Merge with master

build-scripts/assemble.sh

@@ -366,16 +366,8 @@ function assemble_deb() {
 
     # Extract min-package. Creates usr/, etc/ and var/ in the current directory
     echo "Extract ${ARTIFACT_BUILD_NAME} archive"
-    # Extracts code
     ar xf "${ARTIFACT_BUILD_NAME}" data.tar.gz
     tar zvxf data.tar.gz
-    # Extracts debian control files (preinst, postrm, ...)
-    # We need to use some custom files, otherwise debuild fails
-    mv "./debian/control" "./debian/wazuh-control"
-    ar xf "${ARTIFACT_BUILD_NAME}" control.tar.gz
-    tar zvxf control.tar.gz -C "debian"
-    mv "./debian/wazuh-control" "./debian/control"
-    rm "./debian/conffiles"
 
     local version
     version=$(cat ./usr/share/wazuh-indexer/VERSION)

distribution/packages/src/common/scripts/install-demo-certificates.sh

@@ -0,0 +1,54 @@
+#!/bin/sh
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# The OpenSearch Contributors require contributions made to
+# this file be licensed under the Apache-2.0 license or a
+# compatible open source license.
+
+# Directories
+TMP_DIR="/tmp/wazuh-indexer/certs"
+CERTS_DIR="/etc/wazuh-indexer/certs"
+
+# Create directories
+mkdir -p "$TMP_DIR"
+
+# Root CA
+openssl genrsa -out "$TMP_DIR/root-ca-key-temp.pem" 2048
+openssl req -new -x509 -sha256 -key "$TMP_DIR/root-ca-key-temp.pem" -subj "/OU=Wazuh/O=Wazuh/L=California/" -out "$TMP_DIR/root-ca.pem" -days 3650
+
+# Admin cert
+openssl genrsa -out "$TMP_DIR/admin-key-temp.pem" 2048
+openssl pkcs8 -inform PEM -outform PEM -in "$TMP_DIR/admin-key-temp.pem" -topk8 -nocrypt -v1 PBE-SHA1-3DES -out "$TMP_DIR/admin-key.pem"
+openssl req -new -key "$TMP_DIR/admin-key.pem" -subj "/C=US/L=California/O=Wazuh/OU=Wazuh/CN=admin" -out "$TMP_DIR/admin.csr"
+openssl x509 -req -in "$TMP_DIR/admin.csr" -CA "$TMP_DIR/root-ca.pem" -CAkey "$TMP_DIR/root-ca-key-temp.pem" -CAcreateserial -sha256 -out "$TMP_DIR/admin.pem" -days 3650
+
+# Node cert
+openssl genrsa -out "$TMP_DIR/indexer-key-temp.pem" 2048
+openssl pkcs8 -inform PEM -outform PEM -in "$TMP_DIR/indexer-key-temp.pem" -topk8 -nocrypt -v1 PBE-SHA1-3DES -out "$TMP_DIR/indexer-key.pem"
+openssl req -new -key "$TMP_DIR/indexer-key.pem" -subj "/C=US/L=California/O=Wazuh/OU=Wazuh/CN=node-0.wazuh.indexer" -out "$TMP_DIR/indexer.csr"
+cat <<'INDEXER_EXT' >$TMP_DIR/indexer.ext
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = localhost
+DNS.2 = *.wazuh.indexer
+RID.1 = 1.2.3.4.5
+IP.1 = 127.0.0.1
+IP.2 =  0:0:0:0:0:0:0:1
+INDEXER_EXT
+
+openssl x509 -req -in "$TMP_DIR/indexer.csr" -CA "$TMP_DIR/root-ca.pem" -CAkey "$TMP_DIR/root-ca-key-temp.pem" -CAcreateserial -sha256 -out "$TMP_DIR/indexer.pem" -days 3650 -extfile "$TMP_DIR/indexer.ext"
+
+# Cleanup temporary files
+rm "$TMP_DIR/"*.csr "$TMP_DIR"/*.ext "$TMP_DIR"/*.srl "$TMP_DIR"/*-temp.pem
+
+# Move certs to permanent location
+mkdir -p "$CERTS_DIR"
+mv "$TMP_DIR"/* "$CERTS_DIR/"
+
+chmod 500 "$CERTS_DIR"
+chmod 400 "$CERTS_DIR"/*
+chown -R wazuh-indexer:wazuh-indexer "$CERTS_DIR"
+
+# Cleanup /tmp directory
+rm -r "$TMP_DIR"

distribution/packages/src/deb/debian/postinst

@@ -32,7 +32,6 @@ chown -R wazuh-indexer:wazuh-indexer ${data_dir}
 chown -R wazuh-indexer:wazuh-indexer ${pid_dir}
 chown -R wazuh-indexer:wazuh-indexer ${tmp_dir}
 
-
 export OPENSEARCH_PATH_CONF=${OPENSEARCH_PATH_CONF:-${config_dir}}
 # Apply Performance Analyzer settings, as per https://github.com/opensearch-project/opensearch-build/blob/2.18.0/scripts/pkg/build_templates/current/opensearch/deb/debian/postinst#L28-L37
 if ! grep -q '## OpenSearch Performance Analyzer' "$OPENSEARCH_PATH_CONF/jvm.options"; then
@@ -44,28 +43,34 @@ if ! grep -q '## OpenSearch Performance Analyzer' "$OPENSEARCH_PATH_CONF/jvm.opt
         echo "-Djdk.attach.allowAttachSelf=true"
         echo "-Djava.security.policy=file://$OPENSEARCH_PATH_CONF/opensearch-performance-analyzer/opensearch_security.policy"
         echo "--add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED"
-    } >> "$OPENSEARCH_PATH_CONF/jvm.options"
+    } >>"$OPENSEARCH_PATH_CONF/jvm.options"
 fi
 
 # Reload systemctl daemon
-if command -v systemctl > /dev/null; then
+if command -v systemctl >/dev/null; then
     systemctl daemon-reload
 fi
 
 # Reload other configs
-if command -v systemctl > /dev/null; then
+if command -v systemctl >/dev/null; then
     systemctl restart systemd-sysctl.service || true
 fi
 
-if command -v systemd-tmpfiles > /dev/null; then
+if command -v systemd-tmpfiles >/dev/null; then
     systemd-tmpfiles --create wazuh-indexer.conf
 fi
 
+if ! [ -d "${config_dir}/certs" ] && [ -f "${product_dir}/plugins/opensearch-security/tools/install-demo-certificates.sh" ]; then
+    echo "No certificates detected in ${config_dir}, installing demo certificates..."
+    echo "### If you are using a custom certificates path, ignore this message."
+    bash "${product_dir}/plugins/opensearch-security/tools/install-demo-certificates.sh" >"${log_dir}/install_demo_certificates.log" 2>&1
+fi
+
 if [ -f $restart_service ]; then
     rm -f $restart_service
     echo "Restarting wazuh-indexer service..."
-    if command -v systemctl > /dev/null; then
-        systemctl restart wazuh-indexer.service > /dev/null 2>&1
+    if command -v systemctl >/dev/null; then
+        systemctl restart wazuh-indexer.service >/dev/null 2>&1
     fi
     exit 0
 fi

distribution/packages/src/rpm/wazuh-indexer.rpm.spec

@@ -207,6 +207,12 @@ if command -v systemd-tmpfiles > /dev/null; then
     systemd-tmpfiles --create %{name}.conf
 fi
 
+if ! [ -d %{config_dir}/certs ] && [ -f %{product_dir}/plugins/opensearch-security/tools/install-demo-certificates.sh ]; then
+    echo "No certificates detected in %{config_dir}, installing demo certificates..."
+    echo "### If you are using a custom certificates path, ignore this message."
+    bash %{product_dir}/plugins/opensearch-security/tools/install-demo-certificates.sh > %{log_dir}/install_demo_certificates.log 2>&1
+fi
+
 if [ -f %{tmp_dir}/wazuh-indexer.restart ]; then
     rm -f %{tmp_dir}/wazuh-indexer.restart
     if command -v systemctl > /dev/null; then

test-tools/Vagrantfile

@@ -19,7 +19,7 @@ Vagrant.configure("2") do |config|
             systemctl stop firewalld
             systemctl disable firewalld
             yum clean all
-            yum install curl jq unzip tar -y
+            yum install jq unzip tar -y
             # Add node-2 to /etc/hosts
             echo "192.168.56.11 node-2" >> /etc/hosts
             # Copy generated certificates