Azure Immuta Deployment

Create a resource group and container registry

export RELEASE_NAME=soleng
export ACR_NAME=soleng
export LOCATION=eastus
az group create --name $RELEASE_NAME --location $LOCATION
# Create a container registry
az acr create --resource-group $RELEASE_NAME \
              --name $ACR_NAME \
              --sku Basic

Install skopeo and authenticate to ACR

This article uses skopeo to copy container images between registries. Please install for your host OS according to the documentation here:

skopeo/install.md at main · containers/skopeoGitHub

az acr token create --name $RELEASE_NAME-token --registry $ACR_NAME --repository '*' content/write content/read
TOKEN_PASSWORD=$(az acr token credential generate -n $RELEASE_NAME-token -r $ACR_NAME --password1 --expiration-in-days 120|jq -r '.passwords[0].value')
echo $TOKEN_PASSWORD | skopeo login --username $RELEASE_NAME-token --password-stdin $ACR_NAME.azurecr.io

Authenticate to Immuta Registry

export IMMUTA_USER=<found in support.immuta.com profile>
export IMMUTA_TOKEN=<find in support.immuta.com profile>
echo $IMMUTA_TOKEN |skopeo login --username $IMMUTA_USER --password-stdin ocir.immuta.com

Copy images to ACR

export IMMUTA_VERSION=2024.3.0
for image in audit-service audit-export-cronjob cache classify-service detect-temporal-worker immuta-service temporal-admin-tools temporal-proxy temporal-server; do
  skopeo copy docker://ocir.immuta.com/stable/$image:$IMMUTA_VERSION docker://$ACR_NAME.azurecr.io/immuta/$image:$IMMUTA_VERSION;
done

Deploy AKS Cluster

az aks create --location $LOCATION \
              --name $RELEASE_NAME-cluster \
              --resource-group $RELEASE_NAME \
              --network-plugin azure \
              --enable-oidc-issuer \
              --enable-app-routing \
              --enable-workload-identity \
              --attach-acr $ACR_NAME

Deploy Azure Elastic Monitor

export [email protected]
az elastic monitor create --location $LOCATION \
                          --name $RELEASE_NAME-elastic \
                          --resource-group $RELEASE_NAME \
                          --user-info "{emailAddress:$EMAIL}" \
                          --sku "{name:ess-consumption-2024_Monthly}"

Deploy Azure Flexible Server for PostgreSQL

The following steps create the necessary networking relationships to access PostgreSQL privately from the AKS cluster created above.

az network private-dns zone create --resource-group $RELEASE_NAME \
                                   --name $RELEASE_NAME.postgres.database.azure.com

AKS_VNET_ID=$(az network vnet list --resource-group MC_${RELEASE_NAME}_${RELEASE_NAME}-cluster_${LOCATION} --query "[0].id" -o tsv)
az network private-dns link vnet create --resource-group ${RELEASE_NAME} \
                                        --name postgres-dns-link \
                                        --zone-name ${RELEASE_NAME}.postgres.database.azure.com \
                                        --virtual-network ${AKS_VNET_ID} \
                                        --registration-enabled false

DNS_ZONE_ID=$(az network private-dns zone show --resource-group ${RELEASE_NAME} --name ${RELEASE_NAME}.postgres.database.azure.com --query "id" -o tsv)
POSTGRES_CONNECTION_STRING=$(az postgres flexible-server create --version 16 \
                                   --resource-group ${RELEASE_NAME} \
                                   --name ${RELEASE_NAME}-postgres \
                                   --private-dns-zone ${DNS_ZONE_ID} \
                                   --vnet ${RELEASE_NAME}-postgres-vnet \
                                   --subnet ${RELEASE_NAME}-postgres-subnet \
                                   --address-prefixes 10.0.0.0/16 \
                                   --subnet-prefixes 10.0.0.0/24 --query "connectionString" -o tsv --yes)
echo $POSTGRES_CONNECTION_STRING

az postgres flexible-server parameter set --resource-group ${RELEASE_NAME} \
                                          --server-name ${RELEASE_NAME}-postgres \
                                          --name azure.extensions \
                                          --value pgcrypto

az network vnet peering create --resource-group ${RELEASE_NAME} \
                               --name ${RELEASE_NAME}-postgres-to-cluster \
                               --vnet-name ${RELEASE_NAME}-postgres-vnet \
                               --remote-vnet ${AKS_VNET_ID} \
                               --allow-vnet-access

POSTGRES_VNET_ID=$(az network vnet show --name ${RELEASE_NAME}-postgres-vnet --resource-group ${RELEASE_NAME} --query "id" -o tsv)
AKS_VNET_NAME=$(az network vnet show --ids $AKS_VNET_ID --query "name" -o "tsv")
az network vnet peering create --resource-group MC_${RELEASE_NAME}_${RELEASE_NAME}-cluster_${LOCATION} \
                               --name ${RELEASE_NAME}-cluster-to-postgres \
                               --vnet-name ${AKS_VNET_NAME} \
                               --remote-vnet ${POSTGRES_VNET_ID} \
                               --allow-vnet-access

az network vnet subnet create --name ${RELEASE_NAME}-vm-subnet \
                              --vnet-name ${RELEASE_NAME}-postgres-vnet \
                              --resource-group ${RELEASE_NAME} \
                              --address-prefixes "10.0.1.0/24"

Create a VM and export the IP Address as an environment variable

VM_IP_ADDRESS=$(az vm create --name ${RELEASE_NAME}-vm \
             --resource-group ${RELEASE_NAME} \
             --image Ubuntu2204 \
             --vnet-name ${RELEASE_NAME}-postgres-vnet \
             --subnet ${RELEASE_NAME}-vm-subnet \
             --admin-username immuta-user \
             --public-ip-sku Standard \
             --ssh-key-value ~/.ssh/id_rsa.pub --query "publicIpAddress" -o tsv)

Connect to the VM and and install postgresql

ssh -i ~/.ssh/id_rsa immuta-user@${VM_IP_ADDRESS}
sudo apt update && sudo apt install -y postgresql

Connect to the database using the POSTGRES_CONNECTION_STRING variable created above

psql postgresql://username:[email protected]/flexibleserverdb?sslmode=require

Create Immuta Database

create database immuta;

\connect immuta

create extension pgcrypto;
create role immuta with createrole login encrypted password 'secret';
grant immuta to current_user;
alter database immuta owner to immuta;
grant all on database immuta to immuta;
alter role immuta set search_path to bometadata,audit,public;

Verify Connection

psql postgresql://username:[email protected]/immuta?sslmode=require

Create a TLS Secret

IMMUTA_URL=soleng.immuta.us
NAMESPACE=immuta
TLS_CERT=immutaus.crt
TLS_KEY=immutausnopass.key
kubectl create ns immuta
kubectl -n immuta create secret tls ${IMMUTA_URL}-tls \
                  --key=${TLS_KEY} \
                  --cert=${TLS_CERT}

Install Immuta via Helm

helm upgrade --install -n ${NAMESPACE} immuta \
             ./immuta-enterprise-2024.3.0.tgz -f immuta-values.yaml

Example Helm Values

global:
  imageRegistry: soleng.azurecr.io
  imageTag: 2024.3.0
  imageRepositoryMap:
    stable/audit-service: immuta/audit-service
    stable/audit-export-cronjob: immuta/audit-export-cronjob
    stable/cache: immuta/cache
    stable/classify-service: immuta/classify-service
    stable/detect-temporal-worker: immuta/detect-temporal-worker
    stable/immuta-service: immuta/immuta-service
    stable/temporal-admin-tools: immuta/temporal-admin-tools
    stable/temporal-proxy: immuta/temporal-proxy
    stable/temporal-server: immuta/temporal-server
  postgresql:
    host: soleng.postgres.database.azure.com
    port: 5432
    username: immuta
    password: immuta
    ssl: true
audit:
  enabled: true
  postgresql:
    database: immuta
  config:
    elasticsearchEndpoint: https://soleng-elastic.es.eastus.azure.elastic-cloud.com/
    elasticsearchUsername: soleng-audit-service
    elasticsearchPassword: jcp.cqz7GPM6jfp0rhk
secure:
  extraConfig:
    publicImmutaUrl: https://soleng.immuta.us
  postgresql:
    database: immuta
  ingress:
    ingressClassName: webapprouting.kubernetes.azure.com
    hostname: soleng.immuta.us
    tls: true
temporal:
  enabled: true
  server:
    additionalVolumes:
    - name: secret-with-certs
      secret:
        secretName: secret-with-certs
    extraVolumeMounts:
    - name: secret-with-certs
      mountPath: /certs/
    config:
      persistence:
        default:
          sql:
            database: temporal
            tls:
              caFile: /certs/global-bundle.pem
              enabled: true
        visibility:
          sql:
            database: temporal_visibility
            tls:
              caFile: /certs/global-bundle.pem
              enabled: true

PreviousAWS Immuta Deployment NextK3s Deployment

Last updated 1 year ago