Managed Public Cloud

This is a guide on how to deploy Immuta on Kubernetes in the following managed public cloud providers:

• Amazon Web Services (AWS)

• Microsoft Azure

• Google Cloud Platform (GCP)

Prerequisites

The following cloud-managed services must be provisioned before proceeding:

Validation

PostgreSQL

1. The PostgreSQL instance's hostname/FQDN is .

2. The PostgreSQL instance is .

Elasticsearch

1. The Elasticsearch instance's hostname/FQDN is .

2. The Elasticsearch instance is .

3. The user must have the .

Authenticate with OCI registry

Copy the snippet below and replace the placeholder text with the credentials provided to you by your customer success manager:

echo <token> | helm registry login --password-stdin --username <username> ocir.immuta.com

Setup

1. Create a Kubernetes namespace named immuta for Immuta.

   Copy

   kubectl create namespace immuta

2. Switch to namespace immuta.

   Copy

   kubectl config set-context --current --namespace=immuta

3. Copy

   kubectl create secret docker-registry immuta-oci-registry \
       --docker-server=https://ocir.immuta.com \
       --docker-username="<username>" \
       --docker-password="<token>" \
       --docker-email=support@immuta.com

PostgreSQL

1. Connect to the database as superuser (postgres) by creating an ephemeral container inside the Kubernetes cluster. A shell prompt will not be displayed after executing the kubectl run command outlined below. Wait 5 seconds, and then proceed by entering a password.

   Copy

   kubectl run pgclient \
       --stdin \
       --tty \
       --rm \
       --image docker.io/bitnami/postgresql -- \
       psql --host <postgres-fqdn> --username postgres --port 5432 --password

2. Create an immuta role and database.

   Copy

   CREATE ROLE immuta with login encrypted password '<postgres-password>';
   
   GRANT immuta TO CURRENT_USER;
   
   CREATE DATABASE immuta OWNER immuta;
   
   GRANT all ON DATABASE immuta TO immuta;
   ALTER ROLE immuta SET search_path TO bometadata,public;

3. Revoke privileges from CURRENT_USER as they're no longer required.

   Copy

   REVOKE immuta FROM CURRENT_USER;

4. Enable the pgcrypto extension.

   Copy

   \c immuta
   CREATE EXTENSION pgcrypto;

5. Type \q, and then press Enter to exit.

Install Immuta

This section demonstrates how to deploy Immuta using the Immuta Enterprise Helm chart once the prerequisite cloud-managed services are configured.

1. Create a Helm values file named immuta-values.yaml with the following content:

   Copy

   global:
     imageRegistry: ocir.immuta.com
     imagePullSecrets:
       - name: immuta-oci-registry
     imageRepositoryMap:
       immuta/immuta-service: stable/immuta-service
       immuta/immuta-db: stable/immuta-db
       immuta/immuta-fingerprint: stable/immuta-fingerprint
       immuta/audit-service: stable/audit-service
       immuta/audit-export-cronjob: stable/audit-export-cronjob
       immuta/classify-service: stable/classify-service
       immuta/cache: stable/cache
   
   audit:
     config:
       databaseConnectionString: postgres://immuta:<postgres-password>@<postgres-fqdn>:5432/immuta?schema=audit
       elasticsearchEndpoint: <elasticsearch-endpoint>
       elasticsearchUsername: <elasticsearch-username>
       elasticsearchPassword: <elasticsearch-password>
   
   secure:
     ingress:
       enabled: false
       tls: false
     extraEnvVars:
       - name: FeatureFlag_AuditService
         value: "true"
       - name: FeatureFlag_detect
         value: "true"
       - name: FeatureFlag_auditLegacyViewHide
         value: "true"
   
     postgresql:
       host: <postgres-fqdn>
       port: 5432
       database: immuta
       username: immuta
       password: <postgres-password>
       ssl: true

3. Deploy Immuta.

   Copy

   helm install immuta oci://ocir.immuta.com/stable/immuta-enterprise \
       --values immuta-values.yaml \
       --version 2024.2.16

Validation

1. Wait for all pods in the namespace to become ready.

   Copy

   kubectl wait --for=condition=Ready pods --all

2. Determine the name of the Secure service.

   Copy

   kubectl get service --selector "app.kubernetes.io/component=secure" --output template='{{ .metadata.name }}'

3. Listen on local port 8080, forwarding TCP traffic to the Secure service's port named http.

   Copy

   kubectl port-forward service/<name> 8080:http

Next steps