diff --git a/manifests/config.pp b/manifests/config.pp index 10a8cae..f73177b 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -98,8 +98,15 @@ ], } - file { "${bitbucket::webappdir}/elasticsearch/config-template/elasticsearch.yml": - content => template('bitbucket/elasticsearch.yml.erb'), + if versioncmp($version, '7.21') >= 0 { + $search_config = "${bitbucket::webappdir}/opensearch/config/opensearch.yml" + $search_config_template = 'bitbucket/opensearch.yml.erb' + } else { + $search_config = "${bitbucket::webappdir}/elasticsearch/config-template/elasticsearch.yml" + $search_config_template = 'bitbucket/elasticsearch.yml.erb' + } + file { $search_config: + content => template($search_config_template), mode => '0640', require => [ Class['bitbucket::install'], diff --git a/manifests/init.pp b/manifests/init.pp index 25edb64..94b4807 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -98,7 +98,7 @@ ) { - validate_hash($config_properties) + assert_type(Hash, $config_properties) include ::bitbucket::params diff --git a/manifests/service.pp b/manifests/service.pp index c6f085d..f440ab2 100644 --- a/manifests/service.pp +++ b/manifests/service.pp @@ -14,7 +14,7 @@ ) { - validate_bool($service_manage) + assert_type(Boolean, $service_manage) if $bitbucket::service_manage { @@ -23,8 +23,8 @@ mode => $service_file_mode, } - validate_string($service_ensure) - validate_bool($service_enable) + assert_type(String, $service_ensure) + assert_type(Boolean, $service_enable) if ($::osfamily == 'RedHat' and $::operatingsystemmajrelease == '7') or ($::osfamily == 'Debian' and $::operatingsystemmajrelease == '16.04') { exec { 'bitbucket_refresh_systemd': diff --git a/templates/opensearch.yml.erb b/templates/opensearch.yml.erb new file mode 100644 index 0000000..10050d2 --- /dev/null +++ b/templates/opensearch.yml.erb 
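Review bot: `$version` in the new `versioncmp($version, '7.21') >= 0` test in manifests/config.pp is unqualified, while the paths built right below it use `${bitbucket::webappdir}`. Unless config.pp declares or inherits `$version` outside this hunk, the comparison runs against an undefined value and picks the wrong search config; `$bitbucket::version` would be the safer reference, assuming that is the module's variable name. The cut-over also deserves a one-line comment above the `if`, for example `# Bitbucket 7.21+ bundles OpenSearch instead of Elasticsearch`. The `file` resource continues past the end of the hunk.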
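Review bot: `assert_type(String, $service_ensure)` in the second manifests/service.pp hunk accepts any string, so a mistyped ensure value is only rejected later, when the service resource is evaluated. If the module supports only the two usual states, `assert_type(Enum['running', 'stopped'], $service_ensure)` would reject it at the top of the class. The same body-level checks in manifests/init.pp (`Hash`) and the first service.pp hunk (`Boolean`) could become typed parameters such as `Boolean $service_manage`, but the parameter lists lie outside these hunks.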
@@ -0,0 +1,38 @@
+cluster.name: bitbucket_search
+node:
+ name: bitbucket_bundled
+
+network.host: _local_
+discovery.type: single-node
+
+path:
+ logs: <%= scope.lookupvar('bitbucket::logdir') %>/search
+ data: ${BITBUCKET_HOME}/shared/search/data
+
+action.auto_create_index: false
+
+http.port: 7992
+transport.tcp.port: 7993
+
+# The OpenSearch security plugin stores its configuration in an index in the cluster itself. On startup if the
+# security index doesn't exist yet, sitting this to true will cause the security plugin to read the yml files and
+# configure the index using the contents of the files.
+plugins.security.allow_default_init_securityindex: true
+
+# Using the yml files with default initialisation, we create a bitbucket user and give it the all_access in-built role.
+# However, access to the REST API is disabled by default even for the all_access role so we need to explicitly give
+# it permission here so that the bitbucket user can access the OpenSearch REST API.
+plugins.security.restapi.roles_enabled: ["all_access"]
+
+# Mandatory TLS setup for transport layer
+plugins.security.authcz.admin_dn:
+ - CN=BITBUCKET
+plugins.security.ssl.transport.enforce_hostname_verification: false
+plugins.security.ssl.transport.pemcert_filepath: bitbucket.pem
+plugins.security.ssl.transport.pemkey_filepath: bitbucket-key.pem
+plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
+
+# Logs audit events to bitbucket_search_server.json
+plugins.security.audit.type: log4j
+plugins.security.audit.config.log4j.logger_name: audit
+plugins.security.audit.config.log4j.level: INFO
\ No newline at end of file
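Review bot: With `plugins.security.ssl.transport.enforce_hostname_verification: false` and no HTTP-layer TLS settings in this template, the node's exposure depends entirely on `network.host: _local_` staying loopback-only, and nothing in the file says so. A comment above `network.host`, such as `# Must remain loopback-only: hostname verification is off and the REST port has no TLS configured here`, would keep a later edit from widening the bind address unnoticed. The template also names `bitbucket.pem`, `bitbucket-key.pem` and `root-ca.pem`, which no resource visible in this commit manages; presumably they ship with the bundled OpenSearch, in which case it is worth confirming that the key is not shared across installations and is readable only by the service account. The comment above `allow_default_init_securityindex` has a typo, `sitting` for `setting`.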