
opensearch

Helm chart
clusterName: "opensearch-cluster"
nodeGroup: "master"

# Set this to true when discovery.type in the OpenSearch configuration is
# "single-node". When true, replicas is forced to 1.
singleNode: false

# Service that non-master node groups try to connect to when joining the
# cluster. For the master group this should be clusterName + "-" + nodeGroup.
masterService: "opensearch-cluster-master"

# OpenSearch roles applied to this nodeGroup. They are set as the environment
# variable "node.roles",
# e.g. node.roles=master,ingest,data,remote_cluster_client
roles:
  - master
  - ingest
  - data
  - remote_cluster_client

replicas: 3

# If not set, falls back to parsing .Values.imageTag, then .Chart.appVersion.
majorVersion: ""
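global:
  # Set if you want to change the default docker registry, e.g. a private one.
  dockerRegistry: ""

# Base path; the files listed under `config` below are added in
# {{ .Values.opensearchHome }}/config.
opensearchHome: /usr/share/opensearch

# Config files to add in {{ .Values.opensearchHome }}/config, such as
# opensearch.yml and log4j2.properties.
#
# NOTE(review), for the default opensearch.yml below:
#  - network.host: 0.0.0.0 binds on every interface of the pod. What can reach
#    those ports is then decided by the Service type and by NetworkPolicy, and
#    networkPolicy.create defaults to false in this file.
#  - The commented-out demo block contains
#    allow_unsafe_democertificates: true,
#    enforce_hostname_verification: false and the demo admin_dn. The demo
#    certificates are publicly distributed, so they authenticate no one. If
#    the block is uncommented, supply your own certificate files and admin DN
#    and review those two settings first, as the WARNING line inside the block
#    says.
config:
  # Values must be YAML literal style scalar / YAML multiline string.
  # <filename>: |
  #   <formatted-value(s)>
  # log4j2.properties: |
  #   status = error
  #
  #   appender.console.type = Console
  #   appender.console.name = console
  #   appender.console.layout.type = PatternLayout
  #   appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
  #
  #   rootLogger.level = info
  #   rootLogger.appenderRef.console.ref = console
  opensearch.yml: |
    cluster.name: opensearch-cluster

    # Bind to all interfaces because we don't know what IP address Docker will assign to us.
    network.host: 0.0.0.0

    # Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
    # Implicitly done if ".singleNode" is set to "true".
    # discovery.type: single-node

    # Start OpenSearch Security Demo Configuration
    # WARNING: revise all the lines below before you go into production
    # plugins:
    #   security:
    #     ssl:
    #       transport:
    #         pemcert_filepath: esnode.pem
    #         pemkey_filepath: esnode-key.pem
    #         pemtrustedcas_filepath: root-ca.pem
    #         enforce_hostname_verification: false
    #       http:
    #         enabled: true
    #         pemcert_filepath: esnode.pem
    #         pemkey_filepath: esnode-key.pem
    #         pemtrustedcas_filepath: root-ca.pem
    #     allow_unsafe_democertificates: true
    #     allow_default_init_securityindex: true
    #     authcz:
    #       admin_dn:
    #         - CN=kirk,OU=client,O=client,L=test,C=de
    #     audit.type: internal_opensearch
    #     enable_snapshot_restore_privilege: true
    #     check_snapshot_restore_write_privileges: true
    #     restapi:
    #       roles_enabled: ["all_access", "security_rest_api_access"]
    #     system_indices:
    #       enabled: true
    #       indices:
    #         [
    #           ".opendistro-alerting-config",
    #           ".opendistro-alerting-alert*",
    #           ".opendistro-anomaly-results*",
    #           ".opendistro-anomaly-detector*",
    #           ".opendistro-anomaly-checkpoints",
    #           ".opendistro-anomaly-detection-state",
    #           ".opendistro-reports-*",
    #           ".opendistro-notifications-*",
    #           ".opendistro-notebooks",
    #           ".opendistro-asynchronous-search-response*",
    #         ]
    ######## End OpenSearch Security Demo Configuration ########
  # log4j2.properties:
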
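# Extra environment variables to append to this nodeGroup.
# They are appended to the current 'env:' key. You can use any of the
# kubernetes env syntax here.
extraEnvs: []
#  - name: MY_ENVIRONMENT_VAR
#    value: the_value_goes_here
# From chart version 2.18.0 and app version OpenSearch 2.12.0 onwards, a
# custom strong password needs to be provided in order to set up the demo
# admin user. The cluster will not spin up without it unless demo config
# install is disabled.
#  - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
#    value: <strong-password>
# NOTE(review): a literal `value:` keeps the password in the values file and
# in the rendered pod spec. Because this list accepts any kubernetes env
# syntax, the password can be referenced from a Secret instead
# (placeholder names):
#  - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
#    valueFrom:
#      secretKeyRef:
#        name: <secret-name>
#        key: <key-in-secret>

# Allows you to load environment variables from kubernetes secret or config map
envFrom: []
# - secretRef:
#     name: env-secret
# - configMapRef:
#     name: config-map

# A list of secrets and their paths to mount inside the pod
# This is useful for mounting certificates for security and for mounting
# the X-Pack license
secretMounts: []

hostAliases: []
# - ip: "127.0.0.1"
#   hostnames:
#   - "foo.local"
#   - "bar.local"
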
image:
  repository: chainreg.biz/chainguard-private/opensearch
  # Overrides the image tag, which is .Chart.AppVersion by default.
  # The value here carries a sha256 digest after the tag name.
  tag: "latest@sha256:cd0170736847268f609ebea3bd0b1d2ea08887540402d124e9e0d1ceeb91d2ab"
  pullPolicy: "IfNotPresent"

podAnnotations: {}
  # iam.amazonaws.com/role: es-cluster

# Annotations for the OpenSearch StatefulSet
openSearchAnnotations: {}

# Additional labels
labels: {}

opensearchJavaOpts: "-Xmx512M -Xms512M"
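# NOTE(review): the memory request below (100Mi) is smaller than the 512M JVM
# heap configured in opensearchJavaOpts, and no limits are set. The scheduler
# only reserves the request, so a node can be overcommitted; size the request
# (and a limit) to cover the heap for anything beyond a trial.
resources:
  requests:
    cpu: "1000m"
    memory: "100Mi"

initResources: {}
#  limits:
#    cpu: "25m"
#    memory: "128Mi"
#  requests:
#    cpu: "25m"
#    memory: "128Mi"

sidecarResources: {}
#  limits:
#    cpu: "25m"
#    memory: "128Mi"
#  requests:
#    cpu: "25m"
#    memory: "128Mi"
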
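networkHost: "0.0.0.0"

rbac:
  create: false
  serviceAccountAnnotations: {}
  serviceAccountName: ""
  # Controls whether or not the Service Account token is automatically mounted
  # to /var/run/secrets/kubernetes.io/serviceaccount. The default (false)
  # keeps that API credential out of the pod.
  automountServiceAccountToken: false

# NOTE(review): PodSecurityPolicy was removed in Kubernetes v1.25, so this
# section only matters on older clusters. The default spec is fully permissive
# (privileged: true and RunAsAny for every rule); it is inert while create is
# false, but tighten it before setting create to true.
podSecurityPolicy:
  create: false
  name: ""
  spec:
    privileged: true
    fsGroup:
      rule: RunAsAny
    runAsUser:
      rule: RunAsAny
    seLinux:
      rule: RunAsAny
    supplementalGroups:
      rule: RunAsAny
    volumes:
      - secret
      - configMap
      - persistentVolumeClaim
      - emptyDir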
persistence:
  enabled: true
  # Set to false to disable the `fsgroup-volume` initContainer that updates
  # permissions on the persistent disk.
  enableInitChown: true
  # Override the image, which is busybox by default
  # image: busybox
  # Override the image tag, which is latest by default
  # imageTag:
  labels:
    # Add default labels for the volumeClaimTemplate of the StatefulSet
    enabled: false
    # Add custom labels for the volumeClaimTemplate of the StatefulSet
    additionalLabels: {}
  # OpenSearch Persistent Volume Storage Class
  # If defined, storageClassName: <storageClass>
  # If set to "-", storageClassName: "", which disables dynamic provisioning
  # If undefined (the default) or set to null, no storageClassName spec is
  # set, choosing the default provisioner. (gp2 on AWS, standard on
  # GKE, AWS & OpenStack)
  #
  # storageClass: "-"
  accessModes:
    - ReadWriteOnce
  size: 8Gi
  annotations: {}
  # Image and tag overrides set by this chart build; the tag carries a
  # sha256 digest.
  image: chainreg.biz/chainguard-private/busybox
  imageTag: "latest@sha256:ce51e2758ff53af9857fa85bba296cf045a6c0cc9114981527d866ae58403ac4"
# Additional volumes for the pod.
extraVolumes: []
  # - name: extras
  #   emptyDir: {}

# Mounts for the additional volumes.
extraVolumeMounts: []
  # - name: extras
  #   mountPath: /usr/share/extras
  #   readOnly: true

# Additional containers for the pod.
extraContainers: []
  # - name: do-something
  #   image: busybox
  #   command: ['do', 'something']

# Additional init containers for the pod.
extraInitContainers: []
  # - name: do-somethings
  #   image: busybox
  #   command: ['do', 'something']

# PriorityClass settings, as defined in
# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
priorityClassName: ""

# By default this makes sure two pods don't end up on the same node.
# Changing this to a region would allow you to spread pods across regions.
antiAffinityTopologyKey: "kubernetes.io/hostname"

# "hard": pods are only scheduled if there are enough nodes for them, and they
# never end up on the same node. "soft": the same, but "best effort".
# "custom": use what is passed into customAntiAffinity.
antiAffinity: "soft"

# Custom anti-affinity settings, as defined in
# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#types-of-inter-pod-affinity-and-anti-affinity
# Using this parameter requires setting antiAffinity to custom.
customAntiAffinity: {}

# Node affinity settings, as defined in
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature
nodeAffinity: {}

# Pod affinity settings, as defined in
# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#types-of-inter-pod-affinity-and-anti-affinity
podAffinity: {}

# Pod topology spread constraints
# https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
topologySpreadConstraints: []

# The default is to deploy all pods serially. By setting this to parallel all
# pods are started at the same time when bootstrapping the cluster.
podManagementPolicy: "Parallel"

# The environment variables injected by service links are not used, but can
# lead to slow OpenSearch boot times when there are many services in the
# current namespace.
# If you experience slow pod startups you probably want to set this to `false`.
enableServiceLinks: true

protocol: https
httpPort: 9200
transportPort: 9300
metricsPort: 9600
httpHostPort: ""
transportHostPort: ""
service:
  labels: {}
  labelsHeadless: {}
  headless:
    annotations: {}
  type: ClusterIP
  # ipFamilyPolicy and ipFamilies set the behaviour in a dual-stack
  # environment. Omitting them lets the service fall back to whatever the CNI
  # dictates the defaults should be.
  #
  # ipFamilyPolicy: SingleStack
  # ipFamilies:
  # - IPv4
  nodePort: ""
  annotations: {}
  httpPortName: http
  transportPortName: transport
  metricsPortName: metrics
  loadBalancerIP: ""
  loadBalancerSourceRanges: []
  externalTrafficPolicy: ""

updateStrategy: RollingUpdate

# Max unavailable setting for the pod disruption budget.
# The default value of 1 makes sure that kubernetes won't allow more than 1
# of your pods to be unavailable during maintenance.
maxUnavailable: 1
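podSecurityContext:
  fsGroup: 1000
  runAsUser: 1000

# The container drops all capabilities and runs as non-root UID 1000.
# NOTE(review): readOnlyRootFilesystem is left commented out and
# allowPrivilegeEscalation is not set here; consider enabling the first and
# setting the second to false once the image is confirmed to work with them.
securityContext:
  capabilities:
    drop:
      - ALL
  # readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000

securityConfig:
  enabled: true
  path: "/usr/share/opensearch/config/opensearch-security"
  # Individual secret per config file; all are left unset (null) by default.
  actionGroupsSecret:
  configSecret:
  internalUsersSecret:
  rolesSecret:
  rolesMappingSecret:
  tenantsSecret:
  # The following option simplifies securityConfig by using a single secret and
  # specifying the config files as keys in the secret instead of creating
  # different secrets for each config file.
  # Note that this is an alternative to the individual secret configuration
  # above and shouldn't be used if the above secrets are used.
  config:
    # There are multiple ways to define the configuration here:
    # * If you define anything under data, the chart will automatically create
    #   a secret and mount it. This is the best option to choose if you want to
    #   override all the existing yml files at once.
    # * If you define securityConfigSecret, the chart will assume this secret is
    #   created externally and mount it. This is the best option to choose if
    #   your intention is to only update a single yml file.
    # * It is an error to define both data and securityConfigSecret.
    # NOTE(review): anything placed under data (for example internal_users.yml,
    # which holds the users' password hashes) is stored in the values file;
    # securityConfigSecret keeps that material in a secret managed outside
    # the chart.
    securityConfigSecret: ""
    dataComplete: true
    data: {}
      # config.yml: |-
      # internal_users.yml: |-
      # roles.yml: |-
      # roles_mapping.yml: |-
      # action_groups.yml: |-
      # tenants.yml: |-
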
# How long to wait for OpenSearch to stop gracefully
terminationGracePeriod: 120

sysctlVmMaxMapCount: 262144

# Startup probe: TCP check on port 9200.
startupProbe:
  tcpSocket:
    port: 9200
  initialDelaySeconds: 5
  periodSeconds: 10
  timeoutSeconds: 3
  failureThreshold: 30

# No liveness probe by default; example settings follow.
livenessProbe: {}
  # periodSeconds: 20
  # timeoutSeconds: 5
  # failureThreshold: 10
  # successThreshold: 1
  # initialDelaySeconds: 10
  # tcpSocket:
  #   port: 9200

# Readiness probe: TCP check on port 9200.
readinessProbe:
  tcpSocket:
    port: 9200
  periodSeconds: 5
  timeoutSeconds: 3
  failureThreshold: 3

## Use an alternate scheduler.
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""

imagePullSecrets: []
nodeSelector: {}
tolerations: []

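# Enabling this will publicly expose your OpenSearch instance.
# Only enable this if you have security enabled on your cluster.
# NOTE(review): tls defaults to an empty list, so no TLS secret is configured
# for the ingress until one is added under tls.
ingress:
  enabled: false
  # For Kubernetes >= 1.18 you should specify the ingress-controller via the
  # field ingressClassName
  # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
  # ingressClassName: nginx

  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  ingressLabels: {}
  path: /
  hosts:
    - chart-example.local
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

nameOverride: ""
fullnameOverride: ""

masterTerminationFix: false
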
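# Lifecycle hooks; empty by default. Example:
opensearchLifecycle: {}
  # preStop:
  #   exec:
  #     command: ["/bin/sh", "-c", "echo Hello from the preStop handler > /usr/share/message"]
  # postStart:
  #   exec:
  #     command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"]

# Lifecycle hooks; empty by default. Example:
# NOTE(review): the postStart example polls plain HTTP on localhost:9200
# without credentials. With the defaults in this file (protocol: https,
# securityConfig.enabled: true) the wait loop presumably never sees a 200;
# adapt the URL scheme and authentication before using it.
lifecycle: {}
  # preStop:
  #   exec:
  #     command: ["/bin/sh", "-c", "echo Hello from the preStop handler > /usr/share/message"]
  # postStart:
  #   exec:
  #     command:
  #       - bash
  #       - -c
  #       - |
  #         #!/bin/bash
  #         # Add a template to adjust number of shards/replicas
  #         TEMPLATE_NAME=my_template
  #         INDEX_PATTERN="logstash-*"
  #         SHARD_COUNT=8
  #         REPLICA_COUNT=1
  #         ES_URL=http://localhost:9200
  #         while [[ "$(curl -s -o /dev/null -w '%{http_code}\n' $ES_URL)" != "200" ]]; do sleep 1; done
  #         curl -XPUT "$ES_URL/_template/$TEMPLATE_NAME" -H 'Content-Type: application/json' -d'{"index_patterns":['\""$INDEX_PATTERN"\"'],"settings":{"number_of_shards":'$SHARD_COUNT',"number_of_replicas":'$REPLICA_COUNT'}}'

keystore: []
# To add secrets to the keystore:
#  - secretName: opensearch-encryption-key
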
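# NOTE(review): with create: false (the default) the chart creates no
# NetworkPolicy, so access to the OpenSearch ports is not restricted by this
# chart. When enabled, only Ingress traffic is filtered (see below).
networkPolicy:
  create: false
  ## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
  ## In order for a Pod to access OpenSearch, it needs to have the following label:
  ## {{ template "uname" . }}-client: "true"
  ## Example for default configuration to access HTTP port:
  ## opensearch-master-http-client: "true"
  ## Example for default configuration to access transport port:
  ## opensearch-master-transport-client: "true"

  http:
    enabled: false

# Deprecated
# please use the above podSecurityContext.fsGroup instead
fsGroup: ""

## Set optimal sysctl's through securityContext. This requires privilege. Can be disabled if
## the system has already been preconfigured. (Ex: https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html)
## Also see: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
sysctl:
  enabled: false

## Set optimal sysctl's through privileged initContainer.
## NOTE(review): enabling this adds a privileged container to the pod;
## preconfiguring the setting on the nodes avoids needing it.
sysctlInit:
  enabled: false
  # override image, which is busybox by default
  # image: busybox
  # override image tag, which is latest by default
  # imageTag:

  image: chainreg.biz/chainguard-private/busybox
  imageTag: latest@sha256:ce51e2758ff53af9857fa85bba296cf045a6c0cc9114981527d866ae58403ac4
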
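## Enable to add 3rd Party / Custom plugins not offered in the default OpenSearch image.
## NOTE(review): installList entries can be download URLs (the ServiceMonitor
## comment in this file shows one). Plugins added this way are not covered by
## the digest pinned under image.tag, so pin exact plugin versions and fetch
## them from a source you control or have verified.
plugins:
  enabled: false
  installList: []
  # - example-fake-plugin
  removeList: []
  # - example-fake-plugin

# -- Array of extra K8s manifests to deploy
extraObjects: []
  # - apiVersion: secrets-store.csi.x-k8s.io/v1
  #   kind: SecretProviderClass
  #   metadata:
  #     name: argocd-secrets-store
  #   spec:
  #     provider: aws
  #     parameters:
  #       objects: |
  #         - objectName: "argocd"
  #           objectType: "secretsmanager"
  #           jmesPath:
  #               - path: "client_id"
  #                 objectAlias: "client_id"
  #               - path: "client_secret"
  #                 objectAlias: "client_secret"
  #     secretObjects:
  #     - data:
  #       - key: client_id
  #         objectName: client_id
  #       - key: client_secret
  #         objectName: client_secret
  #       secretName: argocd-secrets-store
  #       type: Opaque
  #       labels:
  #         app.kubernetes.io/part-of: argocd
  # - |
  #    apiVersion: policy/v1
  #    kind: PodDisruptionBudget
  #    metadata:
  #      name: {{ template "opensearch.uname" . }}
  #      labels:
  #        {{- include "opensearch.labels" . | nindent 4 }}
  #    spec:
  #      minAvailable: 1
  #      selector:
  #        matchLabels:
  #          {{- include "opensearch.selectorLabels" . | nindent 6 }}
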
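# ServiceMonitor Configuration for Prometheus
# Enabling this option will create a ServiceMonitor resource that allows
# Prometheus to scrape metrics from the OpenSearch service.
# This only creates the ServiceMonitor. To actually have metrics, make sure to
# install the prometheus-exporter plugin needed for serving metrics over the
# `.Values.plugins` value:
#   plugins:
#     enabled: true
#     installList:
#       - https://github.com/aiven/prometheus-exporter-plugin-for-opensearch/releases/download/x.x.x.x/prometheus-exporter-x.x.x.x.zip
serviceMonitor:
  # Set to true to enable the ServiceMonitor resource
  enabled: false

  # HTTP path where metrics are exposed.
  # Ensure this matches your OpenSearch service configuration.
  path: /_prometheus/metrics

  # Scheme to use for scraping.
  # NOTE(review): this defaults to http while `protocol` in this file defaults
  # to https; confirm which scheme the metrics endpoint actually serves and
  # set tlsConfig accordingly.
  scheme: http

  # Frequency at which Prometheus will scrape metrics.
  # Adjust based on your needs.
  interval: 10s

  # additional labels to be added to the ServiceMonitor
  # labels:
  #   k8s.example.com/prometheus: kube-prometheus
  labels: {}

  # additional tlsConfig to be added to the ServiceMonitor
  tlsConfig: {}

  # Basic Auth configuration for the service monitor
  # You can either use existingSecret, which expects a secret to be already
  # present with data.username and data.password,
  # or set the credentials over the helm values, making helm create a secret
  # for you. existingSecret keeps the credentials out of the values file.
  # basicAuth:
  #   enabled: true
  #   existingSecret: my-secret
  #   username: my-username
  #   password: my-password
  basicAuth:
    enabled: false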