
In-cluster Elasticsearch using Elastic Cloud on Kubernetes (ECK)


It is possible to deploy Immuta without cloud-provided managed services by using enterprise-ready tools for Kubernetes.

This article describes deploying an Elasticsearch cluster in the Immuta installation namespace and pointing the Immuta application at that cluster.

Deploying ECK

This section relies heavily on the official Elastic Cloud on Kubernetes guide referenced at the end of this page.

Install CRDs and Operator

kubectl create -f https://download.elastic.co/downloads/eck/2.12.1/crds.yaml
kubectl apply -f https://download.elastic.co/downloads/eck/2.12.1/operator.yaml

Deploy an Elasticsearch cluster

cat <<EOF | kubectl apply -f -
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: immuta-audit-service
  namespace: immuta
spec:
  version: 8.13.4
  volumeClaimDeletePolicy: DeleteOnScaledownOnly
  http:
    tls:
      selfSignedCertificate:
        disabled: true # TLS is off on the HTTP layer, so clients connect over plain http://
  nodeSets:
  - name: default
    count: 3
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data # Do not change this name unless you set up a volume mount for the data path.
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 200Gi
EOF

Verifying cluster health

kubectl get -n immuta elasticsearch
NAME                   HEALTH   NODES   VERSION   PHASE   AGE
immuta-audit-service   green    3       8.13.4    Ready   18m

Validate Connectivity

PASSWORD=$(kubectl get -n immuta secret immuta-audit-service-es-elastic-user -o go-template='{{.data.elastic | base64decode}}')

Forward the port in a separate terminal:

kubectl port-forward -n immuta service/immuta-audit-service-es-http 9200

In the original terminal, with PASSWORD set, curl the endpoint. The manifest above disables TLS on the HTTP layer, so the endpoint is plain HTTP:

curl -u "elastic:$PASSWORD" "http://localhost:9200"
{
  "name" : "immuta-audit-service-es-default-1",
  "cluster_name" : "immuta-audit-service",
  "cluster_uuid" : "qg6s9S49SSWlldGvdWi1Rg",
  "version" : {
    "number" : "8.13.4",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "da95df118650b55a500dcc181889ac35c6d8da7c",
    "build_date" : "2024-05-06T22:04:45.107454559Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

Deploying Immuta

Install Immuta with the Elasticsearch endpoint and credentials specified.

global:
  imageRegistry: 231431240278.dkr.ecr.us-east-1.amazonaws.com
  imageTag: 2024.2.0
audit:
  enabled: true
  config:
    databaseConnectionString: postgresql://immuta-pg:y7n;D%3FDK6%2F)0%2F<%3Dc,}J}Bm3^@immuta-pg-primary.immuta.svc:5432/immuta-pg
    elasticsearchEndpoint: http://immuta-audit-service-es-http.immuta.svc:9200
    elasticsearchUsername: elastic
    elasticsearchPassword: z84cGbw8J1t73J7Rwt3n9I3s
secure:
  extraEnvVars:
    - name: FeatureFlag_AuditService
      value: "true"
    - name: FeatureFlag_detect
      value: "true"
    - name: FeatureFlag_auditLegacyViewHide
      value: "true"
  ingress:
    hostname: crunchy.immuta.us
    ingressClassName: alb
    annotations:
      alb.ingress.kubernetes.io/group.name: immuta-trino
      alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
      alb.ingress.kubernetes.io/ssl-redirect: '443'
      alb.ingress.kubernetes.io/backend-protocol: HTTP
    tls: true
  postgresql:
    host: immuta-pg-primary.immuta.svc
    port: 5432
    database: immuta-pg
    username: immuta-pg
    password: y7n;D?DK6/)0/<=c,}J}Bm3^
    ssl: true

Note that special characters in the password must be percent-encoded in the PostgreSQL connection string, as described here:

https://www.prisma.io/dataguide/postgresql/short-guides/connection-uris#percent-encoding-values
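The following is an added example, not part of the original article or of Immuta's code: it builds the connection string from the values shown above with every reserved character percent-encoded, then checks that a URI parser recovers the intended password. It assumes Python's `urllib.parse` as a stand-in for whatever parser the consuming service uses; the function names are hypothetical.

```python
from urllib.parse import quote, unquote, urlsplit

# Values copied from the Helm values on this page.
USER, DATABASE = "immuta-pg", "immuta-pg"
PASSWORD = "y7n;D?DK6/)0/<=c,}J}Bm3^"
HOST, PORT = "immuta-pg-primary.immuta.svc", 5432
PAGE_URI = ("postgresql://immuta-pg:y7n;D%3FDK6%2F)0%2F<%3Dc,}J}Bm3^"
            "@immuta-pg-primary.immuta.svc:5432/immuta-pg")


def build_pg_uri(user, password, host, port, database):
    """Build a connection URI with every reserved character percent-encoded."""
    def enc(value):
        # safe="" also encodes "/", which quote() leaves alone by default.
        return quote(value, safe="")
    return f"postgresql://{enc(user)}:{enc(password)}@{host}:{port}/{enc(database)}"


def decode_credentials(uri):
    """Return (user, password, host) as a URI parser sees them, percent-decoded."""
    # Assumption: urlsplit stands in for the parser used by the consuming service.
    parts = urlsplit(uri)
    user = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None
    return user, password, parts.hostname


def uri_matches(uri, user, password, host):
    """True only when the URI decodes back to the intended credentials and host."""
    return decode_credentials(uri) == (user, password, host)


if __name__ == "__main__":
    candidates = {
        "page (partially encoded)": PAGE_URI,
        "fully encoded": build_pg_uri(USER, PASSWORD, HOST, PORT, DATABASE),
        # Constructed failure case: the raw password pasted in unencoded.
        "unencoded": f"postgresql://{USER}:{PASSWORD}@{HOST}:{PORT}/{DATABASE}",
    }
    for label, uri in candidates.items():
        print(f"{label:26} ok={uri_matches(uri, USER, PASSWORD, HOST)} "
              f"parsed={decode_credentials(uri)}")
```

In the unencoded case the first `?` in the password ends the authority part of the URI, so the parser sees no password at all and takes `immuta-pg` as the host.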
Deploy ECK in your Kubernetes cluster | Elastic Cloud on Kubernetes [2.8] | Elastic