Immuta Installation on Self Managed Infrastructure Overview

Day 0 Operations

These operations should be completed ahead of deploying the Immuta application and include deployment and configuration of the Kubernetes cluster. A list of typical activities in this phase is included for reference below. Individual environments may include other steps not listed here:

  • Deploy the Kubernetes cluster

  • Deploy a managed PostgreSQL database service

  • Deploy an Elasticsearch (ES) or Opensearch (OS) cluster

  • Networking configuration

    • Ensure that the cluster has communications paths to both the Elasticsearch cluster and the managed database service, including any necessary firewall rules or security group configurations

  • Ingress configuration

    • Set up any necessary IAM permissions

    • Deploy the load balancer controller software to the cluster

  • DNS Configuration

    • Install and configure software such as ExternalDNS to control interaction with DNS providers if necessary

    • Determine the endpoint that will be used to access the Immuta application after deployment

  • Security configurations

    • If mTLS within the cluster is a requirement, deploy a service mesh to the cluster

    • TLS configuration

      • Obtain a TLS certificate for the software deployment endopoint and upload to the cloud provider certificate manager service if necessary

      • Identification of any TLS Certificate Authority certificate chains needed for communication from the application to connected services

Day 1 Operations

The day 1 operations described here are associated with the deployment of the Immuta application and include properly configuration of dependencies and installation of the application itself.

Configuration and Deployment

  • Configuration of the PostgreSQL role(s) and database(s) needed to deploy the application

  • Configuration Elasticsearch/Opensearch user and permissions

  • Optionally, mirroring of all deployment related artifacts for the application to a private container registry

  • Configuration of application settings according to the deployment environment. Key elements include:

    • Identification of endpoints and authentication credentials for:

      • Any container registries contacted during application deployment

      • Endpoint location and authentication credentials for dependent (ES/OS and PostgreSQL) services

    • Ingress settings according to the destination environment

    • Any custom Immuta application settings identified during pre-installation planning

      • Custom Certificate Authority certificate chains should be mounted into the application pods and made available to running processes so that connected services can function properly

  • Configuration of secrets for sensitive information, such as database passwords

  • Deployment of the application to the kubernetes cluster via the Helm package manager

Validation and Initial configuration

Post successful deployment there are a few steps required to complete the installation phase before moving into application configuration. These include:

  • Validation of web application availablity via the provided endpoint

  • Configuration of an intiial administrator service account via the web application

  • Application of the Immuta software license

  • Validation that all purchased connectors are available for configuration

  • Validation that any custom settings have been appropriately applied

  • Validation that outbound network connectivity to any desired identity management, catalog, and data platform is successful

    • This can usually be confirmed by testing outbound network connectivity from an ephemeral network debugging pod deployed in the same namespace as the Immuta application or by performing an initial, basic connectivity test via the web application

Late Day 1, early Day 2 operations

These steps often get completed after the initial installation effort but are important to call out in this document and should be planned in advance and accomplished prior to most other meaningful configuration operations that are outside the scope of this document.

  • Configure and validate successful deployment of the desired identity provider (Okta, Entra ID, etc) and the Immuta application

    • Determine the standard(s) being used and configure via the IAM configuration in Immuta

      • If SCIM is being used to provision users, enable this setting in the IAM and validate proper connectivity and operation from the Identity Provider

    • Enable and configure any data providers identified as part of the initial use case

PreviousExample Trino installation via Open Source Helm ChartNextRepeatable k3s stack deployment on AWS EC2

Last updated