Upgrade Wazuh installed in Kubernetes
This section provides a guide to upgrading your Wazuh deployment in a Kubernetes environment while preserving existing configurations and data. Because Wazuh uses persistent volumes and Docker-based components, updates can be performed seamlessly without losing prior settings or logs.
Check files exported to the volume
The Kubernetes deployment uses Wazuh Docker images. The following directories and files are used in the upgrade:
/var/ossec/api/configuration
/var/ossec/etc
/var/ossec/logs
/var/ossec/queue
/var/ossec/var/multigroups
/var/ossec/integrations
/var/ossec/active-response/bin
/var/ossec/agentless
/var/ossec/wodles
/etc/filebeat
/var/lib/filebeat
/usr/share/wazuh-dashboard/config/
/usr/share/wazuh-dashboard/certs/
/var/lib/wazuh-indexer
/usr/share/wazuh-indexer/config/certs/
/usr/share/wazuh-indexer/config/opensearch.yml
/usr/share/wazuh-indexer/config/opensearch-security/internal_users.yml
Any modifications to these files are also made in the associated volume. When a replica pod is created, it gets those files from the volume, keeping the previous changes.
Recreating certificates
Upgrading from a version earlier than v4.8.0 requires you to recreate the SSL certificates. Clone the wazuh-kubernetes repository and check out the v4.14.1 tag. Then, follow the instructions in Setup SSL certificates.
Configuring the upgrade
To upgrade to version 4.14.1, you can follow one of two strategies.
Using default manifests: This strategy uses the default manifests for Wazuh 4.14. It replaces the wazuh-kubernetes manifests of your outdated Wazuh version.
Keeping custom manifests: This strategy preserves the wazuh-kubernetes manifests of your outdated Wazuh deployment. It ignores the manifests of the latest Wazuh version.
Using default manifests
To upgrade your deployment using the default manifests, perform the following steps.
Check out the tag for the current version of wazuh-kubernetes:
# git checkout v4.14.1
Keeping custom manifests
The following approach allows administrators to preserve their existing deployment configurations instead of overwriting them with the default manifests from the new version. This method is ideal for environments with custom settings, resource allocations, network policies, or integrations that must remain intact during the upgrade.
The upgrade process differs slightly depending on your current Wazuh version.
If you are upgrading from version 4.3, update the Java Opts variable name with the new one.
Update old paths with the new ones.
If you are upgrading from a version earlier than 4.8, update configuration parameters.
Next, apply the new configuration.
Updating Java Opts variable name
If you are upgrading from version 4.3, you must replace ES_JAVA_OPTS with OPENSEARCH_JAVA_OPTS and modify the value.
wazuh/wazuh_managers/wazuh-master-sts.yaml
env:
  - name: OPENSEARCH_JAVA_OPTS
    value: '-Xms1g -Xmx1g -Dlog4j2.formatMsgNoLookups=true'
Updating old paths
Wazuh dashboard
Edit wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml and do the following replacements.
Replace /usr/share/wazuh-dashboard/config/certs/ with /usr/share/wazuh-dashboard/certs/.
Edit wazuh/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml and do the following replacements.
Replace /usr/share/wazuh-dashboard/config/certs/ with /usr/share/wazuh-dashboard/certs/.
Wazuh indexer
Edit wazuh/indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml and do the following replacements.
Replace /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ with /usr/share/wazuh-indexer/opensearch-security/.
Add the following statements:

volumes:
  - name: indexer-certs
    secret:
      secretName: indexer-certs
      defaultMode: 0600
  - name: indexer-conf
    configMap:
      name: indexer-conf
      defaultMode: 0600

spec:
  securityContext:
    fsGroup: 1000
  # Set the wazuh-indexer volume permissions so the wazuh-indexer user can use it
  volumes:
    - name: indexer-certs

securityContext:
  runAsUser: 1000
  runAsGroup: 1000
  capabilities:
    add: ["SYS_CHROOT"]

Wazuh indexer
Edit wazuh/indexer_stack/wazuh-indexer/cluster/indexer-sts.yaml and do the following replacements and additions.
Replace /usr/share/wazuh-indexer/certs/ with /usr/share/wazuh-indexer/config/certs/.
Replace /usr/share/wazuh-indexer/opensearch.yml with /usr/share/wazuh-indexer/config/opensearch.yml.
Replace /usr/share/wazuh-indexer/opensearch-security/internal_users.yml with /usr/share/wazuh-indexer/config/opensearch-security/internal_users.yml.
Add the following statements:

volumes:
  - name: indexer-certs
    secret:
      secretName: indexer-certs
      defaultMode: 0600
  - name: indexer-conf
    configMap:
      name: indexer-conf
      defaultMode: 0600

spec:
  securityContext:
    fsGroup: 1000
  # Set the wazuh-indexer volume permissions so the wazuh-indexer user can use it
  volumes:
    - name: indexer-certs

securityContext:
  runAsUser: 1000
  runAsGroup: 1000
  capabilities:
    add: ["SYS_CHROOT"]

Edit wazuh/indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml and do the following replacements.
Replace /usr/share/wazuh-indexer/certs/ with /usr/share/wazuh-indexer/config/certs/.
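A text-level check to run over custom manifests before applying them, added here as an example (it is not part of the wazuh-kubernetes repository). It flags leftover legacy strings from the steps above and lists the indexer StatefulSet settings that are still absent; the function names stale_refs, indexer_sts_missing and write_sample are hypothetical, and the sample manifest is constructed.

```shell
# Legacy strings: the "replace" sources listed on this page. The internal_users.yml
# path is left out because only one of the two indexer procedures treats it as old.
LEGACY='ES_JAVA_OPTS
/usr/share/wazuh-dashboard/config/certs/
/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/
/usr/share/wazuh-indexer/certs/
/usr/share/wazuh-indexer/opensearch.yml'

# stale_refs DIR: print file:line:text for every legacy string; return 1 if any is found.
stale_refs() {
    if grep -rnF --include='*.yaml' --include='*.yml' -e "$LEGACY" "$1"; then
        return 1
    fi
}

# indexer_sts_missing FILE: print each setting from "Add the following statements"
# that does not appear in FILE (substring match only, YAML nesting is not verified).
indexer_sts_missing() {
    for want in 'fsGroup: 1000' 'runAsUser: 1000' 'runAsGroup: 1000' \
                'defaultMode: 0600' 'SYS_CHROOT'; do
        grep -qF -- "$want" "$1" || printf '%s\n' "$want"
    done
}

# Constructed sample: a half-migrated indexer StatefulSet fragment.
write_sample() {
    cat > "$1/indexer-sts.yaml" <<'EOF'
spec:
  securityContext:
    fsGroup: 1000
  containers:
    - name: wazuh-indexer
      env:
        - name: ES_JAVA_OPTS
          value: '-Xms1g -Xmx1g'
      volumeMounts:
        - name: indexer-certs
          mountPath: /usr/share/wazuh-indexer/certs/node.pem
        - name: indexer-conf
          mountPath: /usr/share/wazuh-indexer/config/opensearch.yml
EOF
}

demo=$(mktemp -d)
write_sample "$demo"
stale_refs "$demo" || echo "-> legacy references remain"
echo "settings missing from indexer-sts.yaml:"
indexer_sts_missing "$demo/indexer-sts.yaml"
rm -rf "$demo"
```

Point stale_refs at the wazuh/ directory of your customized checkout; an empty result from both functions means the renames and additions in this section are all in place.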
Updating configuration parameters
Update the defaultRoute parameter in the Wazuh dashboard configuration.
wazuh/indexer_stack/wazuh-dashboard/dashboard_conf/opensearch_dashboards.yml
uiSettings.overrides.defaultRoute: /app/wz-home

Edit opensearch.yml and modify CN for Wazuh indexer.
wazuh/indexer_stack/wazuh-indexer/indexer_conf/opensearch.yml
plugins.security.nodes_dn:
  - CN=indexer,O=Company,L=California,C=US

Edit the following files and modify all Wazuh indexer URLs in the deployment.
wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml
env:
  - name: INDEXER_URL
    value: 'https://indexer:9200'

wazuh/wazuh_managers/wazuh-master-sts.yaml
env:
  - name: INDEXER_URL
    value: 'https://indexer:9200'

wazuh/wazuh_managers/wazuh-worker-sts.yaml
env:
  - name: INDEXER_URL
    value: 'https://indexer:9200'

Edit the following files of the v4.14.1 tag and apply all the customizations from your Wazuh manager ossec.conf file.
wazuh/wazuh_managers/wazuh_conf/master.conf
wazuh/wazuh_managers/wazuh_conf/worker.conf
Apply the new configuration
The last step is to apply the new configuration:
EKS cluster
$ kubectl apply -k envs/eks/
Other cluster types
$ kubectl apply -k envs/local-env/
statefulset.apps "wazuh-manager-master" configured
This process terminates the old pod and creates a new one with the new version, linked to the same volume. Once the pods are running, the upgrade is complete, and you can check the installed Wazuh version, the cluster, and the changes preserved through the volumes.