Add K8s password change to documentation

source/deployment-options/deploying-with-kubernetes/kubernetes-deployment.rst

@@ -191,6 +191,183 @@ The Wazuh dashboard will be accessible on ``https://localhost:8443``.
 
 The default credentials are ``admin:SecretPassword``.
 
+Change the password of Wazuh users
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To improve security, you can change the default password of the Wazuh users. There are two types of Wazuh users:
+
+-  Wazuh indexer users
+-  Wazuh API users
+
+Wazuh indexer users
+~~~~~~~~~~~~~~~~~~~
+
+ To change the password of the default ``admin`` and ``kibanaserver`` users, do the following.
+
+.. warning::
+
+   If you have custom users, add them to the ``internal_users.yml`` file. Otherwise, executing this procedure deletes them.
+
+Setting a new hash
+..................
+
+#. Start a Bash shell in ``wazuh-indexer-0``.
+
+   .. code-block:: console
+
+      # kubectl exec -it wazuh-indexer-0 -n wazuh -- /bin/bash
+
+#. Run these commands to generate the hash of your new password. When prompted, input the new password and press **Enter**.
+
+   .. code-block:: console
+
+	  wazuh-indexer@wazuh-indexer-0:~$ export JAVA_HOME=/usr/share/wazuh-indexer/jdk
+	  wazuh-indexer@wazuh-indexer-0:~$ bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh
+
+#. Copy the generated hash and exit the Bash shell.
+
+#. Open the ``wazuh/indexer_stack/wazuh-indexer/indexer_conf/internal_users.yml`` file. Locate the block for the user you are changing password for.
+
+#. Replace the hash.
+
+   -  ``admin`` user
+
+      .. code-block:: YAML
+         :emphasize-lines: 3
+
+         ...
+         admin:
+             hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
+             reserved: true
+             backend_roles:
+             - "admin"
+             description: "Demo admin user"
+
+         ...
+
+   -  ``kibanaserver`` user
+
+      .. code-block:: YAML
+         :emphasize-lines: 3
+
+         ...
+         kibanaserver:
+             hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
+             reserved: true
+             description: "Demo kibanaserver user"
+
+         ...
+
+Setting the new password
+........................
+
+#. Encode your new password in base64 format. Avoid inserting a trailing newline character to maintain the hash value. For example, use the ``-n`` option with the ``echo`` command as follows.
+
+   .. code-block::
+
+      # echo -n "NewPassword" | base64
+
+#. Edit the indexer or dashbboard secrets configuration file as follows. Replace the value of the ``password`` field with your new encoded password.
+
+   -  To change the ``admin`` user password, edit the ``wazuh/secrets/indexer-cred-secret.yaml`` file.
+
+      .. code-block:: YAML
+         :emphasize-lines: 8
+
+         ...
+         apiVersion: v1
+         kind: Secret
+         metadata:
+             name: indexer-cred
+         data:
+             username: YWRtaW4=              # string "admin" base64 encoded
+             password: U2VjcmV0UGFzc3dvcmQ=  # string "SecretPassword" base64 encoded
+         ...
+
+   -  To change the ``kibanaserver`` user password, edit the ``wazuh/secrets/dashboard-cred-secret.yaml`` file.
+
+      .. code-block:: YAML
+         :emphasize-lines: 8
+
+         ...
+         apiVersion: v1
+         kind: Secret
+         metadata:
+             name: dashboard-cred
+         data:
+             username: a2liYW5hc2VydmVy  # string "kibanaserver" base64 encoded
+             password: a2liYW5hc2VydmVy  # string "kibanaserver" base64 encoded
+         ...
+
+Applying the changes
+....................
+
+#. Apply the manifest changes
+
+   .. code-block:: console
+
+      # kubectl apply -k envs/eks/
+
+#. Start a bash shell in ``wazuh-indexer-0`` once more.
+
+   .. code-block:: console
+
+      # kubectl exec -it wazuh-indexer-0 -n wazuh -- /bin/bash
+
+#. Set the following variables:
+
+   .. code-block:: console
+
+      export INSTALLATION_DIR=/usr/share/wazuh-indexer
+      CACERT=$INSTALLATION_DIR/certs/root-ca.pem
+      KEY=$INSTALLATION_DIR/certs/admin-key.pem
+      CERT=$INSTALLATION_DIR/certs/admin.pem
+      export JAVA_HOME=/usr/share/wazuh-indexer/jdk
+
+#. Wait for the Wazuh indexer to initialize properly. The waiting time can vary from two to five minutes. It depends on the size of the cluster, the assigned resources, and the speed of the network. Then, run the ``securityadmin.sh`` script to apply all changes.
+
+   .. code-block:: console
+
+      $ bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert  $CACERT -cert $CERT -key $KEY -p 9200 -icl -h $NODE_NAME
+
+#. Login with the new credentials on the Wazuh dashboard.
+
+Wazuh API users
+~~~~~~~~~~~~~~~
+
+The ``wazuh-wui`` user is the user to connect with the Wazuh API by default. Follow these steps to change the password.
+
+.. note::
+
+   The password for Wazuh API users must be between 8 and 64 characters long. It must contain at least one uppercase and one lowercase letter, a number, and a symbol.
+
+#. Encode your new password in base64 format. Avoid inserting a trailing newline character to maintain the hash value. For example, use the ``-n`` option with the ``echo`` command as follows.
+
+   .. code-block::
+
+      # echo -n "NewPassword" | base64
+
+#. Edit the ``wazuh/secrets/wazuh-api-cred-secret.yaml`` file and replace the value of the ``password`` field.
+
+   .. code-block:: YAML
+      :emphasize-lines: 8
+
+      apiVersion: v1
+      kind: Secret
+      metadata:
+          name: wazuh-api-cred
+          namespace: wazuh
+      data:
+          username: d2F6dWgtd3Vp          # string "wazuh-wui" base64 encoded
+          password: UGFzc3dvcmQxMjM0LmE=  # string "MyS3cr37P450r.*-" base64 encoded
+
+#. Apply the manifest changes.
+
+    .. code-block:: console
+
+        # kubectl apply -k envs/eks/
+
+#. Restart pods for Wazuh dashboard and Wazuh manager master.
 
 Agents
 ^^^^^^