-
Notifications
You must be signed in to change notification settings - Fork 58
Deploying to Kubernetes
This guide covers deploying Migration Assistant to a generic Kubernetes cluster using Helm charts. For AWS EKS deployment (recommended for AWS users), see Deploying to EKS.
- Kubernetes cluster: Version 1.24 or later
- Helm 3: Installed and configured
- kubectl: Configured to access your cluster
- Network access: Connectivity from the cluster to source and target clusters
- Persistent storage: StorageClass with dynamic provisioning for state management
Migration Assistant is deployed via Helm charts from the opensearch-migrations repository.
git clone https://github.com/opensearch-project/opensearch-migrations
cd opensearch-migrations/deployment/k8sSee the deployment/k8s/README.md in the repository for:
- Helm chart configuration options
- Required values and customization
- Environment-specific setup
kubectl create namespace maBefore deploying, create Kubernetes secrets for cluster authentication.
Basic authentication:
kubectl create secret generic <secret-name> \
--from-literal=username=<user> \
--from-literal=password=<pass> \
-n mamTLS authentication:
kubectl create secret generic <secret-name> \
--from-file=client.crt=<path-to-cert> \
--from-file=client.key=<path-to-key> \
-n mahelm install migration-assistant ./charts/migration-assistant -n ma -f values.yamlkubectl get pods -n maExpected output:
NAME READY STATUS RESTARTS AGE
argo-workflows-server-xxxxxxxxx-xxxxx 1/1 Running 0 5m
argo-workflows-workflow-controller-xx 1/1 Running 0 5m
migration-console-0 1/1 Running 0 5m
kubectl exec -it migration-console-0 -n ma -- /bin/bashYou should see:
Welcome to the Migration Assistant Console
Configure authentication in your workflow configuration. Run workflow configure sample on the Migration Console to see the exact schema for your installed version.
| Type | Use case | Secret requirements |
|---|---|---|
| Basic | Username/password auth | Secret with username and password keys |
| SigV4 | AWS managed OpenSearch/Elasticsearch | IAM role (no secret needed) |
| mTLS | Certificate-based auth | Secret with client.crt and client.key
|
Basic auth:
kubectl create secret generic source-credentials \
--from-literal=username=admin \
--from-literal=password=<password> \
-n mamTLS:
kubectl create secret generic source-mtls \
--from-file=client.crt=/path/to/client.crt \
--from-file=client.key=/path/to/client.key \
-n maReference these secret names in your workflow configuration under the appropriate authConfig section.
| From | To | Port | Purpose |
|---|---|---|---|
| Migration Console | Source cluster | 9200/443 | Source cluster access |
| Migration Console | Target cluster | 9200/443 | Target cluster access |
| Migration Console | Snapshot storage | 443 | S3/snapshot repository |
| Workflow pods | Source cluster | 9200/443 | Migration operations |
| Workflow pods | Target cluster | 9200/443 | Migration operations |
kubectl describe pod <pod-name> -n ma
kubectl logs <pod-name> -n maVerify connectivity from the migration console:
kubectl exec -it migration-console-0 -n ma -- curl -k https://<cluster-endpoint>:9200Common issues:
- Network policies: Ensure egress to cluster endpoints is allowed
- DNS resolution: Verify cluster hostnames resolve correctly
- Firewall rules: Check that ports 9200/443 are accessible
- Workflow CLI Overview — Learn about the Workflow CLI concepts
- Workflow CLI Getting Started — Run your first migration
- Backfill Workflow — Configure and execute document backfill
Encountering a compatibility issue or missing feature?
- Search existing issues to see if it’s already reported. If it is, feel free to upvote and comment.
- Can’t find it? Create a new issue to let us know.