Architecture

A WazuhCluster is reconciled into a complete Wazuh stack. The operator owns every object — there is no Helm release for the workload.

Components

Component        Workload     HA default  Ports
Indexer          StatefulSet  3           9200 (HTTP), 9300 (transport)
Manager master   StatefulSet  1           1515 (enroll), 1516 (cluster), 55000 (API)
Manager worker   StatefulSet  2           1514 (events)
Dashboard        Deployment   1           443 → 5601

flowchart TD
  agents[Wazuh agents] -->|1514 events| workers[manager-worker]
  agents -->|1515 enroll| master[manager-master]
  workers --> master
  master -->|filebeat 9200/TLS| indexer[(indexer cluster)]
  workers -->|filebeat 9200/TLS| indexer
  dashboard[dashboard] -->|9200/TLS| indexer

Objects created per cluster

  • Secrets: *-ca (CA), *-indexer-certs, *-manager-certs, *-dashboard-certs, and *-credentials (generated passwords + bcrypt hashes).
  • ConfigMaps: opensearch.yml, internal_users.yml, master/worker ossec.conf, filebeat.yml, and opensearch_dashboards.yml.
  • Services: indexer (ClusterIP 9200) + headless (9300); manager master headless (cluster) + worker headless; agent enrollment (*-wazuh, 1515/55000) and events (*-wazuh-workers, 1514); dashboard (443).
  • Workloads: indexer, manager-master, manager-worker StatefulSets; dashboard Deployment; a one-shot securityadmin Job to apply indexer credentials.

All children carry an owner reference to the WazuhCluster, so deletion cascades.

Reconciliation

The reconcile loop is staged and readiness-gated — each stage must be ready before the next begins, and the loop requeues while waiting:

  1. Certificates → CertificatesReady
  2. Credentials
  3. ConfigMaps
  4. Indexer (waits for full rollout) → IndexerReady, then the securityadmin Job
  5. Manager master then workers → ManagerReady
  6. Dashboard → DashboardReady
  7. Aggregate → Ready, endpoints populated, phase: Ready

This same ordering is what makes upgrades safe.

Status

kubectl get wazuhcluster shows MODE, VERSION (observed, not requested), PHASE, and AGE. status.conditions carries the per-component readiness above; status.endpoints reports the dashboard, agent-enrollment and indexer addresses.
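
An added example (not the operator's own code) that reads status.conditions in the stage order listed under Reconciliation and reports which stage the cluster is gated on, plus any later stage that still reports ready while an earlier one does not. It assumes the conditions use the standard Kubernetes shape (type, status, reason, message); the sample status, including its reason and message text, is constructed.

```python
import json

# Condition types named on this page, in reconcile order. Credentials and
# ConfigMaps have no condition named here, so they are not checked.
STAGE_ORDER = ["CertificatesReady", "IndexerReady", "ManagerReady",
               "DashboardReady", "Ready"]

def _conditions(cluster: dict) -> dict:
    """Index status.conditions by type; tolerate a missing or null status."""
    conds = (cluster.get("status") or {}).get("conditions") or []
    return {c.get("type"): c for c in conds}

def blocking_stage(cluster: dict):
    """Return (stage, detail) for the first stage that is not ready, or None."""
    conds = _conditions(cluster)
    for stage in STAGE_ORDER:
        cond = conds.get(stage)
        if cond is None:
            return stage, "condition not reported yet"
        if cond.get("status") != "True":
            return stage, cond.get("message") or cond.get("reason") or "not ready"
    return None

def out_of_order(cluster: dict) -> list:
    """Stages reporting True although an earlier stage does not (stale status)."""
    conds = _conditions(cluster)
    blocked, stale = False, []
    for stage in STAGE_ORDER:
        if (conds.get(stage) or {}).get("status") == "True":
            if blocked:
                stale.append(stage)
        else:
            blocked = True
    return stale

# Constructed sample, shaped like `kubectl get wazuhcluster <name> -o json`.
SAMPLE = json.loads("""
{"status": {"conditions": [
  {"type": "CertificatesReady", "status": "True"},
  {"type": "IndexerReady", "status": "False",
   "reason": "RolloutInProgress", "message": "2/3 indexer replicas ready"},
  {"type": "DashboardReady", "status": "True"}
]}}
""")

if __name__ == "__main__":
    print("gated on:", blocking_stage(SAMPLE))
    print("stale conditions:", out_of_order(SAMPLE))
```

A stale DashboardReady like the one in the sample is worth checking during an upgrade, since the dashboard condition may predate the indexer rollout that is still in progress.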