Red Hat OpenShift

This is an OpenShift-specific guide on how to deploy Immuta with the following managed services:

• Cloud-managed PostgreSQL

• Cloud-managed Redis

• Cloud-managed ElasticSearch

Prerequisites

Review the following criteria before proceeding with deploying Immuta.

PostgreSQL

1. The PostgreSQL instance has been provisioned and is actively running.

2. The PostgreSQL instance's hostname/FQDN is resolvable from within the Kubernetes cluster.

3. The PostgreSQL instance is accepting connections.

Redis

1. The Redis instance has been provisioned and is actively running.

2. The Redis instance's hostname/FQDN is resolvable from within the Kubernetes cluster.

3. The Redis instance is accepting connections.

Elasticsearch

1. The Elasticsearch instance has been provisioned and is actively running.

2. The Elasticsearch instance's hostname/FQDN is resolvable from within the Kubernetes cluster.

3. The Elasticsearch instance is accepting connections.

Authenticate with OCI registry

Copy the snippet below and replace the placeholder text with the credentials provided to you by your customer success manager:

echo <token> | helm registry login --password-stdin --username <username> ocir.immuta.com

Setup

1. Create a new OpenShift project named immuta for Immuta.

   Copy

   oc new-project immuta

2. Get the UID range allocated to the project. Each running container's UID must fall within this range. This value will be referenced later on.

   Copy

   oc get project immuta --output template='{{index .metadata.annotations "openshift.io/sa.scc.uid-range"}}{{"\n"}}'

3. Get the GID range allocated to the project. Each running container's GID must fall within this range. This value will be referenced later on.

   Copy

   oc get project immuta --output template='{{index .metadata.annotations "openshift.io/sa.scc.supplemental-groups"}}{{"\n"}}'

4. Switch to project immuta.

   Copy

   oc project immuta

5. Create a container registry pull secret. Contact your Immuta representative to obtain credentials to authenticate with ocir.immuta.com.

   Copy

   oc create secret docker-registry immuta-oci-registry \
       --docker-server=https://ocir.immuta.com \
       --docker-username="<username>" \
       --docker-password="<token>" \
       --docker-email=support@immuta.com

Cloud-managed PostgreSQL

1. Connect to the database as superuser (postgres) by creating an ephemeral container inside the Kubernetes cluster. A shell prompt will not be displayed after executing the oc run command outlined below. Wait 5 seconds, and then proceed by entering a password.

   Copy

   oc run pgclient \
       --stdin \
       --tty \
       --rm \
       --image docker.io/bitnami/postgresql -- \
       psql --host <postgres-fqdn> --username postgres --port 5432 --password

2. Create immuta, temporal, and temporal_visiblity databases and an immuta role.

   Copy

   CREATE ROLE immuta with login encrypted password '<postgres-password>';
   
   GRANT immuta TO CURRENT_USER;
   
   CREATE DATABASE immuta OWNER immuta;
   CREATE DATABASE temporal OWNER immuta;
   CREATE DATABASE temporal_visibility OWNER immuta;
   
   GRANT all ON DATABASE immuta TO immuta;
   GRANT all ON DATABASE temporal TO immuta;
   GRANT all ON DATABASE temporal_visibility TO immuta;
   ALTER ROLE immuta SET search_path TO bometadata,public;

3. Revoke privileges from CURRENT_USER as they're no longer required.

   Copy

   REVOKE immuta FROM CURRENT_USER;

4. Enable the pgcrypto extension.

   Copy

   \c immuta
   CREATE EXTENSION pgcrypto;

5. Type \q, and then press Enter to exit.

Install Immuta

This section demonstrates how to deploy Immuta using the Immuta Enterprise Helm chart once the prerequisite cloud-managed services are configured.

1. Create a Helm values file named immuta-values.yaml with the content below. Because the Ingress resource will be managed by an OpenShift route you will create when configuring Ingress and not the Immuta Enterprise Helm chart, ingress is set to false below. TLS comes pre-configured with OpenShift, so tls is also set to false.

   Copy

   global:
     imageRegistry: ocir.immuta.com
     imagePullSecrets:
       - name: immuta-oci-registry
     postgresql:
       host: <postgres-fqdn>
       port: 5432
       username: <postgres-username>
       password: <postgres-password>
   
   audit:
     config:
       elasticsearchEndpoint: http://es-db-elasticsearch.immuta.svc.cluster.local:9200
       elasticsearchUsername: <elasticsearch-username>
       elasticsearchPassword: <elasticsearch-password>
     postgresql:
       database: immuta 
   
     deployment:
       podSecurityContext:
         # A number that is within the project range:
         #   oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.uid-range"}}{{"\n"}}'
         runAsUser: <user-id>
         # A number that is within the project range:
         #   oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.supplemental-groups"}}{{"\n"}}'
         runAsGroup: <group-id>
         seccompProfile:
           type: RuntimeDefault
         
       containerSecurityContext:
         allowPrivilegeEscalation: false
         capabilities:
           drop:
             - ALL
   
   discover:
     deployment:
       podSecurityContext:
         # A number that is within the project range:
         #   oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.uid-range"}}{{"\n"}}'
         runAsUser: <user-id>
         # A number that is within the project range:
         #   oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.supplemental-groups"}}{{"\n"}}'
         runAsGroup: <group-id>
         seccompProfile:
           type: RuntimeDefault
         
       containerSecurityContext:
         allowPrivilegeEscalation: false
         capabilities:
           drop:
             - ALL
   
   secure:
     ingress:
       enabled: false
       tls: false
   
     postgresql:
       database: immuta
       ssl: false
   
     web:
       podSecurityContext:
         # A number that is within the project range:
         #   oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.uid-range"}}{{"\n"}}'
         runAsUser: <user-id>
         # A number that is within the project range:
         #   oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.supplemental-groups"}}{{"\n"}}'
         runAsGroup: <group-id>
         seccompProfile:
           type: RuntimeDefault
         
       containerSecurityContext:
         allowPrivilegeEscalation: false
         capabilities:
           drop:
             - ALL
   
     backgroundWorker:
       podSecurityContext:
         # A number that is within the project range:
         #   oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.uid-range"}}{{"\n"}}'
         runAsUser: <user-id>
         # A number that is within the project range:
         #   oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.supplemental-groups"}}{{"\n"}}'
         runAsGroup: <group-id>
         seccompProfile:
           type: RuntimeDefault
         
       containerSecurityContext:
         allowPrivilegeEscalation: false
         capabilities:
           drop:
             - ALL
     
   temporal:
     enabled: true
     server:
       podSecurityContext:
           # A number that is within the project range:
           #   oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.uid-range"}}{{"\n"}}'
           runAsUser: 1000660000
           # A number that is within the project range:
           #   oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.supplemental-groups"}}{{"\n"}}'
           runAsGroup: 1000660000
           seccompProfile:
             type: RuntimeDefault
       config:
         persistence:
           default:
             sql:
               tls: 
                 enabled: true
           visibility:
             sql:
               tls:
                 enabled: true
       frontend:
         containerSecurityContext:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
               - ALL
       history:
         containerSecurityContext:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
               - ALL
       matching:
         containerSecurityContext:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
               - ALL
       worker:
         containerSecurityContext:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
               - ALL
     schema:
       podSecurityContext:
           # A number that is within the project range:
           #   oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.uid-range"}}{{"\n"}}'
           runAsUser: 1000660000
           # A number that is within the project range:
           #   oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.supplemental-groups"}}{{"\n"}}'
           runAsGroup: 1000660000
           seccompProfile:
             type: RuntimeDefault
       containerSecurityContext:
         allowPrivilegeEscalation: false
         capabilities:
           drop:
             - ALL
     proxy:
       deployment:
         podSecurityContext:
           # A number that is within the project range:
           #   oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.uid-range"}}{{"\n"}}'
           runAsUser: 1000660000
           # A number that is within the project range:
           #   oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.supplemental-groups"}}{{"\n"}}'
           runAsGroup: 1000660000
           seccompProfile:
             type: RuntimeDefault
         containerSecurityContext:
           enabled: true
           allowPrivilegeEscalation: false
           capabilities:
             drop:
               - ALL

2. Update all placeholder values in the immuta-values.yaml file.

3. Deploy Immuta.

   Copy

   helm install immuta oci://ocir.immuta.com/stable/immuta-enterprise \
       --values immuta-values.yaml \
       --version 2024.3.0

Validation

1. Wait for all pods in the namespace to become ready.

   Copy

   oc wait --for=condition=Ready pods --all

2. Determine the name of the Secure service.

   Copy

   oc get service --selector "app.kubernetes.io/component=secure" --output template='{{ .metadata.name }}'

3. Listen on local port 8080, forwarding TCP traffic to the Secure service's port named http.

   Copy

   oc port-forward service/<name> 8080:http

Next steps

• Configure Ingress to complete your installation and access your Immuta application.

• Learn more about best practices for Immuta in Production.