Upgrade Wazuh installed in Kubernetes
Checking which files are exported to the volume
Our Kubernetes deployment uses our Wazuh images from Docker. If we look at the following code extracted from the Wazuh configuration using Docker, we can see which directories and files are used in the upgrade.
/var/ossec/api/configuration
/var/ossec/etc
/var/ossec/logs
/var/ossec/queue
/var/ossec/var/multigroups
/var/ossec/integrations
/var/ossec/active-response/bin
/var/ossec/agentless
/var/ossec/wodles
/etc/filebeat
/var/lib/filebeat
/usr/share/wazuh-dashboard/config/
/usr/share/wazuh-dashboard/certs/
/var/lib/wazuh-indexer
/usr/share/wazuh-indexer/certs/
/usr/share/wazuh-indexer/opensearch.yml
/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
Any modification related to these files will also be made in the associated volume. When the replica pod is created, it will get those files from the volume, keeping the previous changes.
Recreating certificates
Upgrading from a version earlier than v4.8.0 requires you to recreate the SSL certificates. Clone the wazuh-kubernetes repository and check out the v4.10.1 tag. Then, follow the instructions in Setup SSL certificates.
Configuring the upgrade
To upgrade to version 4.10, you can follow one of two strategies.
Using default manifests: This strategy uses the default manifests for Wazuh 4.10. It replaces the wazuh-kubernetes manifests of your outdated Wazuh version.
Keeping custom manifests: This strategy preserves the wazuh-kubernetes manifests of your outdated Wazuh deployment. It ignores the manifests of the latest Wazuh version.
Using default manifests
Check out the tag for the current version of wazuh-kubernetes:
# git checkout v4.10.1
Next, apply the new configuration.
Keeping custom manifests
To upgrade your deployment keeping your custom manifests, do the following.
If you are upgrading from version 4.3, update the Java Opts variable name with the new one.
If you are upgrading from version 4.3, update old paths with the new ones.
If you are upgrading from a version earlier than 4.8, update configuration parameters.
Next, apply the new configuration.
Updating Java Opts variable name
If you are upgrading from version 4.3, you must replace ES_JAVA_OPTS with OPENSEARCH_JAVA_OPTS and modify the value.
wazuh/wazuh_managers/wazuh-master-sts.yaml
env:
  - name: OPENSEARCH_JAVA_OPTS
    value: '-Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true'
Updating old paths
Wazuh dashboard
Edit wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml and do the following replacements.
Replace /usr/share/wazuh-dashboard/config/certs/ with /usr/share/wazuh-dashboard/certs/.
Edit wazuh/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml and do the following replacements.
Replace /usr/share/wazuh-dashboard/config/certs/ with /usr/share/wazuh-dashboard/certs/.
Wazuh indexer
Edit wazuh/indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml and do the following replacements.
Replace /usr/share/wazuh-indexer/config/certs/ with /usr/share/wazuh-indexer/certs/.
Replace /usr/share/wazuh-indexer/config/opensearch.yml with /usr/share/wazuh-indexer/opensearch.yml.
Replace /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ with /usr/share/wazuh-indexer/opensearch-security/.
Edit wazuh/indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml and do the following replacements.
Replace /usr/share/wazuh-indexer/config/certs/ with /usr/share/wazuh-indexer/certs/.
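The replacements in "Updating Java Opts variable name" and "Updating old paths" can be verified before the new configuration is applied. The following is an added example, not part of the Wazuh documentation or the wazuh-kubernetes repository: a shell check that fails while a custom manifest still contains one of the legacy strings listed above. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the wazuh-kubernetes repository: pre-flight check
# for custom manifests. LEGACY holds the strings this page says to replace.
LEGACY='ES_JAVA_OPTS
/usr/share/wazuh-dashboard/config/certs/
/usr/share/wazuh-indexer/config/certs/
/usr/share/wazuh-indexer/config/opensearch.yml
/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/'

# Print "file:line:text" for each legacy reference in YAML files under $1.
find_stale_refs() {
    # -F matches fixed strings; /dev/null forces grep to print file names.
    find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) \
        -exec grep -nF -e "$LEGACY" /dev/null {} +
}

# Return 0 when clean, 1 when legacy references remain, 2 on a bad path.
check_manifests() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    hits=$(find_stale_refs "$1" || true)   # grep exits 1 when nothing matches
    [ -z "$hits" ] && return 0
    printf 'Legacy references still present:\n%s\n' "$hits" >&2
    return 1
}

# Constructed sample tree (hypothetical content) containing two stale lines.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/indexer" "$d/dashboard"
    printf '%s\n' 'env:' '  - name: ES_JAVA_OPTS' \
        "    value: '-Xms1g -Xmx1g'" > "$d/indexer/indexer-sts.yaml"
    printf '%s\n' \
        'server.ssl.key: /usr/share/wazuh-dashboard/certs/key.pem' \
        'server.ssl.certificate: /usr/share/wazuh-dashboard/config/certs/cert.pem' \
        > "$d/dashboard/opensearch_dashboards.yml"
    echo "$d"
}

# Demo: the sample fails the check; point it at your wazuh/ directory instead.
sample=$(make_sample)
check_manifests "$sample" || echo "Fix the manifests before kubectl apply -k"
rm -rf "$sample"
```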
Updating configuration parameters
Update the defaultRoute parameter in the Wazuh dashboard configuration.
wazuh/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml
uiSettings.overrides.defaultRoute: /app/wz-home
Edit opensearch.yml and modify CN for Wazuh indexer.
wazuh/indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml
plugins.security.nodes_dn:
  - CN=indexer,O=Company,L=California,C=US
Edit the following files and modify all Wazuh indexer URLs in the deployment.
wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml
env:
  - name: INDEXER_URL
    value: 'https://indexer:9200'
wazuh/wazuh_managers/wazuh-master-sts.yaml
env:
  - name: INDEXER_URL
    value: 'https://indexer:9200'
wazuh/wazuh_managers/wazuh-worker-sts.yaml
env:
  - name: INDEXER_URL
    value: 'https://indexer:9200'
Edit the following files of the v4.10.1 tag and apply all the customizations from your Wazuh manager ossec.conf file.
wazuh/wazuh_managers/wazuh_conf/master.conf
wazuh/wazuh_managers/wazuh_conf/worker.conf
Apply the new configuration
The last step is to apply the new configuration:
EKS cluster
$ kubectl apply -k envs/eks/
Other cluster types
$ kubectl apply -k envs/local-env/
statefulset.apps "wazuh-manager-master" configured
This process will end the old pod while creating a new one with the new version, linked to the same volume. Once the Pods are booted, the update will be ready, and we can check the new version of Wazuh installed, the cluster, and the changes that have been maintained through the use of the volumes.