Helm Chart Configuration Options

The Helm Chart includes components that make up your Immuta infrastructure, and you can change these values to tailor your Immuta infrastructure to suit your needs. The tables below include parameter descriptions and default values for all components in the Helm Chart.

When installing Immuta, download immuta-values.yaml and update the values to your preferred settings.

See the Helm installation page for guidance and best practices.

Global

Parameter | Description | Default

immutaVersion

Version of Immuta

<Current Immuta Version>

imageTag

Docker image tag

<Current Version Tag>

imagePullPolicy

Image pull policy

IfNotPresent

imagePullSecrets

List of image pull secrets to use

[immuta-registry]

existingSecret

Name of an existing Kubernetes Secret for the Helm install to use. A managed Secret is not created when this value is set.

nil

externalHostname

External hostname assigned to this Immuta instance.

nil

podSecurityContext

Pod level security features on all pods.

{}

containerSecurityContext

Container level security features on all containers.

{}

global.imageRegistry

Global override for image registry.

registry.immuta.com

global.podAnnotations

Annotations to be set on all pods.

{}

global.podLabels

Labels that will be set on all pods.

{}

Backup

Parameter | Description | Default

backup.enabled

Whether or not to turn on automatic backups

true

backup.restore.enabled

Whether or not to restore from backups if present

false

backup.type

Backup storage type. Must be defined if backup.enabled is true. Must be one of: s3, gs, or azblob.

nil

backup.cronJob.nodeSelector

Node selector for backup cron job.

{"kubernetes.io/os": "linux"}

backup.cronJob.resources

Container resources.

{}

backup.cronJob.tolerations

Tolerations for backup CronJob.

nil

backup.extraEnv

Mapping of key-value pairs to be set on backup Job containers.

{}

backup.failedJobsHistoryLimit

Number of failed jobs to exist before stopping

1

backup.keepBackupVolumes

Whether or not to delete backup volumes when uninstalling Immuta

false

backup.maxBackupCount

Max number of backups to exist at a given time.

10

backup.podAnnotations

Annotations to add to all pods associated with backups

nil

backup.podLabels

Labels to add to all pods associated with backups.

nil

backup.restore.databaseFile

Name of the file in the database backup folder to restore from.

nil

backup.restore.queryEngineFile

Name of the file in the query-engine backup folder to restore from.

nil

backup.schedule

Kubernetes CronJob schedule expression.

0 0 * * *

backup.securityContext

SecurityContext for backup Pods.

{}

backup.serviceAccountAnnotations

Annotations to add to all ServiceAccounts associated with backups.

nil

backup.successfulJobsHistoryLimit

Number of successful jobs to exist before cleanup.

3

backup.podSecurityContext

Pod level security features.

{}

backup.containerSecurityContext

Container level security.

{}

AWS S3 Backups

These values are used when backup.type=s3.

Parameter | Description | Default

backup.s3.awsAccessKeyId

AWS Access Key ID.

nil

backup.s3.awsSecretAccessKey

AWS Secret Access Key.

nil

backup.s3.awsRegion

AWS Region.

nil

backup.s3.bucket

S3 Bucket to store backups in.

nil

backup.s3.bucketPrefix

Prefix to append to all backups.

nil

backup.s3.endpoint

Endpoint URL of an s3-compatible server.

nil

backup.s3.caBundle

CA bundle in PEM format. Used to verify TLS certificates of custom s3 endpoint.

nil

backup.s3.forcePathStyle

Set to "true" to force the use of path-style addressing.

nil

backup.s3.disableSSL

Set to "true" to disable SSL connections for the s3 endpoint.

nil

Azure Blob Storage

These values are used when backup.type=azblob.

Parameter | Description | Default

backup.azblob.azStorageAccount

Azure Storage Account Name

nil

backup.azblob.azStorageKey

Azure Storage Account Key

nil

backup.azblob.azStorageSASToken

Azure Storage Account SAS Token

nil

backup.azblob.container

Azure Storage Account Container Name

nil

backup.azblob.containerPrefix

Prefix to append to all backups

nil

Google Cloud Storage

These values are used when backup.type=gs.

Parameter | Description | Default

backup.gs.gsKeySecretName

Kubernetes Secret containing key.json for Google Service Account

nil

backup.gs.bucket

Google Cloud Storage Bucket

nil

backup.gs.bucketPrefix

Prefix to append to all backups

nil

Immuta TLS

Parameter | Description | Default

tls.enabled

Whether or not to use TLS.

true

tls.create

Whether or not to generate TLS certificates.

true

tls.manageGeneratedSecret

When true, the generated TLS secret will be created as a resource of the Helm Chart.

false

tls.secretName

Secret name to use for internal and external communication. (For self-provided certs only)

nil

tls.enabledInternal

Whether or not to use TLS for all internal communication.

true

tls.internalSecretName

Secret name to use for internal communication. (For self-provided certs only)

nil

tls.enabledExternal

Whether or not to use TLS for all external communication.

true

tls.externalSecretName

Secret name to use for external communication. (For self-provided certs only)

nil

tls.manageGeneratedSecret may cause issues with helm install.

In most cases, tls.manageGeneratedSecret should only be set to true when Helm is not being used to install the release (for example, when using Argo CD).

If tls.manageGeneratedSecret is set to true when used with the default TLS generation hook configuration, you will encounter an error similar to the following.

Error: secrets "immuta-tls" already exists

You can work around this error by configuring the TLS generation hook to run as a post-install hook.

hooks:
  tlsGeneration:
    hookAnnotations:
      helm.sh/hook: post-install

However, this configuration is not compatible with helm install --wait. If the --wait flag is used, the command will time out and fail.

Web Service

Parameter | Description | Default

web.extraEnv

Mapping of key-value pairs to be set on web containers.

{}

web.extraVolumeMounts

List of extra volume mounts to be added to web containers.

[]

web.extraVolumes

List of extra volumes to be added to web containers.

[]

web.image.registry

Image registry for the Immuta service image.

Value from global.imageRegistry

web.image.repository

Image repository for the Immuta service image.

immuta/immuta-service

web.image.tag

Image tag for the Immuta service image.

Value from imageTag or immutaVersion

web.image.digest

Image digest for the Immuta service image in format of sha256:<DIGEST>.

web.imagePullPolicy

ImagePullPolicy for the Immuta service container.

{{ .Values.imageTag }}

web.imageRepository (deprecated)

Use web.image.registry and web.image.repository.

nil

web.imageTag (deprecated)

Use web.image.tag.

nil

web.replicas

Number of replicas of web service to deploy. Maximum: 3

1

web.workerCount

Number of web service worker processes to deploy.

2

web.threadPoolSize

Number of threads to use for each NodeJS process.

nil

web.ingress.enabled

Controls the creation of an Ingress resource for the web service.

true

web.ingress.clientMaxBodySize

client_max_body_size passed through to nginx.

1g

web.resources

Container resources.

{}

web.podAnnotations

Additional annotations to apply to web pods.

{}

web.podLabels

Additional labels to apply to web pods.

{}

web.nodeSelector

Node selector for web pods.

{"kubernetes.io/os": "linux"}

web.serviceAccountAnnotations

Annotations for the web ServiceAccount.

{}

web.tolerations

Tolerations for web pods.

nil

web.podSecurityContext

Pod level security features.

{}

web.containerSecurityContext

Container level security features.

{}

Fingerprint Service

Parameter | Description | Default

fingerprint.image.registry

Image registry for the Immuta fingerprint image.

Value from global.imageRegistry

fingerprint.image.repository

Image repository for the Immuta fingerprint image.

immuta/immuta-fingerprint

fingerprint.image.tag

Image tag for the Immuta fingerprint image.

Value from imageTag or immutaVersion

fingerprint.image.digest

Image digest for the Immuta fingerprint image in format of sha256:<DIGEST>.

fingerprint.imagePullPolicy

ImagePullPolicy for the Immuta fingerprint container.

{{ .Values.imageTag }}

fingerprint.imageRepository (deprecated)

Use fingerprint.image.registry and fingerprint.image.repository.

nil

fingerprint.imageTag (deprecated)

Use fingerprint.image.tag.

nil

fingerprint.replicas

Number of replicas of fingerprint service to deploy.

1

fingerprint.logLevel

Log level for the Fingerprint service.

WARNING

fingerprint.extraConfig

Object containing configuration options for the Immuta Fingerprint service.

{}

fingerprint.resources

Container resources.

{}

fingerprint.podAnnotations

Additional annotations to apply to fingerprint Pods.

{}

fingerprint.podLabels

Additional labels to apply to fingerprint Pods.

{}

fingerprint.nodeSelector

Node selector for fingerprint Pods.

{"kubernetes.io/os": "linux"}

fingerprint.serviceAccountAnnotations

Annotations for the fingerprint ServiceAccount.

{}

fingerprint.tolerations

Tolerations for fingerprint Pods.

nil

<component>.podSecurityContext

Pod level security features.

<component>.containerSecurityContext

Container level security features.

Metadata Database

The Metadata Database component can be configured to use either the built-in Kubernetes deployment or an external PostgreSQL database.

The following Helm values are shared between both built-in and external databases.

Parameter | Description | Default

database.enabled

Enabled flag. Used to disable the built-in database when an external database is used.

true

database.image.registry

Image registry for the Immuta database image.

Value from global.imageRegistry

database.image.repository

Image repository for the Immuta database image.

immuta/immuta-db

database.image.tag

Image tag for the Immuta database image.

Value from imageTag or immutaVersion

database.image.digest

Image digest for the Immuta database image in format of sha256:<DIGEST>.

database.imagePullPolicy

ImagePullPolicy for the Immuta database container.

{{ .Values.imageTag }}

database.imageRepository (deprecated)

Use database.image.registry and database.image.repository.

nil

database.imageTag (deprecated)

Use database.image.tag.

nil

Built-in Database

These values are used when database.enabled=true.

Parameter | Description | Default

database.extraEnv

Mapping of key-value pairs to be set on database containers.

{}

database.extraVolumeMounts

List of extra volume mounts to be added to database containers.

[]

database.extraVolumes

List of extra volumes to be added to database containers.

[]

database.nodeSelector

Node selector for database pods.

{"kubernetes.io/os": "linux"}

database.password

Password for the Immuta metadata database.

secret

database.patroniApiPassword

Password for Patroni REST API.

secret

database.patroniKubernetes

Patroni Kubernetes settings.

{"use_endpoints": true}

database.persistence.enabled

Set this to true to enable data persistence on all database pods. It should be set to true for all non-testing environments.

false

database.podAnnotations

Additional annotations to apply to database pods.

{}

database.podLabels

Additional labels to apply to database pods.

{}

database.replicas

Number of database replicas.

1

database.replicationPassword

Password for replication user.

secret

database.resources

Container resources.

{}

database.sharedMemoryVolume.enabled

Enable the use of a memory-backed emptyDir volume for /dev/shm.

false

database.sharedMemoryVolume.sizeLimit

Size limit for the shared memory volume. Only available when the SizeMemoryBackedVolumes feature gate is enabled.

nil

database.superuserPassword

Password for PostgreSQL superuser.

secret

database.tolerations

Tolerations for database pods.

nil

database.podSecurityContext

Pod level security features.

{}

database.containerSecurityContext

Container level security features.

{}

External Database

These values are used when database.enabled=false.

Parameter | Description | Default

externalDatabase.host (required)

Hostname of the external database instance.

nil

externalDatabase.port

Port for the external database instance.

5432

externalDatabase.sslmode

PostgreSQL sslmode option for the external database connection. Behavior when unset is require.

nil

externalDatabase.dbname

Immuta database name.

bometadata

externalDatabase.username

Immuta database username.

bometa

externalDatabase.password (required)

Immuta database user password.

nil

externalDatabase.superuser.username (required)

Username for the superuser used to initialize the database instance.

true

externalDatabase.superuser.password (required)

Password for the superuser used to initialize the database instance.

true

externalDatabase.backup.enabled

(Deprecated) Enable flag for external database backups. Refer to backup.enabled=true.

true

externalDatabase.restore.enabled

(Deprecated) Enable flag for the external database restore. Refer to backup.restore.enabled=true.

true

Query Engine

Parameter | Description | Default

queryEngine.extraEnv

Mapping of key-value pairs to be set on Query Engine containers.

{}

queryEngine.extraVolumeMounts

List of extra volume mounts to be added to Query Engine containers.

[]

queryEngine.extraVolumes

List of extra volumes to be added to Query Engine containers.

[]

queryEngine.image.registry

Image registry for the Immuta Query Engine image.

Value from global.imageRegistry

queryEngine.image.repository

Image repository for the Immuta Query Engine image.

immuta/immuta-db

queryEngine.image.tag

Image tag for the Immuta Query Engine image.

Value from imageTag or immutaVersion

queryEngine.image.digest

Image digest for the Immuta Query Engine image in format of sha256:<DIGEST>.

queryEngine.imagePullPolicy

ImagePullPolicy for the Immuta Query Engine container.

{{ .Values.imageTag }}

queryEngine.imageRepository (deprecated)

Use queryEngine.image.registry and queryEngine.image.repository.

nil

queryEngine.imageTag (deprecated)

Use queryEngine.image.tag.

nil

queryEngine.replicas

Number of database replicas

1

queryEngine.password

Password for the Immuta feature store database.

secret

queryEngine.superuserPassword

Password for PostgreSQL superuser.

secret

queryEngine.replicationPassword

Password for replication user.

secret

queryEngine.patroniApiPassword

Password for Patroni REST API.

secret

queryEngine.patroniKubernetes

Patroni Kubernetes settings.

{"use_endpoints": true}

queryEngine.persistence.enabled

This should be set to true for all non-testing environments.

false

queryEngine.resources

Container resources.

{}

queryEngine.service

Service configuration for Query Engine service if not using an Ingress Controller.

queryEngine.podAnnotations

Additional annotations to apply to Query Engine pods.

{}

queryEngine.podLabels

Additional labels to apply to Query Engine pods.

{}

queryEngine.nodeSelector

Node selector for Query Engine pods.

{"kubernetes.io/os": "linux"}

queryEngine.sharedMemoryVolume.enabled

Enable the use of a memory-backed emptyDir volume for /dev/shm.

false

queryEngine.sharedMemoryVolume.sizeLimit

Size limit for the shared memory volume. Only available when the SizeMemoryBackedVolumes feature gate is enabled.

nil

queryEngine.tolerations

Tolerations for Query Engine pods.

nil

queryEngine.podSecurityContext

Pod level security features.

{}

queryEngine.containerSecurityContext

Container level security features.

{}

Query Engine Port

If you will only use integrations, port 5432 is optional. When using the built-in Ingress Nginx Controller, you can disable the port by setting queryEngine.publishPort to false.

Parameter | Description | Default

queryEngine.publishPort

Controls whether or not the Query Engine port (5432) is published on the built-in Ingress Controller service.

true
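
The database and Query Engine tables above list secret as the default for every password and false for persistence. As an added example (not part of the Immuta chart or its documentation), this Python audit flags those defaults, disabled TLS flags, backup.s3.disableSSL and a weak externalDatabase.sslmode in a merged values dictionary such as the output of helm get values <release> --all -o json. The function names and the sample values are constructed for illustration, and skipping password checks when existingSecret is set is an assumption.

```python
import json

# Defaults and key names taken from the parameter tables on this page.
DEFAULT_PASSWORD = "secret"
PASSWORD_KEYS = ("password", "superuserPassword",
                 "replicationPassword", "patroniApiPassword")
TLS_FLAGS = ("tls.enabled", "tls.enabledInternal", "tls.enabledExternal")
# PostgreSQL sslmode values that do not guarantee an encrypted connection.
WEAK_SSLMODES = {"disable", "allow", "prefer"}


def lookup(values, dotted, default=None):
    """Walk a nested dict using a dotted Helm-style path."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def is_true(value):
    """Some flags are documented as the string "true"; accept bool or string."""
    return value is True or str(value).lower() == "true"


def audit_values(values):
    """Return a sorted list of (path, finding) tuples for risky settings."""
    findings = []
    # database.* applies only to the built-in database (database.enabled=true).
    builtin_db = lookup(values, "database.enabled", True) is not False
    components = ["queryEngine"] + (["database"] if builtin_db else [])
    # Assumption: with existingSecret set, credentials come from that Secret,
    # so inline password values are not inspected.
    if not lookup(values, "existingSecret"):
        for comp in components:
            for key in PASSWORD_KEYS:
                path = f"{comp}.{key}"
                if lookup(values, path, DEFAULT_PASSWORD) == DEFAULT_PASSWORD:
                    findings.append((path, "default password"))
    for comp in components:
        path = f"{comp}.persistence.enabled"
        if not is_true(lookup(values, path, False)):
            findings.append((path, "persistence disabled"))
    for flag in TLS_FLAGS:
        if not is_true(lookup(values, flag, True)):
            findings.append((flag, "TLS disabled"))
    if (lookup(values, "backup.type") == "s3"
            and is_true(lookup(values, "backup.s3.disableSSL"))):
        findings.append(("backup.s3.disableSSL", "backup traffic unencrypted"))
    if not builtin_db:
        mode = lookup(values, "externalDatabase.sslmode")
        if mode in WEAK_SSLMODES:
            findings.append(("externalDatabase.sslmode", f"weak sslmode {mode}"))
    return sorted(findings)


# Constructed sample values (not from a real deployment).
SAMPLE = json.loads("""
{"database": {"enabled": false},
 "externalDatabase": {"host": "db.example.internal", "sslmode": "prefer"},
 "queryEngine": {"password": "secret", "superuserPassword": "rotated-1",
                 "replicationPassword": "rotated-2",
                 "patroniApiPassword": "secret",
                 "persistence": {"enabled": true}},
 "tls": {"enabled": true, "enabledInternal": false, "enabledExternal": true},
 "backup": {"type": "s3", "s3": {"disableSSL": "true"}}}
""")

if __name__ == "__main__":
    for path, finding in audit_values(SAMPLE):
        print(f"{path}: {finding}")
```

Missing password keys are treated as the chart default, so an empty values file reports all eight built-in database and Query Engine passwords.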

Chart Hooks

Cleanup

The Cleanup hook is a Helm post-delete hook that is responsible for cleaning up some resources that are not deleted by Helm.

Parameter | Description | Default

hooks.cleanup.resources

Container resources.

{}

hooks.cleanup.serviceAccountAnnotations

Annotations for the cleanup hook ServiceAccount.

{}

hooks.cleanup.nodeSelector

Node selector for pods.

{"kubernetes.io/os": "linux"}

hooks.cleanup.tolerations

Tolerations for pods.

nil

hooks.cleanup.podSecurityContext

Pod level security features.

hooks.cleanup.containerSecurityContext

Container level security features.

Database Initialize

The database initialize hook is used to initialize the external database when database.enabled=false.

Parameter | Description | Default

hooks.databaseInitialize.resources

Container resources.

{}

hooks.databaseInitialize.serviceAccountAnnotations

Annotations for the database initialize hook ServiceAccount.

{}

hooks.databaseInitialize.verbose

Flag to enable or disable verbose logging in the database initialize hook.

true

hooks.databaseInitialize.nodeSelector

Node selector for pods.

{"kubernetes.io/os": "linux"}

hooks.databaseInitialize.tolerations

Tolerations for pods.

nil

hooks.databaseInitialize.podSecurityContext

Pod level security features.

hooks.databaseInitialize.containerSecurityContext

Container level security features.

TLS Generation

The TLS generation hook is a Helm pre-install hook that is responsible for generating TLS certificates used for connections between the Immuta pods.

Parameter | Description | Default

hooks.tlsGeneration.hookAnnotations."helm.sh/hook-delete-policy"

Delete policy for the TLS generation hook.

"before-hook-creation,hook-succeeded"

hooks.tlsGeneration.resources

Container resources.

{}

hooks.tlsGeneration.serviceAccountAnnotations

Annotations for the cleanup hook ServiceAccount.

{}

hooks.tlsGeneration.nodeSelector

Node selector for pods.

{"kubernetes.io/os": "linux"}

hooks.tlsGeneration.tolerations

Tolerations for pods.

nil

hooks.tlsGeneration.podSecurityContext

Pod level security features.

hooks.tlsGeneration.containerSecurityContext

Container level security features.

Cache

Parameter | Description | Default

cache.type

Type to use for the cache. Valid values are memcached.

memcached

cache.replicas

Number of replicas.

1

cache.resources

Container resources.

{}

cache.nodeSelector

Node selector for pods.

{"kubernetes.io/os": "linux"}

cache.podSecurityContext

SecurityContext for cache Pods.

{"runAsUser": 65532}

cache.containerSecurityContext

Container level security features.

{}

cache.updateStrategy

UpdateStrategy Spec for cache workloads.

{}

cache.tolerations

Tolerations for pods.

nil

cache.memcached.image.registry

Image registry for Memcached image.

Value from global.imageRegistry

cache.memcached.image.repository

Image repository for Memcached image.

memcached

cache.memcached.image.tag

Image tag for Memcached image.

1.6-alpine

cache.memcached.image.digest

Image digest for the Immuta Memcached image in format of sha256:<DIGEST>.

cache.memcached.imagePullPolicy

Image pull policy.

Value from imagePullPolicy

cache.memcached.maxItemMemory

Limit for max item memory in cache (in MB).

64

Deploy Tools

Parameter | Description | Default

deployTools.image.registry

Image registry for Immuta deploy tools image.

Value from global.imageRegistry

deployTools.image.repository

Image repository for Immuta deploy tools image.

immuta/immuta-deploy-tools

deployTools.image.tag

Image tag for Immuta deploy tools image.

2.4.3

deployTools.image.digest

Image digest for the Immuta deploy tools image in format of sha256:<DIGEST>.

deployTools.imagePullPolicy

Image pull policy.

Value from imagePullPolicy

Ingress Controller

Parameter | Description | Default

nginxIngress.enabled

Enable nginx ingress deployment

true

nginxIngress.podSecurityContext

Pod level security features.

{}

nginxIngress.containerSecurityContext

Container level security features.

{capabilities: {drop: [ALL], add: [NET_BIND_SERVICE]}, runAsUser: 101}

nginxIngress.controller.image.registry

Image registry for the Nginx Ingress controller image.

Value from global.imageRegistry

nginxIngress.controller.image.repository

Image repository for the Nginx Ingress controller image.

ingress-nginx-controller

nginxIngress.controller.image.tag

Image tag for the Nginx Ingress controller image.

v1.1.0

nginxIngress.controller.image.digest

Image digest for the Immuta Nginx Ingress controller image in format of sha256:<DIGEST>.

nginxIngress.controller.imagePullPolicy

ImagePullPolicy for the Nginx Ingress controller container.

{{ .Values.imageTag }}

nginxIngress.controller.imageRepository (deprecated)

Use nginxIngress.controller.image.registry and nginxIngress.controller.image.repository.

nil

nginxIngress.controller.imageTag (deprecated)

Use nginxIngress.controller.image.tag.

nil

nginxIngress.controller.service.annotations

Used to set arbitrary annotations on the Nginx Ingress Service.

{}

nginxIngress.controller.service.type

Controller service type.

LoadBalancer

nginxIngress.controller.service.isInternal

Whether or not to use an internal ELB

false

nginxIngress.controller.service.acmCertArn

ARN for ACM certificate

nginxIngress.controller.replicas

Number of controller replicas

1

nginxIngress.controller.minReadySeconds

Minimum ready seconds

0

nginxIngress.controller.electionID

Election ID for nginx ingress controller

ingress-controller-leader

nginxIngress.controller.hostNetwork

Run nginx ingress controller on host network

false

nginxIngress.controller.config.proxy-read-timeout

Controller proxy read timeout.

300

nginxIngress.controller.config.proxy-send-timeout

Controller proxy send timeout.

300

nginxIngress.controller.podAnnotations

Additional annotations to apply to nginx ingress controller pods.

{}

nginxIngress.controller.podLabels

Additional labels to apply to nginx ingress controller pods.

{}

nginxIngress.controller.nodeSelector

Node selector for nginx ingress controller pods.

{"kubernetes.io/os": "linux"}

nginxIngress.controller.tolerations

Tolerations for nginx ingress controller pods.

nil

nginxIngress.controller.resources

Container resources.

{}

Memcached

Deprecation Warning

The following values are deprecated. Values should be migrated to cache and cache.memcached. See Cache for replacement values.

Parameter | Description | Default

memcached.pdbMinAvailable

Minimum pdb available.

1

memcached.maxItemMemory

Limit for max item memory in cache (in MB).

64

memcached.resources

Container resources.

{requests: {memory: 64Mi}}

memcached.podAnnotations

Additional annotations to apply to memcached pods.

{}

memcached.podLabels

Additional labels to apply to memcached pods.

{}

memcached.nodeSelector

Node selector for memcached pods.

{"kubernetes.io/os": "linux"}

memcached.tolerations

Tolerations for memcached pods.

nil

Copyright © 2014-2024 Immuta Inc. All rights reserved.