Skip to content

You are viewing documentation for Immuta version 2023.1.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

cancel

Helm Installation on Microsoft Azure Kubernetes Service (AKS)

Audience: System Administrators

Content Summary: This guide illustrates the deployment of an Immuta cluster on Microsoft Azure Kubernetes Service. Requirements may vary depending on the Azure Cloud environment and/or region. For comprehensive assistance, please contact an Immuta Support Professional.

This guide is intended to supplement the main Helm installation guide, which is referred to often throughout this page.

Prerequisites:

  • Software:Helm 2.3.0 or greater and Azure CLI 2.0.30 or greater
  • Node Size: Immuta's suggested minimum Azure VM size for Azure Kubernetes Service deployments is Standard_D3_v2 (4 vCPU, 14GB RAM, 200 GB SSD) or equivalent. The Immuta helm installation requires a minimum of 3 nodes. Additional nodes can be added on demand.
  • TLS Certificates: See the main helm installation guide for TLS certificate requirements.

To install Azure CLI 2.0, please visit Microsoft's documentation and follow the instructions for your chosen platform. You can also use the Azure Cloud Shell.

For more information on nodes, see the Azure VM sizing documentation.

Deploy Cluster Infrastructure

Before installing Immuta, you will need to spin up your AKS cluster. If you would like to install Immuta on an existing AKS cluster, you can skip this step. If wish to deploy a dedicated cluster for Immuta, please visit Deploying Immuta Cluster Infrastructure on AKS.

Navigate to the installation method of your choice:

Option 1: Install Immuta Manually via Helm

Please see the main helm installation guide for the full walkthrough of installing Immuta via our Helm Chart. This section will focus on the specific requirements for the helm installation on AKS.

Use the Nginx Ingress Controller as a Load Balancer in Azure Cloud

Since you are deploying Immuta as an Azure cloud application in AKS, you can easily configure the Nginx Ingress Controller that is bundled with the Immuta Helm deployment as a load balancer using the generated hostname from Azure.

  1. Confirm that you have the following configurations in your values.yaml file before deploying:

    externalHostname: <your immuta helm release name>.<your azure region>.cloudapp.azure.com
nginxIngress:
  enabled: true
  controller:
    service:
      type: LoadBalancer
      annotations:
        service.beta.kubernetes.io/azure-load-balancer-internal: "true"

    If you are using the included ingress controller, it will create a Kubernetes LoadBalancer Service to expose Immuta outside of your cluster. The following options are available for configuring the LoadBalancer Service:

    • nginxIngress.controller.service.annotations: Useful for setting options such as creating an internal load balancer or configuring TLS termination at the load balancer.
    • nginxIngress.controller.service.loadBalancerSourceRanges: Used to limit which client IP addresses can access the load balancer.
    • nginxIngress.controller.service.externalTrafficPolicy: Useful when working with Network Load Balancers on AWS. It can be set to “Local” to allow the client IP address to be propagated to the Pods.

    Possible values for these various settings can be found in the Kubernetes Documentation.

  2. After running helm install, you can find the public IP address of the nginx controller by running

    kubectl get services -n <your immuta namespace>

  3. If the public IP address shows up as <pending>, wait a few moments and check again. Once you have the IP address, run the following commands to configure the Immuta Azure Cloud Application to use your ingress controller:

    IP="<controller public IP address>"
DNSNAME="<your immuta helm release name>"
RG=$(az network public-ip list --query "[?ipAddress!=null]|[?contains(ipAddress, '$IP')].[resourceGroup]" --output tsv)
PIPNAME=$(az network public-ip list --query "[?ipAddress!=null]|[?contains(ipAddress, '$IP')].[name]" --output tsv)
az network public-ip update --resource-group $RG --name $PIPNAME --dns-name $DNSNAME

  4. Shortly after running these commands, you should be able to reach the Immuta console in your web browser at the configured externalHostName.

Configure Security Groups

Best Practice: Network Security Group

Immuta recommends that you set up the network security group for the Immuta cluster to be closed to public traffic outside of your organization. If your organization already has rules and guidelines for your Azure Cloud Application security groups, then you should adhere to those. Otherwise, we recommend visiting Microsoft's documentation page for configuring Network security groups to find a solution that fits your environment.

Backup

To configure backups with Azure, see the backup section in the Immuta Helm Chart.

Option 2: Automated Installation

If you've previously provisioned an AKS cluster (see Deploying Immuta Cluster Infrastructure on AKS) and have installed the Installation Prerequisites, you can run an automated script that will

  • Prepare the Helm values file,
  • Register the required secrets to pull Immuta's Docker images,
  • Run the Helm installation, and
  • Create the mapping between the external IP address Ingress Controller (the cluster's load balancer) and the cluster's public DNS name.
Please Note

Running the automated deployment script will make a series of decisions for you:

  • The TLS certificates will be generated on-the-fly and will be self-signed. You can easily change this later by following the instructions in the main Helm installation guide.
  • The number of replicas from each component will be automatically derived from your AKS cluster's node count. This can be easily modified by overriding the replicas parameter.
  • The installation will set up backup volumes by default. Set the BACKUPS value to 0 to disable Immuta backups.

Download the Script

  1. Download the script here.
  2. Make it executable by running
chmod +x immuta-aks.sh

Deploy to an AKS Cluster

Parameters

Below is the list of the parameters that the script accepts. These parameters are environment variables that are prepended to the execution command.

Variable Name Description Required Default
CLUSTER_NAME The name of your AKS cluster Required -
SUBSCRIPTION_ID The Azure Subscription ID Required -
CLUSTER_RESOURCE_GROUP The resource group that contains the cluster Required -
DOCKER_USERNAME Obtain here Required -
DOCKER_PASSWORD Obtain here Required -
DB_PASSWORD An arbitrary metadata database password Required -
DB_SUPERUSER_PASSWORD An arbitrary metadata database super-user password Required -
DB_REPLICATION_PASSWORD An arbitrary metadata database replication password Required -
DB_PATRONI_API_PASSWORD An arbitrary metadata database Patroni API password Required -
QE_PASSWORD An arbitrary Query Engine password Required -
QE_SUPERUSER_PASSWORD An arbitrary Query Engine super-user password Required -
QE_REPLICATION_PASSWORD An arbitrary Query Engine replication password Required -
QE_PATRONI_API_PASSWORD An arbitrary Query Engine Patroni API password Required -
IMMUTA_VERSION The version tag of the desired Immuta installation Optional <Current Immuta version>
IMMUTA_K8S_NAMESPACE The Kubernetes namespace to create and deploy Immuta to Optional default
REPLICAS The number of replicas of each main component in the cluster Optional 1
BACKUPS Whether or not backups should be enabled Optional 1
SA_RESOURCE_GROUP Backup Storage Account resource group Optional Same as CLUSTER_RESOURCE_GROUP

Run the Deployment

To run the script and deploy, you can simply prepend the above-mentioned parameters to the execution command, with the action deploy. For example,

CLUSTER_NAME="..." \
SUBSCRIPTION_ID="..." \
CLUSTER_RESOURCE_GROUP="..." \
DOCKER_USERNAME="..." \
DOCKER_PASSWORD="..." \
DB_PASSWORD="..." \
DB_SUPERUSER_PASSWORD="..." \
DB_REPLICATION_PASSWORD="..." \
DB_PATRONI_API_PASSWORD="..." \
QE_PASSWORD="..." \
QE_SUPERUSER_PASSWORD="..." \
QE_REPLICATION_PASSWORD="..." \
QE_PATRONI_API_PASSWORD="..." \
./immuta-aks.sh deploy

Destroy a Deployment

You can use the same script to destroy a deployment you had previously run with this script, by running the following command:

CLUSTER_NAME="..." \
./immuta-aks.sh destroy

The value of CLUSTER_NAME should be identical to the name of the CLUSTER_NAME value you've used to deploy Immuta.

External References