Using Amazon OpenSearch Service

Camunda 8 Self-Managed has two different types of components: Camunda components (Operate, Optimize, Tasklist, etc.) and non-Camunda dependency components (such as Keycloak and Elasticsearch). For more details, review the architecture documentation for more information on the different types of applications.

This guide steps through using an existing Amazon OpenSearch Service instance. By default, Helm chart deployment creates a new Elasticsearch instance, but it's possible to use Amazon OpenSearch Service instead.

Preparation

Authentication

There are two layers of permissions with OpenSearch: AWS IAM and OpenSearch internal. If you would like to connect to OpenSearch using AWS IAM roles for service accounts (IRSA) then please also refer to the IAM roles for service accounts documentation.

Otherwise, if it is intended to connect to Amazon OpenSearch Service with basic auth, then the example below can be followed:

Values file

The following values can be configured in the Camunda 8 Self-Managed Helm chart in order to use Amazon OpenSearch Service:

Connecting to Amazon OpenSearch Service with basic auth

global:
  elasticsearch:
    enabled: false
  opensearch:
    enabled: true
    auth:
      username: user
      password: pass
    url:
      protocol: https
      host: opensearch.example.com
      port: 443

elasticsearch:
  enabled: false

From the above configuration, the internal Elasticsearch component and the Elasticsearch configuration for all components are disabled. This is required to use Amazon OpenSearch Service.

If you do not wish to specify the username and password in plaintext within the values.yaml file, then the following configuration can be used:

global:
  opensearch:
    auth:
      existingSecret: secretName
      existingSecretKey: secretKey

Next steps

Use the custom values file to deploy Camunda 8 as usual:

helm install camunda camunda/camunda-platform -f existing-elasticsearch-values.yaml