In-cluster Elasticsearch using Elastic Cloud on Kubernetes (ECK)
It is possible to deploy Immuta without the use of cloud provided managed services by using enterprise-ready tools for kubernetes.
This article describes deploying an Elasticsearch cluster in the Immuta installation namespace and pointing the Immuta application at this cluster for deployment
Deploying ECK
This section relies heavily on the Elasticsearch official guides found at the link below
Install CRDs and Operator
kubectl create -f https://download.elastic.co/downloads/eck/2.12.1/crds.yaml
kubectl apply -f https://download.elastic.co/downloads/eck/2.12.1/operator.yamlDeploy an Elasticsearch cluster
cat <<EOF | kubectl apply -f -
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
name: immuta-audit-service
namespace: immuta
spec:
version: 8.13.4
volumeClaimDeletePolicy: DeleteOnScaledownOnly
http:
tls:
selfSignedCertificate:
disabled: true
nodeSets:
- name: default
count: 3
volumeClaimTemplates:
- metadata:
name: elasticsearch-data # Do not change this name unless you set up a volume mount for the data path.
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 200Gi
EOFVerifying cluster health
kubectl get -n immuta elasticsearch
NAME HEALTH NODES VERSION PHASE AGE
immuta-audit-service green 3 8.13.4 Ready 18mValidate Connectivity
PASSWORD=$(kubectl get -n immuta secret immuta-audit-service-es-elastic-user -o go-template='{{.data.elastic | base64decode}}')Forward the port in a separate terminal
kubectl port-forward -n immuta service/immuta-audit-service-es-http 9200In the original terminal with the password set curl the endpoint
curl -u "elastic:$PASSWORD" -k "https://localhost:9200"
{
"name" : "immuta-audit-service-es-default-1",
"cluster_name" : "immuta-audit-service",
"cluster_uuid" : "qg6s9S49SSWlldGvdWi1Rg",
"version" : {
"number" : "8.13.4",
"build_flavor" : "default",
"build_type" : "docker",
"build_hash" : "da95df118650b55a500dcc181889ac35c6d8da7c",
"build_date" : "2024-05-06T22:04:45.107454559Z",
"build_snapshot" : false,
"lucene_version" : "9.10.0",
"minimum_wire_compatibility_version" : "7.17.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "You Know, for Search"
}Deploying Immuta
Install Immuta with the Elasticsearch endpoint and credentials specified.
global:
imageRegistry: 231431240278.dkr.ecr.us-east-1.amazonaws.com
imageTag: 2024.2.0
audit:
enabled: true
config:
databaseConnectionString: postgresql://immuta-pg:y7n;D%3FDK6%2F)0%2F<%3Dc,}J}Bm3^@immuta-pg-primary.immuta.svc:5432/immuta-pg
elasticsearchEndpoint: http://immuta-audit-service-es-http.immuta.svc:9200
elasticsearchUsername: elastic
elasticsearchPassword: z84cGbw8J1t73J7Rwt3n9I3s
secure:
extraEnvVars:
- name: FeatureFlag_AuditService
value: "true"
- name: FeatureFlag_detect
value: "true"
- name: FeatureFlag_auditLegacyViewHide
value: "true"
ingress:
hostname: crunchy.immuta.us
ingressClassName: alb
annotations:
alb.ingress.kubernetes.io/group.name: immuta-trino
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/ssl-redirect: '443'
alb.ingress.kubernetes.io/backend-protocol: HTTP
tls: true
postgresql:
host: immuta-pg-primary.immuta.svc
port: 5432
database: immuta-pg
username: immuta-pg
password: y7n;D?DK6/)0/<=c,}J}Bm3^
ssl: true