Kubernetes (Helm)

Deploy the Observability Stack to any Kubernetes cluster using the Helm umbrella chart. This creates the same observability platform as the local Docker Compose stack — OpenSearch, OpenSearch Dashboards, Data Prepper, OTel Collector, and Prometheus — as Kubernetes workloads.

Prerequisites

• Kubernetes cluster (1.26+) — kind, EKS, GKE, AKS, etc.
• Helm v3.12+
• kubectl configured for your cluster

Install

git clone https://github.com/opensearch-project/observability-stack.git
cd observability-stack

helm install obs charts/observability-stack

This deploys all components with sensible defaults. The stack is ready when all pods are running:

kubectl get pods

Note

The default configuration deploys a 3-node OpenSearch cluster, 3 OpenSearch Dashboards replicas, and single instances of Data Prepper, OTel Collector, and Prometheus. This is suitable for small production workloads. For local development with kind, see Resource sizing below.

Access Dashboards

kubectl port-forward svc/obs-opensearch-dashboards 5601:5601

Open http://localhost:5601. Default credentials: admin / My_password_123!@#

Caution

Change the default password for any non-local deployment. Set it at install time with --set opensearchPassword="...". The password only takes effect on first boot — OpenSearch hashes it into its internal security index on initial startup. To change the password after install, update it via the Security REST API or security-admin.sh, then run helm upgrade with the new password so the Kubernetes Secret and all pods stay in sync.

Send Telemetry

Services running inside the cluster can send telemetry directly to the OTel Collector:

Protocol	Endpoint
gRPC	obs-opentelemetry-collector:4317
HTTP	obs-opentelemetry-collector:4318

Set the environment variable in your pod spec or deployment:

env:
  - name: OTEL_EXPORTER_OTLP_ENDPOINT
    value: http://obs-opentelemetry-collector:4317

For sending telemetry from outside the cluster (e.g. local development), port-forward the OTLP endpoints:

kubectl port-forward svc/obs-opentelemetry-collector 4317:4317 4318:4318

export OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317

Configuration

Key values in charts/observability-stack/values.yaml:

Value	Default	Description
opensearchUsername	admin	OpenSearch admin username
opensearchPassword	My_password_123!@#	OpenSearch admin password
examples.enabled	true	Deploy example agents that generate sample telemetry
opentelemetry-demo.enabled	false	Deploy the OTel Demo microservices app
ismRetentionDays	7	Days to retain trace/log indices (0 = rollover only)
gateway.enabled	false	Enable Gateway API ingress
opensearchExporter.enabled	true	Deploy Prometheus exporter for OpenSearch metrics

Override values at install time:

helm install obs charts/observability-stack \
  --set opensearchPassword="YourSecurePassword123!" \
  --set examples.enabled=false

Credential management

All components read credentials from a single Kubernetes Secret (opensearch-credentials), sourced from opensearchUsername and opensearchPassword in values.yaml. No passwords are hardcoded in sub-chart configurations. Pods read the Secret as environment variables at startup, so changing the password requires both updating OpenSearch’s internal security index (via the Security API) and running helm upgrade with the new value to update the Secret and restart pods.

Resource sizing

For local development (kind):

helm install obs charts/observability-stack \
  --set opensearch.singleNode=true \
  --set opensearch.replicas=1 \
  --set opensearch.resources.requests.memory=1Gi \
  --set opensearch.resources.limits.memory=1Gi \
  --set opensearch.opensearchJavaOpts="-Xms512m -Xmx512m" \
  --set opensearch.persistence.size=2Gi \
  --set data-prepper.resources.requests.memory=512Mi \
  --set data-prepper.resources.limits.memory=512Mi

For production sizing, dedicated node roles, and advanced cluster topologies, see the chart README sizing guide and the official Tuning your cluster documentation.

Anonymous authentication

For public-facing demos where login isn’t needed:

helm install obs charts/observability-stack \
  -f charts/observability-stack/values-anonymous-auth.yaml

EKS deployment

A Terraform module for deploying to AWS EKS is included at terraform/aws/. A single terraform apply provisions:

• VPC with public/private subnets
• EKS cluster with managed node groups
• ALB with TLS termination via ACM certificate, routing to OpenSearch Dashboards
• WAF rules for web application protection
• Route 53 DNS records pointing to ALB
• Helm release of the full Observability Stack
• Optional anonymous authentication for public demos

See the EKS Deployment Guide for the step-by-step checklist, including S3 state backend setup, multi-region support, verification steps, troubleshooting, and cost estimates.

Next steps

• Send Data — instrument your applications and agents to send telemetry to the stack
• Dashboards & Visualize — build custom dashboards and visualizations
• Agent Observability — trace AI agent execution with GenAI semantic conventions
• Application Monitoring — explore service maps, RED metrics, and latency tracking

Uninstall

# Keep data (PVCs)
helm uninstall obs

# Remove everything including data
helm uninstall obs
kubectl delete pvc -l app.kubernetes.io/part-of=observability-stack