Immuta Installation on Self Managed Infrastructure Overview
Day 0 Operations
These operations should be completed ahead of deploying the Immuta application and include deployment and configuration of the Kubernetes cluster. A list of typical activities in this phase is included for reference below. Individual environments may include other steps not listed here:
Deploy the Kubernetes cluster
Deploy a managed PostgreSQL database service
Deploy an Elasticsearch (ES) or OpenSearch (OS) cluster
Networking configuration
Ensure that the cluster has communication paths to both the Elasticsearch cluster and the managed database service, including any necessary firewall rules or security group configurations
Ingress configuration
Set up any necessary IAM permissions
Deploy the load balancer controller software to the cluster
DNS Configuration
Install and configure software such as ExternalDNS to control interaction with DNS providers if necessary
Determine the endpoint that will be used to access the Immuta application after deployment
Security configurations
If mTLS within the cluster is a requirement, deploy a service mesh to the cluster
TLS configuration
Obtain a TLS certificate for the software deployment endpoint and upload it to the cloud provider certificate manager service if necessary
Identification of any TLS Certificate Authority certificate chains needed for communication from the application to connected services
Day 1 Operations
The Day 1 operations described here are associated with the deployment of the Immuta application and include proper configuration of dependencies and installation of the application itself.
Configuration and Deployment
Configuration of the PostgreSQL role(s) and database(s) needed to deploy the application
Configuration of the Elasticsearch/OpenSearch user and permissions
Optionally, mirroring of all deployment related artifacts for the application to a private container registry
Configuration of application settings according to the deployment environment. Key elements include:
Identification of endpoints and authentication credentials for:
Any container registries contacted during application deployment
Endpoint location and authentication credentials for dependent (ES/OS and PostgreSQL) services
Ingress settings according to the destination environment
Any custom Immuta application settings identified during pre-installation planning
Custom Certificate Authority certificate chains should be mounted into the application pods and made available to running processes so that connected services can function properly
Configuration of secrets for sensitive information, such as database passwords
Deployment of the application to the Kubernetes cluster via the Helm package manager
Validation and Initial configuration
After a successful deployment, a few steps are required to complete the installation phase before moving into application configuration. These include:
Validation of web application availability via the provided endpoint
Configuration of an initial administrator service account via the web application
Application of the Immuta software license
Validation that all purchased connectors are available for configuration
Validation that any custom settings have been appropriately applied
Validation that outbound network connectivity to any desired identity management, catalog, and data platform is successful
This can usually be confirmed by testing outbound network connectivity from an ephemeral network debugging pod deployed in the same namespace as the Immuta application or by performing an initial, basic connectivity test via the web application
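One way to script the outbound connectivity validation described above, as an added example that is not part of Immuta's documentation or tooling. It reports whether a failure occurs at DNS resolution, TCP connect, or TLS verification, which separates firewall or security group problems from a missing CA chain; the endpoint hostnames and the `CA_BUNDLE` value are constructed placeholders.

```python
import socket
import ssl

def probe(host, port, ca_file=None, use_tls=True, timeout=5.0):
    """Return (stage, detail); stage is ok, dns_failed, tcp_failed or tls_failed."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as exc:   # name did not resolve from inside the cluster
        return "dns_failed", str(exc)
    except OSError as exc:           # refused or timed out: check firewall / security groups
        return "tcp_failed", str(exc)
    if not use_tls:
        sock.close()
        return "ok", "tcp connect succeeded"
    # With ca_file set, only that bundle is trusted; otherwise the system store is used.
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", tls.version()
    except OSError as exc:           # ssl.SSLError and verification errors subclass OSError
        return "tls_failed", str(exc)
    finally:
        sock.close()


# Constructed placeholders: replace with the real IdP, catalog and data platform endpoints.
ENDPOINTS = [
    ("idp.example.com", 443),
    ("catalog.example.com", 443),
    ("warehouse.example.com", 443),
]
CA_BUNDLE = None  # assumption: set to the path where the custom CA chain is mounted

if __name__ == "__main__":
    for host, port in ENDPOINTS:
        stage, detail = probe(host, port, ca_file=CA_BUNDLE)
        print(f"{host}:{port} {stage} {detail}")
```

A `tls_failed` result with a certificate verification message for a service signed by a private CA usually means the custom CA chain is not the one being trusted.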
Late Day 1, early Day 2 operations
These steps are often completed after the initial installation effort, but they are called out here because they should be planned in advance and completed before most other meaningful configuration operations, which are outside the scope of this document.
Configure and validate successful deployment of the desired identity provider (Okta, Entra ID, etc.) and the Immuta application
Determine the standard(s) being used and configure via the IAM configuration in Immuta
If SCIM is being used to provision users, enable this setting in the IAM and validate proper connectivity and operation from the Identity Provider
Enable and configure any data providers identified as part of the initial use case