# Production Best Practices

This guide highlights best practices when deploying Immuta in a production environment.

{% hint style="info" %}
**Kubernetes namespace**

The following section(s) presume the Immuta Enterprise Helm chart was deployed into namespace `immuta` and that the current namespace is `immuta`.
{% endhint %}

## Database sizing recommendations

Provisioning an appropriately resourced PostgreSQL database for Immuta is critical to application performance. The recommendations below are based on the number of data sources registered multiplied (\*) by the number of users on the deployment:

| Size                                | CPU | Memory | Storage    |
| ----------------------------------- | --- | ------ | ---------- |
| Small (data sources \* users <100k) | 2   | 8GB    | 100 GB SSD |
| Normal                              | 4   | 16GB   | 100 GB SSD |
| Large (data sources \* users >1M)   | 8   | 32GB   | 100 GB SSD |

## Elasticsearch/OpenSearch sizing recommendations

This recommendation assumes approximately 1 million events per day with a 90-day data retention policy:

* 2 nodes
* 2 CPUs/node
* 4GB RAM/node
* Storage 100GB SSD/node

## Helm values

Back up or source control your `immuta-values.yaml` Helm values file.

## Kubernetes resource requests and limits

Assign [memory resource limits](https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/) to pods.

### Edit Helm values

Edit `immuta-values.yaml` to include the following recommended resource requests and limits for most Immuta deployments.

{% hint style="info" %}
Increase replica count to 3 on `web` and `backgroundWorker` for large deployments.
{% endhint %}

```yaml
audit:
  worker:
    replicaCount: 1
    resources:
      requests:
        cpu: 1000m
        memory: 1024Mi
      limits:
        cpu: 1000m
        memory: 2048Mi  
  deployment:
    replicaCount: 1
    resources:
      requests:
        cpu: 1000m
        memory: 4096Mi
      limits:
        cpu: 3000m
        memory: 8192Mi
secure:
  backgroundWorker:
    replicaCount: 2
    resources:
      requests:
        cpu: 1000m
        memory: 4096Mi
      limits:
        cpu: 4000m
        memory: 4096Mi  
  web:
    replicaCount: 2 
    resources:
      requests:
        cpu: 1000m
        memory: 4096Mi
      limits:
        cpu: 4000m
        memory: 4096Mi
discover:
  deployment:
    replicaCount: 1
    resources:
      requests:
        cpu: 500m
        memory: 4096Mi
      limits:
        cpu: 3000m
        memory: 4096Mi
cache:
  deployment:
    replicaCount: 1
    resources:
      requests:
        cpu: 500m
        memory: 512Mi
      limits:
        cpu: 1000m
        memory: 512Mi
```

## Kubernetes secrets

Reference [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/) from the `immuta-values.yaml` file instead of storing passwords and tokens in it as plaintext. The following section demonstrates how to create a secret and reference it in the Helm values file. For guidance on updating these credentials based on your specific security policies, [refer to the Rotating credentials guide](/2025.1/configuration/self-managed-deployment/configure/rotating-credentials.md).

### Create secret

1. Create a file named `secret-data.env` with the following content.

   ```bash
   # audit
   ELASTICSEARCH_USERNAME=<elasticsearch-username>
   ELASTICSEARCH_PASSWORD=<elasticsearch-password>

   # PostgreSQL connection string used by audit for the metadata database
   #   postgresql://<user>:<password>@<postgres-fqdn>:5432/<database>?schema=audit
   #
   # More info
   #   https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
   DATABASE_CONNECTION_STRING=postgresql://immuta:<postgres-password>@<postgres-fqdn>:5432/immuta?schema=audit

   # secure
   IMMUTA_DATABASES_IMMUTA_CONNECTIONS_IMMUTADB_PASSWORD=<postgres-password>
   ```
2. Create secret named `immuta-secret` from file `secret-data.env`.

   ```bash
   kubectl create secret generic immuta-secret --from-env-file=secret-data.env
   ```
3. Delete file `secret-data.env`, as it's no longer needed.

   ```bash
   rm -i secret-data.env
   ```

### Edit Helm values

1. Edit `immuta-values.yaml` to include the following Helm values.

   ```yaml
   audit:
     deployment:
       existingSecret: immuta-secret
     export:
       cronJob:
         existingSecret: immuta-secret

   secure:
     existingSecret:
       name: immuta-secret
       # Optional. Map expected keys with keys in existing secret
       # keyMapping: {}
   ```
2. Remove any sensitive key-value pairs from the `immuta-values.yaml` Helm values that were made redundant after the secret was created.
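
One way to verify step 2 before committing or applying the file is to scan it for credential-looking literals. The script below is an added example, not part of the Immuta chart or tooling; the function names and the sample keys under `config` are hypothetical, and the sample file is constructed.

```shell
#!/usr/bin/env bash
# Added example, not Immuta tooling: flag credential-looking literals that
# remain in a Helm values file after moving them into a Kubernetes secret.

# Prints "line:text" for each suspicious line; returns 1 if any were found.
find_plaintext_secrets() {
  awk -v sq="'" '
    /^[ \t]*#/ { next }                        # skip comment lines
    index($0, ":") == 0 { next }               # not a key: value line
    {
      key = $0; sub(/:.*/, "", key); gsub(/[ \t-]/, "", key)
      val = $0; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      lkey = tolower(key)
      # References to an existing secret are the desired end state.
      if (lkey == "existingsecret" || lkey == "name" || lkey == "keymapping") next
      # URI with inline credentials, e.g. postgresql://user:pass@host
      if ($0 ~ "://[^:/@ \t]+:[^@ \t]+@") { print NR ":" $0; bad = 1; next }
      # Credential-named key carrying a non-empty literal value
      if (lkey ~ /password|passwd|token|apikey/ &&
          val != "" && val != "\"\"" && val != (sq sq) && val != "null" && val != "~") {
        print NR ":" $0; bad = 1
      }
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample; the keys under "config" are hypothetical, not chart keys.
write_sample_values() {
  cat > "$1" <<'EOF'
audit:
  deployment:
    existingSecret: immuta-secret
  config:
    elasticsearchPassword: example-only-pw
    databaseUrl: postgresql://immuta:example-only-pw@db.example.internal:5432/immuta?schema=audit
secure:
  existingSecret:
    name: immuta-secret
EOF
}

sample=$(mktemp)
write_sample_values "$sample"
find_plaintext_secrets "$sample" || echo "plaintext credentials remain in $sample" >&2
rm -f "$sample"
```

The match is a heuristic on key names and URI shape; credentials supplied as `name`/`value` environment entries are not detected and still need a manual review.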

### Apply Helm values

Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`.

```bash
helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2025.1.10
```

