Release Wazuh version 2.3.0

charts/wazuh/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.2.1
+version: 2.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/wazuh/configs/indexer_conf/opensearch.yml

@@ -22,7 +22,7 @@ plugins.security.authcz.admin_dn:
 plugins.security.check_snapshot_restore_write_privileges: true
 plugins.security.enable_snapshot_restore_privilege: true
 plugins.security.nodes_dn:
-  - CN=*.wazuh-indexer,O=Company,L=California,C=US
+  - CN=${SECURITY_NODES_DN}
 plugins.security.restapi.roles_enabled:
   - "all_access"
   - "security_rest_api_access"

charts/wazuh/templates/indexer/indexer-sts.yaml

@@ -81,6 +81,8 @@ spec:
               value: {{ include "wazuh.fullname" . }}-indexer
             - name: SECURITY_AUTHCZ_ADMIN_DN
               value: {{ .Values.tls.certManager.commonName }}
+            - name: SECURITY_NODES_DN
+              value: {{ .Values.indexer.config.nodesDN | default (printf "*.%s" (include "wazuh.fullname" .)) }}
             - name: KUBERNETES_NAMESPACE
               valueFrom:
                 fieldRef:
@@ -246,6 +248,8 @@ spec:
               value: {{ include "wazuh.fullname" . }}-indexer
             - name: SECURITY_AUTHCZ_ADMIN_DN
               value: {{ .Values.tls.certManager.commonName }}
+            - name: SECURITY_NODES_DN
+              value: {{ .Values.indexer.config.nodesDN | default (printf "*.%s" (include "wazuh.fullname" .)) }}
             - name: KUBERNETES_NAMESPACE
               valueFrom:
                 fieldRef:

charts/wazuh/templates/manager/wazuh-master-sts.yaml

@@ -15,6 +15,7 @@ spec:
       {{- include "wazuh.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      name: {{ include "wazuh.fullname" . }}-manager-master
       {{- with .Values.manager.master.podAnnotations }}
       annotations:
         {{- toYaml . | nindent 8 }}
@@ -114,26 +115,6 @@ spec:
               mountPath: /wazuh-config-mount/etc/authd.pass
               subPath: authd.pass
               readOnly: true
-            - name: manager-certs
-              mountPath: /wazuh-config-mount/etc/sslmanager.cert
-              subPath: server.cert
-              readOnly: true
-            - name: manager-certs
-              mountPath: /wazuh-config-mount/etc/sslmanager.key
-              subPath: server.key
-              readOnly: true
-            - name: manager-certs
-              mountPath: /wazuh-config-mount/api/configuration/ssl/server.crt
-              subPath: server.cert
-              readOnly: true
-            - name: manager-certs
-              mountPath: /wazuh-config-mount/api/configuration/ssl/server.key
-              subPath: server.key
-              readOnly: true
-            - name: filebeat-certs
-              mountPath: /wazuh-config-mount/api/configuration/ssl/ca.crt
-              subPath: root-ca.pem
-              readOnly: true
             - name: wazuh-manager-master
               mountPath: /var/ossec/api/configuration
               subPath: wazuh/var/ossec/api/configuration

charts/wazuh/templates/manager/wazuh-master-svc.yaml

@@ -1,12 +1,20 @@
+{{- if .Values.manager.master.service.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "wazuh.fullname" . }}-master
   labels:
     app: {{ include "wazuh.fullname" . }}-manager
     {{- include "wazuh.labels" . | nindent 4 }}
+  {{- with .Values.manager.master.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
-  type: ClusterIP
+  type: {{ .Values.manager.master.service.type }}
+  {{- if .Values.manager.master.service.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.manager.master.service.externalTrafficPolicy }}
+  {{- end }}
   ports:
     - port: 1515
       targetPort: 1515
@@ -20,3 +28,4 @@ spec:
     app: {{ include "wazuh.fullname" . }}-manager
     node-type: master
     {{- include "wazuh.selectorLabels" . | nindent 4 }}
+{{- end }}

charts/wazuh/templates/manager/wazuh-service.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.manager.service.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -11,6 +12,9 @@ metadata:
   {{- end }}
 spec:
   type: {{ .Values.manager.service.type }}
+  {{- if .Values.manager.service.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.manager.service.externalTrafficPolicy }}
+  {{- end }}
   ports:
     - port: 1515
       targetPort: 1515
@@ -26,4 +30,5 @@ spec:
       name: api
   selector:
     app: {{ include "wazuh.fullname" . }}-manager
-    {{- include "wazuh.selectorLabels" . | nindent 4 }}
+    {{- include "wazuh.selectorLabels" . | nindent 4 }}
+{{- end }}

charts/wazuh/templates/manager/wazuh-worker-sts.yaml

@@ -15,6 +15,7 @@ spec:
       {{- include "wazuh.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      name: {{ include "wazuh.fullname" . }}-manager-worker
       {{- with .Values.manager.workers.podAnnotations }}
       annotations:
         {{- toYaml . | nindent 8 }}
@@ -107,26 +108,6 @@ spec:
               mountPath: /wazuh-config-mount/etc/ossec.conf
               subPath: worker.conf
               readOnly: true
-            - name: manager-certs
-              mountPath: /wazuh-config-mount/etc/sslmanager.cert
-              subPath: server.cert
-              readOnly: true
-            - name: manager-certs
-              mountPath: /wazuh-config-mount/etc/sslmanager.key
-              subPath: server.key
-              readOnly: true
-            - name: manager-certs
-              mountPath: /wazuh-config-mount/api/configuration/ssl/server.crt
-              subPath: server.cert
-              readOnly: true
-            - name: manager-certs
-              mountPath: /wazuh-config-mount/api/configuration/ssl/server.key
-              subPath: server.key
-              readOnly: true
-            - name: filebeat-certs
-              mountPath: /wazuh-config-mount/api/configuration/ssl/ca.crt
-              subPath: root-ca.pem
-              readOnly: true
             - name: wazuh-manager-worker
               mountPath: /var/ossec/api/configuration
               subPath: wazuh/var/ossec/api/configuration

charts/wazuh/templates/manager/wazuh-workers-svc.yaml

@@ -1,12 +1,20 @@
+{{- if .Values.manager.workers.service.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "wazuh.fullname" . }}-workers
   labels:
     app: {{ include "wazuh.fullname" . }}-manager
     {{- include "wazuh.labels" . | nindent 4 }}
+  {{- with .Values.manager.workers.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
-  type: ClusterIP
+  type: {{ .Values.manager.workers.service.type }}
+  {{- if .Values.manager.workers.service.externalTrafficPolicy }}
+  externalTrafficPolicy: {{ .Values.manager.workers.service.externalTrafficPolicy }}
+  {{- end }}
   ports:
     - port: 1514
       targetPort: 1514
@@ -16,3 +24,4 @@ spec:
     app: {{ include "wazuh.fullname" . }}-manager
     node-type: worker
     {{- include "wazuh.selectorLabels" . | nindent 4 }}
+{{- end }}

charts/wazuh/values.yaml

@@ -27,8 +27,8 @@
   secretName: ""
   certManager:
     enabled: true
     duration: 2160h # 90d
     renewBefore: 360h # 15d
     issuer:
       name: "your-issuer"
       # We can reference ClusterIssuers by changing the kind here.
@@ -115,6 +115,14 @@
     # Must have the key "internal_users.yml"
     # Please read https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html#change-the-password-of-wazuh-users
     indexerInternalUsersSecretName: ""
+    # Distinguished Name (DN) pattern for node certificates in plugins.security.nodes_dn
+    # This whitelist controls which certificates are trusted for node-to-node communication.
+    # Must match the CN (Common Name) in your node certificates issued by cert-manager.
+    # Default: "*.{release-name}" (e.g., "*.wazuh" for release "wazuh")
+    # Example: If your cert-manager issues certs with CN=wazuh, set this to "wazuh"
+    # Example: If your cert-manager issues certs with CN=*.wazuh-indexer, set this to "*.wazuh-indexer"
+    # Leave empty to auto-generate based on release name
+    nodesDN: ""
 
   imagePullSecrets: []
 
@@ -125,13 +133,13 @@
   podLabels: {}
 
   podSecurityContext:
     fsGroup: 1000 # Match Docker image user group
 
   securityContext:
     runAsUser: 1000 # Match Docker image UID (wazuh-indexer user)
     runAsGroup: 1000 # Match Docker image GID
     capabilities:
       add: ["SYS_CHROOT"] # Required for OpenSearch/Elasticsearch
   # capabilities:
   #   drop:
   #   - ALL
@@ -219,12 +227,12 @@
       # do not change unless you changed the passwords and the usernames
       # using the indexerInternalUsersSecretName in the indexer section
       indexerUsername: "admin"
       indexerPassword: "SecretPassword" #gitleaks:allow
       # -------------------
       wazuhApiUsername: "wazuh"
       # Note The password for Wazuh API users must be between 8 and 64 characters long.
       # It must contain at least one uppercase and one lowercase letter, a number, and a symbol.
       wazuhApiPassword: "Pho8OH1voo6eew@ahVui4Ahghu6leith" #gitleaks:allow
       wazuhClusterKey: "123a45bc67def891gh23i45jk67l8mn9" #gitleaks:allow
       wazuhAuthDPass: "password" #gitleaks:allow
       # The secret must have the following keys
@@ -234,11 +242,14 @@
       # authd.pass
       existingSecretName: ""
 
-  ## The manager service that is going to be responsible for the agent registration
-  ## and the agent events
+  ## Exposes the whole manager stack (master and workers) to agents and users under a single service.
+  ## Port 1515 registers agents (master pods), port 55000 serves the Wazuh API (master pods)
+  ## and port 1514 receives agent events (worker pods)
   service:
+    enabled: true
     type: LoadBalancer
     annotations: {}
+    externalTrafficPolicy: Cluster
 
   master:
     podSecurityContext:
@@ -308,6 +319,12 @@
       size: "25Gi"
       existingClaim: ""
 
+    service:
+      enabled: true
+      type: ClusterIP
+      annotations: {}
+      externalTrafficPolicy: ""
+
   workers:
     replicaCount: 1
 
@@ -378,6 +395,12 @@
       size: "25Gi"
       existingClaim: ""
 
+    service:
+      enabled: true
+      type: ClusterIP
+      annotations: {}
+      externalTrafficPolicy: ""
+
 dashboard:
   replicaCount: 1