# Immuta in Production

This guide highlights best practices when deploying Immuta in a production environment.

{% hint style="info" %}
**Kubernetes namespace**

The following section(s) presume the Immuta Enterprise Helm chart was deployed into namespace `immuta` and that the current namespace is `immuta`.
{% endhint %}

## Helm values

Back up your `immuta-values.yaml` Helm values file or keep it under source control.

## Kubernetes resource requests and limits

Assign [memory resource limits](https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/) to pods.

### Edit Helm values

Edit `immuta-values.yaml` to include the following recommended resource requests and limits for most Immuta deployments.

{% hint style="info" %}
Increase replica count to 3 on `web` and `backgroundWorker` for large deployments.
{% endhint %}

```yaml
audit:
  worker:
    replicaCount: 1
    resources:
      requests:
        cpu: 1000m
        memory: 1024Mi
      limits:
        cpu: 1000m
        memory: 2048Mi
  deployment:
    replicaCount: 1
    resources:
      requests:
        cpu: 1000m
        memory: 4096Mi
      limits:
        cpu: 3000m
        memory: 8192Mi
secure:
  backgroundWorker:
    replicaCount: 2
    resources:
      requests:
        cpu: 1000m
        memory: 4096Mi
      limits:
        cpu: 4000m
        memory: 4096Mi
  web:
    replicaCount: 2
    resources:
      requests:
        cpu: 1000m
        memory: 4096Mi
      limits:
        cpu: 4000m
        memory: 4096Mi
discover:
  deployment:
    replicaCount: 1
    resources:
      requests:
        cpu: 500m
        memory: 4096Mi
      limits:
        cpu: 3000m
        memory: 4096Mi
cache:
  deployment:
    replicaCount: 1
    resources:
      requests:
        cpu: 500m
        memory: 512Mi
      limits:
        cpu: 1000m
        memory: 512Mi
```

## Kubernetes secrets

Reference [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/) from the `immuta-values.yaml` file instead of storing passwords and tokens in it as plaintext. The following section demonstrates how to create a secret and reference it in the Helm values file.

### Create secret

1. Create a file named `secret-data.env` with the following content.

   ```shell
   # audit
   ELASTICSEARCH_USERNAME=<elasticsearch-username>
   ELASTICSEARCH_PASSWORD=<elasticsearch-password>

   # PostgreSQL connection string used by audit for the metadata database
   #   postgresql://<user>:<password>@<postgres-fqdn>:5432/<database>?schema=audit
   #
   # More info
   #   https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
   DATABASE_CONNECTION_STRING=postgresql://immuta:<postgres-password>@<postgres-fqdn>:5432/immuta?schema=audit

   # secure
   IMMUTA_DATABASES_IMMUTA_CONNECTIONS_IMMUTADB_PASSWORD=<postgres-password>
   ```
2. Create secret named `immuta-secret` from file `secret-data.env`.

   ```shell
   kubectl create secret generic immuta-secret --from-env-file=secret-data.env
   ```
3. Delete file `secret-data.env`, as it's no longer needed.

   ```shell
   rm -i secret-data.env
   ```
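
A pre-flight check for `secret-data.env` that can be run between steps 1 and 2. This is an added example, not part of Immuta's tooling: the function name `check_secret_env` is hypothetical, and the required keys are taken from the template in step 1.

```shell
#!/usr/bin/env bash
# Pre-flight check for secret-data.env (added example; not Immuta tooling).
# Keys below are the ones listed in the env file template on this page.
REQUIRED_KEYS="ELASTICSEARCH_USERNAME ELASTICSEARCH_PASSWORD DATABASE_CONNECTION_STRING IMMUTA_DATABASES_IMMUTA_CONNECTIONS_IMMUTADB_PASSWORD"

# check_secret_env FILE
# Prints one finding per line; returns 0 if the file is clean, 1 otherwise.
check_secret_env() {
  local file="$1" rc=0 key value mode
  [ -r "$file" ] || { echo "unreadable: $file"; return 1; }

  # The file holds credentials in clear text: only the owner should read it.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    600|400) ;;
    *) echo "permissions $mode on $file (expected 600)"; rc=1 ;;
  esac

  for key in $REQUIRED_KEYS; do
    # Take the last assignment of the key; comment lines never match.
    value=$(grep -E "^${key}=" "$file" | tail -n 1 | cut -d= -f2-)
    if [ -z "$value" ]; then
      echo "missing or empty: $key"; rc=1
    elif printf '%s' "$value" | grep -Eq '<[^<>]+>'; then
      # An unfilled <placeholder> would be stored as the credential itself.
      echo "placeholder left in: $key"; rc=1
    fi
  done

  # kubectl --from-env-file does not strip quotes; they become part of the value.
  if grep -Eq "^[A-Za-z_][A-Za-z0-9_]*=[\"'].*[\"']\$" "$file"; then
    echo "quoted value found (quotes are stored literally)"; rc=1
  fi
  return $rc
}
```

Run `umask 077` before creating the file so it is never world-readable, then gate step 2 on the check: `check_secret_env secret-data.env && kubectl create secret generic immuta-secret --from-env-file=secret-data.env`.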

### Edit Helm values

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   audit:
     #...
     deployment:
       existingSecret: immuta-secret
     export:
       cronJob:
         existingSecret: immuta-secret

   secure:
     #...
     existingSecret:
       name: immuta-secret
       # Optional. Map expected keys with keys in existing secret
       # keyMapping: {}
   ```
2. Remove any sensitive key-value pairs from the `immuta-values.yaml` Helm values that were made redundant after the secret was created.

### Apply Helm values

Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

```shell
helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
```
