Immuta Helm Chart Options

Audience: System Administrators

Content Summary: This page illustrates all configurable parameters for the Immuta Helm Chart.

Global

| Parameter | Description | Default |
| --- | --- | --- |
| immutaVersion | Version of Immuta | <Current Immuta Version> |
| imageTag | Docker image tag | <Current Version Tag> |
| imagePullPolicy | Image pull policy | IfNotPresent |
| imagePullSecrets | List of image pull secrets to use | [immuta-registry] |
| existingSecret | Name of an existing Kubernetes Secret for the Helm install to use. A managed Secret is not created when this value is set. | nil |
| externalHostname | External hostname assigned to this Immuta instance. | nil |
| global.podAnnotations | Annotations to be set on all pods. | {} |
| global.podLabels | Labels that will be set on all pods. | {} |

Backup

| Parameter | Description | Default |
| --- | --- | --- |
| backup.enabled | Whether or not to turn on automatic backups | true |
| backup.restore.enabled | Whether or not to restore from backups if present | false |
| backup.restore.databaseFile | Name of the file in the database backup folder to restore from. | nil |
| backup.restore.queryEngineFile | Name of the file in the query-engine backup folder to restore from. | nil |
| backup.schedule | Kubernetes CronJob schedule expression | 0 0 * * * |
| backup.successfulJobsHistoryLimit | Number of successful jobs to exist before cleanup | 3 |
| backup.failedJobsHistoryLimit | Number of failed jobs to exist before stopping | 1 |
| backup.maxBackupCount | Max number of backups to exist at a given time | 10 |
| backup.keepBackupVolumes | Whether or not to delete backup volumes when uninstalling Immuta | false |
| backup.type | Backup storage type. Must be one of: volume, s3, gs, or azblob. | volume |

Pod / Service Account Metadata

| Parameter | Description | Default |
| --- | --- | --- |
| backup.podAnnotations | Annotations to add to all pods associated with backups | nil |
| backup.podLabels | Labels to add to all pods associated with backups. | nil |
| backup.serviceAccountAnnotations | Annotations to add to all ServiceAccounts associated with backups. | nil |
| backup.cronJob.nodeSelector | Node selector for backup cron job. | {"kubernetes.io/os": "linux"} |
| backup.cronJob.tolerations | Tolerations for backup cron job. | nil |
| backup.cronJob.resources | Container resources. | {} |

Volume Backups

| Parameter | Description | Default |
| --- | --- | --- |
| backup.volume.persistentVolumeClaimSpec | PersistentVolumeClaim spec to use for volume | See Default Volume PVC for more |
| backup.volume.keepBackupVolume | Whether or not to keep the backup volume if Immuta deployment is deleted | true |
| backup.volume.claimName | Name of PersistentVolumeClaim. If set, deployment assumes the PVC exists. | nil |

Default Volume PVC Spec

backup:
  volume:
    persistentVolumeClaimSpec:
      accessModes:
        - ReadWriteMany
      resources:
        requests:
          storage: 5Gi

AWS S3 Backups

| Parameter | Description | Default |
| --- | --- | --- |
| backup.s3.awsAccessKeyId | AWS Access Key ID. | nil |
| backup.s3.awsSecretAccessKey | AWS Secret Access Key. | nil |
| backup.s3.awsRegion | AWS Region. | nil |
| backup.s3.bucket | S3 Bucket to store backups in. | nil |
| backup.s3.bucketPrefix | Prefix to append to all backups. | nil |
| backup.s3.endpoint | Endpoint URL of an s3-compatible server. | nil |
| backup.s3.caBundle | CA bundle in PEM format. Used to verify TLS certificates of custom s3 endpoint. | nil |
| backup.s3.forcePathStyle | Set to "true" to force the use of path-style addressing. | nil |
| backup.s3.disableSSL | Set to "true" to disable SSL connections for the s3 endpoint. | nil |

Azure Blob Storage

| Parameter | Description | Default |
| --- | --- | --- |
| backup.azblob.azStorageAccount | Azure Storage Account Name | nil |
| backup.azblob.azStorageKey | Azure Storage Account Key | nil |
| backup.azblob.azStorageSASToken | Azure Storage Account SAS Token | nil |
| backup.azblob.container | Azure Storage Account Container Name | nil |
| backup.azblob.containerPrefix | Prefix to append to all backups | nil |

Google Cloud Storage

| Parameter | Description | Default |
| --- | --- | --- |
| backup.gs.gsKeySecretName | Kubernetes Secret containing key.json for Google Service Account | nil |
| backup.gs.bucket | Google Cloud Storage Bucket | nil |
| backup.gs.bucketPrefix | Prefix to append to all backups | nil |

Immuta TLS

| Parameter | Description | Default |
| --- | --- | --- |
| tls.enabled | Whether or not to use TLS. | true |
| tls.create | Whether or not to generate TLS certificates. | true |
| tls.manageGeneratedSecret | When true, the generated TLS secret will be created as a resource of the Helm chart. | false |
| tls.secretName | Secret name to use for internal and external communication. (For self-provided certs only) | nil |
| tls.enabledInternal | Whether or not to use TLS for all internal communication. | true |
| tls.internalSecretName | Secret name to use for internal communication. (For self-provided certs only) | nil |
| tls.enabledExternal | Whether or not to use TLS for all external communication. | true |
| tls.externalSecretName | Secret name to use for external communication. (For self-provided certs only) | nil |

tls.manageGeneratedSecret may cause issues with helm install.

In most cases, tls.manageGeneratedSecret should only be set to true when Helm is not being used to install the release (e.g., Argo CD).

If tls.manageGeneratedSecret is set to true when used with the default TLS generation hook configuration, you will encounter an error similar to the following.

Error: secrets "immuta-tls" already exists

You can work around this error by configuring the TLS generation hook to run as a post-install hook.

hooks:
  tlsGeneration:
    hookAnnotations:
      helm.sh/hook: post-install

However, this configuration is not compatible with helm install --wait. If the --wait flag is used, the command will time out and fail.

Web Service

| Parameter | Description | Default |
| --- | --- | --- |
| web.imageRepository | Docker repository to pull for Immuta service image | registry.immuta.com/immuta/immuta-service |
| web.imageTag | Docker tag to pull for Immuta service image | {{ .Values.imageTag }} |
| web.replicas | Number of replicas of web service to deploy | 2 |
| web.workerCount | Number of web service worker processes to deploy | 2 |
| web.threadPoolSize | Number of threads to use for each NodeJS process. | nil |
| web.ingress.clientMaxBodySize | client_max_body_size passed through to nginx. | 1g |
| web.resources | Container resources. | {} |
| web.podAnnotations | Additional annotations to apply to web pods. | {} |
| web.podLabels | Additional labels to apply to web pods. | {} |
| web.nodeSelector | Node selector for web pods. | {"kubernetes.io/os": "linux"} |
| web.tolerations | Tolerations for web pods. | nil |

Fingerprint Service

| Parameter | Description | Default |
| --- | --- | --- |
| fingerprint.imageRepository | Docker repository to pull for Immuta fingerprint image. | registry.immuta.com/immuta/immuta-fingerprint |
| fingerprint.imageTag | Docker tag to pull for Immuta fingerprint image. | {{ .Values.imageTag }} |
| fingerprint.replicas | Number of replicas of fingerprint service to deploy. | 2 |
| fingerprint.logLevel | Log level for the Fingerprint service. | WARNING |
| fingerprint.extraConfig | Object containing configuration options for the Immuta Fingerprint service. | {} |
| fingerprint.resources | Container resources. | {} |
| fingerprint.podAnnotations | Additional annotations to apply to fingerprint pods. | {} |
| fingerprint.podLabels | Additional labels to apply to fingerprint pods. | {} |
| fingerprint.nodeSelector | Node selector for fingerprint pods. | {"kubernetes.io/os": "linux"} |
| fingerprint.tolerations | Tolerations for fingerprint pods. | nil |

Metadata Database

| Parameter | Description | Default |
| --- | --- | --- |
| database.imageRepository | Docker repository to pull for Immuta database image | registry.immuta.com/immuta/immuta-db |
| database.imageTag | Docker tag to pull for Immuta database image | {{ .Values.imageTag }} |
| database.replicas | Number of database replicas | 2 |
| database.password | Password for Immuta metadata database | secret |
| database.superuserPassword | Password for PostgreSQL superuser | secret |
| database.replicationPassword | Password for replication user. | secret |
| database.patroniApiPassword | Password for Patroni REST API. | secret |
| database.persistence.enabled | Set this to true to enable data persistence on all database pods. It should be set to true for all non-testing environments. | false |
| database.resources | Container resources. | {} |
| database.podAnnotations | Additional annotations to apply to database pods. | {} |
| database.podLabels | Additional labels to apply to database pods. | {} |
| database.nodeSelector | Node selector for database pods. | {"kubernetes.io/os": "linux"} |
| database.tolerations | Tolerations for database pods. | nil |

Query Engine

| Parameter | Description | Default |
| --- | --- | --- |
| queryEngine.imageRepository | Docker repository to pull for Immuta database image | registry.immuta.com/immuta/immuta-db |
| queryEngine.imageTag | Docker tag to pull for Immuta database image | {{ .Values.imageTag }} |
| queryEngine.replicas | Number of database replicas | 2 |
| queryEngine.password | Password for Immuta feature store database | secret |
| queryEngine.superuserPassword | Password for PostgreSQL superuser. | secret |
| queryEngine.replicationPassword | Password for replication user. | secret |
| queryEngine.patroniApiPassword | Password for Patroni REST API. | secret |
| queryEngine.persistence.enabled | This should be set to true for all non-testing environments. | false |
| queryEngine.resources | Container resources. | {} |
| queryEngine.service | Service configuration for Query Engine service if not using an Ingress Controller. | |
| queryEngine.podAnnotations | Additional annotations to apply to Query Engine pods. | {} |
| queryEngine.podLabels | Additional labels to apply to Query Engine pods. | {} |
| queryEngine.nodeSelector | Node selector for Query Engine pods. | {"kubernetes.io/os": "linux"} |
| queryEngine.tolerations | Tolerations for Query Engine pods. | nil |
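
An added example (not part of the Immuta chart or its documentation): a small Python audit that reads a release's values as JSON, for instance from `helm get values <release> --all -o json`, and flags settings that still match the risky defaults listed in the tables above. Keys absent from the input are treated as the default this page lists; skipping the password checks when existingSecret is set is an assumption that the passwords then come from that Secret; SAMPLE is constructed.

```python
import json

# Password keys this page lists with the default "secret".
PASSWORD_KEYS = [f"{svc}.{name}" for svc in ("database", "queryEngine")
                 for name in ("password", "superuserPassword",
                              "replicationPassword", "patroniApiPassword")]
TLS_KEYS = ["tls.enabled", "tls.enabledInternal", "tls.enabledExternal"]

# Constructed sample values; not taken from a real release.
SAMPLE = json.loads("""{
  "database": {"password": "secret", "superuserPassword": "x9-constructed",
               "persistence": {"enabled": true}},
  "queryEngine": {"password": "q7-constructed"},
  "tls": {"enabledInternal": false},
  "backup": {"type": "s3", "s3": {"disableSSL": "true"}}
}""")


def lookup(values, dotted, default=None):
    """Walk a nested dict by dotted path; return default when a key is absent."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit(values):
    """Return sorted (key, finding) pairs for values left at risky settings."""
    findings = []
    # Assumption: with existingSecret set, passwords come from that Secret.
    if not lookup(values, "existingSecret"):
        for key in PASSWORD_KEYS:
            if lookup(values, key, "secret") == "secret":
                findings.append((key, "still the chart default 'secret'"))
    for key in TLS_KEYS:
        if lookup(values, key, True) is not True:
            findings.append((key, "TLS turned off (default is true)"))
    for svc in ("database", "queryEngine"):
        key = f"{svc}.persistence.enabled"
        if lookup(values, key, False) is not True:
            findings.append((key, "persistence off; testing only"))
    if lookup(values, "backup.type", "volume") == "s3":
        if str(lookup(values, "backup.s3.disableSSL")).lower() == "true":
            findings.append(("backup.s3.disableSSL", "backups sent without TLS"))
    return sorted(findings)


if __name__ == "__main__":
    for key, finding in audit(SAMPLE):
        print(f"{key}: {finding}")
```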

Chart Hooks

Cleanup

The Cleanup hook is a Helm post-delete hook that is responsible for cleaning up some resources that are not deleted by Helm.

| Parameter | Description | Default |
| --- | --- | --- |
| hooks.cleanup.resources | Container resources. | {} |
| hooks.cleanup.serviceAccountAnnotations | Annotations for the cleanup hook ServiceAccount. | {} |

TLS Generation

The TLS generation hook is a Helm pre-install hook that is responsible for generating TLS certificates used for connections between the Immuta pods.

| Parameter | Description | Default |
| --- | --- | --- |
| hooks.tlsGeneration.hookAnnotations."helm.sh/hook-delete-policy" | Delete policy for the TLS generation hook. | "before-hook-creation,hook-succeeded" |
| hooks.tlsGeneration.resources | Container resources. | {} |
| hooks.tlsGeneration.serviceAccountAnnotations | Annotations for the TLS generation hook ServiceAccount. | {} |

Memcached

| Parameter | Description | Default |
| --- | --- | --- |
| memcached.memcached.maxItemMemory | Max memory for items (in MB). | 64 |
| memcached.pdbMinAvailable | Minimum pdb available. | 1 |
| memcached.memcached.maxItemMemory | Limit for max item memory in cache. | 64 |
| memcached.resources | Container resources. | {requests: {memory: 64Mi}} |
| memcached.podAnnotations | Additional annotations to apply to memcached pods. | {} |
| memcached.podLabels | Additional labels to apply to memcached pods. | {} |
| memcached.nodeSelector | Node selector for memcached pods. | {"kubernetes.io/os": "linux"} |
| memcached.tolerations | Tolerations for memcached pods. | nil |

Ingress Controller

| Parameter | Description | Default |
| --- | --- | --- |
| nginxIngress.enabled | Enable nginx ingress deployment | false |
| nginxIngress.controller.service.annotations | Used to set arbitrary annotations on the Nginx Ingress Service. | {} |
| nginxIngress.controller.service.type | Controller service type | ClusterIP |
| nginxIngress.controller.service.isInternal | Whether or not to use an internal ELB | false |
| nginxIngress.controller.service.acmCertArn | ARN for ACM certificate | |
| nginxIngress.controller.replicas | Number of controller replicas | 1 |
| nginxIngress.controller.minReadySeconds | Minimum ready seconds | 0 |
| nginxIngress.controller.electionID | Election ID for nginx ingress controller | ingress-controller-leader |
| nginxIngress.controller.hostNetwork | Run nginx ingress controller on host network | false |
| nginxIngress.controller.config.proxy-read-timeout | Controller proxy read timeout. | 300 |
| nginxIngress.controller.config.proxy-send-timeout | Controller proxy send timeout. | 300 |
| nginxIngress.controller.podAnnotations | Additional annotations to apply to nginx ingress controller pods. | {} |
| nginxIngress.controller.podLabels | Additional labels to apply to nginx ingress controller pods. | {} |
| nginxIngress.controller.nodeSelector | Node selector for nginx ingress controller pods. | {"kubernetes.io/os": "linux"} |
| nginxIngress.controller.tolerations | Tolerations for nginx ingress controller pods. | nil |
| nginxIngress.controller.resources | Container resources. | {} |