# Managed Public Cloud

This is a guide on how to deploy Immuta on Kubernetes in the following managed public cloud providers:

* Amazon Web Services (AWS)
* Microsoft Azure
* Google Cloud Platform (GCP)

## Prerequisites

The following cloud-managed services must be provisioned before proceeding:

{% tabs %}
{% tab title="Amazon Web Services (AWS)" %}

* [Amazon RDS for PostgreSQL](https://docs.aws.amazon.com/rds/)
* [Amazon OpenSearch](https://docs.aws.amazon.com/opensearch-service/)
  {% endtab %}

{% tab title="Microsoft Azure" %}

* [Azure Database for PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/)
* [Elastic Cloud on Azure](https://www.elastic.co/partners/microsoft-azure)
  {% endtab %}

{% tab title="Google Cloud Platform (GCP)" %}

* [Google Cloud SQL for PostgreSQL](https://cloud.google.com/sql/docs/postgres)
* [Elastic Cloud on Google Cloud](https://www.elastic.co/partners/google-cloud)
  {% endtab %}
  {% endtabs %}

### Validation

#### PostgreSQL

1. The PostgreSQL instance's hostname/FQDN is [resolvable from within the Kubernetes cluster](/2024.2/self-managed-deployment/troubleshooting.md#common).
2. The PostgreSQL instance is [accepting connections](/2024.2/self-managed-deployment/troubleshooting.md#postgresql).
3. The Helm chart only supports username/password authentication for PostgreSQL. At this time, other authentication mechanisms are not supported.

#### Elasticsearch

1. The Elasticsearch instance's hostname/FQDN is [resolvable from within the Kubernetes cluster](/2024.2/self-managed-deployment/troubleshooting.md#common).
2. The Elasticsearch instance is [accepting connections](/2024.2/self-managed-deployment/troubleshooting.md#elasticsearch).
3. The user must have the [required permissions](/2024.2/self-managed-deployment/deployment-requirements.md#opensearch-user).
4. The Helm chart only supports username/password authentication for Elasticsearch. At this time, other authentication mechanisms are not supported.

## Authenticate with OCI registry

{% hint style="warning" %}
**Helm chart availability**

The deprecated Immuta Helm chart (IHC) is not available from ocir.immuta.com.
{% endhint %}

Copy the snippet below and replace the placeholder text with the credentials provided to you by your customer success manager:

```shell
echo <token> | helm registry login --password-stdin --username <username> ocir.immuta.com
```

## Setup

1. Create a Kubernetes namespace named `immuta` for Immuta.

   ```shell
   kubectl create namespace immuta
   ```
2. Switch to namespace `immuta`.

   ```shell
   kubectl config set-context --current --namespace=immuta
   ```
3. Create a container registry pull secret. Your credentials to authenticate with ocir.immuta.com can be viewed in your user profile at [support.immuta.com](https://support.immuta.com).

   ```
   kubectl create secret docker-registry immuta-oci-registry \
       --docker-server=https://ocir.immuta.com \
       --docker-username="<username>" \
       --docker-password="<token>" \
       --docker-email=support@immuta.com
   ```

### PostgreSQL

{% hint style="info" %}
**Connecting to the database**

There are numerous ways to connect to a PostgreSQL database. This step demonstrates how to connect by creating an ephemeral Kubernetes pod.
{% endhint %}

1. Connect to the database as superuser (postgres) by creating an ephemeral container inside the Kubernetes cluster. A shell prompt will not be displayed after executing the `kubectl run` command outlined below. Wait 5 seconds, and then proceed by entering a password.

   ```sh
   kubectl run pgclient \
       --stdin \
       --tty \
       --rm \
       --image docker.io/bitnami/postgresql -- \
       psql --host <postgres-fqdn> --username <postgres-admin> --dbname postgres --port 5432 --password
   ```
2. Create an `immuta` role and database.

   ```sql
   CREATE ROLE immuta with login encrypted password '<postgres-password>';

   GRANT immuta TO CURRENT_USER;

   CREATE DATABASE immuta OWNER immuta;

   GRANT all ON DATABASE immuta TO immuta;
   ALTER ROLE immuta SET search_path TO bometadata,public;
   ```
3. Revoke privileges from `CURRENT_USER` as they're no longer required.

   ```sql
   REVOKE immuta FROM CURRENT_USER;
   ```
4. Enable the `pgcrypto` extension.

   ```sql
   \c immuta
   CREATE EXTENSION pgcrypto;
   ```
5. Type `\q`, and then press `Enter` to exit.

## Install Immuta

{% hint style="warning" %}
**Audit records**

**Preserving legacy audit records**

Immuta does not migrate legacy audit records to the [universal audit model (UAM)](/2024.2/detect-your-activity/audit/reference-guides/universal-audit-model-uam.md), so when you upgrade Immuta those audit records will be lost unless you enable the following setting in your immuta-values.yaml file:

```
secure:
  extraEnvVars:
    - name: FeatureFlag_auditLegacyViewHide
      value: "false"
```

**Audit record retention**

Immuta defaults to keeping audit records for 7 days. To change this duration, set the following values in the immuta-values.yaml file. The example below configures audit records to be kept for 90 days:

```yaml
audit:
  deployment:
      extraEnvVars:
        - name: AUDIT_RETENTION_POLICY_IN_DAYS
          value: "90"
```

{% endhint %}

This section demonstrates how to deploy Immuta using the Immuta Enterprise Helm chart once the prerequisite cloud-managed services are configured.

1. Create a Helm values file named `immuta-values.yaml` with the following content:

   ```yaml
   global:
     imageRegistry: ocir.immuta.com
     imagePullSecrets:
       - name: immuta-oci-registry
     imageRepositoryMap:
       immuta/immuta-service: stable/immuta-service
       immuta/immuta-db: stable/immuta-db
       immuta/immuta-fingerprint: stable/immuta-fingerprint
       immuta/audit-service: stable/audit-service
       immuta/audit-export-cronjob: stable/audit-export-cronjob
       immuta/classify-service: stable/classify-service
       immuta/cache: stable/cache

   audit:
     config:
       databaseConnectionString: postgres://immuta:<postgres-password>@<postgres-fqdn>:5432/immuta?schema=audit
       elasticsearchEndpoint: <elasticsearch-endpoint>
       elasticsearchUsername: <elasticsearch-username>
       elasticsearchPassword: <elasticsearch-password>

   secure:
     ingress:
       enabled: false
       tls: false
     extraEnvVars:
       - name: FeatureFlag_AuditService
         value: "true"
       - name: FeatureFlag_detect
         value: "true"
       - name: FeatureFlag_auditLegacyViewHide
         value: "true"

     postgresql:
       host: <postgres-fqdn>
       port: 5432
       database: immuta
       username: immuta
       password: <postgres-password>
       ssl: true
   ```
2. Update all [placeholder values](/2024.2/self-managed-deployment/conventions.md) in the `immuta-values.yaml` file.

{% hint style="warning" %}
**Avoid these special characters in generated passwords**

whitespace, `$`, `&`, `:`, `\`, `/`, `'`
{% endhint %}

3. Deploy Immuta.

   ```shell
   helm install immuta oci://ocir.immuta.com/stable/immuta-enterprise \
       --values immuta-values.yaml \
       --version 2024.2.20
   ```

## Validation

1. Wait for all pods in the namespace to become ready.

   ```shell
   kubectl wait --for=condition=Ready pods --all
   ```
2. Determine the name of the Secure service.

   ```shell
   kubectl get service --selector "app.kubernetes.io/component=secure" --output name
   ```
3. Listen on local port `8080`, forwarding TCP traffic to the Secure service's port named `http`.

   ```shell
   kubectl port-forward service/<name> 8080:http
   ```

## Next steps

{% tabs %}
{% tab title="Amazon Web Services (AWS)" %}

* [Configure Ingress](/2024.2/self-managed-deployment/configure/ingress-configuration.md#aws-load-balancer-controller) to complete your installation and access your Immuta application.
* [Configure TLS](/2024.2/self-managed-deployment/configure/tls-configuration.md#aws-load-balancer-controller) to secure your Ingress by specifying a Secret that contains a TLS private key and certificate.
* [Learn more about the best practices for Immuta in production](/2024.2/self-managed-deployment/configure/immuta-in-production.md).
  {% endtab %}

{% tab title="Microsoft Azure" %}

* [Configure Ingress](/2024.2/self-managed-deployment/configure/ingress-configuration.md#aks-application-gateway-ingress-controller) to complete your installation and access your Immuta application.
* [Configure TLS](/2024.2/self-managed-deployment/configure/tls-configuration.md#aks-application-gateway-ingress-controller) to secure your Ingress by specifying a Secret that contains a TLS private key and certificate.
* [Learn more about the best practices for Immuta in production](/2024.2/self-managed-deployment/configure/immuta-in-production.md).
  {% endtab %}

{% tab title="Google Cloud Platform (GCP)" %}

* [Configure Ingress](/2024.2/self-managed-deployment/configure/ingress-configuration.md#gke-ingress-controller) to complete your installation and access your Immuta application.
* [Configure TLS](/2024.2/self-managed-deployment/configure/tls-configuration.md#gke-ingress-controller) to secure your Ingress by specifying a Secret that contains a TLS private key and certificate.
* [Learn more about the best practices for Immuta in production](/2024.2/self-managed-deployment/configure/immuta-in-production.md).
  {% endtab %}
  {% endtabs %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://documentation.immuta.com/2024.2/self-managed-deployment/install/managed-public-cloud.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.