Immuta Installation on Self Managed Infrastructure Overview

Day 0 Operations

These operations should be completed ahead of deploying the Immuta application and include deployment and configuration of the Kubernetes cluster. A list of typical activities in this phase is included for reference below. Individual environments may include other steps not listed here:

Deploy the Kubernetes cluster
Deploy a managed PostgreSQL database service
Deploy an Elasticsearch (ES) or Opensearch (OS) cluster
Networking configuration
- Ensure that the cluster has communications paths to both the Elasticsearch cluster and the managed database service, including any necessary firewall rules or security group configurations
Ingress configuration
- Set up any necessary IAM permissions
- Deploy the load balancer controller software to the cluster
DNS Configuration
- Install and configure software such as ExternalDNS to control interaction with DNS providers if necessary
- Determine the endpoint that will be used to access the Immuta application after deployment
Security configurations
- If mTLS within the cluster is a requirement, deploy a service mesh to the cluster
- TLS configuration
  - Obtain a TLS certificate for the software deployment endopoint and upload to the cloud provider certificate manager service if necessary
  - Identification of any TLS Certificate Authority certificate chains needed for communication from the application to connected services

Day 1 Operations

The day 1 operations described here are associated with the deployment of the Immuta application and include properly configuration of dependencies and installation of the application itself.

Configuration and Deployment

Configuration of the PostgreSQL role(s) and database(s) needed to deploy the application
Configuration Elasticsearch/Opensearch user and permissions
Optionally, mirroring of all deployment related artifacts for the application to a private container registry
Configuration of application settings according to the deployment environment. Key elements include:
- Identification of endpoints and authentication credentials for:
  - Any container registries contacted during application deployment
  - Endpoint location and authentication credentials for dependent (ES/OS and PostgreSQL) services
- Ingress settings according to the destination environment
- Any custom Immuta application settings identified during pre-installation planning
  - Custom Certificate Authority certificate chains should be mounted into the application pods and made available to running processes so that connected services can function properly
Configuration of secrets for sensitive information, such as database passwords
Deployment of the application to the kubernetes cluster via the Helm package manager

Validation and Initial configuration

Post successful deployment there are a few steps required to complete the installation phase before moving into application configuration. These include:

Validation of web application availablity via the provided endpoint
Configuration of an intiial administrator service account via the web application
Application of the Immuta software license
Validation that all purchased connectors are available for configuration
Validation that any custom settings have been appropriately applied
Validation that outbound network connectivity to any desired identity management, catalog, and data platform is successful
- This can usually be confirmed by testing outbound network connectivity from an ephemeral network debugging pod deployed in the same namespace as the Immuta application or by performing an initial, basic connectivity test via the web application

Late Day 1, early Day 2 operations

These steps often get completed after the initial installation effort but are important to call out in this document and should be planned in advance and accomplished prior to most other meaningful configuration operations that are outside the scope of this document.

Configure and validate successful deployment of the desired identity provider (Okta, Entra ID, etc) and the Immuta application
- Determine the standard(s) being used and configure via the IAM configuration in Immuta
  - If SCIM is being used to provision users, enable this setting in the IAM and validate proper connectivity and operation from the Identity Provider
- Enable and configure any data providers identified as part of the initial use case

PreviousExample Trino installation via Open Source Helm Chart NextRepeatable k3s stack deployment on AWS EC2

Last updated 3 months ago

Day 0 Operations

Deploy the Kubernetes cluster

Deploy a managed PostgreSQL database service

Deploy an Elasticsearch (ES) or Opensearch (OS) cluster

Networking configuration

Ensure that the cluster has communications paths to both the Elasticsearch cluster and the managed database service, including any necessary firewall rules or security group configurations

Ingress configuration

Set up any necessary IAM permissions
Deploy the load balancer controller software to the cluster

DNS Configuration

Install and configure software such as ExternalDNS to control interaction with DNS providers if necessary
Determine the endpoint that will be used to access the Immuta application after deployment

Security configurations

If mTLS within the cluster is a requirement, deploy a service mesh to the cluster
TLS configuration
- Obtain a TLS certificate for the software deployment endopoint and upload to the cloud provider certificate manager service if necessary
- Identification of any TLS Certificate Authority certificate chains needed for communication from the application to connected services

Day 1 Operations

The day 1 operations described here are associated with the deployment of the Immuta application and include properly configuration of dependencies and installation of the application itself.

Configuration and Deployment

Configuration of the PostgreSQL role(s) and database(s) needed to deploy the application

Configuration Elasticsearch/Opensearch user and permissions

Optionally, mirroring of all deployment related artifacts for the application to a private container registry

Configuration of application settings according to the deployment environment. Key elements include:

Identification of endpoints and authentication credentials for:
- Any container registries contacted during application deployment
- Endpoint location and authentication credentials for dependent (ES/OS and PostgreSQL) services
Ingress settings according to the destination environment
Any custom Immuta application settings identified during pre-installation planning
- Custom Certificate Authority certificate chains should be mounted into the application pods and made available to running processes so that connected services can function properly

Configuration of secrets for sensitive information, such as database passwords

Deployment of the application to the kubernetes cluster via the Helm package manager

Validation and Initial configuration

Post successful deployment there are a few steps required to complete the installation phase before moving into application configuration. These include:

Validation of web application availablity via the provided endpoint

Configuration of an intiial administrator service account via the web application

Application of the Immuta software license

Validation that all purchased connectors are available for configuration

Validation that any custom settings have been appropriately applied

Validation that outbound network connectivity to any desired identity management, catalog, and data platform is successful

This can usually be confirmed by testing outbound network connectivity from an ephemeral network debugging pod deployed in the same namespace as the Immuta application or by performing an initial, basic connectivity test via the web application

Late Day 1, early Day 2 operations

Configure and validate successful deployment of the desired identity provider (Okta, Entra ID, etc) and the Immuta application

Determine the standard(s) being used and configure via the IAM configuration in Immuta
- If SCIM is being used to provision users, enable this setting in the IAM and validate proper connectivity and operation from the Identity Provider
Enable and configure any data providers identified as part of the initial use case