Production Best Practices
This guide highlights best practices when deploying Immuta in a production environment.
Database sizing recommendations
Provisioning an appropriately resourced PostgreSQL database for Immuta is critical to application performance. The recommendations below are based on the number of data sources registered multiplied (*) by the number of users on the deployment:
Small (<100k data sources * users): 2 CPUs, 8GB memory, 100 GB SSD storage
Normal: 4 CPUs, 16GB memory, 100 GB SSD storage
Large (>1M data sources * users): 8 CPUs, 32GB memory, 100 GB SSD storage
Elasticsearch/OpenSearch sizing recommendations
This recommendation assumes approximately 1 million events per day with a 90-day data retention policy:
2 nodes
2 CPUs/node
4GB RAM/node
Storage 100GB SSD/node
Helm values
Back up or source control your immuta-values.yaml Helm values file.
Kubernetes resource requests and limits
Assign memory resource limits to pods.
Edit Helm values
Edit immuta-values.yaml to include the following recommended resource requests and limits for most Immuta deployments.
audit:
  worker:
    replicaCount: 1
    resources:
      requests:
        cpu: 1000m
        memory: 1024Mi
      limits:
        cpu: 1000m
        memory: 2048Mi
  deployment:
    replicaCount: 1
    resources:
      requests:
        cpu: 1000m
        memory: 4096Mi
      limits:
        cpu: 3000m
        memory: 8192Mi
secure:
  backgroundWorker:
    replicaCount: 2
    resources:
      requests:
        cpu: 1000m
        memory: 4096Mi
      limits:
        cpu: 4000m
        memory: 4096Mi
  web:
    replicaCount: 2
    resources:
      requests:
        cpu: 1000m
        memory: 4096Mi
      limits:
        cpu: 4000m
        memory: 4096Mi
discover:
  deployment:
    replicaCount: 1
    resources:
      requests:
        cpu: 500m
        memory: 4096Mi
      limits:
        cpu: 3000m
        memory: 4096Mi
cache:
  deployment:
    replicaCount: 1
    resources:
      requests:
        cpu: 500m
        memory: 512Mi
      limits:
        cpu: 1000m
        memory: 512Mi
Kubernetes secrets
Use Kubernetes secrets in the immuta-values.yaml file instead of passwords and tokens. The following section demonstrates how to create a secret and reference it in the Helm values file. For guidance on updating these credentials based on your specific security policies, refer to the Rotating credentials guide.
Create secret
Create a file named secret-data.env with the following content.

# audit
ELASTICSEARCH_USERNAME=<elasticsearch-username>
ELASTICSEARCH_PASSWORD=<elasticsearch-password>
# PostgreSQL connection string used by audit for the metadata database
# postgresql://<user>:<password>@<postgres-fqdn>:5432/<database>?schema=audit
#
# More info
# https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
DATABASE_CONNECTION_STRING=postgresql://immuta:<postgres-password>@<postgres-fqdn>:5432/immuta?schema=audit

# secure
IMMUTA_DATABASES_IMMUTA_CONNECTIONS_IMMUTADB_PASSWORD=<postgres-password>
Create a secret named immuta-secret from the file secret-data.env.

kubectl create secret generic immuta-secret --from-env-file=secret-data.env
Delete the file secret-data.env, as it's no longer needed.

rm -i secret-data.env
Edit Helm values
Edit immuta-values.yaml to include the following Helm values.

audit:
  deployment:
    existingSecret: immuta-secret
  export:
    cronJob:
      existingSecret: immuta-secret
secure:
  existingSecret:
    name: immuta-secret
    # Optional. Map expected keys with keys in existing secret
    # keyMapping: {}
Remove any sensitive key-value pairs from the immuta-values.yaml Helm values that were made redundant after the secret was created.
Apply Helm values
Perform a Helm upgrade to apply the changes made to immuta-values.yaml.
helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.3.12
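The step of removing redundant sensitive values is easy to leave half done, so the following script checks a values file for inline credentials before the upgrade is run. It is an added example, not part of the Immuta documentation or chart; the key-name patterns are assumed heuristics, and the sample keys and host name are constructed.

```shell
#!/bin/sh
# Added example: pre-upgrade check that a Helm values file holds no inline
# credentials. Key-name patterns are assumed heuristics, not Immuta's schema.

# Print "LINENO:TEXT" for each non-comment line that looks like a credential:
#   1) a key whose name contains password/token/connectionString and has a value
#   2) any URL carrying user:password@ (e.g. a PostgreSQL connection string)
scan_values() {
  grep -nEi \
    -e '^[^#]*(password|passwd|token|connectionstring)[a-z0-9_]*[[:space:]]*:[[:space:]]*[^[:space:]#]' \
    -e '^[^#]*://[^/[:space:]:@]+:[^/[:space:]@]+@' \
    "$1"
}

# Report findings with the value redacted, so the check is safe in CI logs.
# Returns 0 when the file is clean, 1 when something should move to the secret.
check_values() {
  findings=$(scan_values "$1" |
    sed -E 's/^([0-9]+):[[:space:]]*([A-Za-z0-9_.-]+)[[:space:]]*:.*/line \1: \2: <redacted>/')
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Constructed sample: a values file after a partial migration to existingSecret.
# "config.databaseConnectionString" and "elasticsearchPassword" are made-up keys.
write_sample() {
  cat > "$1" <<'EOF'
audit:
  deployment:
    existingSecret: immuta-secret
  config:
    databaseConnectionString: postgresql://immuta:example-pw@db.example.internal:5432/immuta?schema=audit
    elasticsearchPassword: example-pw
secure:
  existingSecret:
    name: immuta-secret
    # keyMapping: {}
EOF
}

sample=$(mktemp)
write_sample "$sample"
if check_values "$sample"; then
  echo "values file is clean; safe to run helm upgrade"
else
  echo "move the keys above into immuta-secret before helm upgrade"
fi
rm -f "$sample"
```

Because the patterns match on key names, a non-secret key such as a token lifetime setting can be flagged; review each finding rather than treating the list as definitive.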