Use Amazon OpenSearch Service with the Helm chart
Configure Camunda 8 Self-Managed to use Amazon OpenSearch Service as a secondary storage backend when deploying with the Helm chart. OpenSearch is used for indexing and querying operational data consumed by multiple Camunda components. For a canonical definition, see Elasticsearch/OpenSearch.
By default, the Helm chart deployment provisions an Elasticsearch instance. You can instead configure the Helm chart to connect to an external Amazon OpenSearch Service instance.
Camunda 8 supports both the open-source OpenSearch distribution and Amazon OpenSearch Service.
Prerequisites
Amazon OpenSearch requires two layers of permissions:
- AWS IAM permissions
- OpenSearch internal authentication
To connect to OpenSearch using AWS IAM roles for service accounts (IRSA), see the IAM roles for service accounts documentation.
To connect to OpenSearch using basic authentication, follow the configuration below.
Configuration
Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
global.opensearch.enabled | boolean | false | Enable external OpenSearch. |
global.opensearch.aws.enabled | boolean | false | Enable AWS IRSA integration. |
global.opensearch.tls.enabled | boolean | false | Enable TLS for external OpenSearch. |
global.opensearch.tls.existingSecret | string | "" | Reference an existing TLS secret for OpenSearch. |
global.opensearch.auth.username | string | "" | Username for OpenSearch. |
global.opensearch.auth.secret.inlineSecret | string | "" | Plain-text password for non-production use. |
global.opensearch.auth.secret.existingSecret | string | "" | Reference an existing Kubernetes Secret containing the password. |
global.opensearch.auth.secret.existingSecretKey | string | "" | Key within the existing secret object. |
global.opensearch.url.protocol | string | "https" | Access protocol for OpenSearch. |
global.opensearch.url.host | string | "" | OpenSearch host, ideally the service name inside the namespace. |
global.opensearch.url.port | number | 443 | Port used to access OpenSearch. |
global.opensearch.clusterName | string | "opensearch" | Name of the OpenSearch cluster. |
global.opensearch.prefix | string | zeebe-record | Index prefix for zeebe-record indices. See Configure Elasticsearch and OpenSearch index prefixes. |
Example usage
global:
elasticsearch:
enabled: false
opensearch:
enabled: true
auth:
username: user
secret:
# For non-production environments only:
inlineSecret: "your-password-here"
# For production (recommended):
# existingSecret: "opensearch-secret"
# existingSecretKey: "password"
url:
protocol: https
host: opensearch.example.com
port: 443
elasticsearch:
enabled: false
This configuration disables the internal Elasticsearch component and the Elasticsearch configuration for all components. This is required to use Amazon OpenSearch Service.
To avoid storing the username and password in plaintext in your values.yaml, reference a Kubernetes secret.
For details and examples, see Helm charts secret management.
Connect to external OpenSearch with custom index prefixes
When running multiple Camunda instances on a shared OpenSearch cluster, use custom index prefixes to isolate data:
global:
elasticsearch:
enabled: false
opensearch:
enabled: true
prefix: my-env-zeebe # Prefix for zeebe-record indices
auth:
username: admin
secret:
inlineSecret: pass
url:
protocol: https
host: opensearch.example.com
port: 443
orchestration:
index:
prefix: my-env-camunda # Prefix for unified Camunda indices
For more details about index prefix configuration and Optimize-specific settings, see Configure Elasticsearch and OpenSearch index prefixes.
Component configuration
Camunda components use the same configuration keys for both Elasticsearch and OpenSearch.
To switch, replace the elasticsearch prefix with opensearch and provide the corresponding values.
For example:
- Operate:
CAMUNDA_OPERATE_ELASTICSEARCH_URL→CAMUNDA_OPERATE_OPENSEARCH_URL - Tasklist:
CAMUNDA_TASKLIST_ELASTICSEARCH_URL→CAMUNDA_TASKLIST_OPENSEARCH_URL - Optimize:
OPTIMIZE_ELASTICSEARCH_HTTP_PORT→CAMUNDA_OPTIMIZE_OPENSEARCH_HTTP_PORT
For Zeebe, configure the OpenSearch exporter.
For full parameter details, see: