Create a GHA workflow to build Wazuh assistant for packages-dev.internal.wazuh.com

[c-bordon]

Objective
wazuh/wazuh-packages#2904

Description

Because of the Wazuh packages redesign tier 2 objective we need to migrate the Wazuh installation assistant-related files from the wazuh-packages repository to this one.
The Wazuh installation assistant, Wazuh password tool, and Wazuh certificates tool are created in pre-release with the publish_unattended pipeline.

Tasks

• Request permission to upload files to the packages-dev.internal.wazuh.com
• Ask the QA team for the location/folder to upload the files.
• Modify the oidc-wazuh-installation-assistant-repository role to only allow performing actions within the packages-dev.internal.wazuh.com in the previously defined folder
• Remove the WAZUH_INSTALLATION_ASSISTANT_VERSION input from the Build Installation Assistant workflow as it will be obtained from the workflow branch in the workflow form or call (using the API)
• Create a new GHA workflow for Builder to Wazuh installation assistant, Wazuh password tool, and Wazuh certificates tool
• This workflow must upload the artifacts to packages-dev.internal.wazuh.com/development/wazuh/4.x/secondary/installation-assistant/4.x.x
• Change the builder.sh to be able to add the commit to the script file name
• Test the Wazuh installation assistant script
• Test the Wazuh password tool script
• Test the Wazuh certificates tool script

Important

The Wazuh installation scripts must have this format wazuh-install.sh, wazuh-certs-tool.sh, and wazuh-passwords-tool.sh
Stage package, for example: wazuh-install.sh
For development package must have commit associate, for example: wazuh-install-f45asg.sh

[Enaraque]

Update report

The process of building the different files has been implemented. The process for uploading the files to the S3 bucket and defining the directory where they will be stored is yet to be defined.

[Enaraque]

Update report

After deciding the names of the files to upload, their proper functionality has been tested.
A new input DEVELOPMENT has been added to determine how to build the files. If this variable is activated, the files will be created with the commit hash added to the current name (e.g., wazuh-install-<hash>.sh) and with the development option (-d) enabled. If this option is not activated, the files will be built with the usual name.

To verify that the files were built correctly, an artifact has been created to check the construction of the files. When the development option is added, the files are built with the hash in the name.

$ ls -la
total 536
drwx------@  5 enriquearaqueespinosa  staff     160 Sep 18 18:45 .
drwxrwxrwx@ 51 enriquearaqueespinosa  staff    1632 Sep 18 18:45 ..
-rw-r--r--@  1 enriquearaqueespinosa  staff   36475 Sep 18 16:44 wazuh-certs-tool-379769d234200b0d23b55befdfb4f976870a8b7d.sh
-rw-r--r--@  1 enriquearaqueespinosa  staff  192228 Sep 18 16:44 wazuh-install-379769d234200b0d23b55befdfb4f976870a8b7d.sh
-rw-r--r--@  1 enriquearaqueespinosa  staff   44178 Sep 18 16:44 wazuh-passwords-tool-379769d234200b0d23b55befdfb4f976870a8b7d.sh

Next steps

Having the path where the artifacts need to be uploaded, the only thing left is to add the steps to upload the files to S3 and tests that the files are build correctly.

[Enaraque]

Update report

The necessary steps to upload the files to S3 have been added. The only thing left is to test that they were built correctly.

[jnasselle]

Update

Please consider the next information, because our package generation script needs an undocumented mandatory input field and behaviors.

Specs:

• Name (proposal. SHOULD HAVE ID)

run-name: Build Installation Assistant ${{ inputs.id }}

• Inputs

      id:
        type: string
        required: false

      id:
        type: string
        description: |
          ID used to identify the workflow uniquely.
        required: false

[Enaraque]

Update report

The file name for the Installation Assistant files has been changed so that, if it is not stage, a shorter commit hash is used to make the file name more readable. The workflow_call event and the id imput have also been added.

Testing

Files execution testing

Once these changes were made, the three files were tested.

Installtion Assistant AIO

[root@vagrant vagrant]# bash wazuh-install-a4d81c1.sh -a
20/09/2024 15:04:12 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.0
20/09/2024 15:04:12 INFO: Verbose logging redirected to /var/log/wazuh-install.log
20/09/2024 15:04:12 INFO: Verifying that your system meets the recommended minimum hardware requirements.
20/09/2024 15:04:12 INFO: Wazuh web interface port will be 443.
20/09/2024 15:04:13 INFO: Wazuh repository added.
20/09/2024 15:04:13 INFO: --- Configuration files ---
20/09/2024 15:04:13 INFO: Generating configuration files.
20/09/2024 15:04:13 INFO: Generating the root certificate.
20/09/2024 15:04:13 INFO: Generating Admin certificates.
20/09/2024 15:04:13 INFO: Generating Wazuh indexer certificates.
20/09/2024 15:04:13 INFO: Generating Filebeat certificates.
20/09/2024 15:04:13 INFO: Generating Wazuh dashboard certificates.
20/09/2024 15:04:13 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
20/09/2024 15:04:13 INFO: --- Wazuh indexer ---
20/09/2024 15:04:13 INFO: Starting Wazuh indexer installation.
20/09/2024 15:04:43 INFO: Wazuh indexer installation finished.
20/09/2024 15:04:43 INFO: Wazuh indexer post-install configuration finished.
20/09/2024 15:04:43 INFO: Starting service wazuh-indexer.
20/09/2024 15:05:23 INFO: wazuh-indexer service started.
20/09/2024 15:05:23 INFO: Initializing Wazuh indexer cluster security settings.
20/09/2024 15:05:36 INFO: Wazuh indexer cluster security configuration initialized.
20/09/2024 15:05:36 INFO: Wazuh indexer cluster initialized.
20/09/2024 15:05:36 INFO: --- Wazuh server ---
20/09/2024 15:05:36 INFO: Starting the Wazuh manager installation.
20/09/2024 15:05:59 INFO: Wazuh manager installation finished.
20/09/2024 15:05:59 INFO: Wazuh manager vulnerability detection configuration finished.
20/09/2024 15:05:59 INFO: Starting service wazuh-manager.
20/09/2024 15:06:13 INFO: wazuh-manager service started.
20/09/2024 15:06:13 INFO: Checking Wazuh API connection
20/09/2024 15:06:14 INFO: Wazuh API connection successful
20/09/2024 15:06:14 INFO: Starting Filebeat installation.
20/09/2024 15:06:14 INFO: Another process is using YUM. Waiting for it to release the lock. Next retry in 30 seconds (1/10)
20/09/2024 15:06:58 INFO: Filebeat installation finished.
20/09/2024 15:06:59 INFO: Filebeat post-install configuration finished.
20/09/2024 15:06:59 INFO: Starting service filebeat.
20/09/2024 15:06:59 INFO: filebeat service started.
20/09/2024 15:06:59 INFO: Checking Filebeat connection
20/09/2024 15:06:59 INFO: Filebeat connection successful
20/09/2024 15:06:59 INFO: --- Wazuh dashboard ---
20/09/2024 15:06:59 INFO: Starting Wazuh dashboard installation.
20/09/2024 15:07:42 INFO: Wazuh dashboard installation finished.
20/09/2024 15:07:42 INFO: Wazuh dashboard post-install configuration finished.
20/09/2024 15:07:42 INFO: Starting service wazuh-dashboard.
20/09/2024 15:07:42 INFO: wazuh-dashboard service started.
20/09/2024 15:07:43 INFO: Updating the internal users.
20/09/2024 15:07:56 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
20/09/2024 15:08:12 INFO: The filebeat.yml file has been updated to use the Filebeat Keystore username and password.
20/09/2024 15:08:49 INFO: Initializing Wazuh dashboard web application.
20/09/2024 15:08:50 INFO: Wazuh dashboard web application initialized.
20/09/2024 15:08:50 INFO: --- Summary ---
20/09/2024 15:08:50 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
    User: admin
    Password: xxxxx
20/09/2024 15:08:50 INFO: Installation finished.

Wazuh-password-tool

[root@vagrant vagrant]# bash wazuh-passwords-tool-a4d81c1.sh -a -A -au wazuh -ap xxxx
20/09/2024 15:11:46 INFO: Updating the internal users.
20/09/2024 15:11:58 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
20/09/2024 15:12:14 INFO: The filebeat.yml file has been updated to use the Filebeat Keystore username and password.
20/09/2024 15:12:45 INFO: The password for user admin is 7OBjgPlCERBP?6pDoiiCC7TO*r7*M*sA
20/09/2024 15:12:45 INFO: The password for user anomalyadmin is UG4GvWwsbBHfK9.8IrRHULkTNMgFBrto
20/09/2024 15:12:45 INFO: The password for user kibanaserver is TBU0pH9SehUnTi.KWl?0lQ7a4MOY?BX?
20/09/2024 15:12:45 INFO: The password for user kibanaro is IF.gpl+M3a+*qDZu5.6o9oG*FA?JImgt
20/09/2024 15:12:45 INFO: The password for user logstash is q*?ldM.*hUA0BUdbQWPJAxntq953rfyQ
20/09/2024 15:12:45 INFO: The password for user readall is GMHgSmAEH9ikktX*3S+9FehJ*fP5sC?Y
20/09/2024 15:12:45 INFO: The password for user snapshotrestore is iXT5?*6inj5f6nrjuYXmzZgUAHGBA2LR
20/09/2024 15:12:45 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.
20/09/2024 15:12:47 INFO: The password for Wazuh API user wazuh is n.VqwSYSn10JrJAkyMWYngAmPhh39T*r
20/09/2024 15:12:47 INFO: The password for Wazuh API user wazuh-wui is ?xsrhzi2NbS+OsSJqXXF4ZP*I79qdOhZ
20/09/2024 15:12:47 INFO: Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service.

wazuh-cets-tool

[root@vagrant vagrant]# bash wazuh-certs-tool-a4d81c1.sh -A -v
20/09/2024 15:14:57 INFO: Verbose logging redirected to /home/vagrant/wazuh-certificates-tool.log
20/09/2024 15:14:57 DEBUG: Reading configuration file.
20/09/2024 15:14:57 DEBUG: Checking if 127.0.0.1 is private.
20/09/2024 15:14:57 DEBUG: Checking if 127.0.0.1 is private.
20/09/2024 15:14:57 DEBUG: Checking if 127.0.0.1 is private.
20/09/2024 15:14:57 DEBUG: Checking if the root CA exists.
20/09/2024 15:14:57 INFO: Generating the root certificate.
20/09/2024 15:14:57 INFO: Generating Admin certificates.
20/09/2024 15:14:57 DEBUG: Generating Admin private key.
20/09/2024 15:14:57 DEBUG: Converting Admin private key to PKCS8 format.
20/09/2024 15:14:57 DEBUG: Generating Admin CSR.
20/09/2024 15:14:57 DEBUG: Creating Admin certificate.
20/09/2024 15:14:57 INFO: Admin certificates created.
20/09/2024 15:14:57 INFO: Generating Wazuh indexer certificates.
20/09/2024 15:14:57 DEBUG: Creating the certificates for node-1 indexer node.
20/09/2024 15:14:57 DEBUG: Generating certificate configuration.
20/09/2024 15:14:57 DEBUG: Creating the Wazuh indexer tmp key pair.
20/09/2024 15:14:57 DEBUG: Creating the Wazuh indexer certificates.
20/09/2024 15:14:57 INFO: Wazuh indexer certificates created.
20/09/2024 15:14:57 INFO: Generating Filebeat certificates.
20/09/2024 15:14:57 DEBUG: Generating the certificates for wazuh-1 server node.
20/09/2024 15:14:57 DEBUG: Generating certificate configuration.
20/09/2024 15:14:57 DEBUG: Creating the Wazuh server tmp key pair.
20/09/2024 15:14:57 DEBUG: Creating the Wazuh server certificates.
20/09/2024 15:14:57 INFO: Wazuh Filebeat certificates created.
20/09/2024 15:14:57 INFO: Generating Wazuh dashboard certificates.
20/09/2024 15:14:57 DEBUG: Generating certificate configuration.
20/09/2024 15:14:57 DEBUG: Creating the Wazuh dashboard tmp key pair.
20/09/2024 15:14:57 DEBUG: Creating the Wazuh dashboard certificates.
20/09/2024 15:14:57 INFO: Wazuh dashboard certificates created.
20/09/2024 15:14:57 DEBUG: Cleaning certificate files.

Workflow testing

The workflow has been tested with the is stage option and without it. This was done to verify that the files are generated correctly and to check whether the corresponding commit hash is added to the files uploaded to S3 for the workflow without the is stage option.

• Workflow with stage option: https://github.com/wazuh/wazuh-installation-assistant/actions/runs/10962254788
• Workflow without stage option: https://github.com/wazuh/wazuh-installation-assistant/actions/runs/10962280940

[Enaraque]

Update report

After #63 was merged, everything was tested again to ensure it works correctly.

Testing

The behavior was retested by creating an AIO, generating new certificates, and changing all the passwords.

Installation Assistant AIO (development mode with 4.9.0)

$ bash wazuh-install-71882dd.sh -d -a
24/09/2024 15:04:44 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.0
24/09/2024 15:04:44 INFO: Verbose logging redirected to /var/log/wazuh-install.log
24/09/2024 15:04:55 INFO: Using Filebeat template from master branch.
24/09/2024 15:04:55 INFO: Verifying that your system meets the recommended minimum hardware requirements.
24/09/2024 15:04:55 INFO: Wazuh web interface port will be 443.
24/09/2024 15:05:10 INFO: Wazuh development repository added.
24/09/2024 15:05:10 INFO: --- Configuration files ---
24/09/2024 15:05:10 INFO: Generating configuration files.
24/09/2024 15:05:11 INFO: Generating the root certificate.
24/09/2024 15:05:11 INFO: Generating Admin certificates.
24/09/2024 15:05:11 INFO: Generating Wazuh indexer certificates.
24/09/2024 15:05:12 INFO: Generating Filebeat certificates.
24/09/2024 15:05:12 INFO: Generating Wazuh dashboard certificates.
24/09/2024 15:05:13 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
24/09/2024 15:05:13 INFO: --- Wazuh indexer ---
24/09/2024 15:05:13 INFO: Starting Wazuh indexer installation.
24/09/2024 15:06:10 INFO: Wazuh indexer installation finished.
24/09/2024 15:06:10 INFO: Wazuh indexer post-install configuration finished.
24/09/2024 15:06:10 INFO: Starting service wazuh-indexer.
24/09/2024 15:06:35 INFO: wazuh-indexer service started.
24/09/2024 15:06:35 INFO: Initializing Wazuh indexer cluster security settings.
24/09/2024 15:06:44 INFO: Wazuh indexer cluster security configuration initialized.
24/09/2024 15:06:44 INFO: Wazuh indexer cluster initialized.
24/09/2024 15:06:44 INFO: --- Wazuh server ---
24/09/2024 15:06:44 INFO: Starting the Wazuh manager installation.
24/09/2024 15:08:32 INFO: Wazuh manager installation finished.
24/09/2024 15:08:32 INFO: Wazuh manager vulnerability detection configuration finished.
24/09/2024 15:08:32 INFO: Starting service wazuh-manager.
24/09/2024 15:08:55 INFO: wazuh-manager service started.
24/09/2024 15:08:55 INFO: Checking Wazuh API connection
24/09/2024 15:08:55 INFO: Attempt 1: Checking the Wazuh API to be ready
24/09/2024 15:09:01 INFO: Wazuh API is ready to receive requests.
24/09/2024 15:09:01 INFO: Wazuh API connection successful
24/09/2024 15:09:01 INFO: Starting Filebeat installation.
24/09/2024 15:09:21 INFO: Filebeat installation finished.
24/09/2024 15:09:23 INFO: Filebeat post-install configuration finished.
24/09/2024 15:09:24 INFO: Starting service filebeat.
24/09/2024 15:09:25 INFO: filebeat service started.
24/09/2024 15:09:25 INFO: Checking Filebeat connection
24/09/2024 15:09:25 INFO: Filebeat connection successful
24/09/2024 15:09:25 INFO: --- Wazuh dashboard ---
24/09/2024 15:09:25 INFO: Starting Wazuh dashboard installation.
24/09/2024 15:11:47 INFO: Wazuh dashboard installation finished.
24/09/2024 15:11:47 INFO: Wazuh dashboard post-install configuration finished.
24/09/2024 15:11:47 INFO: Starting service wazuh-dashboard.
24/09/2024 15:11:48 INFO: wazuh-dashboard service started.
24/09/2024 15:11:50 INFO: Updating the internal users.
24/09/2024 15:11:58 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
24/09/2024 15:12:15 INFO: The filebeat.yml file has been updated to use the Filebeat Keystore username and password.
24/09/2024 15:12:56 INFO: Initializing Wazuh dashboard web application.
24/09/2024 15:12:56 INFO: Wazuh dashboard web application not yet initialized. Waiting...
24/09/2024 15:13:11 INFO: Wazuh dashboard web application not yet initialized. Waiting...
24/09/2024 15:13:26 INFO: Wazuh dashboard web application initialized.
24/09/2024 15:13:26 INFO: --- Summary ---
24/09/2024 15:13:26 INFO: You can access the web interface https://<wazuh-dashboard-ip>:443
    User: admin
    Password: k.iZlWsAD9P7rbmTSDtn4eEIY+v6VnED
24/09/2024 15:13:26 INFO: Installation finished.

Wazuh-password-tool

$ bash wazuh-passwords-tool-71882dd.sh -a -A -au wazuh -ap LyDjo1p9yH1iE+s3VJG?F75YAXwysP++
24/09/2024 16:02:07 INFO: Updating the internal users.
24/09/2024 16:02:15 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
24/09/2024 16:02:37 INFO: The filebeat.yml file has been updated to use the Filebeat Keystore username and password.
24/09/2024 16:03:17 INFO: The password for user admin is F1Ci4bzSAr5Nt0FgekDWlu?5k8*t+tJ+
24/09/2024 16:03:17 INFO: The password for user anomalyadmin is ICFDrnUfmCnqeYs?60z854*rllk7qgr+
24/09/2024 16:03:17 INFO: The password for user kibanaserver is Ex8O2lWwpD2bw1ERSkdPt5b*jjD80BN9
24/09/2024 16:03:17 INFO: The password for user kibanaro is ETh0xr.d?FFKS?l42iXg?fOunRC0iWTj
24/09/2024 16:03:17 INFO: The password for user logstash is MXYU.N1dmBy?*7XF19mzkg0G.HQOxWdM
24/09/2024 16:03:17 INFO: The password for user readall is TWBq3w7PjXgHJL?3vLBZvE3sIG2JhJz7
24/09/2024 16:03:17 INFO: The password for user snapshotrestore is SxZe5QrO?RpL39Vj02q+p.?e24SSWa96
24/09/2024 16:03:17 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.
24/09/2024 16:03:21 INFO: The password for Wazuh API user wazuh is 3wlTNjFTFJ3w.erN9+eSTCpRTAA00?q4
24/09/2024 16:03:22 INFO: The password for Wazuh API user wazuh-wui is 75+NccUk60f?S*4TZoMf+QRGWpV*ez+C
24/09/2024 16:03:22 INFO: Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service.

Wazuh-certs-tool

$ bash wazuh-certs-tool-71882dd.sh -A -v
24/09/2024 16:06:21 INFO: Verbose logging redirected to /home/ubuntu/4.10.0/wazuh-certificates-tool.log
24/09/2024 16:06:21 DEBUG: Reading configuration file.
24/09/2024 16:06:21 DEBUG: Checking if 127.0.0.1 is private.
24/09/2024 16:06:21 DEBUG: Checking if 127.0.0.1 is private.
24/09/2024 16:06:21 DEBUG: Checking if 127.0.0.1 is private.
24/09/2024 16:06:22 DEBUG: Checking if the root CA exists.
24/09/2024 16:06:22 INFO: Generating the root certificate.
24/09/2024 16:06:22 INFO: Generating Admin certificates.
24/09/2024 16:06:22 DEBUG: Generating Admin private key.
24/09/2024 16:06:23 DEBUG: Converting Admin private key to PKCS8 format.
24/09/2024 16:06:23 DEBUG: Generating Admin CSR.
24/09/2024 16:06:23 DEBUG: Creating Admin certificate.
24/09/2024 16:06:23 INFO: Admin certificates created.
24/09/2024 16:06:23 INFO: Generating Wazuh indexer certificates.
24/09/2024 16:06:23 DEBUG: Creating the certificates for wazuh-indexer indexer node.
24/09/2024 16:06:23 DEBUG: Generating certificate configuration.
24/09/2024 16:06:23 DEBUG: Creating the Wazuh indexer tmp key pair.
24/09/2024 16:06:23 DEBUG: Creating the Wazuh indexer certificates.
24/09/2024 16:06:23 INFO: Wazuh indexer certificates created.
24/09/2024 16:06:23 INFO: Generating Filebeat certificates.
24/09/2024 16:06:23 DEBUG: Generating the certificates for wazuh-server server node.
24/09/2024 16:06:23 DEBUG: Generating certificate configuration.
24/09/2024 16:06:23 DEBUG: Creating the Wazuh server tmp key pair.
24/09/2024 16:06:24 DEBUG: Creating the Wazuh server certificates.
24/09/2024 16:06:24 INFO: Wazuh Filebeat certificates created.
24/09/2024 16:06:24 INFO: Generating Wazuh dashboard certificates.
24/09/2024 16:06:24 DEBUG: Generating certificate configuration.
24/09/2024 16:06:24 DEBUG: Creating the Wazuh dashboard tmp key pair.
24/09/2024 16:06:24 DEBUG: Creating the Wazuh dashboard certificates.
24/09/2024 16:06:24 INFO: Wazuh dashboard certificates created.
24/09/2024 16:06:24 DEBUG: Cleaning certificate files.

$ ls -la wazuh-certificates
total 48
drwxr--r-- 2 root   root   4096 Sep 24 16:06 .
drwx------ 3 ubuntu ubuntu 4096 Sep 24 16:06 ..
-rwxr--r-- 1 root   root   1704 Sep 24 16:06 admin-key.pem
-rwxr--r-- 1 root   root   1119 Sep 24 16:06 admin.pem
-rwxr--r-- 1 root   root   1704 Sep 24 16:06 root-ca.key
-rwxr--r-- 1 root   root   1204 Sep 24 16:06 root-ca.pem
-rwxr--r-- 1 root   root   1704 Sep 24 16:06 wazuh-dashboard-key.pem
-rwxr--r-- 1 root   root   1289 Sep 24 16:06 wazuh-dashboard.pem
-rwxr--r-- 1 root   root   1700 Sep 24 16:06 wazuh-indexer-key.pem
-rwxr--r-- 1 root   root   1285 Sep 24 16:06 wazuh-indexer.pem
-rwxr--r-- 1 root   root   1704 Sep 24 16:06 wazuh-server-key.pem
-rwxr--r-- 1 root   root   1285 Sep 24 16:06 wazuh-server.pem

Workflow testing

A new workflow was also run (from which the files used for testing were obtained) to verify that it executes successfully.

• https://github.com/wazuh/wazuh-installation-assistant/actions/runs/11016130419