CR-2026-02-25: Wazuh Credential Rotation — Risk & Comms

K8s secret != OpenSearch password

Must run securityadmin.sh to update internal user database

Hardcoded secrets in config files

Use environment variables: $VAR not "literal"

Flat gopass structure

Use resource-based paths: /wazuh/indexer, /wazuh/api

No pre/post validation

Always test access BEFORE and AFTER rotation