Deploy OpenSearch as a Bitbucket sub-chart (#391)

* Deploy OpenSearch as a subchart

* Format code

* Remove debug config

* Update docs

* Update opensearch property

* Update function name

* Update modules/products/bitbucket/variables.tf

Co-authored-by: Adam Brokes <[email protected]>

* Update modules/products/bitbucket/helm.tf

Co-authored-by: Adam Brokes <[email protected]>

* Update modules/products/bitbucket/variables.tf

Co-authored-by: Adam Brokes <[email protected]>

---------

Co-authored-by: Yevhen Ivantsov <[email protected]>
Co-authored-by: Adam Brokes <[email protected]>

config.tfvars

@@ -504,13 +504,21 @@ bitbucket_db_name = "bitbucket"
 #bitbucket_nfs_limits_cpu      = "<LIMITS_CPU>"
 #bitbucket_nfs_limits_memory   = "<LIMITS_MEMORY>"
 
-# Elasticsearch resource configuration for Bitbucket
-#bitbucket_elasticsearch_requests_cpu    = "<REQUESTS_CPU>"
-#bitbucket_elasticsearch_requests_memory = "<REQUESTS_MEMORY>"
-#bitbucket_elasticsearch_limits_cpu      = "<LIMITS_CPU>"
-#bitbucket_elasticsearch_limits_memory   = "<LIMITS_MEMORY>"
-#bitbucket_elasticsearch_storage         = "<REQUESTS_STORAGE>"
-#bitbucket_elasticsearch_replicas        = "<NUMBER_OF_NODES>"
+# OpenSearch resource configuration for Bitbucket
+#bitbucket_opensearch_requests_cpu    = "<REQUESTS_CPU>"
+#bitbucket_opensearch_requests_memory = "<REQUESTS_MEMORY>"
+#bitbucket_opensearch_limits_cpu      = "<LIMITS_CPU>"
+#bitbucket_opensearch_limits_memory   = "<LIMITS_MEMORY>"
+#bitbucket_opensearch_storage         = "<REQUESTS_STORAGE>"
+#bitbucket_opensearch_replicas        = "<NUMBER_OF_NODES>"
+#bitbucket_opensearch_java_opts       = "<CUSTOM_JAVA_OPTS>"
+
+# Configure access to external OpenSearch (created outside Terraform modules)
+#bitbucket_opensearch_endpoint            = "<OPENSEARCH_URL>"
+#bitbucket_opensearch_secret_name         = "<K8S_SECRET_NAME>"
+#bitbucket_opensearch_secret_username_key = "<USERNAME_KEY_IN_SECRET>"
+#bitbucket_opensearch_secret_password_key = "<PASSWORD_KEY_IN_SECRET>"
+
 
 # Dataset size. Used only when snapshots_json_file_path is defined. Defaults to large
 # bitbucket_dataset_size = "large"
@@ -729,4 +737,4 @@ crowd_db_name                 = "crowd"
 #crowd_license = "<LICENSE_KEY>"
 
 # A list of JVM arguments to be passed to the server. Defaults to an empty list.
-# crowd_additional_jvm_args = ["-Dproperty=value", "-Dproperty1=value1"]
+# crowd_additional_jvm_args = ["-Dproperty=value", "-Dproperty1=value1"]

dc-infrastructure.tf

@@ -19,11 +19,11 @@ module "base-infrastructure" {
   enable_https_ingress      = var.enable_https_ingress
   create_external_dns       = var.create_external_dns
   additional_namespaces     = var.additional_namespaces
-  enable_ssh_tcp        = local.install_bitbucket
-  osquery_secret_name   = var.osquery_fleet_enrollment_secret_name
-  osquery_secret_region = var.osquery_fleet_enrollment_secret_region_aws
-  osquery_env           = var.osquery_env
-  osquery_version       = var.osquery_version
+  enable_ssh_tcp            = local.install_bitbucket
+  osquery_secret_name       = var.osquery_fleet_enrollment_secret_name
+  osquery_secret_region     = var.osquery_fleet_enrollment_secret_region_aws
+  osquery_env               = var.osquery_env
+  osquery_version           = var.osquery_version
 
   kinesis_log_producers_role_arns = var.kinesis_log_producers_role_arns
   osquery_fleet_enrollment_host   = var.osquery_fleet_enrollment_host
@@ -242,11 +242,11 @@ module "confluence" {
   # If local Helm charts path is provided, Terraform will then install using local charts and ignores remote registry
   local_confluence_chart_path = local.local_confluence_chart_path
 
-  opensearch_enabled = var.confluence_opensearch_enabled
-  opensearch_requests_cpu = var.confluence_opensearch_requests_cpu
-  opensearch_requests_memory = var.confluence_opensearch_requests_memory
-  opensearch_snapshot_id = var.confluence_opensearch_snapshot_id
-  opensearch_persistence_size = var.confluence_opensearch_persistence_size
+  opensearch_enabled                = var.confluence_opensearch_enabled
+  opensearch_requests_cpu           = var.confluence_opensearch_requests_cpu
+  opensearch_requests_memory        = var.confluence_opensearch_requests_memory
+  opensearch_snapshot_id            = var.confluence_opensearch_snapshot_id
+  opensearch_persistence_size       = var.confluence_opensearch_persistence_size
   opensearch_initial_admin_password = var.confluence_opensearch_initial_admin_password
 }
 
@@ -296,12 +296,17 @@ module "bitbucket" {
 
   additional_jvm_args = var.bitbucket_additional_jvm_args
 
-  elasticsearch_requests_cpu    = var.bitbucket_elasticsearch_requests_cpu
-  elasticsearch_requests_memory = var.bitbucket_elasticsearch_requests_memory
-  elasticsearch_limits_cpu      = var.bitbucket_elasticsearch_limits_cpu
-  elasticsearch_limits_memory   = var.bitbucket_elasticsearch_limits_memory
-  elasticsearch_storage         = var.bitbucket_elasticsearch_storage
-  elasticsearch_replicas        = var.bitbucket_elasticsearch_replicas
+  opensearch_requests_cpu        = var.bitbucket_opensearch_requests_cpu
+  opensearch_requests_memory     = var.bitbucket_opensearch_requests_memory
+  opensearch_limits_cpu          = var.bitbucket_opensearch_limits_cpu
+  opensearch_limits_memory       = var.bitbucket_opensearch_limits_memory
+  opensearch_storage             = var.bitbucket_opensearch_storage
+  opensearch_replicas            = var.bitbucket_opensearch_replicas
+  opensearch_java_opts           = var.bitbucket_opensearch_java_opts
+  deploy_opensearch              = var.bitbucket_deploy_opensearch
+  opensearch_secret_name         = var.bitbucket_opensearch_secret_name
+  opensearch_secret_username_key = var.bitbucket_opensearch_secret_username_key
+  opensearch_secret_password_key = var.bitbucket_opensearch_secret_password_key
 
   shared_home_snapshot_id = local.bitbucket_ebs_snapshot_id
 

docs/docs/userguide/configuration/BITBUCKET_CONFIGURATION.md

@@ -153,7 +153,7 @@ If you restore the database, you need to provide the db name from the snapshot.
 bitbucket_db_name = "bitbucket"
 ```
 
-## NFS and Elasticsearch Configuration
+## NFS and OpenSearch Configuration
 
 
 ### NFS resource configuration
@@ -168,18 +168,24 @@ bitbucket_nfs_limits_cpu      = "2"
 bitbucket_nfs_limits_memory   = "2Gi"
 ```
 
-### Elasticsearch Configuration
+### OpenSearch Configuration
 
-The following variables set the request for number of CPU, amount of memory, amount of storage, and the number of instances in elasticsearch cluster. (Used default values as example.)
+The following variables set the request for number of CPU, amount of memory, amount of storage, and the number of instances in elasticsearch cluster.
 
 ```terraform
 # Elasticsearch resource configuration for Bitbucket
-bitbucket_elasticsearch_requests_cpu    = "0.5"
-bitbucket_elasticsearch_requests_memory = "0.5Gi"
-bitbucket_elasticsearch_limits_cpu      = "1"
-bitbucket_elasticsearch_limits_memory   = "1Gi"
-bitbucket_elasticsearch_storage         = 10
-bitbucket_elasticsearch_replicas        = 2
+bitbucket_opensearch_requests_cpu    = "2"
+bitbucket_opensearch_requests_memory = "2Gi"
+bitbucket_opensearch_limits_cpu      = "4"
+bitbucket_opensearch_limits_memory   = "4Gi"
+bitbucket_opensearch_storage         = "20"
+bitbucket_opensearch_replicas        = "3"
+bitbucket_opensearch_java_opts       = "-Xmx=1024"
+#Configure access to external OpenSearch (created outside Terraform modules)
+bitbucket_opensearch_endpoint            = "https://myopensearch.com"
+bitbucket_opensearch_secret_name         = "os-creds"
+bitbucket_opensearch_secret_username_key = "user"
+bitbucket_opensearch_secret_password_key = "pass"
 ```
 
 

modules/AWS/ingress/main.tf

@@ -93,7 +93,7 @@ resource "helm_release" "ingress" {
             "service.beta.kubernetes.io/aws-load-balancer-backend-protocol" : "http"
 
             # LoadBalancer is created by AWS not Terraform, so we need to add resource tags to it
-            "service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags": local.resource_tags
+            "service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags" : local.resource_tags
           }
         }
       }

modules/AWS/ingress/variables.tf

@@ -38,5 +38,5 @@ variable "additional_namespaces" {
 
 variable "tags" {
   description = "Additional tags for all resources to be created."
-  type = map(string)
+  type        = map(string)
 }

modules/products/bitbucket/helm.tf

@@ -35,9 +35,6 @@ resource "helm_release" "bitbucket" {
             }
           }
         }
-        elasticSearch = {
-          baseUrl = local.elasticsearch_endpoint
-        }
         additionalJvmArgs = concat(local.dcapt_analytics_property)
       }
       database = {
@@ -75,6 +72,32 @@ resource "helm_release" "bitbucket" {
           enabled = false
         }
       }
+      opensearch = {
+        install = var.opensearch_endpoint == null ? true : false
+        baseUrl = local.opensearch_endpoint
+        credentials = {
+          secretName        = var.opensearch_secret_name
+          usernameSecretKey = var.opensearch_secret_username_key
+          passwordSecretKey = var.opensearch_secret_password_key
+        }
+        singleNode = var.opensearch_replicas == 1 ? true : false
+        replicas   = var.opensearch_replicas
+        resources = {
+          requests = {
+            cpu    = var.opensearch_requests_cpu
+            memory = var.opensearch_requests_memory
+          }
+          limits = {
+            cpu    = var.opensearch_limits_cpu
+            memory = var.opensearch_limits_memory
+          }
+        }
+        opensearchJavaOpts = var.opensearch_java_opts
+        persistence = {
+          side = "${var.opensearch_storage}Gi"
+        }
+        terminationGracePeriod = "0"
+      }
     }),
     local.ingress_settings,
     local.context_path_settings,

modules/products/bitbucket/locals.tf

@@ -60,21 +60,8 @@ locals {
     }
   }) : yamlencode({})
 
-  # Elasticsearch
-  elasticsearch_name                  = "elasticsearch"
-  elasticsearch_helm_chart_repository = "https://helm.elastic.co"
-  elasticsearch_helm_chart_version    = "7.17.3"
-  elasticsearch_antiAffinity          = "soft"
+  opensearch_endpoint = var.opensearch_endpoint == null ? "http://opensearch-cluster-master:9200" : var.opensearch_endpoint
 
-  elasticsearch_endpoint = var.elasticsearch_endpoint == null ? "http://${local.elasticsearch_name}-master:9200" : var.elasticsearch_endpoint
-  minimumMasterNodes     = var.elasticsearch_replicas == 1 ? 1 : 2
-
-  single_mode_elasticsearch = var.elasticsearch_replicas > 1 ? yamlencode({}) : yamlencode({
-    extraEnvs = [
-      { name = "discovery.type", value = "single-node" },
-      { name = "cluster.initial_master_nodes", value = "" }
-    ]
-  })
 
   # Bitbucket display name
   display_name = var.display_name != null ? yamlencode({

modules/products/bitbucket/outputs.tf

@@ -18,6 +18,6 @@ output "kubernetes_rds_secret_name" {
   value = kubernetes_secret.rds_secret.metadata[0].name
 }
 
-output "elasticsearch_endpoint" {
-  value = local.elasticsearch_endpoint
+output "opensearch_endpoint" {
+  value = local.opensearch_endpoint
 }

modules/products/bitbucket/variables.tf

@@ -115,44 +115,71 @@ variable "shared_home_size" {
   default     = "10Gi"
 }
 
-# If an external elasticsearch is not provided, Bitbucket will provision an elasticsearch cluster in k8s
-variable "elasticsearch_endpoint" {
-  description = "The external elasticsearch endpoint to be use by Bitbucket."
+variable "deploy_opensearch" {
+  description = "Install OpenSearch sub-chart with Bitbucket Helm chart"
+  type        = bool
+  default     = true
+}
+
+# If an external OpenSearch is not provided, Bitbucket will provision an OpenSearch cluster in k8s
+variable "opensearch_endpoint" {
+  description = "The external OpenSearch endpoint to be used by Bitbucket."
+  type        = string
+  default     = null
+}
+
+variable "opensearch_secret_name" {
+  description = "Secret name with OpenSearch credentials."
   type        = string
   default     = null
 }
 
-variable "elasticsearch_requests_cpu" {
-  description = "Number of CPUs requested for elasticsearch instance."
+variable "opensearch_secret_username_key" {
+  description = "Username key in the opensearch secret"
+  type        = string
+}
+
+variable "opensearch_secret_password_key" {
+  description = "Password key in the opensearch secret"
+  type        = string
+}
+
+variable "opensearch_requests_cpu" {
+  description = "Number of CPUs requested for opensearch instance."
+  type        = string
+}
+
+variable "opensearch_requests_memory" {
+  description = "Amount of memory requested for opensearch instance."
   type        = string
 }
 
-variable "elasticsearch_requests_memory" {
-  description = "Amount of memory requested for elasticsearch instance."
+variable "opensearch_limits_cpu" {
+  description = "CPU limit for opensearch instance."
   type        = string
 }
 
-variable "elasticsearch_limits_cpu" {
-  description = "CPU limit for elasticsearch instance."
+variable "opensearch_limits_memory" {
+  description = "Memory limit for opensearch instance."
   type        = string
 }
 
-variable "elasticsearch_limits_memory" {
-  description = "Memory limit for elasticsearch instance."
+variable "opensearch_java_opts" {
+  description = "JAVA_OPTS passed to OpenSearch JVM."
   type        = string
 }
 
-variable "elasticsearch_storage" {
-  description = "Storage size for elasticsearch instance in Gib."
+variable "opensearch_storage" {
+  description = "Storage size for opensearch instance in Gib."
   type        = number
 }
 
-variable "elasticsearch_replicas" {
-  description = "Number of nodes for elasticsearch instance."
+variable "opensearch_replicas" {
+  description = "Number of nodes for opensearch instance."
   type        = number
   validation {
-    condition     = can(regex("^[2-8]$", var.elasticsearch_replicas))
-    error_message = "Invalid elasticsearch replicas. Valid replicas is a positive integer in range of [2,8]."
+    condition     = can(regex("^[1-8]$", var.opensearch_replicas))
+    error_message = "Invalid opensearch replicas. Valid replicas is a positive integer in range of [2,8]."
   }
 }
 

modules/products/confluence/provider_version.tf

@@ -10,7 +10,7 @@ terraform {
       version = "~> 2.4"
     }
     random = {
-      source = "hashicorp/random"
+      source  = "hashicorp/random"
       version = "3.6.1"
     }
   }

outputs.tf

@@ -102,9 +102,9 @@ output "synchrony_url" {
   value       = var.confluence_collaborative_editing_enabled && length(module.confluence) == 1 ? module.confluence[0].synchrony_url : null
 }
 
-output "elasticsearch_url" {
+output "opensearch_url" {
   description = "URL to access the Bitbucket elasticsearch"
-  value       = local.install_bitbucket && length(module.bitbucket) == 1 ? module.bitbucket[0].elasticsearch_endpoint : null
+  value       = local.install_bitbucket && length(module.bitbucket) == 1 ? module.bitbucket[0].opensearch_endpoint : null
 }
 
 output "confluence_s3_bucket" {

provider_version.tf

@@ -10,7 +10,7 @@ terraform {
       version = "~> 2.4"
     }
     random = {
-      source = "hashicorp/random"
+      source  = "hashicorp/random"
       version = "3.6.1"
     }
   }