atlassian · amierzwicki · Mar 23, 2026 · Mar 23, 2026
@@ -85,6 +85,11 @@ jobs:
           sleep 10
           kubectl wait --for=condition=ready pod/${DC_APP}-1 -n atlassian --timeout=360s
 
+      - name: Verify ${{inputs.dc_app}} OpenSearch integration
+        run: |
+          source src/test/scripts/kind/deploy_app.sh
+          verify_opensearch
+
       - name: Verify ${{inputs.dc_app}} metrics availability
         run: |
           source src/test/scripts/kind/deploy_app.sh

@@ -219,6 +219,55 @@ information, please refer to
 
   Override the default AWS API endpoint with a custom one (optional).
 
+### OpenSearch configuration
+
+Starting with Jira 11.2, you can configure Jira to use OpenSearch as the search platform.
+For the full list of available OpenSearch properties and requirements, see
+[Configuring OpenSearch for Jira](https://confluence.atlassian.com/adminjiraserver/configuring-opensearch-for-jira-1620511851.html).
+
+OpenSearch properties are injected into `jira-config.properties` using
+`ADDITIONAL_JIRA_CONFIG_*` environment variables (see
+[Custom `jira-config.properties`](#custom-jira-configproperties) for details on
+the mechanism).
+
+The minimum required properties are:
+
+* `search.platform`
+
+  The search platform to use. Set to `opensearch` to enable OpenSearch.
+
+* `opensearch.http.url`
+
+  HTTP(S) URL of the OpenSearch cluster, or multiple URLs separated by commas.
+
+* `opensearch.username`
+
+  Username for the OpenSearch cluster.
+
+* `opensearch.password`
+
+  Password for the OpenSearch cluster.
+
+The `__EXPAND_ENV` suffix lets you keep the password in a separate environment
+variable rather than embedding it directly in the property line. In the example
+below `MY_OPENSEARCH_PASSWORD` is passed inline for brevity:
+
+```bash
+docker run \
+  -e MY_OPENSEARCH_PASSWORD=my-secret \
+  -e ADDITIONAL_JIRA_CONFIG_01="search.platform=opensearch" \
+  -e ADDITIONAL_JIRA_CONFIG_02="opensearch.http.url=http://opensearch-host:9200" \
+  -e ADDITIONAL_JIRA_CONFIG_03="opensearch.username=admin" \
+  -e ADDITIONAL_JIRA_CONFIG_04__EXPAND_ENV="opensearch.password={MY_OPENSEARCH_PASSWORD}" \
+  atlassian/jira-software:latest
+```
+
+!!! warning "Sensitive values on the command line"
+    Passing secrets via `-e` exposes them in shell history, process listings,
+    and `docker inspect` output. In production, use `--env-file` with a
+    permission-protected file or an external secrets manager to supply
+    `MY_OPENSEARCH_PASSWORD`.
+
 ### S3 Attachments storage configuration
 Starting with Jira 9.9, you can configure Jira to [store attachment files in Amazon S3](https://confluence.atlassian.com/adminjiraserver/storing-attachments-in-amazon-s3-1282250191.html). For requirements and additional
 information, please refer to [Configuring Amazon S3 Object Storage](https://confluence.atlassian.com/pages/viewpage.action?spaceKey=JSERVERM&title=.Configuring+Amazon+S3+object+storage+vJira_admin_9.9).
@@ -523,6 +572,85 @@ as a non-root user.
 
   The default Tomcat session timeout (in minutes) for all newly created sessions which is set in web.xml. Defaults to 30.
 
+### Custom `jira-config.properties`
+
+Additional properties can be injected into `jira-config.properties` using
+environment variables prefixed with `ADDITIONAL_JIRA_CONFIG_`.
+
+Each variable's value must be a complete property line in `key=value` format.
+Environment variable names are sorted for consistent file generation; order has
+no effect on runtime behavior.
+
+```bash
+docker run \
+  -e ADDITIONAL_JIRA_CONFIG_01="jira.websudo.is.disabled=true" \
+  -e ADDITIONAL_JIRA_CONFIG_02="jira.lf.top.bgcolour=#003366" \
+  atlassian/jira-software:latest
+```
+
+#### How properties are written
+
+The properties are written to a clearly marked auto-generated section at the end
+of the file. Any manually added content outside this section is preserved across
+container restarts.
+
+#### Injecting secrets via `__EXPAND_ENV`
+
+For values that reference secrets stored in separate environment variables
+(common in Kubernetes where secrets are mounted as env vars), use the
+`__EXPAND_ENV` suffix. Placeholders in `{VAR_NAME}` format are replaced with
+the corresponding environment variable value at startup:
+
+```bash
+docker run \
+  -e MY_OPENSEARCH_PASSWORD=my-secret \
+  -e ADDITIONAL_JIRA_CONFIG_01="search.platform=opensearch" \
+  -e ADDITIONAL_JIRA_CONFIG_02__EXPAND_ENV="opensearch.password={MY_OPENSEARCH_PASSWORD}" \
+  atlassian/jira-software:latest
+```
+
+This generates the following in `jira-config.properties`:
+
+```properties
+# ---- AUTO GENERATED ADDITIONAL PROPERTIES FROM DOCKER IMAGE ---
+# DO NOT MODIFY this section - it is auto-generated during container startup
+# from ADDITIONAL_JIRA_CONFIG_* environment variables
+search.platform=opensearch
+opensearch.password=my-secret
+# ---- END OF AUTO GENERATED ADDITIONAL PROPERTIES ---
+```
+
+If a referenced environment variable is not set, the placeholder is left
+unchanged and a warning is logged.
+
+#### Limitations and requirements
+
+* **Local home directory only**: `jira-config.properties` is written to
+  `$JIRA_HOME` which must be the node-local home directory (not shared storage).
+  Using `ADDITIONAL_JIRA_CONFIG_*` when `jira-config.properties` is stored on a
+  shared filesystem (e.g. NFS, EFS) may cause unexpected outcomes due to update
+  races across different container instances during rolling deployments.
+
+* **Read-only mounts not supported**: If `jira-config.properties` is mounted as
+  a read-only file (e.g. via a Kubernetes ConfigMap volume mount), the
+  `ADDITIONAL_JIRA_CONFIG_*` variables will have no effect. A warning is logged
+  in this case. Manage the file content entirely through the mount instead — do
+  not combine both approaches.
+
+* **Auto-generated section**: The generated properties are placed inside clearly
+  marked comment boundaries at the end of the file. Manual edits outside these
+  markers are preserved. Do not edit content within the markers — it will be
+  overwritten on the next container startup.
+
+| Aspect                  | Detail                                                      |
+|-------------------------|-------------------------------------------------------------|
+| Env var prefix          | `ADDITIONAL_JIRA_CONFIG_`                                   |
+| Secret expansion suffix | `__EXPAND_ENV` (double underscore)                          |
+| Target file             | `$JIRA_HOME/jira-config.properties`                         |
+| Ordering                | Sorted for reproducibility; order has no effect on behavior |
+| Existing content        | Preserved (only auto-generated section is replaced)         |
+| No matching env vars    | File is not created; stale section is removed if present    |
+
 ### Advanced Configuration
 
 As mentioned at the top of this section, the settings from the environment are

@@ -8,5 +8,6 @@ nav:
     - bamboo
     - bitbucket
     - confluence
+    - jira
     - logging
     - ...
@@ -0,0 +1,4 @@
+collapse_single_pages: false
+nav:
+    - JIRA_OPENSEARCH.md
+    - ...
@@ -0,0 +1,96 @@
+# Configuring OpenSearch for Jira
+
+!!!info "Jira and Helm chart version"
+    OpenSearch is supported in Jira 11.2 and Helm chart 2.0.10 onwards.
+
+As Jira instances grow in size and scale, the default search engine, Lucene, may be slower to index and return search results. To address this, Jira Data Center offers an alternative search engine as an opt-in feature — OpenSearch.
+
+## Deploy OpenSearch Helm Chart with Jira
+
+!!!warning "Support disclaimer"
+    Atlassian does not officially support OpenSearch Helm chart that can be installed with the Jira Helm release. Should you encounter any issues with the deployment, maintenance and upgrades, reach out to the [vendor](https://github.com/opensearch-project/helm-charts/tree/main/charts/opensearch){.external}.
+    Moreover, if you intend to deploy OpenSearch to a critical Kubernetes environment, make sure you follow all the best practices, i.e. deploy a multi node cluster, use taints and tolerations, affinity rules, sufficient resources requests, have DR and backup strategies etc.
+
+## Deploy with the default settings
+
+To deploy OpenSearch Helm chart and automatically configure Jira to use it as a search platform, set the following in your Helm values file:
+
+```yaml
+opensearch:
+  enabled: true
+```
+This will:
+
+* auto-generate the initial OpenSearch admin password and create a Kubernetes secret with `OPENSEARCH_INITIAL_ADMIN_PASSWORD` key
+* deploy [OpenSearch Helm chart](https://github.com/opensearch-project/helm-charts/tree/main/charts/opensearch){.external} to the target namespace with the default settings: single node, 1Gi memory/1 vCPU resources requests, 10Gi storage request
+* configure Jira to use the deployed OpenSearch cluster by setting opensearch properties, which are written to `jira-config.properties` at startup. The following properties are configured: `search.platform=opensearch`, `opensearch.http.url=http://opensearch-cluster-master:9200`, `opensearch.username=admin`, and `opensearch.password`.
+
+## Override OpenSearch Helm chart values
+
+You can configure your OpenSearch cluster and the deployment options by overriding any values that the [Helm chart](https://github.com/opensearch-project/helm-charts/blob/main/charts/opensearch/values.yaml){.external} exposes. OpenSearch values must be nested under `opensearch` stanza in your Helm values file, for example:
+
+```yaml
+opensearch:
+  singleNode: false
+  replicas: 5
+  config:
+    opensearch.yml: |
+      cluster.name: opensearch-cluster
+```
+
+## Use an existing OpenSearch secret
+
+If you have a pre-created Kubernetes secret with the OpenSearch admin password, you can reference it instead of having the chart auto-generate one:
+
+```yaml
+opensearch:
+  enabled: true
+  credentials:
+    createSecret: false
+    existingSecretRef:
+      name: my-opensearch-secret
+```
+
+The secret must contain a key named `OPENSEARCH_INITIAL_ADMIN_PASSWORD`.
+
+## Connect to an external OpenSearch instance
+
+If you already have an OpenSearch cluster running outside of Kubernetes (or
+managed separately), you can configure Jira to use it without deploying the
+bundled OpenSearch Helm chart. OpenSearch properties are written to
+`jira-config.properties` at container startup via the
+`additionalConfigProperties` mechanism (see
+[Additional config properties](../../userguide/CONFIGURATION.md#additional-config-properties)).
+
+First, create a Kubernetes Secret containing the OpenSearch password:
+
+```bash
+kubectl create secret generic opensearch-credentials \
+  --from-literal=password='<your-opensearch-password>'
+```
+
+Then reference it in your Helm values file. The `additionalEnvironmentVariables`
+entry injects the secret as an environment variable, and
+`additionalConfigPropertiesExpandEnv` expands it into the property value at
+startup:
+
+```yaml
+jira:
+  additionalEnvironmentVariables:
+    - name: MY_OPENSEARCH_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: opensearch-credentials
+          key: password
+
+  additionalConfigProperties:
+    - "search.platform=opensearch"
+    - "opensearch.http.url=http://opensearch-host:9200"
+    - "opensearch.username=admin"
+
+  additionalConfigPropertiesExpandEnv:
+    - "opensearch.password={MY_OPENSEARCH_PASSWORD}"
+```
+
+For the full list of available OpenSearch properties, see
+[Configuring OpenSearch for Jira](https://confluence.atlassian.com/adminjiraserver/configuring-opensearch-for-jira-1620511851.html){.external}.
@@ -419,6 +419,58 @@ jira:
     * dash `-` becomes underscore `_`
     * Example: `this.new-property` becomes `THIS_NEW_PROPERTY`
 
+## :material-book-cog: Additional config properties
+
+!!!info "Jira only"
+    This feature is currently available for Jira only. It requires a Jira
+    container image version that supports the `ADDITIONAL_JIRA_CONFIG_*`
+    environment variables. See the
+    [Docker image documentation](../containers/JIRA.md#custom-jira-configproperties)
+    for full details on the underlying mechanism.
+
+The Helm chart provides dedicated values for injecting properties into
+`jira-config.properties` without constructing environment variable names
+manually:
+
+```yaml
+jira:
+  additionalConfigProperties:
+    - "jira.websudo.is.disabled=true"
+    - "jira.lf.top.bgcolour=#003366"
+```
+
+These are equivalent to setting `ADDITIONAL_JIRA_CONFIG_*` environment
+variables directly. The values can also be set via `--set`:
+
+```bash
+helm install jira atlassian-data-center/jira \
+  --set 'jira.additionalConfigProperties[0]=jira.websudo.is.disabled=true'
+```
+
+### Injecting secrets
+
+For values that reference Kubernetes Secrets (e.g. passwords), use
+`additionalConfigPropertiesExpandEnv`. Placeholders in `{VAR_NAME}` format are
+replaced with the corresponding environment variable value at container
+startup:
+
+```yaml
+jira:
+  additionalEnvironmentVariables:
+    - name: MY_SECRET
+      valueFrom:
+        secretKeyRef:
+          name: my-k8s-secret
+          key: password
+
+  additionalConfigPropertiesExpandEnv:
+    - "some.password={MY_SECRET}"
+```
+
+Alternatively, you can use `jira.additionalEnvironmentVariables` to pass the
+`ADDITIONAL_JIRA_CONFIG_*` environment variables explicitly if you need full
+control over naming.
+
 ## :material-book-cog: Additional libraries & plugins
 
 The products' Docker images contain the default set of bundled libraries and plugins.

@@ -2,5 +2,8 @@ dependencies:
 - name: common
   repository: https://atlassian.github.io/data-center-helm-charts
   version: 1.2.7
-digest: sha256:6dc6e131380a4f43edcaae60ee0f8341a463013d8460bd657ca798139d4f428a
-generated: "2024-09-10T03:31:09.693286348Z"
+- name: opensearch
+  repository: https://opensearch-project.github.io/helm-charts
+  version: 3.5.0
+digest: sha256:1bd020af24c471b52a62f6b9330a0f1d94e27a60087fa48d6f1f152e91bec9ea
+generated: "2026-03-13T14:50:45.468195+01:00"
@@ -28,3 +28,7 @@ dependencies:
 - name: common
   version: 1.2.7
   repository: https://atlassian.github.io/data-center-helm-charts
+- name: opensearch
+  version: 3.5.0
+  repository: https://opensearch-project.github.io/helm-charts
+  condition: opensearch.enabled
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,5 +8,6 @@ nav: @@
         - bamboo
         - bitbucket
         - confluence
+        - jira
         - logging
         - ...