Immuta in Production

This guide highlights best practices when deploying Immuta in a production environment.

Kubernetes namespace

The following section(s) presume the Immuta Enterprise Helm chart was deployed into namespace immuta and that the current namespace is immuta.

Helm values

Back up or source control your immuta-values.yaml Helm values file.

Kubernetes resource requests and limits

Assign memory resource limits to pods.

Edit Helm values

Edit immuta-values.yaml to include the following recommended resource requests and limits for most Immuta deployments.

Increase replica count to 3 on web and backgroundWorker for large deployments.

audit:
  worker:
    replicaCount: 1
    resources:
      requests:
        cpu: 1000m
        memory: 1024Mi
      limits:
        cpu: 1000m
        memory: 2048Mi  
  deployment:
    replicaCount: 1
    resources:
      requests:
        cpu: 1000m
        memory: 4096Mi
      limits:
        cpu: 3000m
        memory: 8192Mi
secure:
  backgroundWorker:
    replicaCount: 2
    resources:
      requests:
        cpu: 1000m
        memory: 4096Mi
      limits:
        cpu: 4000m
        memory: 4096Mi  
  web:
    replicaCount: 2 
    resources:
      requests:
        cpu: 1000m
        memory: 4096Mi
      limits:
        cpu: 4000m
        memory: 4096Mi
discover:
  deployment:
    replicaCount: 1
    resources:
      requests:
        cpu: 500m
        memory: 4096Mi
      limits:
        cpu: 3000m
        memory: 4096Mi
cache:
  deployment:
    replicaCount: 1
    resources:
      requests:
        cpu: 500m
        memory: 512Mi
      limits:
        cpu: 1000m
        memory: 512Mi

Kubernetes secrets

Use Kubernetes secrets in the immuta-values.yaml file instead of passwords and tokens. The following section demonstrates how to create a secret and reference it in the Helm values file.

Create secret

Create a file named secret-data.env with the following content.

# audit
ELASTICSEARCH_USERNAME=<elasticsearch-username>
ELASTICSEARCH_PASSWORD=<elasticsearch-password>

# PostgreSQL connection string used by audit for the metadata database
#   postgresql://<user>:<password>@<postgres-fqdn>:5432/<database>?schema=audit
#
# More info
#   https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
DATABASE_CONNECTION_STRING=postgresql://immuta:<postgres-password>@<postgres-fqdn>:5432/immuta?schema=audit

# secure
IMMUTA_DATABASES_IMMUTA_CONNECTIONS_IMMUTADB_PASSWORD=<postgres-password>

Create secret named immuta-secret from file secret-data.env.

kubectl create secret generic immuta-secret --from-env-file=secret-data.env

Delete file secret-data.env, as it's no longer needed.
```
rm -i secret-data.env
```

Edit Helm values

Edit immuta-values.yaml to include the following Helm values.

audit:
  #...
  deployment:
    existingSecret: immuta-secret
  export:
    cronJob:
      existingSecret: immuta-secret

secure:
  #...
  existingSecret:
    name: immuta-secret
    # Optional. Map expected keys with keys in existing secret
    # keyMapping: {}

Remove any sensitive key-value pairs from the immuta-values.yaml Helm values that were made redundant after the secret was created.

Apply Helm values

Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.19

PreviousTLS Configuration NextExternal Cache Configuration

Last updated 19 days ago

Was this helpful?