# Enabling Legacy Query Engine The query engine is no longer installed by default. This guide demonstrates how to enable the query engine using the Immuta Enterprise Helm chart (IEHC). If you are using any of the [legacy data platforms](/latest/releases/support-matrix.md#legacy-databases), you must enable the query engine. {% hint style="info" %} **Kubernetes namespace** The following section(s) presume the IEHC was deployed into namespace `immuta`, and that the current namespace is `immuta`. {% endhint %} ## Prerequisites {% hint style="info" %} When migrating from the IHC to IEHC, query engine state is not retained. You must enable query engine rehydration to restore existing data source tables. If SQL credentials are used, they must be recreated by using LDAP sync or manually with the following command executed in the `bometadata` database: `TRUNCATE bometadata."profile-sql";` {% endhint %} * The [Immuta in production](/latest/configuration/self-managed-deployment/configure/immuta-in-production.md#kubernetes-secrets) guide must be completed before proceeding. * Validate that secret `immuta-secret` exists in the current namespace. ```bash kubectl get secret/immuta-secret ``` ## Create Kubernetes secret 1. Create a file named `secret-data.env` with the following content. ```bash # query-engine IMMUTA_FEATURE_PASSWORD= PATRONI_SUPERUSER_PASSWORD= PATRONI_REPLICATION_PASSWORD= PATRONI_RESTAPI_PASSWORD= ``` 2. Create secret named `immuta-legacy-secret` from file `secret-data.env` ```bash kubectl create secret generic immuta-legacy-secret --from-env-file=secret-data.env ``` 3. Delete file `secret-data.env`, as it's no longer needed. ```bash rm -i secret-data.env ``` ## Edit Helm values 1. Edit the `immuta-values.yaml` file to include the following Helm values. 
legacy:
     enabled: true

     queryEngine:
       statefulset:
         extraEnvVars:
         - name: IMMUTA_FEATURE_PASSWORD
           valueFrom:
             secretKeyRef:
               name: immuta-legacy-secret
               key: IMMUTA_FEATURE_PASSWORD
         - name: PATRONI_SUPERUSER_PASSWORD
           valueFrom:
             secretKeyRef:
               name: immuta-legacy-secret
               key: PATRONI_SUPERUSER_PASSWORD
         - name: PATRONI_REPLICATION_PASSWORD
           valueFrom:
             secretKeyRef:
               name: immuta-legacy-secret
               key: PATRONI_REPLICATION_PASSWORD
         - name: PATRONI_RESTAPI_PASSWORD
           valueFrom:
             secretKeyRef:
               name: immuta-legacy-secret
               key: PATRONI_RESTAPI_PASSWORD

       postgres:
         # Query Engine feature user
         # Instead use queryEngine.statefulset.extraEnvVars[].name[IMMUTA_FEATURE_PASSWORD]
         # password: <immuta-feature-password>

         # Query Engine superuser user
         # Instead use queryEngine.statefulset.extraEnvVars[].name[PATRONI_SUPERUSER_PASSWORD]
         # superuserPassword: <patroni-superuser-password>

         # Query Engine replication user
         # Instead use queryEngine.statefulset.extraEnvVars[].name[PATRONI_REPLICATION_PASSWORD]
         # replicationPassword: <patroni-replication-password>

         # Query Engine patroni api user
         # Instead use queryEngine.statefulset.extraEnvVars[].name[PATRONI_RESTAPI_PASSWORD]
         # patroniApiPassword: <patroni-api-password>
       immutaSecurity:
         # Each Kubernetes Service has a DNS record associated with it. See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
         # The anatomy of a domain name is as followed:
         #   <service>.<namespace>.svc.<cluster-domain>
         #
         # Where the default cluster domain is: cluster.local
         authEndpoint: "http://immuta-secure.immuta.svc.cluster.local:8823"

   secure:
     extraEnvVars:
     - name: IMMUTA_DATABASES_IMMUTA_CONNECTIONS_FEATURESTOREDB_PASSWORD
       valueFrom:
         secretKeyRef:
           name: immuta-legacy-secret
           key: IMMUTA_FEATURE_PASSWORD

     extraConfig:
       queryEngineRehydration:
         enabled: true
       disableFeatureStore: false
       databases:
         immuta:
           connections:
             featureStoreDb:
               # Each Kubernetes Service has a DNS record associated with it. See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
               # The anatomy of a domain name is as followed:
               #   <service>.<namespace>.svc.<cluster-domain>
               #
               # Where the default cluster domain is: cluster.local
               host: "immuta-legacy-query-engine-service.immuta.svc.cluster.local"
               port: 5432
               ssl: false
               # Query Engine feature user
               # Instead use secure.extraEnvVars[].name[IMMUTA_DATABASES_IMMUTA_CONNECTIONS_FEATURESTOREDB_PASSWORD]
               # password: <immuta-feature-password>
2. Update all [placeholder values](/latest/configuration/self-managed-deployment/conventions.md) in the `immuta-values.yaml` file. {% hint style="warning" %} **Avoid these special characters in generated passwords** whitespace, `$`, `&`, `:`, `\`, `/`, `'`, `"` {% endhint %} ## Apply Helm values Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`. ```shell helm upgrade oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2026.1.4 ``` [^1]: You must enable query engine rehydration to restore existing data source tables. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://documentation.immuta.com/latest/configuration/self-managed-deployment/configure/enabling-legacy-query-engine.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.