Add an option to configure S3 repository to store snapshots out of the box

README.md

@@ -47,6 +47,9 @@ FILEBEAT_SSL_VERIFICATION_MODE=full                 # Filebeat SSL Verification
 SSL_CERTIFICATE_AUTHORITIES=""                      # Path of Filebeat SSL CA
 SSL_CERTIFICATE=""                                  # Path of Filebeat SSL Certificate
 SSL_KEY=""                                          # Path of Filebeat SSL Key
+
+S3_ACCESS_KEY_ID=""                                 # S3 access key to add to OpenSearch keystore
+S3_SECRET_ACCESS_KEY=""                             # S3 secret key to add to OpenSearch keystore
 ```
 
 ### Dashboard

build-docker-images/README.md

@@ -26,6 +26,7 @@ Usage: build-docker-images/build-images.sh [OPTIONS]
     -d, --dev <ref>              [Optional] Set the development stage you want to build, example rc1 or beta1, not used by default.
     -f, --filebeat-module <ref>  [Optional] Set Filebeat module version. By default 0.4.
     -r, --revision <rev>         [Optional] Package revision. By default 1
+    -s, --s3-repository          [Optional] Install 'repository-s3' plugin for OpenSearch. By default false.
     -v, --version <ver>          [Optional] Set the Wazuh version should be builded. By default, 5.0.0.
     -h, --help                   Show this help.
 

build-docker-images/build-images.sh

@@ -16,6 +16,7 @@ WAZUH_IMAGE_VERSION="5.0.0"
 WAZUH_TAG_REVISION="1"
 WAZUH_DEV_STAGE=""
 FILEBEAT_MODULE_VERSION="0.4"
+S3_REPOSITORY="false"
 
 # -----------------------------------------------------------------------------
 
@@ -69,6 +70,7 @@ build() {
     echo FILEBEAT_TEMPLATE_BRANCH=$FILEBEAT_TEMPLATE_BRANCH >> .env
     echo WAZUH_FILEBEAT_MODULE=$WAZUH_FILEBEAT_MODULE >> .env
     echo WAZUH_UI_REVISION=$WAZUH_UI_REVISION >> .env
+    echo S3_REPOSITORY=$S3_REPOSITORY >> .env
 
     docker-compose -f build-docker-images/build-images.yml --env-file .env build --no-cache
 
@@ -84,6 +86,7 @@ help() {
     echo "    -d, --dev <ref>              [Optional] Set the development stage you want to build, example rc1 or beta1, not used by default."
     echo "    -f, --filebeat-module <ref>  [Optional] Set Filebeat module version. By default ${FILEBEAT_MODULE_VERSION}."
     echo "    -r, --revision <rev>         [Optional] Package revision. By default ${WAZUH_TAG_REVISION}"
+    echo "    -s, --s3-repository          [Optional] Install 'repository-s3' plugin for OpenSearch. By default ${S3_REPOSITORY}."
     echo "    -v, --version <ver>          [Optional] Set the Wazuh version should be builded. By default, ${WAZUH_IMAGE_VERSION}."
     echo "    -h, --help                   Show this help."
     echo
@@ -123,6 +126,10 @@ main() {
                 help 1
             fi
             ;;
+        "-s"|"--s3-repository")
+            S3_REPOSITORY="true"
+            shift 1
+            ;;
         "-v"|"--version")
             if [ -n "$2" ]; then
                 WAZUH_IMAGE_VERSION="$2"

build-docker-images/build-images.yml

@@ -42,6 +42,7 @@ services:
       args:
         WAZUH_VERSION: ${WAZUH_VERSION}
         WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION}
+        S3_REPOSITORY: ${S3_REPOSITORY}
     image: wazuh/wazuh-indexer:${WAZUH_IMAGE_VERSION}
     hostname: wazuh.indexer
     restart: always

build-docker-images/wazuh-indexer/Dockerfile

@@ -31,10 +31,13 @@ RUN bash config.sh
 ################################################################################
 FROM amazonlinux:2023.3.20240219.0
 
+ARG S3_REPOSITORY
+
 ENV USER="wazuh-indexer" \
     GROUP="wazuh-indexer" \
     NAME="wazuh-indexer" \
-    INSTALL_DIR="/usr/share/wazuh-indexer"
+    INSTALL_DIR="/usr/share/wazuh-indexer" \
+    OPENSEARCH_PATH_CONF="/usr/share/wazuh-indexer"
 
 RUN yum install curl-minimal shadow-utils findutils hostname -y
 
@@ -76,6 +79,9 @@ RUN mkdir -p /var/lib/wazuh-indexer && chown 1000:1000 /var/lib/wazuh-indexer &&
 
 USER wazuh-indexer
 
+# S3 bucket as a snapshot repository
+RUN if [ "$S3_REPOSITORY" = "true" ] ; then "${INSTALL_DIR}/bin/opensearch-plugin" install --batch repository-s3 ; fi
+
 # Services ports
 EXPOSE 9200
 

build-docker-images/wazuh-indexer/config/entrypoint.sh

@@ -76,6 +76,36 @@ if [[ -f bin/opensearch-users ]]; then
   fi
 fi
 
+# S3 bucket as a snapshot repository
+if [[ -n "$S3_ACCESS_KEY_ID" && -n "$S3_SECRET_ACCESS_KEY" ]] && \
+    (run_as_other_user_if_needed "${INSTALLATION_DIR}/bin/opensearch-plugin" list | grep -q '^repository-s3$') ; then
+  # Check for S3_ACCESS_KEY_ID and S3_SECRET_ACCESS_KEY environment variables
+  # and 'repository-s3' plugin presence in installed OpenSearch plugins
+  # to add the S3 access and secret keys to the OpenSearch keystore.
+  [[ -f /usr/share/wazuh-indexer/opensearch.keystore ]] || (run_as_other_user_if_needed "${INSTALLATION_DIR}/bin/opensearch-keystore" create)
+  if ! (run_as_other_user_if_needed "${INSTALLATION_DIR}/bin/opensearch-keystore" has-passwd --silent) ; then
+    # keystore is unencrypted
+    if ! (run_as_other_user_if_needed "${INSTALLATION_DIR}/bin/opensearch-keystore" list | grep -q '^s3.client.default.access_key$') ; then
+      (run_as_other_user_if_needed echo "$S3_ACCESS_KEY_ID" | "${INSTALLATION_DIR}/bin/opensearch-keystore" add -x 's3.client.default.access_key')
+    fi
+    if ! (run_as_other_user_if_needed "${INSTALLATION_DIR}/bin/opensearch-keystore" list | grep -q '^s3.client.default.secret_key$') ; then
+      (run_as_other_user_if_needed echo "$S3_SECRET_ACCESS_KEY" | "${INSTALLATION_DIR}/bin/opensearch-keystore" add -x 's3.client.default.secret_key')
+    fi
+  else
+    # keystore requires password
+    if ! (run_as_other_user_if_needed echo "$KEYSTORE_PASSWORD" \
+        | "${INSTALLATION_DIR}/bin/opensearch-keystore" list | grep -q '^s3.client.default.access_key$') ; then
+      COMMANDS="$(printf "%s\n%s" "$KEYSTORE_PASSWORD" "$S3_ACCESS_KEY_ID")"
+      (run_as_other_user_if_needed echo "$COMMANDS" | "${INSTALLATION_DIR}/bin/opensearch-keystore" add -x 's3.client.default.access_key')
+    fi
+    if ! (run_as_other_user_if_needed echo "$KEYSTORE_PASSWORD" \
+        | "${INSTALLATION_DIR}/bin/opensearch-keystore" list | grep -q '^s3.client.default.secret_key$') ; then
+      COMMANDS="$(printf "%s\n%s" "$KEYSTORE_PASSWORD" "$S3_SECRET_ACCESS_KEY")"
+      (run_as_other_user_if_needed echo "$COMMANDS" | "${INSTALLATION_DIR}/bin/opensearch-keystore" add -x 's3.client.default.secret_key')
+    fi
+  fi
+fi
+
 if [[ "$(id -u)" == "0" ]]; then
   # If requested and running as root, mutate the ownership of bind-mounts
   if [[ -n "$TAKE_FILE_OWNERSHIP" ]]; then