Manage OpenSearch on AWS
AWS OpenSearch is an open source, distributed search and analytics suite derived from Elasticsearch.
Access OpenSearch Dashboard
We typically can’t access an OpenSearch dashboard with the URL provided in the AWS console because the endpoint is in a private subnet in a virtual private cloud (VPC). Therefore, to access it, we need to configure our system to tunnel into the subnet in the VPC.
Prerequisites
Access to a GOV.UK EKS cluster with admin role permissions has been configured and established.
The krelay kubectl plugin and jq command have been installed.
brew install knight42/tap/krelay jq
Connect to the OpenSearch Dashboard
List OpenSearch domain names:
aws opensearch list-domain-names | jq -r '.DomainNames[]|.DomainName'
Get the OpenSearch host name for the OpenSearch domain you want to access (e.g. for chat-engine):
OPENSEARCH_URL=$(aws opensearch describe-domain --domain-name chat-engine | jq -r '.DomainStatus.Endpoints.vpc')
Forward the OpenSearch HTTPS port to your local machine:
kubectl relay host/$OPENSEARCH_URL 4443:443
The OpenSearch Dashboard web interface username and password for each environment can be found in AWS Secrets Manager. To find the opensearch secret name, use the command:
aws secretsmanager list-secrets | jq -r '.SecretList[]|select(.Name|contains("opensearch"))|.Name'
Get the credentials from Secrets Manager and display them on screen (e.g. for govuk/govuk-chat/opensearch):
aws secretsmanager get-secret-value --secret-id govuk/govuk-chat/opensearch | jq -r '.SecretString| tostring' | jq
Open https://localhost:4443/_dashboards in your browser. The TLS certificate will not match localhost, so navigate past the certificate warnings. In Chrome, you can set chrome://flags/#allow-insecure-localhost if you prefer.
Enter the username and password credentials obtained from Secrets Manager to log into the dashboard.
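Before clicking through the browser warning, you can confirm that the relay really terminates at the OpenSearch endpoint by requesting it under its real host name, so that curl validates the certificate normally. This is an added example, not part of the original guide; the function names are hypothetical, and it assumes the relay from the steps above is listening on local port 4443.

```shell
#!/bin/sh
# Added example: guards around the tunnel steps. Function names are hypothetical.

# Reject anything that is not a plain DNS host name. `jq -r` prints the literal
# string "null" when .DomainStatus.Endpoints.vpc is absent (for example, a
# domain that is not in a VPC), which would otherwise be passed to kubectl relay.
valid_endpoint() {
  case "$1" in
    ''|null|*[!A-Za-z0-9.-]*) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the curl --resolve mapping: real host name on the local port -> loopback.
resolve_spec() {
  printf '%s:%s:127.0.0.1' "$1" "$2"
}

# Request the dashboard through the relay using the real host name, so the
# certificate is checked against the name it was issued for.
# Prints "<ssl_verify_result> <http_code>"; ssl_verify_result 0 means the chain
# and host name verified. curl exits non-zero if verification fails.
check_tunnel_tls() {
  host=$1
  port=${2:-4443}
  valid_endpoint "$host" || { echo "bad endpoint: '$host'" >&2; return 2; }
  curl --silent --show-error --output /dev/null --max-time 10 \
    --resolve "$(resolve_spec "$host" "$port")" \
    --write-out '%{ssl_verify_result} %{http_code}\n' \
    "https://$host:$port/_dashboards"
}

# Usage, with `kubectl relay` running in another terminal:
#   check_tunnel_tls "$OPENSEARCH_URL" 4443
```

If the check passes, the only reason the browser warns is that it is addressing the tunnel as localhost rather than by the endpoint's own name.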