Skip to content

Immuta in Production

This guide highlights best practices when deploying Immuta in a production environment.

Kubernetes namespace

The following section(s) presume the Immuta Enterprise Helm chart was deployed into namespace immuta and that the current namespace is immuta.

Helm values

Back up or source control your immuta-values.yaml Helm values file.

Kubernetes resource requests and limits

Assign memory resource limits to pods.

Edit Helm values

Edit immuta-values.yaml to include the following Helm values. Update all placeholder values with your own values.

immuta-values.yaml
audit:
  deployment:
    resources:
      limits:
        memory: <number>Mi
secure:
  web:
    resources:
      limits:
        memory: <number>Mi
discover:
  deployment:
    resources:
      limits:
        memory: <number>Mi
cache:
  deployment:
    resources:
      limits:
        memory: <number>Mi

Kubernetes secrets

Use Kubernetes secrets in the immuta-values.yaml file instead of passwords and tokens. The following section demonstrates how to create a secret and reference it in the Helm values file.

Create secret

  1. Create a file named secret-data.env with the following content.

    secret-data.env
    # audit
ELASTICSEARCH_USERNAME=<elasticsearch-username>
ELASTICSEARCH_PASSWORD=<elasticsearch-password>

# PostgreSQL connection string used by audit for the metadata database
#   postgresql://<user>:<password>@<postgres-fqdn>:5432/<database>?schema=audit
#
# More info
#   https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
DATABASE_CONNECTION_STRING=postgresql://immuta:<postgres-password>@<postgres-fqdn>:5432/immuta?schema=audit

# secure
IMMUTA_DATABASES_IMMUTA_CONNECTIONS_IMMUTADB_PASSWORD=<postgres-password>

  2. Create secret named immuta-secret from file secret-data.env.

    kubectl create secret generic immuta-secret --from-env-file=secret-data.env

  3. Delete file secret-data.env, as it's no longer needed.

    rm -i secret-data.env

Edit Helm values

  1. Edit immuta-values.yaml to include the following Helm values.

    immuta-values.yaml
    audit:
  deployment:
    existingSecret: immuta-secret
  export:
    cronJob:
      existingSecret: immuta-secret

secure:
  existingSecret:
    name: immuta-secret
    # Optional. Map expected keys with keys in existing secret
    # keyMapping: {}

  2. Remove any sensitive key-value pairs from the immuta-values.yaml Helm values that were made redundant after the secret was created.

Apply Helm values

Perform a Helm upgrade to apply the changes made to immuta-values.yaml.

helm upgrade <release-name> immuta/immuta-enterprise --values immuta-values.yaml