Use external Elasticsearch for Optimize with Helm
Configure Optimize in Camunda 8 Self-Managed to connect to an external Elasticsearch instance when deploying with Helm.
This page applies to Optimize only. If the Orchestration Cluster also uses Elasticsearch as secondary storage, configure that separately using use external Elasticsearch for Orchestration Cluster with Helm.
Optimize supports Elasticsearch only through Elasticsearch or OpenSearch backends. It does not support RDBMS.
Prerequisites
Before configuring, collect the following information about your external Elasticsearch instance:
- URL to access the cluster (protocol, host, and port)
- Authentication requirements and credentials (if needed)
- TLS requirements:
- Whether the certificate is publicly trusted
- Whether you need to provide a custom or self-signed certificate
Configuration
Parameters
Use the following Helm values for Optimize's Elasticsearch connection:
| values.yaml option | type | default | description |
|---|---|---|---|
optimize.database.elasticsearch.enabled | boolean | false | Enables Elasticsearch for Optimize. |
optimize.database.elasticsearch.external | boolean | false | Set to true to connect to an external Elasticsearch instance. |
optimize.database.elasticsearch.auth.username | string | "" | Username for external Elasticsearch authentication. |
optimize.database.elasticsearch.auth.secret.inlineSecret | string | "" | Elasticsearch password as a plain-text value for non-production environments only. |
optimize.database.elasticsearch.auth.secret.existingSecret | string | "" | Reference to an existing Kubernetes Secret containing the password. |
optimize.database.elasticsearch.auth.secret.existingSecretKey | string | "" | Key within the existing Kubernetes Secret containing the password. |
optimize.database.elasticsearch.prefix | string | zeebe-record | Index prefix for zeebe-record indices. See configure Elasticsearch and OpenSearch index prefixes. |
optimize.database.elasticsearch.tls.enabled | boolean | false | Enables TLS when connecting to Elasticsearch. |
optimize.database.elasticsearch.tls.secret.existingSecret | string | "" | Name of the Kubernetes Secret containing a TLS certificate. |
optimize.database.elasticsearch.tls.secret.existingSecretKey | string | externaldb.jks | Key within the secret containing the TLS certificate. |
optimize.database.elasticsearch.url.protocol | string | "" | Protocol to use when connecting to Elasticsearch. Possible values are http and https. |
optimize.database.elasticsearch.url.host | string | "" | Hostname or IP address of the Elasticsearch instance. |
optimize.database.elasticsearch.url.port | integer | 0 | Port number of the Elasticsearch instance. |
Example usage
Connect Optimize to external Elasticsearch without a certificate
optimize:
enabled: true
database:
elasticsearch:
enabled: true
external: true
auth:
username: elastic
secret:
inlineSecret: pass
url:
protocol: http
host: elastic.example.com
port: 443
elasticsearch:
enabled: false
Connect Optimize to external Elasticsearch with a self-signed certificate
If the Elasticsearch cluster accepts only https requests with a self-signed certificate:
-
Create an
externaldb.jksfile from the Elasticsearch certificate file. For example, using thekeytoolCLI:keytool -import -alias elasticsearch -keystore externaldb.jks -storetype jks -file elastic.crt -storepass changeit -noprompt -
Create a Kubernetes secret from the
externaldb.jksfile before installing Camunda:kubectl create secret -n camunda generic elastic-jks --from-file=externaldb.jks -
Configure Optimize:
optimize:
enabled: true
database:
elasticsearch:
enabled: true
external: true
tls:
enabled: true
secret:
existingSecret: elastic-jks
auth:
username: elastic
secret:
inlineSecret: pass
url:
protocol: https
host: elastic.example.com
port: 443
elasticsearch:
enabled: false
Connect Optimize to external Elasticsearch with a publicly trusted certificate
optimize:
enabled: true
database:
elasticsearch:
enabled: true
external: true
auth:
username: elastic
secret:
inlineSecret: pass
url:
protocol: https
host: elastic.example.com
port: 443
elasticsearch:
enabled: false