Azure Immuta Deployment

Create a resource group and container registry

export RELEASE_NAME=soleng
export ACR_NAME=soleng
export LOCATION=eastus
az group create --name $RELEASE_NAME --location $LOCATION
# Create a container registry
az acr create --resource-group $RELEASE_NAME \
              --name $ACR_NAME \
              --sku Basic

Install skopeo and authenticate to ACR

This article uses skopeo to copy container images between registries. Please install for your host OS according to the documentation here:

az acr token create --name $RELEASE_NAME-token --registry $ACR_NAME --repository '*' content/write content/read
TOKEN_PASSWORD=$(az acr token credential generate -n $RELEASE_NAME-token -r $ACR_NAME --password1 --expiration-in-days 120|jq -r '.passwords[0].value')
echo $TOKEN_PASSWORD | skopeo login --username $RELEASE_NAME-token --password-stdin $ACR_NAME.azurecr.io

Authenticate to Immuta Registry

export IMMUTA_USER=<found in support.immuta.com profile>
export IMMUTA_TOKEN=<find in support.immuta.com profile>
echo $IMMUTA_TOKEN |skopeo login --username $IMMUTA_USER --password-stdin ocir.immuta.com

Copy images to ACR

export IMMUTA_VERSION=2024.3.0
for image in audit-service audit-export-cronjob cache classify-service detect-temporal-worker immuta-service temporal-admin-tools temporal-proxy temporal-server; do
  skopeo copy docker://ocir.immuta.com/stable/$image:$IMMUTA_VERSION docker://$ACR_NAME.azurecr.io/immuta/$image:$IMMUTA_VERSION;
done

Deploy AKS Cluster

az aks create --location $LOCATION \
              --name $RELEASE_NAME-cluster \
              --resource-group $RELEASE_NAME \
              --network-plugin azure \
              --enable-oidc-issuer \
              --enable-app-routing \
              --enable-workload-identity \
              --attach-acr $ACR_NAME

Deploy Azure Elastic Monitor

export EMAIL=rbauman@immuta.com
az elastic monitor create --location $LOCATION \
                          --name $RELEASE_NAME-elastic \
                          --resource-group $RELEASE_NAME \
                          --user-info "{emailAddress:$EMAIL}" \
                          --sku "{name:ess-consumption-2024_Monthly}"

Deploy Azure Flexible Server for PostgreSQL

The following steps create the necessary networking relationships to access PostgreSQL privately from the AKS cluster created above.

az network private-dns zone create --resource-group $RELEASE_NAME \
                                   --name $RELEASE_NAME.postgres.database.azure.com

AKS_VNET_ID=$(az network vnet list --resource-group MC_${RELEASE_NAME}_${RELEASE_NAME}-cluster_${LOCATION} --query "[0].id" -o tsv)
az network private-dns link vnet create --resource-group ${RELEASE_NAME} \
                                        --name postgres-dns-link \
                                        --zone-name ${RELEASE_NAME}.postgres.database.azure.com \
                                        --virtual-network ${AKS_VNET_ID} \
                                        --registration-enabled false

DNS_ZONE_ID=$(az network private-dns zone show --resource-group ${RELEASE_NAME} --name ${RELEASE_NAME}.postgres.database.azure.com --query "id" -o tsv)
POSTGRES_CONNECTION_STRING=$(az postgres flexible-server create --version 16 \
                                   --resource-group ${RELEASE_NAME} \
                                   --name ${RELEASE_NAME}-postgres \
                                   --private-dns-zone ${DNS_ZONE_ID} \
                                   --vnet ${RELEASE_NAME}-postgres-vnet \
                                   --subnet ${RELEASE_NAME}-postgres-subnet \
                                   --address-prefixes 10.0.0.0/16 \
                                   --subnet-prefixes 10.0.0.0/24 --query "connectionString" -o tsv --yes)
echo $POSTGRES_CONNECTION_STRING

az postgres flexible-server parameter set --resource-group ${RELEASE_NAME} \
                                          --server-name ${RELEASE_NAME}-postgres \
                                          --name azure.extensions \
                                          --value pgcrypto

az network vnet peering create --resource-group ${RELEASE_NAME} \
                               --name ${RELEASE_NAME}-postgres-to-cluster \
                               --vnet-name ${RELEASE_NAME}-postgres-vnet \
                               --remote-vnet ${AKS_VNET_ID} \
                               --allow-vnet-access

POSTGRES_VNET_ID=$(az network vnet show --name ${RELEASE_NAME}-postgres-vnet --resource-group ${RELEASE_NAME} --query "id" -o tsv)
AKS_VNET_NAME=$(az network vnet show --ids $AKS_VNET_ID --query "name" -o "tsv")
az network vnet peering create --resource-group MC_${RELEASE_NAME}_${RELEASE_NAME}-cluster_${LOCATION} \
                               --name ${RELEASE_NAME}-cluster-to-postgres \
                               --vnet-name ${AKS_VNET_NAME} \
                               --remote-vnet ${POSTGRES_VNET_ID} \
                               --allow-vnet-access

az network vnet subnet create --name ${RELEASE_NAME}-vm-subnet \
                              --vnet-name ${RELEASE_NAME}-postgres-vnet \
                              --resource-group ${RELEASE_NAME} \
                              --address-prefixes "10.0.1.0/24"

Create a VM and export the IP Address as an environment variable

VM_IP_ADDRESS=$(az vm create --name ${RELEASE_NAME}-vm \
             --resource-group ${RELEASE_NAME} \
             --image Ubuntu2204 \
             --vnet-name ${RELEASE_NAME}-postgres-vnet \
             --subnet ${RELEASE_NAME}-vm-subnet \
             --admin-username immuta-user \
             --public-ip-sku Standard \
             --ssh-key-value ~/.ssh/id_rsa.pub --query "publicIpAddress" -o tsv)

Connect to the VM and and install postgresql

ssh -i ~/.ssh/id_rsa immuta-user@${VM_IP_ADDRESS}
sudo apt update && sudo apt install -y postgresql

Connect to the database using the POSTGRES_CONNECTION_STRING variable created above

psql postgresql://username:password@soleng.postgres.database.azure.com/flexibleserverdb?sslmode=require

Create Immuta Database

create database immuta;

\connect immuta

create extension pgcrypto;
create role immuta with createrole login encrypted password 'secret';
grant immuta to current_user;
alter database immuta owner to immuta;
grant all on database immuta to immuta;
alter role immuta set search_path to bometadata,audit,public;

Verify Connection

psql postgresql://username:password@soleng-postgres.postgres.database.azure.com/immuta?sslmode=require

Create a TLS Secret

IMMUTA_URL=soleng.immuta.us
NAMESPACE=immuta
TLS_CERT=immutaus.crt
TLS_KEY=immutausnopass.key
kubectl create ns immuta
kubectl -n immuta create secret tls ${IMMUTA_URL}-tls \
                  --key=${TLS_KEY} \
                  --cert=${TLS_CERT}

Install Immuta via Helm

helm upgrade --install -n ${NAMESPACE} immuta \
             ./immuta-enterprise-2024.3.0.tgz -f immuta-values.yaml

Example Helm Values

global:
  imageRegistry: soleng.azurecr.io
  imageTag: 2024.3.0
  imageRepositoryMap:
    stable/audit-service: immuta/audit-service
    stable/audit-export-cronjob: immuta/audit-export-cronjob
    stable/cache: immuta/cache
    stable/classify-service: immuta/classify-service
    stable/detect-temporal-worker: immuta/detect-temporal-worker
    stable/immuta-service: immuta/immuta-service
    stable/temporal-admin-tools: immuta/temporal-admin-tools
    stable/temporal-proxy: immuta/temporal-proxy
    stable/temporal-server: immuta/temporal-server
  postgresql:
    host: soleng.postgres.database.azure.com
    port: 5432
    username: immuta
    password: immuta
    ssl: true
audit:
  enabled: true
  postgresql:
    database: immuta
  config:
    elasticsearchEndpoint: https://soleng-elastic.es.eastus.azure.elastic-cloud.com/
    elasticsearchUsername: soleng-audit-service
    elasticsearchPassword: jcp.cqz7GPM6jfp0rhk
secure:
  extraConfig:
    publicImmutaUrl: https://soleng.immuta.us
  postgresql:
    database: immuta
  ingress:
    ingressClassName: webapprouting.kubernetes.azure.com
    hostname: soleng.immuta.us
    tls: true
temporal:
  enabled: true
  server:
    additionalVolumes:
    - name: secret-with-certs
      secret:
        secretName: secret-with-certs
    extraVolumeMounts:
    - name: secret-with-certs
      mountPath: /certs/
    config:
      persistence:
        default:
          sql:
            database: temporal
            tls:
              caFile: /certs/global-bundle.pem
              enabled: true
        visibility:
          sql:
            database: temporal_visibility
            tls:
              caFile: /certs/global-bundle.pem
              enabled: true

PreviousStuck Prisma Migrations during Upgrade NextIn-cluster PostgreSQL using Crunchydata

Last updated 3 months ago

export RELEASE_NAME=soleng export ACR_NAME=soleng export LOCATION=eastus az group create --name $RELEASE_NAME --location $LOCATION # Create a container registry az acr create --resource-group $RELEASE_NAME \ --name $ACR_NAME \ --sku Basic

az acr token create --name $RELEASE_NAME-token --registry $ACR_NAME --repository '*' content/write content/read TOKEN_PASSWORD=$(az acr token credential generate -n $RELEASE_NAME-token -r $ACR_NAME --password1 --expiration-in-days 120|jq -r '.passwords[0].value') echo $TOKEN_PASSWORD | skopeo login --username $RELEASE_NAME-token --password-stdin $ACR_NAME.azurecr.io

export IMMUTA_USER=<found in support.immuta.com profile> export IMMUTA_TOKEN=<find in support.immuta.com profile> echo $IMMUTA_TOKEN |skopeo login --username $IMMUTA_USER --password-stdin ocir.immuta.com

export IMMUTA_VERSION=2024.3.0 for image in audit-service audit-export-cronjob cache classify-service detect-temporal-worker immuta-service temporal-admin-tools temporal-proxy temporal-server; do skopeo copy docker://ocir.immuta.com/stable/$image:$IMMUTA_VERSION docker://$ACR_NAME.azurecr.io/immuta/$image:$IMMUTA_VERSION; done

az aks create --location $LOCATION \ --name $RELEASE_NAME-cluster \ --resource-group $RELEASE_NAME \ --network-plugin azure \ --enable-oidc-issuer \ --enable-app-routing \ --enable-workload-identity \ --attach-acr $ACR_NAME

export EMAIL=rbauman@immuta.com az elastic monitor create --location $LOCATION \ --name $RELEASE_NAME-elastic \ --resource-group $RELEASE_NAME \ --user-info "{emailAddress:$EMAIL}" \ --sku "{name:ess-consumption-2024_Monthly}"

AKS_VNET_ID=$(az network vnet list --resource-group MC_${RELEASE_NAME}_${RELEASE_NAME}-cluster_${LOCATION} --query "[0].id" -o tsv) az network private-dns link vnet create --resource-group ${RELEASE_NAME} \ --name postgres-dns-link \ --zone-name ${RELEASE_NAME}.postgres.database.azure.com \ --virtual-network ${AKS_VNET_ID} \ --registration-enabled false

DNS_ZONE_ID=$(az network private-dns zone show --resource-group ${RELEASE_NAME} --name ${RELEASE_NAME}.postgres.database.azure.com --query "id" -o tsv) POSTGRES_CONNECTION_STRING=$(az postgres flexible-server create --version 16 \ --resource-group ${RELEASE_NAME} \ --name ${RELEASE_NAME}-postgres \ --private-dns-zone ${DNS_ZONE_ID} \ --vnet ${RELEASE_NAME}-postgres-vnet \ --subnet ${RELEASE_NAME}-postgres-subnet \ --address-prefixes 10.0.0.0/16 \ --subnet-prefixes 10.0.0.0/24 --query "connectionString" -o tsv --yes) echo $POSTGRES_CONNECTION_STRING

az postgres flexible-server parameter set --resource-group ${RELEASE_NAME} \ --server-name ${RELEASE_NAME}-postgres \ --name azure.extensions \ --value pgcrypto

az network vnet peering create --resource-group ${RELEASE_NAME} \ --name ${RELEASE_NAME}-postgres-to-cluster \ --vnet-name ${RELEASE_NAME}-postgres-vnet \ --remote-vnet ${AKS_VNET_ID} \ --allow-vnet-access

POSTGRES_VNET_ID=$(az network vnet show --name ${RELEASE_NAME}-postgres-vnet --resource-group ${RELEASE_NAME} --query "id" -o tsv) AKS_VNET_NAME=$(az network vnet show --ids $AKS_VNET_ID --query "name" -o "tsv") az network vnet peering create --resource-group MC_${RELEASE_NAME}_${RELEASE_NAME}-cluster_${LOCATION} \ --name ${RELEASE_NAME}-cluster-to-postgres \ --vnet-name ${AKS_VNET_NAME} \ --remote-vnet ${POSTGRES_VNET_ID} \ --allow-vnet-access

az network vnet subnet create --name ${RELEASE_NAME}-vm-subnet \ --vnet-name ${RELEASE_NAME}-postgres-vnet \ --resource-group ${RELEASE_NAME} \ --address-prefixes "10.0.1.0/24"

VM_IP_ADDRESS=$(az vm create --name ${RELEASE_NAME}-vm \ --resource-group ${RELEASE_NAME} \ --image Ubuntu2204 \ --vnet-name ${RELEASE_NAME}-postgres-vnet \ --subnet ${RELEASE_NAME}-vm-subnet \ --admin-username immuta-user \ --public-ip-sku Standard \ --ssh-key-value ~/.ssh/id_rsa.pub --query "publicIpAddress" -o tsv)

create extension pgcrypto; create role immuta with createrole login encrypted password 'secret'; grant immuta to current_user; alter database immuta owner to immuta; grant all on database immuta to immuta; alter role immuta set search_path to bometadata,audit,public;

IMMUTA_URL=soleng.immuta.us NAMESPACE=immuta TLS_CERT=immutaus.crt TLS_KEY=immutausnopass.key kubectl create ns immuta kubectl -n immuta create secret tls ${IMMUTA_URL}-tls \ --key=${TLS_KEY} \ --cert=${TLS_CERT}

global: imageRegistry: soleng.azurecr.io imageTag: 2024.3.0 imageRepositoryMap: stable/audit-service: immuta/audit-service stable/audit-export-cronjob: immuta/audit-export-cronjob stable/cache: immuta/cache stable/classify-service: immuta/classify-service stable/detect-temporal-worker: immuta/detect-temporal-worker stable/immuta-service: immuta/immuta-service stable/temporal-admin-tools: immuta/temporal-admin-tools stable/temporal-proxy: immuta/temporal-proxy stable/temporal-server: immuta/temporal-server postgresql: host: soleng.postgres.database.azure.com port: 5432 username: immuta password: immuta ssl: true audit: enabled: true postgresql: database: immuta config: elasticsearchEndpoint: https://soleng-elastic.es.eastus.azure.elastic-cloud.com/ elasticsearchUsername: soleng-audit-service elasticsearchPassword: jcp.cqz7GPM6jfp0rhk secure: extraConfig: publicImmutaUrl: https://soleng.immuta.us postgresql: database: immuta ingress: ingressClassName: webapprouting.kubernetes.azure.com hostname: soleng.immuta.us tls: true temporal: enabled: true server: additionalVolumes: - name: secret-with-certs secret: secretName: secret-with-certs extraVolumeMounts: - name: secret-with-certs mountPath: /certs/ config: persistence: default: sql: database: temporal tls: caFile: /certs/global-bundle.pem enabled: true visibility: sql: database: temporal_visibility tls: caFile: /certs/global-bundle.pem enabled: true