OpenSearch Provisioning

Laralord provisions OpenSearch, a powerful open-source search and analytics engine, as a key component for logging, monitoring, and full-text search in Kubernetes clusters. Widely used in Laravel applications for indexing and querying data, OpenSearch is paired with OpenSearch Dashboards for intuitive visualization and management. This page details the OpenSearch deployment, its configurations, secure access to OpenSearch Dashboards, and integration with Laralord’s multi-tenant SaaS platform. For more information, refer to the official OpenSearch documentation.

[Figure: OpenSearch Dashboards, securely accessed via Laralord’s SSO proxy]

OpenSearch Overview

OpenSearch is an open-source search and analytics engine derived from Elasticsearch, designed for scalable indexing, searching, and analyzing large datasets. It is widely used in Laravel applications for logging, monitoring, and full-text search, integrating seamlessly with libraries like Laravel Scout. Laralord deploys OpenSearch with OpenSearch Dashboards, providing a secure, user-friendly interface for data visualization and management in multi-tenant SaaS environments.

OpenSearch Deployment Details

Laralord deploys OpenSearch and OpenSearch Dashboards in a user-defined namespace using Helm charts from the OpenSearch project. The deployment is configured for security, scalability, and performance, with mTLS for cluster communication and a secure dashboard interface. Key aspects include:

  • Namespace: Deployed in a user-defined namespace, isolating OpenSearch from other services for security and organization.
  • Helm Configuration: Uses specific Helm chart versions for OpenSearch and OpenSearch Dashboards, with settings for replicas, roles, plugins, and mTLS certificates.
  • Secret Management: Stores an initial admin password and a JWT signing key in Kubernetes secrets, with randomly generated values for enhanced security.
  • mTLS Security: Configures SSL for transport and HTTP communication, using certificates mounted from a secret for secure cluster and client interactions.
  • Cluster Roles: Assigns roles (cluster_manager, ingest, data, remote_cluster_client) to nodes, with multiple master nodes for high availability.
  • Plugins and Indices: Enables plugins (e.g., repository-s3) and system indices for alerting, anomaly detection, and reporting, with demo configurations included.
  • Node Selector: Schedules pods on nodes labeled for OpenSearch, optimizing resource allocation.
  • Resource Limits: Sets CPU (500m) and memory (512Mi) requests, with a sysctl adjustment for `vm.max_map_count` to support OpenSearch’s memory requirements.
  • OpenSearch Dashboards: Deploys a separate Helm chart for OpenSearch Dashboards, connecting to the OpenSearch cluster via HTTPS and a master service endpoint.

Key Features

The OpenSearch deployment by Laralord provides the following features:

  • Scalable Search: Indexes and queries large datasets for logging, monitoring, and full-text search in Laravel applications.
  • Secure Connectivity: Uses mTLS for encrypted cluster and client communication, with admin authentication.
  • OpenSearch Dashboards: Offers a user-friendly HTTP interface for data visualization and management, securely accessed via APISIX.
  • High Availability: Configures multiple master nodes and replicas for fault tolerance.
  • Plugin Support: Includes plugins like repository-s3 for snapshot storage and system indices for advanced features (alerting, anomaly detection).
  • Laravel Integration: Supports Laravel Scout for efficient search and indexing in multi-tenant applications.

Why OpenSearch?

OpenSearch is chosen by Laralord for its scalability, open-source governance, and compatibility with Laravel ecosystems. Key advantages include:

  • Laravel Integration: Seamlessly integrates with Laravel Scout for full-text search and indexing, enhancing application functionality.
  • Security: mTLS and admin authentication ensure secure data access in multi-tenant environments.
  • Scalability: Handles large-scale datasets and high query volumes, ideal for SaaS platforms.
  • Analytics Capabilities: Supports logging, monitoring, alerting, and anomaly detection for comprehensive observability.
  • Kubernetes-Native: Deploys efficiently via Helm, with OpenSearch Dashboards for accessible management.

Integration with Laralord

OpenSearch is a core component of Laralord’s multi-tenant SaaS platform, providing scalable search and analytics for tenant applications. Key integrations include:

  • Tenant Indexing: Supports tenant-specific indices for isolated search and analytics, managed via OpenSearch Dashboards.
  • Laravel Applications: Powers Laravel applications with Laravel Scout, indexing data for search and analytics.
  • APISIX Gateway: Routes OpenSearch Dashboards traffic to a custom domain, enforcing mTLS and SSO for secure access.
  • Vault Integration: Stores OpenSearch admin credentials and JWT signing keys in HashiCorp Vault, securely distributing them to applications.
  • Argo CD Deployments: Monitors Argo CD-managed applications by indexing logs and metrics for search.
  • Prometheus + Grafana Synergy: Complements Prometheus and Grafana by providing searchable logs and analytics alongside metrics visualization.
  • Database Integration: Enhances PostgreSQL and MySQL by indexing database logs for search and analysis.

Secure Access with SSO

Laralord secures access to OpenSearch and OpenSearch Dashboards through mTLS for the cluster and a robust Single Sign-On (SSO) proxy for the dashboard, integrated with APISIX Gateway. Key features of the secure access mechanism include:

  • mTLS for OpenSearch: Cluster and client communication is encrypted using mTLS, with certificates mounted from a Kubernetes secret.
  • SSO Authentication: Users log in to OpenSearch Dashboards via Laralord’s frontend, leveraging SSO to authenticate requests.
  • mTLS for Dashboards: Dashboard traffic is encrypted using mTLS, requiring a client certificate managed by Laralord.
  • APISIX Gateway Proxy: Routes OpenSearch Dashboards requests to a custom domain, enforcing SSO, mTLS, and HTTP-to-HTTPS redirection.
  • Admin Authentication: Secures OpenSearch cluster access with a randomly generated admin password, stored in a Kubernetes secret.
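
A check for the mTLS settings listed under OpenSearch Deployment Details and Secure Access with SSO, as an added example that is not Laralord's or the OpenSearch project's own code. It assumes PEM certificates and flat dotted keys in opensearch.yml; the `plugins.security.*` keys are the security plugin's settings, while the sample file, its paths and the function names are constructed for illustration.

```python
# Constructed sample opensearch.yml (assumed paths/values, not Laralord's own).
WEAK = """\
plugins.security.ssl.transport.pemcert_filepath: certs/tls.crt
plugins.security.ssl.transport.pemkey_filepath: certs/tls.key
plugins.security.ssl.transport.pemtrustedcas_filepath: certs/ca.crt
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: certs/tls.crt
plugins.security.ssl.http.pemkey_filepath: certs/tls.key
plugins.security.ssl.http.pemtrustedcas_filepath: certs/ca.crt
plugins.security.allow_unsafe_democertificates: true  # demo setting
"""
# The same file with the three weak settings corrected.
HARDENED = (WEAK.replace("verification: false", "verification: true")
            .replace("democertificates: true", "democertificates: false")
            + "plugins.security.ssl.http.clientauth_mode: REQUIRE\n")

def parse_flat_yaml(text):
    """Read flat 'dotted.key: value' lines, skipping comments and blanks."""
    settings = {}
    for line in text.splitlines():
        line = line.split(" #", 1)[0].strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit_tls(text):
    """Return findings where the file falls short of mutual TLS on both layers."""
    cfg, p, findings = parse_flat_yaml(text), "plugins.security.", []
    for layer in ("transport", "http"):
        for item in ("pemcert_filepath", "pemkey_filepath", "pemtrustedcas_filepath"):
            if not cfg.get(f"{p}ssl.{layer}.{item}"):
                findings.append(f"{layer}: {item} not set")
    if cfg.get(p + "ssl.http.enabled", "false").lower() != "true":
        findings.append("http: TLS disabled on the REST layer")
    # Without REQUIRE the REST layer accepts clients that present no certificate.
    if cfg.get(p + "ssl.http.clientauth_mode", "OPTIONAL").upper() != "REQUIRE":
        findings.append("http: client certificate not required")
    if cfg.get(p + "ssl.transport.enforce_hostname_verification", "true").lower() != "true":
        findings.append("transport: hostname verification disabled")
    if cfg.get(p + "allow_unsafe_democertificates", "false").lower() == "true":
        findings.append("demo certificates allowed")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_tls(text))
```

Run it against the `opensearch.yml` body rendered from the Helm values before rollout; an empty list means both the transport and REST layers are configured for certificate-based TLS with client certificates enforced.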