Managed Public Cloud
This is a guide on how to deploy Immuta on Kubernetes in the following managed public cloud providers:
Amazon Web Services (AWS)
Microsoft Azure
Google Cloud Platform (GCP)
Prerequisites
The following managed services must be provisioned and running before proceeding. For further assistance consult the recommendations table for your respective cloud provider.
Feature availability
If deployed without ElasticSearch/OpenSearch, several core services and features will be unavailable. See the deployment requirements for details.
(Optional) Amazon OpenSearch
Checklist
This checklist outlines the necessary prerequisites for successfully deploying Immuta.
Credentials
PostgreSQL
Elasticsearch
Setup
Helm
Authenticate with OCI registry
echo <token> | helm registry login --password-stdin --username <username> ocir.immuta.com
Kubernetes
Create namespace
Create a Kubernetes namespace named
immuta
.kubectl create namespace immuta
Switch to namespace
immuta
. All subsequentkubectl
commands will default to this namespace.kubectl config set-context --current --namespace=immuta
Create registry secret
Create a container registry pull secret. Your credentials to authenticate with ocir.immuta.com can be viewed in your user profile at support.immuta.com.
kubectl create secret docker-registry immuta-oci-registry \
--docker-server=https://ocir.immuta.com \
--docker-username="<username>" \
--docker-password="<token>" \
[email protected]
PostgreSQL
Connect to the database
Connect to the database as an admin (e.g., postgres
) by creating an ephemeral container inside the Kubernetes cluster. A shell prompt will not be displayed after executing the kubectl run
command outlined below. Wait 5 seconds, and then proceed by entering a password.
kubectl run pgclient \
--stdin \
--tty \
--rm \
--image docker.io/bitnami/postgresql -- \
psql --host <postgres-fqdn> --username <postgres-admin> --dbname postgres --port 5432 --password
Create role
Create the
immuta
role.CREATE ROLE immuta with LOGIN ENCRYPTED PASSWORD '<postgres-password>'; ALTER ROLE immuta SET search_path TO bometadata,public;
Grant administrator privileges to the
immuta
role. Upon successfully completing this installation guide, you can optionally revoke this role grant.GRANT <admin-role> TO immuta;
Grant the
immuta
role to the current user. Upon successfully completing this installation guide, you can optionally revoke this role grant.GRANT immuta TO CURRENT_USER;
Create databases
Create databases.
CREATE DATABASE immuta OWNER immuta; CREATE DATABASE temporal OWNER immuta; CREATE DATABASE temporal_visibility OWNER immuta;
Grant role
immuta
additional privileges. Refer to the PostgreSQL documentation for further details on database roles and privileges.GRANT ALL ON DATABASE immuta TO immuta; GRANT ALL ON DATABASE temporal TO immuta; GRANT ALL ON DATABASE temporal_visibility TO immuta;
Configure the
immuta
database.\c immuta CREATE EXTENSION pgcrypto;
Configure the
temporal
database.\c temporal GRANT CREATE ON SCHEMA public TO immuta;
Configure the
temporal_visibility
database.\c temporal_visibility GRANT CREATE ON SCHEMA public TO immuta; CREATE EXTENSION btree_gin;
Exit the interactive prompt. Type
\q
, and then pressEnter
.
Install Immuta
This section demonstrates how to deploy Immuta using the Immuta Enterprise Helm chart once the prerequisite cloud-managed services are configured.
Feature availability
If deployed without Elasticsearch/OpenSearch, several core services and features will be unavailable. See the deployment requirements for details.
Audit records
Preserving legacy audit records
Immuta does not migrate legacy audit records to the universal audit model (UAM), so when you upgrade Immuta those audit records will be lost unless you enable the following setting in your immuta-values.yaml file:
secure:
extraEnvVars:
- name: FeatureFlag_auditLegacyViewHide
value: "false"
Audit record retention
Immuta defaults to keeping audit records for 7 days. To change this duration, set the following values in the immuta-values.yaml file. The example below configures audit records to be kept for 90 days:
audit:
deployment:
extraEnvVars:
- name: AUDIT_RETENTION_POLICY_IN_DAYS
value: "90"
global:
imageRegistry: ocir.immuta.com
imagePullSecrets:
- name: immuta-oci-registry
postgresql:
host: <postgres-fqdn>
port: 5432
username: immuta
password: <postgres-password>
audit:
config:
elasticsearchEndpoint: <elasticsearch-endpoint>
elasticsearchUsername: <elasticsearch-username>
elasticsearchPassword: <elasticsearch-password>
postgresql:
database: immuta
secure:
postgresql:
database: immuta
ssl: true
temporal:
enabled: true
schema:
createDatabase:
enabled: false
server:
config:
persistence:
default:
sql:
database: temporal
tls:
enabled: true
visibility:
sql:
database: temporal_visibility
tls:
enabled: true
Create a file named
immuta-values.yaml
with the above content, making sure to update all placeholder values.Deploy Immuta.
helm install immuta oci://ocir.immuta.com/stable/immuta-enterprise \ --values immuta-values.yaml \ --version 2024.3.12
Wait for all pods to become ready.
kubectl wait --for=condition=Ready pods --all
Validation
Determine the name of the Secure service.
kubectl get service --selector "app.kubernetes.io/component=secure" --output name
Listen on local port
8080
, forwarding TCP traffic to the Secure service's port namedhttp
.kubectl port-forward <service-name> 8080:http
In a web browser, navigate to localhost:8080, to ensure the Immuta application loads.
Press
Control+C
to stop port forwarding.
Next steps
Last updated
Was this helpful?