Getting Started
The instructions and how-to guides on this page illustrate how to install Immuta in your Kubernetes environment. If you are upgrading Immuta, navigate to the Upgrade section instead.
Prerequisites and requirements
- Use a supported version of Kubernetes.
- Use Helm 3.2.0 or newer (When using a Helm version older than 3.8.0, enable OCI experimental mode by exporting environment variable
HELM_EXPERIMENTAL_OCI=1
). - Deploy the services listed on the Deployment requirements guide. See the recommendations table for guidance for specific cloud providers.
- Grant RBAC permissions to create Kubernetes resources in the cluster.
Pull the Helm chart
Consult the upgrade overview if unsure which helm chart to use.
ocir.immuta.com
Helm chart availability
The deprecated Immuta Helm chart (IHC) is not available from ocir.immuta.com.
-
Copy the snippet below and replace the placeholder text with the credentials provided to you by your Customer Success Manager:
echo <token> | helm registry login --password-stdin --username <username> ocir.immuta.com
(Deprecated) archives.immuta.com
Deprecation of archives.immuta.com
The preferred means of installing the Immuta Enterprise Helm chart (IEHC) is via ocir.immuta.com. The IEHC will continue to be published to archives.immuta.com for the foreseeable future.
- Reach out to your Immuta support professional to obtain the Kubernetes Helm Installation Credentials to authenticate with Immuta's Helm registry.
-
Copy the snippet below and replace the placeholder text with the credentials you obtained in the previous step to add the Helm repository:
echo <token> | helm repo add --username <username> --password-stdin immuta https://archives.immuta.com/charts
--pass-credentials flag
If you encounter an unauthorized error when adding the Immuta Enterprise Helm chart (IEHC), run
helm repo add --pass-credentials
.Usernames and passwords are only passed to the URL location of the Helm repository by default. The username and password are scoped to the scheme, host, and port of the Helm repository. To pass the username and password to other domains Helm may encounter when it goes to retrieve a chart, the new
--pass-credentials
flag can be used. This flag restores the old behavior for a single repository as an opt-in behavior.If you use a username and password for a Helm repository, you can audit the Helm repository in order to check for another domain that could have received the credentials. In the
index.yaml
file for that repository, look for another domain in the URL's list for the chart versions. If there is another domain found and that chart version is pulled or installed, the credentials will be passed on. -
(Optional) Fetch the latest chart information from the repository:
helm repo update immuta
-
List all available versions of the chart:
helm search repo --regexp 'immuta/immuta-enterprise\v' --versions
helm search repo --regexp 'immuta/immuta\v' --versions
Install Immuta
Immuta can be installed on any Kubernetes cluster. Select a guide below that corresponds to your Kubernetes distribution to install Immuta. If your distribution is not listed below (such as K3s or RKE2), follow the generic installation instructions:
- Managed public cloud: This guide includes instructions for
- Amazon Elastic Kubernetes Service (EKS)
- Google Kubernetes Engine (GKE)
- Microsoft Azure Kubernetes Service (AKS)
- Red Hat OpenShift
- Generic installation
Configure Ingress
To complete your installation and access the Immuta application, configure Ingress.
Additional recommendations
The configuration section includes guidance for various scenarios you may encounter during and post-deployment. Below are several guides from that section that most customers follow to complete their deployment of Immuta, but none of these is a requirement for the Immuta installation to work.
- TLS configuration: Secure your Ingress by specifying a Secret that contains a TLS private key and certificate.
- Immuta in production: Follow these best practices for configuring your deployment for a production environment.
- External cache configuration: The Immuta Enterprise Helm chart manages its own Memcached deployment inside the cluster. However, you can opt to externalize the key-value cache post-installation.