Helm Installation on Microsoft Azure Kubernetes Service (AKS)
Audience: System Administrators
Content Summary: This guide illustrates the deployment of an Immuta cluster on Microsoft Azure Kubernetes Service. Requirements may vary depending on the Azure Cloud environment and/or region. For comprehensive assistance, please contact an Immuta Support Professional.
This guide is intended to supplement the main Helm installation guide, which is referred to often throughout this page.
- Software:Helm 2.3.0 or greater and Azure CLI 2.0.30 or greater
- Node Size: Immuta's suggested minimum Azure VM size for Azure Kubernetes Service deployments is
Standard_D3_v2(4 vCPU, 14GB RAM, 200 GB SSD) or equivalent. The Immuta helm installation requires a minimum of 3 nodes. Additional nodes can be added on demand.
- TLS Certificates: See the main helm installation guide for TLS certificate requirements.
For more information on nodes, see the Azure VM sizing documentation.
Deploy Cluster Infrastructure
Before installing Immuta, you will need to spin up your AKS cluster. If you would like to install Immuta on an existing AKS cluster, you can skip this step. If wish to deploy a dedicated cluster for Immuta, please visit Deploying Immuta Cluster Infrastructure on AKS.
Navigate to the installation method of your choice:
Option 1: Install Immuta Manually via Helm
Please see the main helm installation guide for the full walkthrough of installing Immuta via our Helm chart. This section will focus on the specific requirements for the helm installation on AKS.
Use the Nginx Ingress Controller as a Load Balancer in Azure Cloud
Since you are deploying Immuta as an Azure cloud application in AKS, you can easily configure the Nginx Ingress Controller that is bundled with the Immuta Helm deployment as a load balancer using the generated hostname from Azure.
Confirm that you have the following configurations in your
values.yamlfile before deploying:
externalHostname: <your immuta helm release name>.<your azure region>.cloudapp.azure.com nginxIngress: enabled: true controller: service: type: LoadBalancer annotations: service.beta.kubernetes.io/azure-load-balancer-internal: "true"
If you are using the included ingress controller, it will create a Kubernetes LoadBalancer Service to expose Immuta outside of your cluster. The following options are available for configuring the LoadBalancer Service:
nginxIngress.controller.service.annotations: Useful for setting options such as creating an internal load balancer or configuring TLS termination at the load balancer.
nginxIngress.controller.service.loadBalancerSourceRanges: Used to limit which client IP addresses can access the load balancer.
nginxIngress.controller.service.externalTrafficPolicy: Useful when working with Network Load Balancers on AWS. It can be set to “Local” to allow the client IP address to be propagated to the Pods.
Possible values for these various settings can be found in the Kubernetes Documentation.
helm install, you can find the public IP address of the nginx controller by running
kubectl get services -n <your immuta namespace>
If the public IP address shows up as
<pending>, wait a few moments and check again. Once you have the IP address, run the following commands to configure the Immuta Azure Cloud Application to use your ingress controller:
IP="<controller public IP address>" DNSNAME="<your immuta helm release name>" RG=$(az network public-ip list --query "[?ipAddress!=null]|[?contains(ipAddress, '$IP')].[resourceGroup]" --output tsv) PIPNAME=$(az network public-ip list --query "[?ipAddress!=null]|[?contains(ipAddress, '$IP')].[name]" --output tsv) az network public-ip update --resource-group $RG --name $PIPNAME --dns-name $DNSNAME
Shortly after running these commands, you should be able to reach the Immuta console in your web browser at the configured
Configure Security Groups
Best Practice: Network Security Group
Immuta recommends that you set up the network security group for the Immuta cluster to be closed to public traffic outside of your organization. If your organization already has rules and guidelines for your Azure Cloud Application security groups, then you should adhere to those. Otherwise, we recommend visiting Microsoft's documentation page for configuring Network security groups to find a solution that fits your environment.
To configure backups with Azure, see the backup section in the Immuta Helm Chart.
Option 2: Automated Installation
If you've previously provisioned an AKS cluster (see Deploying Immuta Cluster Infrastructure on AKS) and have installed the Installation Prerequisites, you can run an automated script that will
- Prepare the Helm values file,
- Register the required secrets to pull Immuta's Docker images,
- Run the Helm installation, and
- Create the mapping between the external IP address Ingress Controller (the cluster's load balancer) and the cluster's public DNS name.
Running the automated deployment script will make a series of decisions for you:
- The TLS certificates will be generated on-the-fly and will be self-signed. You can easily change this later by following the instructions in the main Helm installation guide.
- The number of replicas from each component will be automatically derived from your AKS cluster's node count. This can be easily modified by overriding the replicas parameter.
- The installation will set up backup volumes by default. Set the
0to disable Immuta backups.
Download the Script
- Download the script here.
- Make it executable by running
chmod +x immuta-aks.sh
Deploy to an AKS Cluster
Below is the list of the parameters that the script accepts. These parameters are environment variables that are prepended to the execution command.
||The name of your AKS cluster||Required||-|
||The Azure Subscription ID||Required||-|
||The resource group that contains the cluster||Required||-|
||An arbitrary metadata database password||Required||-|
||An arbitrary metadata database super-user password||Required||-|
||An arbitrary metadata database replication password||Required||-|
||An arbitrary metadata database Patroni API password||Required||-|
||An arbitrary Query Engine password||Required||-|
||An arbitrary Query Engine super-user password||Required||-|
||An arbitrary Query Engine replication password||Required||-|
||An arbitrary Query Engine Patroni API password||Required||-|
||The version tag of the desired Immuta installation||Optional||2.6.1|
||The Kubernetes namespace to create and deploy Immuta to||Optional||immuta|
||The number of replicas of each main component in the cluster||Optional||1|
||Whether or not backups should be enabled||Optional||1|
||Backup Storage Account resource group||Optional||Same as
Run the Deployment
To run the script and deploy, you can simply prepend the above-mentioned parameters to the
execution command, with the action
deploy. For example,
CLUSTER_NAME="..." \ SUBSCRIPTION_ID="..." \ CLUSTER_RESOURCE_GROUP="..." \ DOCKER_USERNAME="..." \ DOCKER_PASSWORD="..." \ DB_PASSWORD="..." \ DB_SUPERUSER_PASSWORD="..." \ DB_REPLICATION_PASSWORD="..." \ DB_PATRONI_API_PASSWORD="..." \ QE_PASSWORD="..." \ QE_SUPERUSER_PASSWORD="..." \ QE_REPLICATION_PASSWORD="..." \ QE_PATRONI_API_PASSWORD="..." \ ./immuta-aks.sh deploy
Destroy a Deployment
You can use the same script to destroy a deployment you had previously run with this script, by running the following command:
CLUSTER_NAME="..." \ ./immuta-aks.sh destroy
The value of
CLUSTER_NAME should be identical to the name of the
CLUSTER_NAME value you've used to deploy Immuta.