Upgrade IEHC 2024.2 LTS to 2024.3

New in IEHC 2024.3

Temporal

Requirements

Starting in IEHC 2024.3, a Temporal server is included in the chart and requires two databases to store state. You can expand the existing PostgreSQL database in use for Immuta by creating Temporal databases like so:

CREATE DATABASE temporal WITH OWNER <immuta_user_username>;
CREATE DATABASE temporal_visibility WITH OWNER <immuta_user_username>;

GRANT ALL PRIVILEGES ON DATABASE temporal TO <immuta_user_username>;
GRANT ALL PRIVILEGES ON DATABASE temporal_visibility TO <immuta_user_username>;

These database names are the default values for the Temporal sub-chart but can be set (if necessary) with the following values:

temporal:
  server:
    config:
      persistence:
        default:
          sql:
            database: "temporal"
        visibility:
          sql:
            database: "temporal_visibility"

Enabling Temporal

To enable the Temporal deployment, set the following values. Include the tls settings if using a Cloud database that requires TLS:

temporal:
  enabled: true
  server:
    config:
      persistence:
        default:
          sql:
            tls:
              # Set to true if Postgres Database uses TLS
              enabled: true
        visibility:
          sql:
            tls:
              # Set to true if Postgres Database uses TLS
              enabled: true

Helm values

To improve the experience using the IEHC, two Helm value changes have been introduced. Before deploying the IEHC 2024.3.x, you must perform the following Helm value changes:

PostgreSQL configuration

IEHC 2024.3.x adds support for global and component-level PostgreSQL connection details. This means you only need to specify the PostgreSQL connection information once in the global scope and apply overrides (if necessary) at a component level.

If you installed IEHC 2024.2 LTS using our install guides, your immuta-values.yaml file probably looks something like this to configure your PostgreSQL connection for multiple components:

audit:
  config:
    databaseConnectionString: postgres://immuta:<postgres-password>@<postgres-fqdn>:5432/immuta?schema=audit
#...
secure:
  postgresql:
    host: <postgres-fqdn>
    port: 5432
    database: immuta
    username: immuta
    password: <postgres-password>
    ssl: true
#...

Now, with PostgreSQL configuration in the global scope, your immuta-values.yaml file can look like this to specify the PostgreSQL connection:

global:
#...
  postgresql:
    host: <postgres-fqdn>
    port: 5432
    username: immuta
    password: <postgres-password>

audit:
  postgresql:
    database: immuta
#...
secure:
  postgresql:
    database: immuta
    ssl: true

Feature flags

Feature flags have moved from environment variables IEHC 2024.3.x as well. You may now set feature flags globally, and then the IEHC will properly configure all applications for you. Migrate all feature flags from secure.extraEnvVars to global.featureFlags.

Additionally, if you use conditional tags, you must add the discoverDeprecateLegacyTags feature flag when upgrading. Otherwise the conditional tags will be removed from Immuta next time SDD runs.

# Feature Flags may not be set as global boolean values
global:
#...
  featureFlags:
    AuditService: true
    detect: true
    auditLegacyViewHide: true
    discoverDeprecateLegacyTags: false

# Remove flags being set via extraEnvVars
#
# secure:
#  extraEnvVars:
#    - name: FeatureFlag_AuditService
#      value: "true"
#    - name: FeatureFlag_detect
#      value: "true"
#    - name: FeatureFlag_auditLegacyViewHide
#      value: "true"

If you fail to migrate the values from secure.extraEnvVars to global.featureFlags , then Helm will display warnings similar to below:

How to upgrade

After updating your immuta-values.yaml file to include any of the changes for the updates above, you can upgrade Immuta with the following command:

helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.3.0