Immuta in Production
This guide highlights best practices when deploying Immuta in a production environment.
Helm values
Back up or source control your immuta-values.yaml Helm values file.
Kubernetes resource requests and limits
Assign memory resource limits to pods.
Edit Helm values
Edit immuta-values.yaml to include the following recommended resource requests and limits for most Immuta deployments.

    audit:
      worker:
        replicaCount: 1
        resources:
          requests:
            cpu: 1000m
            memory: 1024Mi
          limits:
            cpu: 1000m
            memory: 2048Mi
      deployment:
        replicaCount: 1
        resources:
          requests:
            cpu: 1000m
            memory: 4096Mi
          limits:
            cpu: 3000m
            memory: 8192Mi

    secure:
      backgroundWorker:
        replicaCount: 2
        resources:
          requests:
            cpu: 1000m
            memory: 4096Mi
          limits:
            cpu: 4000m
            memory: 4096Mi
      web:
        replicaCount: 2
        resources:
          requests:
            cpu: 1000m
            memory: 4096Mi
          limits:
            cpu: 4000m
            memory: 4096Mi

    discover:
      deployment:
        replicaCount: 1
        resources:
          requests:
            cpu: 500m
            memory: 4096Mi
          limits:
            cpu: 3000m
            memory: 4096Mi

    cache:
      deployment:
        replicaCount: 1
        resources:
          requests:
            cpu: 500m
            memory: 512Mi
          limits:
            cpu: 1000m
            memory: 512Mi

Kubernetes secrets
Use Kubernetes secrets in the immuta-values.yaml file instead of passwords and tokens. The following section demonstrates how to create a secret and reference it in the Helm values file.
Create secret
Create a file named secret-data.env with the following content.

    # audit
    ELASTICSEARCH_USERNAME=<elasticsearch-username>
    ELASTICSEARCH_PASSWORD=<elasticsearch-password>

    # PostgreSQL connection string used by audit for the metadata database
    # postgresql://<user>:<password>@<postgres-fqdn>:5432/<database>?schema=audit
    #
    # More info
    # https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
    DATABASE_CONNECTION_STRING=postgresql://immuta:<postgres-password>@<postgres-fqdn>:5432/immuta?schema=audit

    # secure
    IMMUTA_DATABASES_IMMUTA_CONNECTIONS_IMMUTADB_PASSWORD=<postgres-password>

Create secret named immuta-secret from file secret-data.env.

    kubectl create secret generic immuta-secret --from-env-file=secret-data.env

Delete file secret-data.env, as it's no longer needed.

    rm -i secret-data.env

Edit Helm values
Edit immuta-values.yaml to include the following Helm values.

    audit:
      #...
      deployment:
        existingSecret: immuta-secret
      export:
        cronJob:
          existingSecret: immuta-secret

    secure:
      #...
      existingSecret:
        name: immuta-secret
        # Optional. Map expected keys with keys in existing secret
        # keyMapping: {}

Remove any sensitive key-value pairs from the immuta-values.yaml Helm values that were made redundant after the secret was created.
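
One way to check that removal step before the values file goes back into source control, as an added example that is not Immuta's own tooling: a line-based heuristic that flags inline passwords and tokens, connection URIs that embed credentials, and name/value environment pairs, while accepting existingSecret references. The function names and the sample input, including its config and extraEnvVars keys, are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: heuristic line scan (not a YAML parser) for credentials left
# inline in a Helm values file. Prints "<line>:<reason>:<key>", never the value.
scan_values() {   # returns 1 if anything was found
  awk '
    function hit(why, k) { printf "%d:%s:%s\n", NR, why, k; found++ }
    BEGIN {
      uri  = "[A-Za-z][A-Za-z0-9+.-]*://[^/:@ \t]+:[^/@ \t]+@"  # scheme://user:pass@
      sens = "password|passwd|token|apikey|secret"
      trim = "^[ \t\"\047]+|[ \t\"\047]+$"                       # spaces and quotes
    }
    /^[ \t]*#/ { next }                                # comment lines
    {
      i = index($0, ":"); if (i == 0) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t-]+|[ \t]+$/, "", key); gsub(trim, "", val)
      norm = tolower(key); gsub(/[_-]/, "", norm)
      if (norm == "name") {                            # "- name: X" / "value: Y" pair
        n = tolower(val); gsub(/[_-]/, "", n)
        pending = (n ~ sens) ? val : ""; next
      }
      if (val == "") next                              # parent mapping, nothing inline
      if (val ~ uri) hit("uri-credentials", key)
      else if (norm == "value" && pending != "") hit("inline-env-value", pending)
      else if (norm ~ sens && norm !~ /^existingsecret/) hit("inline-secret", key)
      pending = ""
    }
    END { exit (found > 0) }
  ' "$1"
}

sample_before() {   # constructed input; the config/extraEnvVars keys are hypothetical
  cat <<'EOF'
audit:
  config:
    elasticsearchPassword: "s3cr3t"
    databaseConnectionString: postgresql://immuta:pw@db.example.internal:5432/immuta?schema=audit
  deployment:
    existingSecret: immuta-secret
secure:
  extraEnvVars:
    - name: IMMUTA_DATABASES_IMMUTA_CONNECTIONS_IMMUTADB_PASSWORD
      value: pw
EOF
}

tmp=$(mktemp); sample_before > "$tmp"
scan_values "$tmp" || echo "inline credentials remain in values file" >&2
rm -f "$tmp"
```

Run against the real file as scan_values immuta-values.yaml; a non-zero exit status makes it usable as a pre-commit or CI gate.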
Apply Helm values
Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

    helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.19