localDecoder and localRules ignored due to PVC mounts overriding ConfigMap file mounts

[scottn26]

localDecoder and localRules are mounted from ConfigMap into /wazuh-config-mount/etc/decoders/ and /var/ossec/etc/decoders/

/var/ossec/etc is also mounted as a directory from the PVC and ends up overriding the ConfigMap file mounts of the same files.

I found that my custom decoders never loaded with no error message.

My workaround was to manually copy /wazuh-config-mount/etc/decoders/ to /var/ossec/etc/decoders/ and then wrote an extraInitContainer to do this automatically.

script.sh only copies ossec.conf - it should also copy the decoder and rule files or document this is a manual process with an extraInitContainer example.

Manual workaround example:

kubectl exec -n siem wazuh-manager-master-0 -c wazuh-manager -- sh -c \
  'cp /wazuh-config-mount/etc/decoders/local_decoder.xml \
     /var/ossec/etc/decoders/local_decoder.xml && \
   cp /wazuh-config-mount/etc/rules/local_rules.xml \
     /var/ossec/etc/rules/local_rules.xml'

extraInitContainer workaround example:

wazuh:
  master:
    extraInitContainers:
      - name: sync-custom-config
        image: alpine
        command:
          - sh
          - -c
          - |
            cp /wazuh-config-mount/etc/decoders/local_decoder.xml /var/ossec/etc/decoders/local_decoder.xml &&
            cp /wazuh-config-mount/etc/rules/local_rules.xml /var/ossec/etc/rules/local_rules.xml &&
            echo "Custom config synced"
        volumeMounts:
          - mountPath: /wazuh-config-mount/etc/decoders/local_decoder.xml
            name: config
            subPath: local_decoder.xml
            readOnly: true
          - mountPath: /wazuh-config-mount/etc/rules/local_rules.xml
            name: config
            subPath: local_rules.xml
            readOnly: true
          - mountPath: /var/ossec/etc
            name: wazuh-manager-master
            subPath: wazuh/var/ossec/etc

[morgoved]

you can do some changes into chart and open MR for it)