Managed Public Cloud

This is a guide on how to deploy Immuta on Kubernetes in the following managed public cloud providers:

• Amazon Web Services (AWS)

• Microsoft Azure

• Google Cloud Platform (GCP)

Prerequisites

The following managed services must be provisioned and running before proceeding. For further assistance consult the for your respective cloud provider.

Checklist

This checklist outlines the necessary prerequisites for successfully deploying Immuta.

Credentials

• You have the credentials needed to access the ocir.immuta.com OCI registry. These can be viewed in your user profile at .

PostgreSQL

• You have a PostgreSQL user account with the necessary privileges to create databases, extensions, and roles.

• The Helm chart only supports username/password authentication for PostgreSQL. At this time, secrets are not supported.

Elasticsearch

• The Helm chart only supports username/password authentication for Elasticsearch. At this time, secrets are not supported.

Setup

Helm

Authenticate with OCI registry

echo <token> | helm registry login --password-stdin --username <username> ocir.immuta.com

Kubernetes

Create namespace

1. Create a Kubernetes namespace named immuta.

   Copy

   kubectl create namespace immuta

2. Switch to namespace immuta. All subsequent kubectl commands will default to this namespace.

   Copy

   kubectl config set-context --current --namespace=immuta

Create registry secret

kubectl create secret docker-registry immuta-oci-registry \
    --docker-server=https://ocir.immuta.com \
    --docker-username="<username>" \
    --docker-password="<token>" \
    --docker-email=support@immuta.com

PostgreSQL

Connect to the database

Connect to the database as an admin (e.g., postgres) by creating an ephemeral container inside the Kubernetes cluster. A shell prompt will not be displayed after executing the kubectl run command outlined below. Wait 5 seconds, and then proceed by entering a password.

kubectl run pgclient \
    --stdin \
    --tty \
    --rm \
    --image docker.io/bitnami/postgresql -- \
    psql --host <postgres-fqdn> --username <postgres-admin> --dbname postgres --port 5432 --password

Create role

1. Create the immuta role.

   Copy

   CREATE ROLE immuta with LOGIN ENCRYPTED PASSWORD '<postgres-password>';
   ALTER ROLE immuta SET search_path TO bometadata,public;

2. Grant administrator privileges to the immuta role. Upon successfully completing this installation guide, you can optionally revoke this role grant.

   Copy

   GRANT <admin-role> TO immuta;

3. Grant the immuta role to the current user. Upon successfully completing this installation guide, you can optionally revoke this role grant.

   Copy

   GRANT immuta TO CURRENT_USER;

Create databases

1. Create databases.

   Copy

   CREATE DATABASE immuta OWNER immuta;
   CREATE DATABASE temporal OWNER immuta;
   CREATE DATABASE temporal_visibility OWNER immuta;

2. Copy

   GRANT ALL ON DATABASE immuta TO immuta;
   GRANT ALL ON DATABASE temporal TO immuta;
   GRANT ALL ON DATABASE temporal_visibility TO immuta;

3. Configure the immuta database.

   Copy

   \c immuta
   CREATE EXTENSION pgcrypto;

4. Configure the temporal database.

   Copy

   \c temporal
   GRANT CREATE ON SCHEMA public TO immuta;

5. Configure the temporal_visibility database.

   Copy

   \c temporal_visibility
   GRANT CREATE ON SCHEMA public TO immuta;
   CREATE EXTENSION btree_gin;

6. Exit the interactive prompt. Type \q, and then press Enter.

Install Immuta

This section demonstrates how to deploy Immuta using the Immuta Enterprise Helm chart once the prerequisite cloud-managed services are configured.

global:
  imageRegistry: ocir.immuta.com
  imagePullSecrets:
    - name: immuta-oci-registry
  postgresql:
    host: <postgres-fqdn>
    port: 5432
    username: immuta
    password: <postgres-password>

audit:
  config:
    elasticsearchEndpoint: <elasticsearch-endpoint>
    elasticsearchUsername: <elasticsearch-username>
    elasticsearchPassword: <elasticsearch-password>
  postgresql:
    database: immuta

secure:
  postgresql:
    database: immuta
    ssl: true

temporal:
  enabled: true
  schema:
    createDatabase:
      enabled: false
  server:
    config:
      persistence:
        default:
          sql:
            database: temporal
            tls: 
              enabled: true
        visibility:
          sql:
            database: temporal_visibility
            tls:
              enabled: true

global:
  imageRegistry: ocir.immuta.com
  imagePullSecrets:
    - name: immuta-oci-registry
  postgresql:
    host: <postgres-fqdn>
    port: 5432
    username: immuta
    password: <postgres-password>

audit:
  enabled: false

secure:
  postgresql:
    database: immuta
    ssl: true
    
temporal:
  enabled: true
  schema:
    createDatabase:
      enabled: false
  server:
    config:
      persistence:
        default:
          sql:
            database: temporal
            tls: 
              enabled: true
        visibility:
          sql:
            database: temporal_visibility
            tls:
              enabled: true

2. Deploy Immuta.

   Copy

   helm install immuta oci://ocir.immuta.com/stable/immuta-enterprise \
       --values immuta-values.yaml \
       --version 2025.1.0

3. Wait for all pods to become ready.

   Copy

   kubectl wait --for=condition=Ready pods --all

Validation

1. Determine the name of the Secure service.

   Copy

   kubectl get service --selector "app.kubernetes.io/component=secure" --output name

2. Listen on local port 8080, forwarding TCP traffic to the Secure service's port named http.

   Copy

   kubectl port-forward <service-name> 8080:http

4. Press Control+C to stop port forwarding.

Next steps