Upgrade Wazuh installed in Kubernetes

Checking which files are exported to the volume

The Kubernetes deployment uses the Wazuh Docker images. The following list, extracted from the Wazuh Docker configuration, shows which directories and files are exported to the volume and used in the upgrade.

/var/ossec/api/configuration
/var/ossec/etc
/var/ossec/logs
/var/ossec/queue
/var/ossec/var/multigroups
/var/ossec/integrations
/var/ossec/active-response/bin
/var/ossec/agentless
/var/ossec/wodles
/etc/filebeat
/var/lib/filebeat
/usr/share/wazuh-dashboard/config/
/usr/share/wazuh-dashboard/certs/
/var/lib/wazuh-indexer
/usr/share/wazuh-indexer/certs/
/usr/share/wazuh-indexer/opensearch.yml
/usr/share/wazuh-indexer/opensearch-security/internal_users.yml

Any modification related to these files will also be made in the associated volume. When the replica pod is created, it will get those files from the volume, keeping the previous changes.

Recreating certificates

Upgrading from a version earlier than v4.8.0 requires you to recreate the SSL certificates. Clone the wazuh-kubernetes repository and check out the v4.10.1 tag. Then, follow the instructions in Setup SSL certificates.

Configuring the upgrade

To upgrade to version 4.10, you can follow one of two strategies.

  • Using default manifests: This strategy uses the default manifests for Wazuh 4.10. It replaces the wazuh-kubernetes manifests of your outdated Wazuh version.

  • Keeping custom manifests: This strategy preserves the wazuh-kubernetes manifests of your outdated Wazuh deployment. It ignores the manifests of the latest Wazuh version.

Using default manifests

  1. Check out the tag for the current version of wazuh-kubernetes:

    # git checkout v4.10.1
    

Next, apply the new configuration.

Keeping custom manifests

To upgrade your deployment keeping your custom manifests, do the following.

  1. If you are upgrading from version 4.3, update the Java Opts variable name with the new one.

  2. If you are upgrading from version 4.3, update old paths with the new ones.

  3. If you are upgrading from a version earlier than 4.8, update configuration parameters.

  4. Modify tags of Wazuh images.

Next, apply the new configuration.

Updating Java Opts variable name

  1. If you are upgrading from version 4.3, you must replace ES_JAVA_OPTS with OPENSEARCH_JAVA_OPTS and modify the value.

    • wazuh/wazuh_managers/wazuh-master-sts.yaml

      env:
        - name: OPENSEARCH_JAVA_OPTS
          value: '-Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true'
      

Updating old paths

Wazuh dashboard

  1. Edit wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml and do the following replacements.

    • Replace /usr/share/wazuh-dashboard/config/certs/ with /usr/share/wazuh-dashboard/certs/.

  2. Edit wazuh/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml and do the following replacements.

    • Replace /usr/share/wazuh-dashboard/config/certs/ with /usr/share/wazuh-dashboard/certs/.

Wazuh indexer

  1. Edit wazuh/indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml and do the following replacements.

    • Replace /usr/share/wazuh-indexer/config/certs/ with /usr/share/wazuh-indexer/certs/.

    • Replace /usr/share/wazuh-indexer/config/opensearch.yml with /usr/share/wazuh-indexer/opensearch.yml.

    • Replace /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ with /usr/share/wazuh-indexer/opensearch-security/.

  2. Edit wazuh/indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml and do the following replacements.

    • Replace /usr/share/wazuh-indexer/config/certs/ with /usr/share/wazuh-indexer/certs/.

Updating configuration parameters

  1. Update the defaultRoute parameter in the Wazuh dashboard configuration.

    • wazuh/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml

      uiSettings.overrides.defaultRoute: /app/wz-home
      
  2. Edit opensearch.yml and modify CN for Wazuh indexer.

    • wazuh/indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml

      plugins.security.nodes_dn:
        - CN=indexer,O=Company,L=California,C=US
      
  3. Edit the following files and modify all Wazuh indexer URLs in the deployment.

    • wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml

      env:
        - name: INDEXER_URL
          value: 'https://indexer:9200'
      
    • wazuh/wazuh_managers/wazuh-master-sts.yaml

      env:
        - name: INDEXER_URL
          value: 'https://indexer:9200'
      
    • wazuh/wazuh_managers/wazuh-worker-sts.yaml

      env:
        - name: INDEXER_URL
          value: 'https://indexer:9200'
      
  4. Edit the following files of the v4.10.1 tag and apply all the customizations from your Wazuh manager ossec.conf file.

    • wazuh/wazuh_managers/wazuh_conf/master.conf

    • wazuh/wazuh_managers/wazuh_conf/worker.conf

Modifying tags of Wazuh images

Modify the tag of Wazuh images in the different statefulsets and deployments.

image: 'wazuh/wazuh-dashboard:4.10.1'
image: 'wazuh/wazuh-manager:4.10.1'
image: 'wazuh/wazuh-indexer:4.10.1'
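
A pre-apply check for the custom-manifest steps above, as an added example that is not part of the wazuh-kubernetes repository: it scans a manifest directory for the legacy strings this page says to replace and for Wazuh image lines that are not yet at the target tag. The function names, the TARGET_TAG variable, and the sample fragment are assumptions made for illustration.

```shell
#!/bin/sh
# Pre-apply check for custom wazuh-kubernetes manifests (added example).
# Usage: sh check-manifests.sh wazuh/     (script name is hypothetical)
TARGET_TAG="${TARGET_TAG:-4.10.1}"

# Strings this page says must be replaced before applying the upgrade.
legacy_strings() {
cat <<'EOF'
ES_JAVA_OPTS
/usr/share/wazuh-dashboard/config/certs/
/usr/share/wazuh-indexer/config/certs/
/usr/share/wazuh-indexer/config/opensearch.yml
/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/
EOF
}

# Print one finding per line as "KIND file:line:text"; return 1 if any exist.
check_manifests() {
    dir=$1
    # Escape the dots so the tag is matched literally in the regex below.
    tag_re=$(printf '%s' "$TARGET_TAG" | sed 's/\./\\./g')
    findings=$(
        legacy_strings | while IFS= read -r s; do
            grep -rnF -e "$s" "$dir" | sed 's/^/LEGACY /'
        done
        # Wazuh image lines whose tag is not the target version.
        grep -rnE "image:.*wazuh/wazuh-(dashboard|manager|indexer):" "$dir" |
            grep -vE ":${tag_re}['\"]?[[:space:]]*\$" | sed 's/^/TAG /'
        true
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: a 4.3-era manager fragment, not a real manifest.
write_sample() {
    cat > "$1/wazuh-master-sts.yaml" <<'EOF'
image: 'wazuh/wazuh-manager:4.3.10'
env:
  - name: ES_JAVA_OPTS
    value: '-Xms1g -Xmx1g'
EOF
}

if [ "$#" -gt 0 ]; then check_manifests "$1"; fi
```

A non-zero exit status means at least one manifest still carries a pre-upgrade path, variable name, or image tag, so the check can gate the apply step in a pipeline.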

Apply the new configuration

The last step is to apply the new configuration:

  • EKS cluster

    $ kubectl apply -k envs/eks/
    
  • Other cluster types

    $ kubectl apply -k envs/local-env/
    
 statefulset.apps "wazuh-manager-master" configured

This process terminates the old pod while creating a new one with the new version, linked to the same volume. Once the pods have started, the upgrade is complete, and you can check the new version of Wazuh installed, the cluster, and the changes that have been preserved through the use of the volumes.