Red Hat OpenShift
Last updated
Last updated
This is a guide on how to deploy Immuta on OpenShift.
The following managed services must be provisioned and running before proceeding. For further assistance consult the for your respective cloud provider.
Feature availability
If deployed without Elasticsearch/OpenSearch, several core services and features will be unavailable. See the for details.
PostgreSQL
(Optional) Elasticsearch/OpenSearch
This checklist outlines the necessary prerequisites for successfully deploying Immuta.
Creating a dedicated namespace ensures a logically isolated environment for your Immuta deployment, preventing resource conflicts with other applications.
Create an OpenShift project named immuta.
Get the UID range allocated to the project. Each running container's UID must fall within this range. This value will be referenced later on.
Get the GID range allocated to the project. Each running container's GID must fall within this range. This value will be referenced later on.
Switch to project immuta.
Connecting a client
There are numerous ways to connect to a PostgreSQL database. This step demonstrates how to connect with psql by creating an ephemeral Kubernetes pod.
Connect to the database as an admin (e.g., postgres) by creating an ephemeral container inside the Kubernetes cluster. A shell prompt will not be displayed after executing the kubectl run command outlined below. Wait 5 seconds, and then proceed by entering a password.
Temporal's upgrade mechanism utilizes SQL command CREATE EXTENSION when managing database schema changes. However, in cloud-managed PostgreSQL offerings, this command is typically restricted to roles with elevated privileges to protect the database and maintain the stability of the cloud environment.
To ensure Temporal can successfully manage its schema, a pre-defined administrator role must be granted. The role name varies depending on the cloud-managed service:
Amazon RDS: rds_superuser
Azure Database: azure_pg_admin
Google Cloud SQL: cloudsqlsuperuser
Create the immuta role.
Grant administrator privileges to the immuta role. Upon successfully completing this installation guide, you can optionally revoke this role grant.
Create databases.
Configure the immuta database.
Configure the temporal database.
Configure the temporal_visibility database.
Exit the interactive prompt. Type \q, and then press Enter.
This section demonstrates how to deploy Immuta using the Immuta Enterprise Helm chart once the prerequisite cloud-managed services are configured.
Why disable Ingress?
In OpenShift, Ingress resources are managed by OpenShift Routes. These routes provide a more integrated and streamlined way to handle external access to your applications. To avoid conflicts and ensure proper functionality, it's necessary to disable the pre-defined Ingress resource in the Helm chart.
Feature availability
Deploy Immuta.
Wait for all pods to become ready.
Determine the name of the Secure service.
Listen on local port 8080, forwarding TCP traffic to the Secure service's port named http.
Press Control+C to stop port forwarding.
Configure Ingress for OpenShift (required).
The Elasticsearch instance's hostname/FQDN is .
The Elasticsearch instance is .
The user must have the .
Create a container registry pull secret. Your credentials to authenticate with ocir.immuta.com can be viewed in your user profile at .
Grant role immuta additional privileges. Refer to the for further details on database roles and privileges.
If deployed without Elasticsearch/OpenSearch, several core services and features will be unavailable. See the for details.
Create a file named immuta-values.yaml with the above content, making sure to update all .
This section helps you validate your Immuta installation by temporarily accessing the application locally. However, this access is limited to your own computer. To enable access for other devices, you must proceed with configuring Ingress outlined in the section.
In a web browser, navigate to , to ensure the Immuta application loads.
.