Deploy Immuta without ElasticSearch

Feature availability

If you deploy Immuta without ElasticSearch, several core services and features will be unavailable. See the Deployment requirements page for details.

The guides below outline how to deploy Immuta without ElasticSearch.

This is a guide on how to deploy Immuta on Kubernetes in the following managed public cloud providers:

  • Amazon Web Services (AWS)

  • Microsoft Azure

  • Google Cloud Platform (GCP)

Prerequisites

The following cloud-managed services must be provisioned before proceeding:

Validation

  1. The PostgreSQL instance's hostname/FQDN is resolvable from within the Kubernetes cluster.

  2. The PostgreSQL instance is accepting connections.

Authenticate with OCI registry

Copy the snippet below and replace the placeholder text with the credentials provided to you by your customer success manager:

echo <token> | helm registry login --password-stdin --username <username> ocir.immuta.com

Setup

  1. Create a Kubernetes namespace named immuta for Immuta.

    kubectl create namespace immuta
  2. Switch to namespace immuta.

    kubectl config set-context --current --namespace=immuta
  3. Create a container registry pull secret. Contact your Immuta representative to obtain credentials to authenticate with ocir.immuta.com.

    kubectl create secret docker-registry immuta-oci-registry \
        --docker-server=https://ocir.immuta.com \
        --docker-username="<username>" \
        --docker-password="<token>" \
        --docker-email=support@immuta.com

PostgreSQL

Connecting to the database

There are numerous ways to connect to a PostgreSQL database. This step demonstrates how to connect by creating an ephemeral Kubernetes pod.

  1. Connect to the database as superuser (postgres) by creating an ephemeral container inside the Kubernetes cluster. A shell prompt will not be displayed after executing the kubectl run command outlined below. Wait 5 seconds, and then proceed by entering a password.

    kubectl run pgclient \
        --stdin \
        --tty \
        --rm \
        --image docker.io/bitnami/postgresql -- \
        psql --host <postgres-fqdn> --username postgres --port 5432 --password
  2. Create necessary databases and role.

    CREATE ROLE immuta with login encrypted password '<postgres-password>';
    
    GRANT immuta TO CURRENT_USER;
    
    CREATE DATABASE immuta OWNER immuta;
    CREATE DATABASE temporal OWNER immuta;
    CREATE DATABASE temporal_visibility OWNER immuta;
    
    GRANT all ON DATABASE immuta TO immuta;
    GRANT all ON DATABASE temporal TO immuta;
    GRANT all ON DATABASE temporal_visibility TO immuta;
    ALTER ROLE immuta SET search_path TO bometadata,public;
  3. Revoke privileges from CURRENT_USER as they're no longer required.

    REVOKE immuta FROM CURRENT_USER;
  4. Enable the pgcrypto extension.

    \c immuta
    CREATE EXTENSION pgcrypto;
  5. Type \q, and then press Enter to exit.

Install Immuta

This section demonstrates how to deploy Immuta using the Immuta Enterprise Helm chart once the prerequisite cloud-managed services are configured.

  1. Create a Helm values file named immuta-values.yaml with the following content:

    global:
      imageRegistry: ocir.immuta.com
      imagePullSecrets:
        - name: immuta-oci-registry
      imageRepositoryMap:
        immuta/immuta-service: stable/immuta-service
        immuta/immuta-db: stable/immuta-db
        immuta/immuta-fingerprint: stable/immuta-fingerprint
        immuta/audit-service: stable/audit-service
        immuta/audit-export-cronjob: stable/audit-export-cronjob
        immuta/classify-service: stable/classify-service
        immuta/cache: stable/cache
      featureFlags:
        AuditService: false
        detect: false
        auditLegacyViewHide: false
      postgresql:
        host: <postgres-fqdn>
        port: 5432
        username: immuta
        password: <postgres-password>
    
    
    audit:
      enabled: false
    
    secure:
      ingress:
        enabled: false
        tls: false
    
      postgresql:
        database: immuta
        ssl: true
  2. Update all placeholder values in the immuta-values.yaml file.

  3. Deploy Immuta.

    helm install immuta immuta/immuta-enterprise \
        --values immuta-values.yaml

Validation

  1. Wait for all pods in the namespace to become ready.

    kubectl wait --for=condition=Ready pods --all
  2. Determine the name of the Secure service.

    kubectl get service --selector "app.kubernetes.io/component=secure" --output template='{{ .metadata.name }}'
  3. Listen on local port 8080, forwarding TCP traffic to the Secure service's port named http.

    kubectl port-forward service/<name> 8080:http

Next steps

Last updated

Copyright © 2014-2024 Immuta Inc. All rights reserved.