Immuta Helm Chart Options
Audience: System Administrators
Content Summary: This page illustrates all the configurable parameters for the Immuta Helm Chart.
Global
Parameter | Description | Default |
immutaVersion | Version of Immuta | <Current Immuta Version> |
imageTag | Docker image tag | <Current Version Tag> |
imagePullPolicy | Image pull policy | IfNotPresent |
imagePullSecrets | List of image pull secrets to use | [immuta-registry] |
externalHostname | External hostname assigned to this Immuta instance. | nil |
global.podAnnotations | Annotations to be set on all pods. | {} |
global.podLabels | Labels that will be set on all pods. | {} |
Backup
Parameter | Description | Default |
backup.enabled | Whether or not to turn on automatic backups | true |
backup.restore.enabled | Whether or not to restore from backups if present | false |
backup.schedule | Kubernetes CronJob schedule expression | 0 0 * * * |
backup.successfulJobsHistoryLimit | Number of successful jobs to exist before cleanup | 3 |
backup.failedJobsHistoryLimit | Number of failed jobs to exist before stopping | 1 |
backup.maxBackupCount | Max number of backups to exist at a given time | 10 |
backup.keepBackupVolumes | Whether or not to delete backup volumes when uninstalling Immuta | false |
backup.type | Backup storage type. Must be defined if backup.enabled is true. Must be one of: s3, gs, or azblob. | nil |
Parameter | Description | Default |
backup.podAnnotations | Annotations to add to all pods associated with backups | nil |
backup.podLabels | Labels to add to all pods associated with backups. | nil |
backup.serviceAccountAnnotations | Annotations to add to all ServiceAccounts associated with backups. | nil |
backup.cronJob.nodeSelector | Node selector for backup cron job. | {"kubernetes.io/os": "linux"} |
backup.cronJob.tolerations | Tolerations for backup cron job. | nil |
AWS S3 Backups
Parameter | Description | Default |
backup.s3.awsAccessKeyId | AWS Access Key ID | nil |
backup.s3.awsSecretAccessKey | AWS Secret Access Key | nil |
backup.s3.awsRegion | AWS Region | nil |
backup.s3.bucket | S3 Bucket to store backups in | nil |
backup.s3.bucketPrefix | Prefix to append to all backups | nil |
Azure Blob Storage
Parameter | Description | Default |
backup.azblob.azStorageAccount | Azure Storage Account Name | nil |
backup.azblob.azStorageKey | Azure Storage Account Key | nil |
backup.azblob.azStorageSASToken | Azure Storage Account SAS Token | nil |
backup.azblob.container | Azure Storage Account Container Name | nil |
backup.azblob.containerPrefix | Prefix to append to all backups | nil |
Google Cloud Storage
Parameter | Description | Default |
backup.gs.gsKeySecretName | Kubernetes Secret containing key.json for Google Service Account | nil |
backup.gs.bucket | Google Cloud Storage Bucket | nil |
backup.gs.bucketPrefix | Prefix to append to all backups | nil |
Immuta TLS
Parameter | Description | Default |
tls.enabled | Whether or not to use TLS. | true |
tls.create | Whether or not to generate TLS certificates. | true |
tls.manageGeneratedSecret | When true, the generated TLS secret will be created as a resource of the Helm chart. | false |
tls.secretName | Secret name to use for internal and external communication. (For self-provided certs only) | nil |
tls.enabledInternal | Whether or not to use TLS for all internal communication. | true |
tls.internalSecretName | Secret name to use for internal communication. (For self-provided certs only) | nil |
tls.enabledExternal | Whether or not to use TLS for all external communication. | true |
tls.externalSecretName | Secret name to use for external communication. (For self-provided certs only) | nil |
tls.manageGeneratedSecret may cause issues with helm install.

In most cases, tls.manageGeneratedSecret should only be set to true when Helm is not being used to install the release (e.g., Argo CD).

If tls.manageGeneratedSecret is set to true when used with the default TLS generation hook configuration, you will encounter an error similar to the following.

Error: secrets "immuta-tls" already exists

You can work around this error by configuring the TLS generation hook to run as a post-install hook.

hooks:
  tlsGeneration:
    hookAnnotations:
      helm.sh/hook: post-install

However, this configuration is not compatible with helm install --wait. If the --wait flag is used, the command will time out and fail.
Web Service
Parameter | Description | Default |
web.imageRepository | Docker repository to pull for Immuta service image | registry.immuta.com/immuta/immuta-service |
web.imageTag | Docker tag to pull for Immuta service image | {{ .Values.imageTag }} |
web.replicas | Number of replicas of web service to deploy | 2 |
web.workerCount | Number of web service worker processes to deploy | 2 |
web.threadPoolSize | Number of threads to use for each NodeJS process. | nil |
web.ingress.clientMaxBodySize | client_max_body_size passed through to nginx. | 1g |
web.resources | See Resource Limits for more. | {} |
web.podAnnotations | Additional annotations to apply to web pods. | {} |
web.podLabels | Additional labels to apply to web pods. | {} |
web.nodeSelector | Node selector for web pods. | {"kubernetes.io/os": "linux"} |
web.tolerations | Tolerations for web pods. | nil |
Fingerprint Service
Parameter | Description | Default |
fingerprint.imageRepository | Docker repository to pull for Immuta fingerprint image. | registry.immuta.com/immuta/immuta-fingerprint |
fingerprint.imageTag | Docker tag to pull for Immuta fingerprint image. | {{ .Values.imageTag }} |
fingerprint.replicas | Number of replicas of fingerprint service to deploy. | 2 |
fingerprint.resources | See Resource Limits for more. | {} |
fingerprint.podAnnotations | Additional annotations to apply to fingerprint pods. | {} |
fingerprint.podLabels | Additional labels to apply to fingerprint pods. | {} |
fingerprint.nodeSelector | Node selector for fingerprint pods. | {"kubernetes.io/os": "linux"} |
fingerprint.tolerations | Tolerations for fingerprint pods. | nil |
Parameter | Description | Default |
database.imageRepository | Docker repository to pull for Immuta database image | registry.immuta.com/immuta/immuta-db |
database.imageTag | Docker tag to pull for Immuta database image | {{ .Values.imageTag }} |
database.replicas | Number of database replicas | 2 |
database.password | Password for Immuta metadata database | secret |
database.superuserPassword | Password for PostgreSQL superuser | secret |
database.replicationPassword | Password for replication user. | secret |
database.patroniApiPassword | Password for Patroni REST API. | secret |
database.resources | See Resource Limits for more. | {} |
database.podAnnotations | Additional annotations to apply to database pods. | {} |
database.podLabels | Additional labels to apply to database pods. | {} |
database.nodeSelector | Node selector for database pods. | {"kubernetes.io/os": "linux"} |
database.tolerations | Tolerations for database pods. | nil |
Query Engine
Parameter | Description | Default |
queryEngine.imageRepository | Docker repository to pull for Immuta database image | registry.immuta.com/immuta/immuta-db |
queryEngine.imageTag | Docker tag to pull for Immuta database image | {{ .Values.imageTag }} |
queryEngine.replicas | Number of database replicas | 2 |
queryEngine.password | Password for Immuta feature store database | secret |
queryEngine.superuserPassword | Password for PostgreSQL superuser. | secret |
queryEngine.replicationPassword | Password for replication user. | secret |
queryEngine.patroniApiPassword | Password for Patroni REST API. | secret |
queryEngine.immutaResources | See Resource Limits for more. | {} |
queryEngine.service | Service configuration for Query Engine service if not using an Ingress Controller. | |
queryEngine.podAnnotations | Additional annotations to apply to Query Engine pods. | {} |
queryEngine.podLabels | Additional labels to apply to Query Engine pods. | {} |
queryEngine.nodeSelector | Node selector for Query Engine pods. | {"kubernetes.io/os": "linux"} |
queryEngine.tolerations | Tolerations for Query Engine pods. | nil |
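
An added example (not part of the Immuta chart or its documentation): a Python check over a release's values, in JSON form, that flags settings from the tables above worth reviewing before deployment: the `secret` default for the `database.*` and `queryEngine.*` passwords, `tls.*` switches set to false, and storage credentials set inline. The function names, finding strings and sample values are constructed for illustration.

```python
import json

DEFAULT_PASSWORD = "secret"  # chart default listed for every password below
PASSWORD_KEYS = [
    f"{section}.{name}"
    for section in ("database", "queryEngine")
    for name in ("password", "superuserPassword", "replicationPassword", "patroniApiPassword")
]
TLS_KEYS = ["tls.enabled", "tls.enabledInternal", "tls.enabledExternal"]
INLINE_CREDENTIAL_KEYS = ["backup.s3.awsSecretAccessKey", "backup.azblob.azStorageKey",
                          "backup.azblob.azStorageSASToken"]

def lookup(values, dotted, default=None):
    """Walk a nested dict by dotted path; return default if a level is missing."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def audit(values):
    """Return sorted (key, finding) tuples for settings that need review."""
    findings = []
    for key in PASSWORD_KEYS:
        # A key missing from user-supplied values falls back to "secret".
        if lookup(values, key, DEFAULT_PASSWORD) == DEFAULT_PASSWORD:
            findings.append((key, "chart default password in use"))
    for key in TLS_KEYS:
        if lookup(values, key, True) is False:  # all three default to true
            findings.append((key, "TLS disabled"))
    for key in INLINE_CREDENTIAL_KEYS:
        if lookup(values, key):  # default is nil, so any value is an override
            findings.append((key, "storage credential set inline in values"))
    return sorted(findings)

# Constructed sample values (JSON form of a values override); not real secrets.
SAMPLE = json.loads("""{
  "tls": {"enabled": true, "enabledInternal": false},
  "database": {"password": "secret", "superuserPassword": "constructed-1",
               "replicationPassword": "constructed-2", "patroniApiPassword": "constructed-3"},
  "queryEngine": {"password": "constructed-4", "superuserPassword": "constructed-5",
                  "replicationPassword": "constructed-6"},
  "backup": {"type": "s3", "s3": {"awsSecretAccessKey": "constructed-7", "bucket": "example-bucket"}}
}""")

if __name__ == "__main__":
    for key, finding in audit(SAMPLE):
        print(f"{key}: {finding}")
```

The same function can be run on the output of `helm get values <release> --all -o json` to check a deployed release.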
Memcached
Parameter | Description | Default |
memcached.memcached.maxItemMemory | Max memory for items (in MB). | 64 |
memcached.pdbMinAvailable | Minimum pdb available. | 1 |
memcached.memcached.maxItemMemory | Limit for max item memory in cache. | 64 |
memcached.resources | See Resource Limits for more. | {} |
memcached.podAnnotations | Additional annotations to apply to memcached pods. | {} |
memcached.podLabels | Additional labels to apply to memcached pods. | {} |
memcached.nodeSelector | Node selector for memcached pods. | {"kubernetes.io/os": "linux"} |
memcached.tolerations | Tolerations for memcached pods. | nil |
Ingress Controller
Parameter | Description | Default |
nginxIngress.enabled | Enable nginx ingress deployment | true |
nginxIngress.controller.service.type | Controller service type | ClusterIP |
nginxIngress.controller.service.isInternal | Whether or not to use an internal ELB | false |
nginxIngress.controller.service.acmCertArn | ARN for ACM certificate | |
nginxIngress.controller.replicas | Number of controller replicas | 1 |
nginxIngress.controller.minReadySeconds | Minimum ready seconds | 0 |
nginxIngress.controller.electionID | Election ID for nginx ingress controller | ingress-controller-leader |
nginxIngress.controller.hostNetwork | Run nginx ingress controller on host network | false |
nginxIngress.controller.config.proxy-read-timeout | Controller proxy read timeout. | 300 |
nginxIngress.controller.config.proxy-send-timeout | Controller proxy send timeout. | 300 |
nginxIngress.controller.podAnnotations | Additional annotations to apply to nginx ingress controller pods. | {} |
nginxIngress.controller.podLabels | Additional labels to apply to nginx ingress controller pods. | {} |
nginxIngress.controller.nodeSelector | Node selector for nginx ingress controller pods. | {"kubernetes.io/os": "linux"} |
nginxIngress.controller.tolerations | Tolerations for nginx ingress controller pods. | nil |