Managed Public Cloud
This is a guide on how to deploy Immuta on Kubernetes in the following managed public cloud providers:
Amazon Web Services (AWS)
Microsoft Azure
Google Cloud Platform (GCP)
Prerequisites
The following cloud-managed services must be provisioned before proceeding:
Validation
PostgreSQL
The PostgreSQL instance's hostname/FQDN is resolvable from within the Kubernetes cluster.
The PostgreSQL instance is accepting connections.
The Helm chart only supports username/password authentication for PostgreSQL. At this time, other authentication mechanisms are not supported.
Elasticsearch
The Elasticsearch instance's hostname/FQDN is resolvable from within the Kubernetes cluster.
The Elasticsearch instance is accepting connections.
The user must have the required permissions.
The Helm chart only supports username/password authentication for Elasticsearch. At this time, other authentication mechanisms are not supported.
Authenticate with OCI registry
Helm chart availability
The deprecated Immuta Helm chart (IHC) is not available from ocir.immuta.com.
Copy the snippet below and replace the placeholder text with the credentials provided to you by your customer success manager:
echo <token> | helm registry login --password-stdin --username <username> ocir.immuta.com
Setup
Create a Kubernetes namespace named
immuta
for Immuta.kubectl create namespace immuta
Switch to namespace
immuta
.kubectl config set-context --current --namespace=immuta
Create a container registry pull secret. Your credentials to authenticate with ocir.immuta.com can be viewed in your user profile at support.immuta.com.
kubectl create secret docker-registry immuta-oci-registry \ --docker-server=https://ocir.immuta.com \ --docker-username="<username>" \ --docker-password="<token>" \ [email protected]
PostgreSQL
Connect to the database as superuser (postgres) by creating an ephemeral container inside the Kubernetes cluster. A shell prompt will not be displayed after executing the
kubectl run
command outlined below. Wait 5 seconds, and then proceed by entering a password.kubectl run pgclient \ --stdin \ --tty \ --rm \ --image docker.io/bitnami/postgresql -- \ psql --host <postgres-fqdn> --username <postgres-admin> --dbname postgres --port 5432 --password
Create an
immuta
role and database.CREATE ROLE immuta with login encrypted password '<postgres-password>'; GRANT immuta TO CURRENT_USER; CREATE DATABASE immuta OWNER immuta; GRANT all ON DATABASE immuta TO immuta; ALTER ROLE immuta SET search_path TO bometadata,public;
Revoke privileges from
CURRENT_USER
as they're no longer required.REVOKE immuta FROM CURRENT_USER;
Enable the
pgcrypto
extension.\c immuta CREATE EXTENSION pgcrypto;
Type
\q
, and then pressEnter
to exit.
Install Immuta
This section demonstrates how to deploy Immuta using the Immuta Enterprise Helm chart once the prerequisite cloud-managed services are configured.
Create a Helm values file named
immuta-values.yaml
with the following content:global: imageRegistry: ocir.immuta.com imagePullSecrets: - name: immuta-oci-registry imageRepositoryMap: immuta/immuta-service: stable/immuta-service immuta/immuta-db: stable/immuta-db immuta/immuta-fingerprint: stable/immuta-fingerprint immuta/audit-service: stable/audit-service immuta/audit-export-cronjob: stable/audit-export-cronjob immuta/classify-service: stable/classify-service immuta/cache: stable/cache audit: config: databaseConnectionString: postgres://immuta:<postgres-password>@<postgres-fqdn>:5432/immuta?schema=audit elasticsearchEndpoint: <elasticsearch-endpoint> elasticsearchUsername: <elasticsearch-username> elasticsearchPassword: <elasticsearch-password> secure: ingress: enabled: false tls: false extraEnvVars: - name: FeatureFlag_AuditService value: "true" - name: FeatureFlag_detect value: "true" - name: FeatureFlag_auditLegacyViewHide value: "true" postgresql: host: <postgres-fqdn> port: 5432 database: immuta username: immuta password: <postgres-password> ssl: true
Update all placeholder values in the
immuta-values.yaml
file.Deploy Immuta.
helm install immuta oci://ocir.immuta.com/stable/immuta-enterprise \ --values immuta-values.yaml \ --version 2024.2.20
Validation
Wait for all pods in the namespace to become ready.
kubectl wait --for=condition=Ready pods --all
Determine the name of the Secure service.
kubectl get service --selector "app.kubernetes.io/component=secure" --output name
Listen on local port
8080
, forwarding TCP traffic to the Secure service's port namedhttp
.kubectl port-forward service/<name> 8080:http
Next steps
Configure Ingress to complete your installation and access your Immuta application.
Configure TLS to secure your Ingress by specifying a Secret that contains a TLS private key and certificate.
Last updated
Was this helpful?