It is possible to deploy Immuta without cloud-provided managed services by using enterprise-ready tools for Kubernetes.
This article describes deploying an Elasticsearch cluster in the Immuta installation namespace and pointing the Immuta application at that cluster.
This section relies heavily on the official Elasticsearch guides found at the link below.
Install CRDs and Operator
kubectl create -f https://download.elastic.co/downloads/eck/2.12.1/crds.yaml
kubectl apply -f https://download.elastic.co/downloads/eck/2.12.1/operator.yaml
Deploy an Elasticsearch cluster
cat <<EOF | kubectl apply -f -
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: immuta-audit-service
  namespace: immuta
spec:
  version: 8.13.4
  volumeClaimDeletePolicy: DeleteOnScaledownOnly
  http:
    tls:
      selfSignedCertificate:
        disabled: true
  nodeSets:
  - name: default
    count: 3
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data # Do not change this name unless you set up a volume mount for the data path.
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 200Gi
EOF
kubectl get -n immuta elasticsearch
NAME                   HEALTH   NODES   VERSION   PHASE   AGE
immuta-audit-service   green    3       8.13.4    Ready   18m
PASSWORD=$(kubectl get -n immuta secret immuta-audit-service-es-elastic-user -o go-template='{{.data.elastic | base64decode}}')
kubectl port-forward -n immuta service/immuta-audit-service-es-http 9200
# The manifest above disables TLS on the HTTP layer, so the cluster answers on plain http://
curl -u "elastic:$PASSWORD" "http://localhost:9200"
{
  "name" : "immuta-audit-service-es-default-1",
  "cluster_name" : "immuta-audit-service",
  "cluster_uuid" : "qg6s9S49SSWlldGvdWi1Rg",
  "version" : {
    "number" : "8.13.4",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "da95df118650b55a500dcc181889ac35c6d8da7c",
    "build_date" : "2024-05-06T22:04:45.107454559Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
Install Immuta with the Elasticsearch endpoint and credentials specified.
global:
  imageRegistry: 231431240278.dkr.ecr.us-east-1.amazonaws.com
  imageTag: 2024.2.0
audit:
  enabled: true
  config:
    databaseConnectionString: postgresql://immuta-pg:y7n;D%3FDK6%2F)0%2F<%3Dc,}J}Bm3^@immuta-pg-primary.immuta.svc:5432/immuta-pg
    elasticsearchEndpoint: http://immuta-audit-service-es-http.immuta.svc:9200
    elasticsearchUsername: elastic
    elasticsearchPassword: z84cGbw8J1t73J7Rwt3n9I3s
secure:
  extraEnvVars:
    - name: FeatureFlag_AuditService
      value: "true"
    - name: FeatureFlag_detect
      value: "true"
    - name: FeatureFlag_auditLegacyViewHide
      value: "true"
  ingress:
    hostname: crunchy.immuta.us
    ingressClassName: alb
    annotations:
      alb.ingress.kubernetes.io/group.name: immuta-trino
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
      alb.ingress.kubernetes.io/ssl-redirect: '443'
      alb.ingress.kubernetes.io/backend-protocol: HTTP
    tls: true
  postgresql:
    host: immuta-pg-primary.immuta.svc
    port: 5432
    database: immuta-pg
    username: immuta-pg
    password: y7n;D?DK6/)0/<=c,}J}Bm3^
    ssl: true
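
The values above must agree with the Elasticsearch resource and with themselves: the endpoint host follows the <name>-es-http.<namespace>.svc service name, its scheme follows the TLS setting in the manifest, and the connection string has to carry the PostgreSQL password percent-encoded. The check below is an added example, not part of the Immuta or Elastic documentation; it assumes both documents are already loaded as dictionaries (for instance from JSON output of kubectl and helm), and the function names, finding labels and sample passwords are made up for illustration.

```python
from urllib.parse import quote, unquote, urlsplit

def pg_url(user, password, host, port, database):
    """Build the connection string with the password percent-encoded."""
    return f"postgresql://{user}:{quote(password, safe='')}@{host}:{port}/{database}"

def check(es, values):
    """Compare the Elasticsearch resource with the Immuta values; return findings."""
    findings = []
    name, ns = es["metadata"]["name"], es["metadata"]["namespace"]
    tls = es["spec"].get("http", {}).get("tls", {})
    tls_off = tls.get("selfSignedCertificate", {}).get("disabled", False)
    cfg, pg = values["audit"]["config"], values["secure"]["postgresql"]

    ep = urlsplit(cfg["elasticsearchEndpoint"])
    if (ep.hostname, ep.port) != (f"{name}-es-http.{ns}.svc", 9200):
        findings.append("endpoint-target")    # not the <name>-es-http service
    if ep.scheme != ("http" if tls_off else "https"):
        findings.append("endpoint-scheme")    # disagrees with spec.http.tls
    if ep.scheme == "http":
        findings.append("plaintext-http")     # elastic password sent unencrypted

    try:
        db = urlsplit(cfg["databaseConnectionString"])
        got = (db.username, unquote(db.password or ""), db.hostname, db.port,
               db.path.lstrip("/"))
    except ValueError:                        # raw '?', '/' or '#' in the password
        got = None
    want = tuple(pg[k] for k in ("username", "password", "host", "port", "database"))
    if got != want:
        findings.append("connection-string")
    return findings

# Constructed sample input using the resource names from this page; the
# passwords are made up.
PG = {"username": "immuta-pg", "password": "Tr?ck/y=pw",
      "host": "immuta-pg-primary.immuta.svc", "port": 5432, "database": "immuta-pg"}
ES = {"metadata": {"name": "immuta-audit-service", "namespace": "immuta"},
      "spec": {"http": {"tls": {"selfSignedCertificate": {"disabled": True}}}}}

def sample_values(conn):
    return {"audit": {"config": {
                "databaseConnectionString": conn,
                "elasticsearchEndpoint": "http://immuta-audit-service-es-http.immuta.svc:9200",
                "elasticsearchUsername": "elastic", "elasticsearchPassword": "made-up"}},
            "secure": {"postgresql": PG}}

if __name__ == "__main__":
    print(check(ES, sample_values(pg_url(*PG.values()))))
```

With the configuration shown on this page the only finding is plaintext-http, which follows directly from disabling the self-signed certificate in the manifest.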