# Deployment Requirements

Immuta comprises three core services (Secure, Discover, and Detect) that rely on PostgreSQL and Elasticsearch to store their states. The illustration below shows the relationships among these services.

{% @mermaid/diagram content="%%{ init: { 'flowchart': { 'curve': 'stepBefore' } } }%%
flowchart
secureWeb --> pg[(PostgreSQL)]
secureWorker --> pg

secureWeb --> cacheDecision
secureWorker --> cacheDecision

detectApi --> es[(Elasticsearch)]
detectApi --> pg

cacheDecision --> |Built-in?| builtinCache
cacheDecision -.-> |External?| externalCache
externalCache[(Redis/Memcached)]

subgraph ideploy[Immuta Enterprise Helm chart]
  subgraph secure[Secure]
    secureWeb[Secure Web/API]
    secureWorker[Secure Worker]
  end

  subgraph detect[Detect]
    detectApi[Detect API]
  end

  subgraph discover[Discover]
    discoverApi[Discover API]
  end

  cacheDecision{Cache}
  builtinCache[(Memcached)]
end

%% Add links
click pg "#metadata-database-postgresql" "PostgreSQL Prerequisites";
click externalCache "#cache-redismemcached" "Redis/Memcached Prerequisites";
click es "#elasticsearch" "Elasticsearch Prerequisites";" %}

The Immuta Enterprise Helm chart (IEHC) (represented by the yellow box above) does not deploy PostgreSQL or Elasticsearch, so you must deploy and manage them separately.

Although Immuta recommends using Elasticsearch because it supports several new Immuta features and services, you can deploy Immuta without Elasticsearch. The table below outlines the Immuta features supported with and without Elasticsearch and the dependencies you must deploy and manage yourself.

|                                          | Immuta with Elasticsearch                                                                                                                             | Immuta without Elasticsearch                             |
| ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- |
| Dependencies                             | <ul><li><a href="#metadata-database-postgresql">Externalized PostgreSQL</a></li><li><a href="#elasticsearch">Elasticsearch / OpenSearch</a></li></ul> | [Externalized PostgreSQL](#metadata-database-postgresql) |
| Immuta Detect                            | :white\_check\_mark:                                                                                                                                  | :x:                                                      |
| Audit of Immuta and data platform events | :white\_check\_mark:                                                                                                                                  | :x:                                                      |
| Legacy audit                             | :white\_check\_mark: ([Disabled by default, but can be enabled](#legacy-features-and-services))                                                       | :white\_check\_mark: (Until October 2024)                |
| Immuta Monitors                          | :white\_check\_mark:                                                                                                                                  | :x:                                                      |
| Sensitive data discovery                 | :white\_check\_mark:                                                                                                                                  | :white\_check\_mark:                                     |

For guidance on how to configure the IEHC to deploy Immuta with or without Elasticsearch, see one of the guides below:

* [Deploy Immuta with Elasticsearch](https://documentation.immuta.com/2024.2/self-managed-deployment/getting-started)
* [Deploy Immuta without Elasticsearch](https://documentation.immuta.com/2024.2/self-managed-deployment/install/no-es-os)

For more information about legacy features and services no longer enabled in the recommended deployment of Immuta, see the [Legacy features and services section](#legacy-features-and-services).

## Version requirements

### Kubernetes versions

* Kubernetes 1.29 to 1.32

### Metadata database (PostgreSQL)

{% hint style="danger" %}
**PostgreSQL incompatibilities**

Immuta is not compatible with PostgreSQL abstraction layers, such as Amazon Aurora.
{% endhint %}

* PostgreSQL 15.0 or newer
* The `pgcrypto` extension must be enabled

### Elasticsearch

* Elasticsearch v7 API or newer
* AWS OpenSearch Service compatible with Elasticsearch v7 API or newer
  * AWS OpenSearch Serverless is not supported

#### OpenSearch user

The user provided during the install must have the following [permissions](https://opensearch.org/docs/latest/security/access-control/permissions/):

* cluster:monitor/health
* indices:data/write/bulk\*
* indices:data/write/bulk
* indices:data/read/search
* indices:admin/exists
* indices:admin/create
* indices:admin/delete
* indices:admin/settings/update
* indices:admin/get
* indices:data/write/delete/byquery
* indices:data/write/index
* indices:admin/mapping/put

Follow OpenSearch documentation to [create the user](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createupdatedomains.html#createdomains) and add permissions.
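
A preflight check for the permission list above, as an added example (not Immuta or OpenSearch code): it audits a role written in the OpenSearch Security plugin's role format against the required actions and reports which are missing and which grants are broader than the list. The sample role and its index pattern are constructed placeholders; the check pools cluster- and index-level grants and interprets only the `*` wildcard.

```python
import re

# Actions this page requires for the OpenSearch user (duplicates dropped).
REQUIRED = [
    "cluster:monitor/health", "indices:data/write/bulk*",
    "indices:data/write/bulk", "indices:data/read/search",
    "indices:admin/exists", "indices:admin/create", "indices:admin/delete",
    "indices:admin/settings/update", "indices:admin/get",
    "indices:data/write/delete/byquery", "indices:data/write/index",
    "indices:admin/mapping/put",
]

def granted_patterns(role):
    """Collect every action pattern the role grants (cluster and index level)."""
    patterns = set(role.get("cluster_permissions", []))
    for block in role.get("index_permissions", []):
        patterns.update(block.get("allowed_actions", []))
    return patterns

def covers(pattern, action):
    """True if a granted pattern covers `action`; only '*' acts as a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action) is not None

def audit_role(role):
    """Return (missing required actions, grants not on the required list)."""
    granted = granted_patterns(role)
    missing = [r for r in REQUIRED if not any(covers(g, r) for g in granted)]
    extra = sorted(g for g in granted if g not in REQUIRED)
    return missing, extra

# Constructed sample role: one required action is absent and one grant
# ("indices:admin/*") is wider than anything the page asks for.
SAMPLE_ROLE = {
    "cluster_permissions": ["cluster:monitor/health", "indices:data/write/bulk*"],
    "index_permissions": [{
        "index_patterns": ["placeholder-index-*"],  # placeholder, not from the page
        "allowed_actions": ["indices:admin/*", "indices:data/read/search",
                            "indices:data/write/index"],
    }],
}

if __name__ == "__main__":
    missing, extra = audit_role(SAMPLE_ROLE)
    print("missing:", missing)
    print("review (broader than required):", extra)
```
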

### Cache (Redis/Memcached)

{% hint style="info" %}
**Built-in cache**

The IEHC manages its own Memcached deployment inside the cluster. The key-value cache can optionally be externalized after installation.
{% endhint %}

* Redis 7.0 or newer
* Memcached 1.6 or newer

## Infrastructure recommendations

<table><thead><tr><th>Kubernetes distribution</th><th>Ingress</th><th>External metadata database</th><th>External Elasticsearch</th><th data-hidden>External cache</th></tr></thead><tbody><tr><td>Amazon Elastic Kubernetes Service (EKS)</td><td>AWS Load Balancer Controller</td><td><a href="https://docs.aws.amazon.com/rds/">Amazon RDS for PostgreSQL</a></td><td><a href="https://docs.aws.amazon.com/opensearch-service/">Amazon OpenSearch</a></td><td><a href="https://docs.aws.amazon.com/elasticache/">Amazon ElastiCache for Redis</a></td></tr><tr><td>Azure Kubernetes Service (AKS)</td><td>Azure Application Gateway Ingress Controller</td><td><a href="https://learn.microsoft.com/en-us/azure/postgresql/">Azure Database for PostgreSQL</a></td><td><a href="https://www.elastic.co/partners/microsoft-azure">Elastic Cloud on Azure</a></td><td><a href="https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/">Azure Cache for Redis</a></td></tr><tr><td>Google Kubernetes Engine (GKE)</td><td>GKE Ingress Controller</td><td><a href="https://cloud.google.com/sql/docs/postgres">Google Cloud SQL for PostgreSQL</a></td><td><a href="https://www.elastic.co/partners/google-cloud">Elastic Cloud on Google Cloud</a></td><td><a href="https://cloud.google.com/memorystore/docs/redis">Memorystore for Redis</a></td></tr><tr><td>Red Hat OpenShift</td><td>OpenShift Ingress Operator</td><td><a data-footnote-ref href="#user-content-fn-1">Cloud-managed PostgreSQL</a></td><td><a data-footnote-ref href="#user-content-fn-2">Cloud-managed Elasticsearch</a></td><td><a data-footnote-ref href="#user-content-fn-3">Cloud-managed Redis</a></td></tr><tr><td>SUSE Rancher Government (RKE2)</td><td>Ingress NGINX Controller</td><td><a data-footnote-ref href="#user-content-fn-1">Cloud-managed PostgreSQL</a></td><td><a data-footnote-ref href="#user-content-fn-2">Cloud-managed Elasticsearch</a></td><td><a data-footnote-ref href="#user-content-fn-3">Cloud-managed Redis</a></td></tr><tr><td>SUSE K3s - <em>For 
evaluation purposes only</em></td><td>Traefik</td><td><a data-footnote-ref href="#user-content-fn-1">Cloud-managed PostgreSQL</a></td><td><a data-footnote-ref href="#user-content-fn-2">Cloud-managed Elasticsearch</a></td><td><a data-footnote-ref href="#user-content-fn-3">Cloud-managed Redis</a></td></tr></tbody></table>

## Legacy features and services

Some legacy services and features are no longer enabled in the recommended configuration of the IEHC. The table below lists these features and provides links to documentation that outlines how to enable them in Immuta.

| Feature                                                                                                                                                                                                                                  | Immuta Enterprise Helm chart configuration                                                                                                                                                                                                                                                   |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Legacy audit                                                                                                                                                                                                                             | <p>Set each of the following <code>secure.extraEnvVars</code> in your <code>immuta-values.yaml</code> file to <code>false</code>:</p><ul><li><code>FeatureFlag\_AuditService</code></li><li><code>FeatureFlag\_detect</code></li><li><code>FeatureFlag\_auditLegacyViewHide</code></li></ul> |
| Legacy sensitive data discovery                                                                                                                                                                                                          | [Enable the query engine and fingerprint services](https://documentation.immuta.com/2024.2/self-managed-deployment/configure/enabling-legacy-query-engine-and-fingerprint)                                                                                                                   |
| <p>Data platforms</p><ul><li>Amazon Redshift</li><li>Azure Synapse Analytics</li><li>Google BigQuery</li><li><a href="../../releases/support-matrix#legacy-databases">Legacy databases</a></li></ul>                                     | [Enable the query engine](https://documentation.immuta.com/2024.2/self-managed-deployment/configure/enabling-legacy-query-engine-and-fingerprint)                                                                                                                                            |
| <p>Policies</p><ul><li>Masking with format preserving masking (unless using the Snowflake integration)</li><li>Masking with k-anonymization</li><li>Masking using randomized response (unless using the Snowflake integration)</li></ul> | [Enable the query engine and fingerprint services](https://documentation.immuta.com/2024.2/self-managed-deployment/configure/enabling-legacy-query-engine-and-fingerprint)                                                                                                                   |

## Next step

Follow the [Getting started guide](https://documentation.immuta.com/2024.2/self-managed-deployment/getting-started) to install Immuta.

[^1]: Cloud-managed PostgreSQL, such as Amazon RDS, Azure Database for PostgreSQL, or Google Cloud SQL for PostgreSQL, is recommended when running Kubernetes in cloud environments.

[^2]: Cloud-managed Elasticsearch, such as Amazon OpenSearch or Elastic Cloud, is recommended when running Kubernetes in cloud environments.

[^3]: Cloud-managed Redis/Memcached, such as Amazon ElastiCache, Azure Cache, or Google Cloud Memorystore, is recommended when running Kubernetes in cloud environments.
