feat(opensearch): Add helm charts (#7606)

2026-02-16 23:35:46 +00:00 · 2026-01-21 11:34:18 -08:00
parent dbde2e6d6d
commit 61f2c48ebc
6 changed files with 94 additions and 3 deletions
--- a/.github/workflows/pr-helm-chart-testing.yml
+++ b/.github/workflows/pr-helm-chart-testing.yml
@@ -88,6 +88,7 @@ jobs:
          echo "=== Adding Helm repositories ==="
          helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
          helm repo add vespa https://onyx-dot-app.github.io/vespa-helm-charts
+          helm repo add opensearch https://opensearch-project.github.io/helm-charts
          helm repo add cloudnative-pg https://cloudnative-pg.github.io/charts
          helm repo add ot-container-kit https://ot-container-kit.github.io/helm-charts
          helm repo add minio https://charts.min.io/
@@ -180,6 +181,11 @@ jobs:
          trap cleanup EXIT

          # Run the actual installation with detailed logging
+          # Note that opensearch.enabled is true whereas others in this install
+          # are false. There is some work that needs to be done to get this
+          # entire step working in CI, enabling opensearch here is a small step
+          # in that direction. If this is causing issues, disabling it in this
+          # step should be ok in the short term.
          echo "=== Starting ct install ==="
          set +e
          ct install --all \
@@ -187,6 +193,8 @@ jobs:
              --set=nginx.enabled=false \
              --set=minio.enabled=false \
              --set=vespa.enabled=false \
+              --set=opensearch.enabled=true \
+              --set=auth.opensearch.enabled=true \
              --set=slackbot.enabled=false \
              --set=postgresql.enabled=true \
              --set=postgresql.nameOverride=cloudnative-pg \
--- a/ct.yaml
+++ b/ct.yaml
@@ -7,6 +7,7 @@ chart-dirs:
 # must be kept in sync with Chart.yaml
 chart-repos:
  - vespa=https://onyx-dot-app.github.io/vespa-helm-charts
+  - opensearch=https://opensearch-project.github.io/helm-charts
  - ingress-nginx=https://kubernetes.github.io/ingress-nginx
  - postgresql=https://cloudnative-pg.github.io/charts
  - redis=https://ot-container-kit.github.io/helm-charts
--- a/deployment/helm/charts/onyx/Chart.lock
+++ b/deployment/helm/charts/onyx/Chart.lock
@@ -5,6 +5,9 @@ dependencies:
 - name: vespa
  repository: https://onyx-dot-app.github.io/vespa-helm-charts
  version: 0.2.25
+- name: opensearch
+  repository: https://opensearch-project.github.io/helm-charts
+  version: 3.4.0
 - name: ingress-nginx
  repository: https://kubernetes.github.io/ingress-nginx
  version: 4.13.3
@@ -17,5 +20,5 @@ dependencies:
 - name: code-interpreter
  repository: https://onyx-dot-app.github.io/code-interpreter/
  version: 0.2.0
-digest: sha256:57ee955a0205debd38dceb4902681b96c4ba1cd7e437e2c7c1f73d95f37f70ef
-generated: "2025-11-30T11:17:28.336304-08:00"
+digest: sha256:65e3aad0189907ff35e1532374ca0b4a5c32c7356c8af55f646a6e3c59e574cd
+generated: "2026-01-21T11:06:55.190114-08:00"
--- a/deployment/helm/charts/onyx/Chart.yaml
+++ b/deployment/helm/charts/onyx/Chart.yaml
@@ -5,7 +5,7 @@ home: https://www.onyx.app/
 sources:
  - "https://github.com/onyx-dot-app/onyx"
 type: application
-version: 0.4.18
+version: 0.4.19
 appVersion: latest
 annotations:
  category: Productivity
@@ -27,6 +27,10 @@ dependencies:
    version: 0.2.25
    repository: https://onyx-dot-app.github.io/vespa-helm-charts
    condition: vespa.enabled
+  - name: opensearch
+    version: 3.4.0
+    repository: https://opensearch-project.github.io/helm-charts
+    condition: opensearch.enabled
  - name: ingress-nginx
    version: 4.13.3
    repository: https://kubernetes.github.io/ingress-nginx
--- a/deployment/helm/charts/onyx/templates/configmap.yaml
+++ b/deployment/helm/charts/onyx/templates/configmap.yaml
@@ -12,6 +12,12 @@ data:
  {{- if .Values.vespa.enabled }}
  VESPA_HOST: {{ .Values.vespa.name }}.{{ .Values.vespa.service.name }}.{{ .Release.Namespace }}.svc.cluster.local
  {{- end }}
+  {{- if .Values.opensearch.enabled }}
+  OPENSEARCH_HOST: {{ .Values.opensearch.clusterName }}-{{ .Values.opensearch.nodeGroup }}.{{ .Release.Namespace }}.svc.cluster.local
+  OPENSEARCH_REST_API_PORT: "9200"
+  ENABLE_OPENSEARCH_INDEXING_FOR_ONYX: "true"
+  ENABLE_OPENSEARCH_RETRIEVAL_FOR_ONYX: "false"
+  {{- end }}
  {{- if .Values.redis.enabled }}
  REDIS_HOST: {{ .Values.redis.redisStandalone.name | default .Release.Name }}-master
  {{- end }}
--- a/deployment/helm/charts/onyx/values.yaml
+++ b/deployment/helm/charts/onyx/values.yaml
@@ -58,6 +58,52 @@ vespa:
      cpu: 8000m
      memory: 32000Mi

+opensearch:
+  enabled: false
+  # These values are passed to the opensearch subchart.
+  # See https://github.com/opensearch-project/helm-charts/blob/main/charts/opensearch/values.yaml
+
+  singleNode: true  # Forces replicas=1, sets discovery.type=single-node
+
+  # Determines service DNS: onyx-opensearch-master.<namespace>.svc.cluster.local
+  clusterName: "onyx-opensearch"
+  nodeGroup: "master"
+  masterService: "onyx-opensearch-master"
+
+  replicas: 1
+
+  image:
+    repository: "opensearchproject/opensearch"
+    tag: ""  # Empty uses chart's appVersion (3.4.0).
+
+  # The security plugin requires OPENSEARCH_INITIAL_ADMIN_PASSWORD for
+  # OpenSearch 2.12+.
+  # See https://docs.opensearch.org/latest/install-and-configure/install-opensearch/helm/#prerequisites
+  extraEnvs:
+    - name: OPENSEARCH_INITIAL_ADMIN_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: onyx-opensearch  # Must match auth.opensearch.secretName.
+          key: opensearch_admin_password  # Must match auth.opensearch.secretKeys value.
+
+  resources:
+    requests:
+      cpu: 2000m
+      memory: 4Gi
+    limits:
+      cpu: 4000m
+      memory: 8Gi
+
+  persistence:
+    enabled: true
+    size: 30Gi
+    storageClass: ""
+
+  # Java heap should be ~50% of memory limit.
+  # See https://opster.com/guides/opensearch/opensearch-basics/opensearch-heap-size-usage-and-jvm-garbage-collection/
+  # Xms is the starting size, Xmx is the maximum size. These should be the same.
+  opensearchJavaOpts: "-Xmx4g -Xms4g"
+
 persistent:
  storageClassName: ""

@@ -1028,6 +1074,29 @@ auth:
    values:
      db_readonly_user: ""
      db_readonly_password: ""
+  opensearch:
+    # Enable or disable this secret entirely. Will remove from env var
+    # configurations and remove any created secrets.
+    # Set to true when opensearch.enabled is true.
+    enabled: false
+    # Overwrite the default secret name, ignored if existingSecret is defined.
+    secretName: 'onyx-opensearch'
+    # Use a secret specified elsewhere.
+    existingSecret: ""
+    # This defines the env var to secret map, key is always upper-cased as an
+    # env var.
+    secretKeys:
+      OPENSEARCH_ADMIN_USERNAME: opensearch_admin_username
+      OPENSEARCH_ADMIN_PASSWORD: opensearch_admin_password
+    # Secrets values IF existingSecret is empty. Key here must match the value
+    # in secretKeys to be used. Values will be base64 encoded in the k8s
+    # cluster.
+    # Password must meet OpenSearch complexity requirements:
+    # min 8 chars, uppercase, lowercase, digit, and special character.
+    # CHANGE THIS FOR PRODUCTION.
+    values:
+      opensearch_admin_username: "admin"
+      opensearch_admin_password: "OnyxDev1!"

 configMap:
  # Change this for production uses unless Onyx is only accessible behind VPN