Azure Immuta Deployment
Last updated
Last updated
export RELEASE_NAME=soleng
export ACR_NAME=soleng
export LOCATION=eastus
az group create --name $RELEASE_NAME --location $LOCATION
# Create a container registry
az acr create --resource-group $RELEASE_NAME \
--name $ACR_NAME \
--sku BasicThis article uses skopeo to copy container images between registries. Please install for your host OS according to the documentation here:
az acr token create --name $RELEASE_NAME-token --registry $ACR_NAME --repository '*' content/write content/read
TOKEN_PASSWORD=$(az acr token credential generate -n $RELEASE_NAME-token -r $ACR_NAME --password1 --expiration-in-days 120|jq -r '.passwords[0].value')
echo $TOKEN_PASSWORD | skopeo login --username $RELEASE_NAME-token --password-stdin $ACR_NAME.azurecr.ioexport IMMUTA_USER=<found in support.immuta.com profile>
export IMMUTA_TOKEN=<find in support.immuta.com profile>
echo $IMMUTA_TOKEN |skopeo login --username $IMMUTA_USER --password-stdin ocir.immuta.comexport IMMUTA_VERSION=2024.3.0
for image in audit-service audit-export-cronjob cache classify-service detect-temporal-worker immuta-service temporal-admin-tools temporal-proxy temporal-server; do
skopeo copy docker://ocir.immuta.com/stable/$image:$IMMUTA_VERSION docker://$ACR_NAME.azurecr.io/immuta/$image:$IMMUTA_VERSION;
done az aks create --location $LOCATION \
--name $RELEASE_NAME-cluster \
--resource-group $RELEASE_NAME \
--network-plugin azure \
--enable-oidc-issuer \
--enable-app-routing \
--enable-workload-identity \
--attach-acr $ACR_NAMEexport EMAIL=rbauman@immuta.com
az elastic monitor create --location $LOCATION \
--name $RELEASE_NAME-elastic \
--resource-group $RELEASE_NAME \
--user-info "{emailAddress:$EMAIL}" \
--sku "{name:ess-consumption-2024_Monthly}"The following steps create the necessary networking relationships to access PostgreSQL privately from the AKS cluster created above.
az network private-dns zone create --resource-group $RELEASE_NAME \
--name $RELEASE_NAME.postgres.database.azure.comAKS_VNET_ID=$(az network vnet list --resource-group MC_${RELEASE_NAME}_${RELEASE_NAME}-cluster_${LOCATION} --query "[0].id" -o tsv)
az network private-dns link vnet create --resource-group ${RELEASE_NAME} \
--name postgres-dns-link \
--zone-name ${RELEASE_NAME}.postgres.database.azure.com \
--virtual-network ${AKS_VNET_ID} \
--registration-enabled falseDNS_ZONE_ID=$(az network private-dns zone show --resource-group ${RELEASE_NAME} --name ${RELEASE_NAME}.postgres.database.azure.com --query "id" -o tsv)
POSTGRES_CONNECTION_STRING=$(az postgres flexible-server create --version 16 \
--resource-group ${RELEASE_NAME} \
--name ${RELEASE_NAME}-postgres \
--private-dns-zone ${DNS_ZONE_ID} \
--vnet ${RELEASE_NAME}-postgres-vnet \
--subnet ${RELEASE_NAME}-postgres-subnet \
--address-prefixes 10.0.0.0/16 \
--subnet-prefixes 10.0.0.0/24 --query "connectionString" -o tsv --yes)
echo $POSTGRES_CONNECTION_STRINGaz postgres flexible-server parameter set --resource-group ${RELEASE_NAME} \
--server-name ${RELEASE_NAME}-postgres \
--name azure.extensions \
--value pgcryptoaz network vnet peering create --resource-group ${RELEASE_NAME} \
--name ${RELEASE_NAME}-postgres-to-cluster \
--vnet-name ${RELEASE_NAME}-postgres-vnet \
--remote-vnet ${AKS_VNET_ID} \
--allow-vnet-accessPOSTGRES_VNET_ID=$(az network vnet show --name ${RELEASE_NAME}-postgres-vnet --resource-group ${RELEASE_NAME} --query "id" -o tsv)
AKS_VNET_NAME=$(az network vnet show --ids $AKS_VNET_ID --query "name" -o "tsv")
az network vnet peering create --resource-group MC_${RELEASE_NAME}_${RELEASE_NAME}-cluster_${LOCATION} \
--name ${RELEASE_NAME}-cluster-to-postgres \
--vnet-name ${AKS_VNET_NAME} \
--remote-vnet ${POSTGRES_VNET_ID} \
--allow-vnet-access az network vnet subnet create --name ${RELEASE_NAME}-vm-subnet \
--vnet-name ${RELEASE_NAME}-postgres-vnet \
--resource-group ${RELEASE_NAME} \
--address-prefixes "10.0.1.0/24"Create a VM and export the IP Address as an environment variable
VM_IP_ADDRESS=$(az vm create --name ${RELEASE_NAME}-vm \
--resource-group ${RELEASE_NAME} \
--image Ubuntu2204 \
--vnet-name ${RELEASE_NAME}-postgres-vnet \
--subnet ${RELEASE_NAME}-vm-subnet \
--admin-username immuta-user \
--public-ip-sku Standard \
--ssh-key-value ~/.ssh/id_rsa.pub --query "publicIpAddress" -o tsv)Connect to the VM and and install postgresql
ssh -i ~/.ssh/id_rsa immuta-user@${VM_IP_ADDRESS}
sudo apt update && sudo apt install -y postgresqlConnect to the database using the POSTGRES_CONNECTION_STRING variable created above
psql postgresql://username:password@soleng.postgres.database.azure.com/flexibleserverdb?sslmode=requirecreate database immuta;\connect immutacreate extension pgcrypto;
create role immuta with createrole login encrypted password 'secret';
grant immuta to current_user;
alter database immuta owner to immuta;
grant all on database immuta to immuta;
alter role immuta set search_path to bometadata,audit,public;psql postgresql://username:password@soleng-postgres.postgres.database.azure.com/immuta?sslmode=requireIMMUTA_URL=soleng.immuta.us
NAMESPACE=immuta
TLS_CERT=immutaus.crt
TLS_KEY=immutausnopass.key
kubectl create ns immuta
kubectl -n immuta create secret tls ${IMMUTA_URL}-tls \
--key=${TLS_KEY} \
--cert=${TLS_CERT}helm upgrade --install -n ${NAMESPACE} immuta \
./immuta-enterprise-2024.3.0.tgz -f immuta-values.yamlglobal:
imageRegistry: soleng.azurecr.io
imageTag: 2024.3.0
imageRepositoryMap:
stable/audit-service: immuta/audit-service
stable/audit-export-cronjob: immuta/audit-export-cronjob
stable/cache: immuta/cache
stable/classify-service: immuta/classify-service
stable/detect-temporal-worker: immuta/detect-temporal-worker
stable/immuta-service: immuta/immuta-service
stable/temporal-admin-tools: immuta/temporal-admin-tools
stable/temporal-proxy: immuta/temporal-proxy
stable/temporal-server: immuta/temporal-server
postgresql:
host: soleng.postgres.database.azure.com
port: 5432
username: immuta
password: immuta
ssl: true
audit:
enabled: true
postgresql:
database: immuta
config:
elasticsearchEndpoint: https://soleng-elastic.es.eastus.azure.elastic-cloud.com/
elasticsearchUsername: soleng-audit-service
elasticsearchPassword: jcp.cqz7GPM6jfp0rhk
secure:
extraConfig:
publicImmutaUrl: https://soleng.immuta.us
postgresql:
database: immuta
ingress:
ingressClassName: webapprouting.kubernetes.azure.com
hostname: soleng.immuta.us
tls: true
temporal:
enabled: true
server:
additionalVolumes:
- name: secret-with-certs
secret:
secretName: secret-with-certs
extraVolumeMounts:
- name: secret-with-certs
mountPath: /certs/
config:
persistence:
default:
sql:
database: temporal
tls:
caFile: /certs/global-bundle.pem
enabled: true
visibility:
sql:
database: temporal_visibility
tls:
caFile: /certs/global-bundle.pem
enabled: true