Deploying Immuta with a custom Certificate Authority or Trust Chain

Issue

A customer uses a custom certificate or CA trust chain and wants Immuta to use it by default when authenticating to data sources such as Databricks or Starburst/Trino, without having to upload the certificate each time.

Cause

Immuta is being deployed in an air-gapped or other specialized customer environment that uses a custom CA trust chain which Immuta does not acknowledge or trust by default.

Resolution

To have Immuta accept a custom CA trust chain or certificate by default on each deployment, a few changes to the Helm deployment are required. As with all advanced deployment options, we strongly recommend consulting your Immuta expert to confirm that this information is current and correct for your use case. Note that this approach works with a single file/secret only: to trust multiple CAs or certificates, concatenate them into one .pem/.crt file and Immuta will accept all of them.

  1. Start by creating a Kubernetes secret that holds your certificate or custom CA trust chain (either a .pem or a .crt file works):

    kubectl -n immuta create secret generic ca-certs --from-file=ca-bundle.pem=custom-ca.pem
  2. Identify which data sources you want to use this custom CA/certificate for; each maps to a handler name used in the helm values in step 3:

    1. databricksHandler - Use for Databricks Data Sources

    2. prestoHandler - Use for Trino Data Sources

    3. trinoHandler - Use for Licensed Starburst Data Sources

    4. snowflakeHandler - Use for Snowflake Data Sources

    5. redshiftHandler - Use for Redshift Data Sources

    6. bigqueryHandler - Use for Google BigQuery Data Sources

  3. Use the new secret to mount the bundle file into the web and query engine pods with the following helm values:

    queryEngine:
      extraVolumes:
        - name: ca-certs
          secret:
            secretName: ca-certs
            items:
              - key: ca-bundle.pem
                path: ca-bundle.pem
      extraVolumeMounts:
        - name: ca-certs
          mountPath: /etc/pki/tls/certs
          readOnly: true
      extraConfig:
        plugins:
          targetHandler: # replace with the handler for your backing technology, see step 2
            dbms:
              driverArguments:
                TrustedCerts: /etc/pki/tls/certs/ca-bundle.pem
    web:
      extraVolumes:
        - name: ca-certs
          secret:
            secretName: ca-certs
            items:
              - key: ca-bundle.pem
                path: ca-bundle.pem
      extraVolumeMounts:
        - name: ca-certs
          mountPath: /etc/pki/tls/certs
          readOnly: true
      extraEnv:
        - name: NODE_EXTRA_CA_CERTS
          value: /etc/pki/tls/certs/ca-bundle.pem
      extraConfig:
        plugins:
          targetHandler: # replace with the handler for your backing technology, see step 2
            dbms:
              driverArguments:
                TrustedCerts: /etc/pki/tls/certs/ca-bundle.pem
  4. Upgrade your Helm release so the pods pick up the new config options (the release name, immuta here, must match your existing release):

    helm upgrade -n immuta immuta immuta/immuta --values helm-values.yaml
  5. From here on out, Immuta will use the new ca-bundle.pem bundle and will trust any of these certificates when making SSL connections to your backing data sources.

    1. If you need to add or modify the bundle, update the secret and then upgrade your deployment again so the pods accept the new bundle.
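The bundle-building and secret-creation part of this procedure (step 1 and the refresh in step 5.1), as an added shell example that is not part of this article or of Immuta's tooling: it concatenates several CA files into the single bundle the article requires, checks the PEM framing (matching BEGIN/END markers) before anything is mounted into the pods, and creates or refreshes the ca-certs secret under the same ca-bundle.pem key the helm values reference. The two sample certificates are constructed placeholders with fake bodies, the namespace and secret name are taken from the article, and the kubectl step is skipped when kubectl is not installed so the example runs offline.

```shell
#!/bin/sh
# Added example (not from the Immuta article): build one CA bundle from several
# PEM files, sanity-check it, and load it into the "ca-certs" secret that the
# article's helm values mount. The two certificates below are constructed
# placeholders with fake contents; they only exercise the PEM framing checks.
set -eu

WORKDIR=$(mktemp -d)

# Constructed sample CA files (placeholder bodies, not real certificates).
cat > "$WORKDIR/root-ca.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERROOTCAbodyNotARealCertificate000000000000000000000
-----END CERTIFICATE-----
EOF
# Second file deliberately has no trailing newline, a common cause of
# "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" on one line.
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' \
  'MIIBPLACEHOLDERINTERMEDIATEbodyNotARealCertificate00000000000' \
  '-----END CERTIFICATE-----' > "$WORKDIR/intermediate-ca.pem"

# Concatenate PEM files into one bundle, adding a newline after any file that
# lacks one so END/BEGIN markers never run together.
build_bundle() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    cat "$f" >> "$out"
    if [ -n "$(tail -c 1 "$f")" ]; then
      printf '\n' >> "$out"
    fi
  done
}

# Number of certificates in a PEM file (0 if none).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeeds only if the bundle holds at least one certificate and every BEGIN has
# a matching END; catches truncated or badly concatenated files before the
# drivers in the pods silently reject them.
check_bundle() {
  begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
  [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Create or refresh the secret referenced by the helm values. The key must stay
# ca-bundle.pem, which is the path the volume mounts and TrustedCerts points at.
# The dry-run/apply idiom makes the same call work for the initial creation and
# for the refresh in step 5.1. Skipped when kubectl is not installed.
apply_ca_secret() {
  if ! command -v kubectl >/dev/null 2>&1; then
    echo "kubectl not found; skipping secret creation for $1" >&2
    return 0
  fi
  kubectl -n immuta create secret generic ca-certs \
    --from-file=ca-bundle.pem="$1" --dry-run=client -o yaml | kubectl -n immuta apply -f -
}

BUNDLE="$WORKDIR/ca-bundle.pem"
build_bundle "$BUNDLE" "$WORKDIR/root-ca.pem" "$WORKDIR/intermediate-ca.pem"
if check_bundle "$BUNDLE"; then
  echo "bundle OK: $(count_certs "$BUNDLE") certificate(s)"   # prints 2 for the sample files
  apply_ca_secret "$BUNDLE"
else
  echo "bundle is malformed; not creating secret" >&2
  exit 1
fi
```

After the secret is applied, the helm upgrade from step 4 is still needed so the pods mount the refreshed bundle; the framing check only catches structural problems in the file, not an expired or wrong CA, so the first data source connection after the upgrade remains the real verification.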
