERSION/
-
-download_package() {
-    local url=$1
-    local package=$2
-    local output=$2
-    echo "Checking $url$package ..."
-    if curl -fsL "$url$package" -o "$output"; then
-        echo "Downloaded $package from $url"
-        return 0
-    else
-        return 1
-    fi
-}
-
+# Variables for certificate generation
+CERT_TOOL="wazuh-certs-tool.sh"
+CERT_CONFIG_FILE="config.yml"
 # Download the tool to create the certificates
 echo "Downloading the tool to create the certificates..."
-# Try first the prod URL, if it fails try the dev URL
-if download_package "$PACKAGES_URL" "$CERT_TOOL"; then
-    :
-elif download_package "$PACKAGES_DEV_URL" "$CERT_TOOL"; then
-    :
-else
-    echo "The tool to create the certificates does not exist in any bucket"
-    echo "ERROR: certificates were not created"
-    exit 1
-fi
-
+curl -fsL "$wazuh_cert_tool" -o $CERT_TOOL
 # Download the config file for the certificate tool
 echo "Downloading the config file for the certificate tool..."
-# Try first the prod URL, if it fails try the dev URL
-if download_package "$PACKAGES_URL" "$CERT_CONFIG_FILE"; then
-    :
-elif download_package "$PACKAGES_DEV_URL" "$CERT_CONFIG_FILE"; then
-    :
-else
-    echo "The config file for the certificate tool does not exist in any bucket"
-    echo "ERROR: certificates were not created"
-    exit 1
-fi
+curl -fsL "$wazuh_config_yml" -o $CERT_CONFIG_FILE

 # Modify the config file to set the IP to localhost
 sed -i 's/  ip:.*/  ip: "127.0.0.1"/' $CERT_CONFIG_FILE
--- a/build-docker-images/wazuh-manager/Dockerfile
+++ b/build-docker-images/wazuh-manager/Dockerfile
@ -9,6 +9,10 @@ ARG S6_VERSION="v2.2.0.3"
 ARG TARGETARCH
 ARG wazuh_manager_url_amd64_rpm
 ARG wazuh_manager_url_arm64_rpm
+ARG wazuh_cert_tool
+ARG wazuh_config_yml
+
+COPY config/config.sh .

 RUN URL_VAR="wazuh_manager_url_${TARGETARCH}_rpm" && \
    manager_url="${!URL_VAR}" && \
@ -18,6 +22,8 @@ RUN URL_VAR="wazuh_manager_url_${TARGETARCH}_rpm" && \
    dnf install /wazuh-manager.rpm -y && \
    rm -rf /wazuh-manager.rpm && \
    dnf clean all && \
+    chmod 755 /config.sh && \
+    /config.sh && \
    curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
    -o /tmp/s6-overlay-amd64.tar.gz && \
    tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \
--- a/build-docker-images/wazuh-manager/config/config.sh
+++ b/build-docker-images/wazuh-manager/config/config.sh
@ -0,0 +1,28 @@
+##############################################################################
+# Downloading Cert Gen Tool
+##############################################################################
+# Variables for certificate generation
+CERT_TOOL="wazuh-certs-tool.sh"
+CERT_CONFIG_FILE="config.yml"
+CERT_DIR=/var/ossec/etc/certs/
+# Download the tool to create the certificates
+echo "Downloading the tool to create the certificates..."
+curl -fsL "$wazuh_cert_tool" -o $CERT_TOOL
+# Download the config file for the certificate tool
+echo "Downloading the config file for the certificate tool..."
+curl -fsL "$wazuh_config_yml" -o $CERT_CONFIG_FILE
+
+# Modify the config file to set the IP to localhost
+sed -i 's/  ip:.*/  ip: "127.0.0.1"/' $CERT_CONFIG_FILE
+
+chmod 700 "$CERT_CONFIG_FILE"
+# Create the certificates
+chmod 755 "$CERT_TOOL" && bash "$CERT_TOOL" -A
+
+# Copy Wazuh manager certs
+cp -pr /wazuh-certificates/wazuh-1.pem ${CERT_DIR}/wazuh-1.pem
+cp -pr /wazuh-certificates/wazuh-1-key.pem ${CERT_DIR}/wazuh-1-key.pem
+cp -pr /wazuh-certificates/root-ca.key ${CERT_DIR}/root-ca.key
+cp -pr /wazuh-certificates/root-ca.pem ${CERT_DIR}/root-ca.pem
+cp -pr /wazuh-certificates/admin.pem ${CERT_DIR}/admin.pem
+cp -pr /wazuh-certificates/admin-key.pem ${CERT_DIR}/admin-key.pem