Immuta Helm Chart Options

Audience: System Administrators

Content Summary: This page illustrates all configurable parameters for the Immuta Helm Chart.

Global

Parameter Description Default
immutaVersion Version of Immuta <Current Immuta Version>
imageTag Docker image tag <Current Version Tag>
imagePullPolicy Image pull policy IfNotPresent
imagePullSecrets List of image pull secrets to use [immuta-registry]
existingSecret Name of an existing Kubernetes Secret for the Helm install to use. A managed Secret is not created when this value is set. nil
externalHostname External hostname assigned to this Immuta instance. nil
global.imageRegistry Global override for image registry. registry.immuta.com
global.podAnnotations Annotations to be set on all pods. {}
global.podLabels Labels that will be set on all pods. {}

Backup

Parameter Description Default
backup.enabled Whether or not to turn on automatic backups true
backup.restore.enabled Whether or not to restore from backups if present false
backup.type Backup storage type. Must be one of: volume, s3, gs, or azblob. volume
backup.cronJob.nodeSelector Node selector for backup cron job. {"kubernetes.io/os": "linux"}
backup.cronJob.resources Container resources. {}
backup.cronJob.tolerations Tolerations for backup cron job. nil
backup.failedJobsHistoryLimit Number of failed jobs to exist before stopping 1
backup.keepBackupVolumes Whether or not to delete backup volumes when uninstalling Immuta false
backup.maxBackupCount Max number of backups to exist at a given time. 10
backup.podAnnotations Annotations to add to all pods associated with backups nil
backup.podLabels Labels to add to all pods associated with backups. nil
backup.restore.databaseFile Name of the file in the database backup folder to restore from. nil
backup.restore.queryEngineFile Name of the file in the query-engine backup folder to restore from. nil
backup.schedule Kubernetes CronJob schedule expression. 0 0 * * *
backup.serviceAccountAnnotations Annotations to add to all ServiceAccounts associated with backups. nil
backup.successfulJobsHistoryLimit Number of successful jobs to exist before cleanup. 3

Volume Backups

These values are used when backup.type=volume.

Parameter Description Default
backup.volume.persistentVolumeClaimSpec PersistentVolumeClaim spec to use for volume See Default Volume PVC for more
backup.volume.keepBackupVolume Whether or not to keep the backup volume if Immuta deployment is deleted true
backup.volume.claimName Name of PersistentVolumeClaim. If set, deployment assumes the PVC exists. nil

Default Volume PVC Spec

backup:
  volume:
    persistentVolumeClaimSpec:
      accessModes:
        - ReadWriteMany
      resources:
        requests:
          storage: 5Gi

AWS S3 Backups

These values are used when backup.type=s3.

Parameter Description Default
backup.s3.awsAccessKeyId AWS Access Key ID. nil
backup.s3.awsSecretAccessKey AWS Secret Access Key. nil
backup.s3.awsRegion AWS Region. nil
backup.s3.bucket S3 Bucket to store backups in. nil
backup.s3.bucketPrefix Prefix to append to all backups. nil
backup.s3.endpoint Endpoint URL of an s3-compatible server. nil
backup.s3.caBundle CA bundle in PEM format. Used to verify TLS certificates of custom s3 endpoint. nil
backup.s3.forcePathStyle Set to "true" to force the use of path-style addressing. nil
backup.s3.disableSSL Set to "true" to disable SSL connections for the s3 endpoint. nil

Azure Blob Storage

These values are used when backup.type=azblob.

Parameter Description Default
backup.azblob.azStorageAccount Azure Storage Account Name nil
backup.azblob.azStorageKey Azure Storage Account Key nil
backup.azblob.azStorageSASToken Azure Storage Account SAS Token nil
backup.azblob.container Azure Storage Account Container Name nil
backup.azblob.containerPrefix Prefix to append to all backups nil

Google Cloud Storage

These values are used when backup.type=gs.

Parameter Description Default
backup.gs.gsKeySecretName Kubernetes Secret containing key.json for Google Service Account nil
backup.gs.bucket Google Cloud Storage Bucket nil
backup.gs.bucketPrefix Prefix to append to all backups nil

Immuta TLS

Parameter Description Default
tls.enabled Whether or not to use TLS. true
tls.create Whether or not to generate TLS certificates. true
tls.manageGeneratedSecret When true, the generated TLS secret will be created as a resource of the Helm chart. false
tls.secretName Secret name to use for internal and external communication. (For self-provided certs only) nil
tls.enabledInternal Whether or not to use TLS for all internal communication. true
tls.internalSecretName Secret name to use for internal communication. (For self-provided certs only) nil
tls.enabledExternal Whether or not to use TLS for all external communication. true
tls.externalSecretName Secret name to use for external communication. (For self-provided certs only) nil

tls.manageGeneratedSecret may cause issues with helm install.

In most cases, tls.manageGeneratedSecret should only be set to true when Helm is not being used to install the release (for example, with Argo CD).

If tls.manageGeneratedSecret is set to true when used with the default TLS generation hook configuration, you will encounter an error similar to the following.

Error: secrets "immuta-tls" already exists

You can work around this error by configuring the TLS generation hook to run as a post-install hook.

hooks:
  tlsGeneration:
    hookAnnotations:
      helm.sh/hook: post-install

However, this configuration is not compatible with helm install --wait. If the --wait flag is used, the command will time out and fail.

Web Service

Parameter Description Default
web.image.registry Image registry for the Immuta service image. Value from global.imageRegistry
web.image.repository Image repository for the Immuta service image. immuta/immuta-service
web.image.tag Image tag for the Immuta service image. Value from imageTag or immutaVersion
web.imagePullPolicy ImagePullPolicy for the Immuta service container. {{ .Values.imageTag }}
web.imageRepository deprecated Use web.image.registry and web.image.repository. nil
web.imageTag deprecated Use web.image.tag. nil
web.replicas Number of replicas of web service to deploy 2
web.workerCount Number of web service worker processes to deploy 2
web.threadPoolSize Number of threads to use for each NodeJS process. nil
web.ingress.clientMaxBodySize client_max_body_size passed through to nginx. 1g
web.resources Container resources. {}
web.podAnnotations Additional annotations to apply to web pods. {}
web.podLabels Additional labels to apply to web pods. {}
web.nodeSelector Node selector for web pods. {"kubernetes.io/os": "linux"}
web.tolerations Tolerations for web pods. nil

Fingerprint Service

Parameter Description Default
fingerprint.image.registry Image registry for the Immuta fingerprint image. Value from global.imageRegistry
fingerprint.image.repository Image repository for the Immuta fingerprint image. immuta/immuta-fingerprint
fingerprint.image.tag Image tag for the Immuta fingerprint image. Value from imageTag or immutaVersion
fingerprint.imagePullPolicy ImagePullPolicy for the Immuta fingerprint container. {{ .Values.imageTag }}
fingerprint.imageRepository deprecated Use fingerprint.image.registry and fingerprint.image.repository. nil
fingerprint.imageTag deprecated Use fingerprint.image.tag. nil
fingerprint.replicas Number of replicas of fingerprint service to deploy. 2
fingerprint.logLevel Log level for the Fingerprint service. WARNING
fingerprint.extraConfig Object containing configuration options for the Immuta Fingerprint service. {}
fingerprint.resources Container resources. {}
fingerprint.podAnnotations Additional annotations to apply to fingerprint pods. {}
fingerprint.podLabels Additional labels to apply to fingerprint pods. {}
fingerprint.nodeSelector Node selector for fingerprint pods. {"kubernetes.io/os": "linux"}
fingerprint.tolerations Tolerations for fingerprint pods. nil

Metadata Database

The Metadata Database component can be configured to use either the built-in Kubernetes deployment or an external PostgreSQL database.

The following Helm values are shared between both built-in and external databases.

Parameter Description Default
database.enabled Enabled flag. Used to disable the built-in database when an external database is used. true
database.image.registry Image registry for the Immuta database image. Value from global.imageRegistry
database.image.repository Image repository for the Immuta database image. immuta/immuta-db
database.image.tag Image tag for the Immuta database image. Value from imageTag or immutaVersion
database.imagePullPolicy ImagePullPolicy for the Immuta database container. {{ .Values.imageTag }}
database.imageRepository deprecated Use database.image.registry and database.image.repository. nil
database.imageTag deprecated Use database.image.tag. nil

Built-in Database

These values are used when database.enabled=true.

Parameter Description Default
database.nodeSelector Node selector for database pods. {"kubernetes.io/os": "linux"}
database.password Password for Immuta metadata database. secret
database.patroniApiPassword Password for Patroni REST API. secret
database.persistence.enabled Set this to true to enable data persistence on all database pods. It should be set to true for all non-testing environments. false
database.podAnnotations Additional annotations to apply to database pods. {}
database.podLabels Additional labels to apply to database pods. {}
database.replicas Number of database replicas. 2
database.replicationPassword Password for replication user. secret
database.resources Container resources. {}
database.sharedMemoryVolume.enabled Enable the use of a memory-backed emptyDir volume for /dev/shm. false
database.sharedMemoryVolume.sizeLimit Size limit for the shared memory volume. Only available when the SizeMemoryBackedVolumes feature gate is enabled. nil
database.superuserPassword Password for PostgreSQL superuser. secret
database.tolerations Tolerations for database pods. nil

External Database

These values are used when database.enabled=false.

Parameter Description Default
externalDatabase.host required Hostname of the external database instance. nil
externalDatabase.port Port for the external database instance. 5432
externalDatabase.sslmode PostgreSQL sslmode option for the external database connection. Behavior when unset is require. nil
externalDatabase.dbname Immuta database name. bometadata
externalDatabase.username Immuta database user name. bometa
externalDatabase.password required Immuta database user password. nil
externalDatabase.superuser.username required Username for the superuser used to initialize the database instance. true
externalDatabase.superuser.password required Password for the superuser used to initialize the database instance. true
externalDatabase.backup.enabled Enable flag for external database backups. Only used when backup.enabled=true. true
externalDatabase.restore.enabled Enable flag for the external database restore. Only used when backup.restore.enabled=true. true

Query Engine

Parameter Description Default
queryEngine.image.registry Image registry for the Immuta Query Engine image. Value from global.imageRegistry
queryEngine.image.repository Image repository for the Immuta Query Engine image. immuta/immuta-db
queryEngine.image.tag Image tag for the Immuta Query Engine image. Value from imageTag or immutaVersion
queryEngine.imagePullPolicy ImagePullPolicy for the Immuta Query Engine container. {{ .Values.imageTag }}
queryEngine.imageRepository deprecated Use queryEngine.image.registry and queryEngine.image.repository. nil
queryEngine.imageTag deprecated Use queryEngine.image.tag. nil
queryEngine.replicas Number of database replicas 2
queryEngine.password Password for Immuta feature store database. secret
queryEngine.superuserPassword Password for PostgreSQL superuser. secret
queryEngine.replicationPassword Password for replication user. secret
queryEngine.patroniApiPassword Password for Patroni REST API. secret
queryEngine.persistence.enabled This should be set to true for all non-testing environments. false
queryEngine.resources Container resources. {}
queryEngine.service Service configuration for Query Engine service if not using an Ingress Controller.
queryEngine.podAnnotations Additional annotations to apply to Query Engine pods. {}
queryEngine.podLabels Additional labels to apply to Query Engine pods. {}
queryEngine.nodeSelector Node selector for Query Engine pods. {"kubernetes.io/os": "linux"}
queryEngine.sharedMemoryVolume.enabled Enable the use of a memory-backed emptyDir volume for /dev/shm. false
queryEngine.sharedMemoryVolume.sizeLimit Size limit for the shared memory volume. Only available when the SizeMemoryBackedVolumes feature gate is enabled. nil
queryEngine.tolerations Tolerations for Query Engine pods. nil
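
The tables above leave several security-relevant values at weak defaults (the four database and Query Engine passwords default to secret, persistence is off) and allow TLS to be switched off. The following added example is not part of the Immuta chart or its documentation: a Python audit that applies the documented defaults to a merged values dictionary and reports those settings. It assumes passwords are supplied through chart values rather than existingSecret; the get and audit helpers and the SAMPLE values are constructed for illustration.

```python
# Added example: audit merged Helm values against defaults documented on this page.
PASSWORD_KEYS = ("password", "superuserPassword", "replicationPassword", "patroniApiPassword")

# Defaults from the page's tables, applied when a key is unset.
DEFAULTS = {
    "tls.enabled": True, "tls.enabledInternal": True, "tls.enabledExternal": True,
    "backup.enabled": True, "backup.type": "volume", "database.enabled": True,
    "database.persistence.enabled": False, "queryEngine.persistence.enabled": False,
}
for comp in ("database", "queryEngine"):
    for key in PASSWORD_KEYS:
        DEFAULTS[f"{comp}.{key}"] = "secret"


def get(values, dotted):
    """Look up a dotted key in nested values, falling back to the documented default."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return DEFAULTS.get(dotted)
        node = node[part]
    return node


def audit(values):
    """Return findings for settings left weaker than the page recommends."""
    findings = []
    builtin_db = get(values, "database.enabled")
    # database.* passwords only apply to the built-in database (database.enabled=true).
    for comp in (["database"] if builtin_db else []) + ["queryEngine"]:
        for key in PASSWORD_KEYS:
            if get(values, f"{comp}.{key}") in ("secret", "", None):
                findings.append(f"{comp}.{key}: default or empty password")
        if not get(values, f"{comp}.persistence.enabled"):
            findings.append(f"{comp}.persistence.enabled: off (page: true outside testing)")
    for key in ("tls.enabled", "tls.enabledInternal", "tls.enabledExternal"):
        if not get(values, key):
            findings.append(f"{key}: TLS disabled")
    if get(values, "backup.enabled") and get(values, "backup.type") == "s3":
        # The page documents the string "true" for this flag; accept a boolean as well.
        if str(get(values, "backup.s3.disableSSL")).lower() == "true":
            findings.append("backup.s3.disableSSL: backups travel without TLS")
    if not builtin_db:
        # Unset sslmode behaves as require (per the page); these modes do not
        # guarantee an encrypted connection.
        if get(values, "externalDatabase.sslmode") in ("disable", "allow", "prefer"):
            findings.append("externalDatabase.sslmode: encryption not enforced")
    return findings


# Constructed sample values (hypothetical deployment, not from the page).
SAMPLE = {
    "database": {"enabled": False},
    "externalDatabase": {"host": "db.example.internal", "sslmode": "prefer"},
    "queryEngine": {"password": "constructed-non-default", "persistence": {"enabled": True}},
    "tls": {"enabledInternal": False},
    "backup": {"type": "s3", "s3": {"bucket": "example-backups", "disableSSL": "true"}},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING", finding)
```

Feed it the dictionary obtained by parsing your values file; an empty dictionary shows what an install with no overrides would leave at defaults.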

Chart Hooks

Cleanup

The Cleanup hook is a Helm post-delete hook that is responsible for cleaning up some resources that are not deleted by Helm.

Parameter Description Default
hooks.cleanup.resources Container resources. {}
hooks.cleanup.serviceAccountAnnotations Annotations for the cleanup hook ServiceAccount. {}
hooks.cleanup.nodeSelector Node selector for pods. {"kubernetes.io/os": "linux"}
hooks.cleanup.tolerations Tolerations for pods. nil

Database Initialize

The database initialize hook is used to initialize the external database when database.enabled=false.

Parameter Description Default
hooks.databaseInitialize.resources Container resources. {}
hooks.databaseInitialize.serviceAccountAnnotations Annotations for the database initialize hook ServiceAccount. {}
hooks.databaseInitialize.verbose Flag to enable or disable verbose logging in the database initialize hook. true
hooks.databaseInitialize.nodeSelector Node selector for pods. {"kubernetes.io/os": "linux"}
hooks.databaseInitialize.tolerations Tolerations for pods. nil

Database Migrate

The database migrate hook is used to migrate the external database when database.enabled=false.

Parameter Description Default
hooks.databaseMigrate.resources Container resources. {}
hooks.databaseMigrate.serviceAccountAnnotations Annotations for the database migrate hook ServiceAccount. {}
hooks.databaseMigrate.verbose Flag to enable or disable verbose logging in the database migrate hook. true
hooks.databaseMigrate.nodeSelector Node selector for pods. {"kubernetes.io/os": "linux"}
hooks.databaseMigrate.tolerations Tolerations for pods. nil

TLS Generation

The TLS generation hook is a Helm pre-install hook that is responsible for generating TLS certificates used for connections between the Immuta pods.

Parameter Description Default
hooks.tlsGeneration.hookAnnotations."helm.sh/hook-delete-policy" Delete policy for the TLS generation hook. "before-hook-creation,hook-succeeded"
hooks.tlsGeneration.resources Container resources. {}
hooks.tlsGeneration.serviceAccountAnnotations Annotations for the cleanup hook ServiceAccount. {}
hooks.tlsGeneration.nodeSelector Node selector for pods. {"kubernetes.io/os": "linux"}
hooks.tlsGeneration.tolerations Tolerations for pods. nil

Cache

Parameter Description Default
cache.type Type to use for the cache. Valid values are memcached and redis. memcached
cache.replicas Number of replicas. 3
cache.resources Container resources. {}
cache.nodeSelector Node selector for pods. {"kubernetes.io/os": "linux"}
cache.tolerations Tolerations for pods. nil
cache.redis.image.registry Image registry for Redis image. Value from global.imageRegistry
cache.redis.image.repository Image repository for Redis image. redis
cache.redis.image.tag Image tag for Redis image. 6.2-alpine
cache.redis.imagePullPolicy Image pull policy. Value from imagePullPolicy
cache.memcached.image.registry Image registry for Memcached image. Value from global.imageRegistry
cache.memcached.image.repository Image repository for Memcached image. memcached
cache.memcached.image.tag Image tag for Memcached image. 1.6-alpine
cache.memcached.imagePullPolicy Image pull policy. Value from imagePullPolicy
cache.memcached.maxItemMemory Limit for max item memory in cache (in MB). 64
cache.proxySidecar.image.registry Image registry for cache proxy image. Value from global.imageRegistry
cache.proxySidecar.image.repository Image repository for cache proxy image. envoyproxy-envoy-alpine
cache.proxySidecar.image.tag Image tag for cache proxy image. v1.20.0
cache.proxySidecar.imagePullPolicy Image pull policy. Value from imagePullPolicy
cache.proxySidecar.resources Container resources. map[limits:map[cpu:250m memory:256Mi] requests:map[cpu:125m memory:128Mi]]

Deploy Tools

Parameter Description Default
deployTools.image.registry Image registry for Immuta deploy tools image. Value from global.imageRegistry
deployTools.image.repository Image repository for Immuta deploy tools image. immuta/immuta-deploy-tools
deployTools.image.tag Image tag for Immuta deploy tools image. 2.0.1
deployTools.imagePullPolicy Image pull policy. Value from imagePullPolicy

Ingress Controller

Parameter Description Default
nginxIngress.enabled Enable nginx ingress deployment false
nginxIngress.controller.image.registry Image registry for the Nginx Ingress controller image. Value from global.imageRegistry
nginxIngress.controller.image.repository Image repository for the Nginx Ingress controller image. ingress-nginx-controller
nginxIngress.controller.image.tag Image tag for the Nginx Ingress controller image. v0.49.3
nginxIngress.controller.imagePullPolicy ImagePullPolicy for the Nginx Ingress controller container. {{ .Values.imageTag }}
nginxIngress.controller.imageRepository deprecated Use nginxIngress.controller.image.registry and nginxIngress.controller.image.repository. nil
nginxIngress.controller.imageTag deprecated Use nginxIngress.controller.image.tag. nil
nginxIngress.controller.service.annotations Used to set arbitrary annotations on the Nginx Ingress Service. {}
nginxIngress.controller.service.type Controller service type. LoadBalancer
nginxIngress.controller.service.isInternal Whether or not to use an internal ELB false
nginxIngress.controller.service.acmCertArn ARN for ACM certificate
nginxIngress.controller.replicas Number of controller replicas 1
nginxIngress.controller.minReadySeconds Minimum ready seconds 0
nginxIngress.controller.electionID Election ID for nginx ingress controller ingress-controller-leader
nginxIngress.controller.hostNetwork Run nginx ingress controller on host network false
nginxIngress.controller.config.proxy-read-timeout Controller proxy read timeout. 300
nginxIngress.controller.config.proxy-send-timeout Controller proxy send timeout. 300
nginxIngress.controller.podAnnotations Additional annotations to apply to nginx ingress controller pods. {}
nginxIngress.controller.podLabels Additional labels to apply to nginx ingress controller pods. {}
nginxIngress.controller.nodeSelector Node selector for nginx ingress controller pods. {"kubernetes.io/os": "linux"}
nginxIngress.controller.tolerations Tolerations for nginx ingress controller pods. nil
nginxIngress.controller.resources Container resources. {}

Memcached

Deprecation Warning

The following values are deprecated. Values should be migrated to cache and cache.memcached. See Cache for replacement values.

Parameter Description Default
memcached.pdbMinAvailable Minimum pdb available. 1
memcached.maxItemMemory Limit for max item memory in cache (in MB). 64
memcached.resources Container resources. {requests: {memory: 64Mi}}
memcached.podAnnotations Additional annotations to apply to memcached pods. {}
memcached.podLabels Additional labels to apply to memcached pods. {}
memcached.nodeSelector Node selector for memcached pods. {"kubernetes.io/os": "linux"}
memcached.tolerations Tolerations for memcached pods. nil