Red Hat OpenShift
This is an OpenShift-specific guide on how to deploy Immuta with the following managed services:
- Cloud-managed PostgreSQL
- Cloud-managed Redis
- Cloud-managed ElasticSearch
Prerequisites
Review the following criteria before proceeding with deploying Immuta.
PostgreSQL
- The PostgreSQL instance has been provisioned and is actively running.
- The PostgreSQL instance's hostname/FQDN is resolvable from within the Kubernetes cluster.
- The PostgreSQL instance is accepting connections.
Redis
- The Redis instance has been provisioned and is actively running.
- The Redis instance's hostname/FQDN is resolvable from within the Kubernetes cluster.
- The Redis instance is accepting connections.
Elasticsearch
- The Elasticsearch instance has been provisioned and is actively running.
- The Elasticsearch instance's hostname/FQDN is resolvable from within the Kubernetes cluster.
- The Elasticsearch instance is accepting connections.
Authenticate with OCI registry
Helm chart availability
The deprecated Immuta Helm chart (IHC) is not available from ocir.immuta.com.
-
Copy the snippet below and replace the placeholder text with the credentials provided to you by your Customer Success Manager:
echo <token> | helm registry login --password-stdin --username <username> ocir.immuta.com
Setup
-
Create a new OpenShift project named
immutafor Immuta.oc new-project immuta -
Get the UID range allocated to the project. Each running container's UID must fall within this range. This value will be referenced later on.
oc get project immuta --output template='{{index .metadata.annotations "openshift.io/sa.scc.uid-range"}}{{"\n"}}' -
Get the GID range allocated to the project. Each running container's GID must fall within this range. This value will be referenced later on.
oc get project immuta --output template='{{index .metadata.annotations "openshift.io/sa.scc.supplemental-groups"}}{{"\n"}}' -
Switch to project
immuta.oc project immuta -
Create a container registry pull secret.
Registry credentials
Contact your Immuta representative to obtain credentials to authenticate with ocir.immuta.com.
oc create secret docker-registry immuta-oci-registry \ --docker-server=https://ocir.immuta.com \ --docker-username="<username>" \ --docker-password="<token>" \ --email=support@immuta.com
Cloud-managed PostgreSQL
-
Connect to the database as superuser (postgres) by creating an ephemeral container inside the Kubernetes cluster.
Connecting to the database
There are numerous ways to connect to a PostgreSQL database. This step demonstrates how to connect by creating an ephemeral Kubernetes pod.
Interactive shell
A shell prompt will not be displayed after executing the
oc runcommand outlined below. Wait 5 seconds, and then proceed by entering a password.oc run pgclient \ --stdin \ --tty \ --rm \ --image docker.io/bitnami/postgresql -- \ psql --host <postgres-fqdn> --username postgres --port 5432 --password -
Create an
immutarole and database.CREATE ROLE immuta with login encrypted password '<postgres-password>'; GRANT immuta TO CURRENT_USER; CREATE DATABASE immuta OWNER immuta; GRANT all ON DATABASE immuta TO immuta; ALTER ROLE immuta SET search_path TO bometadata,public; -
Revoke privileges from
CURRENT_USERas they're no longer required.REVOKE immuta FROM CURRENT_USER; -
Enable the
pgcryptoextension.\c immuta CREATE EXTENSION pgcrypto; -
Type
\q, and then pressEnterto exit.
Install Immuta
This section demonstrates how to deploy Immuta using the Immuta Enterprise Helm chart once the prerequisite cloud-managed services are configured.
-
Create a Helm values file named
immuta-values.yamlwith the content below. Because the Ingress resource will be managed by an OpenShift route you will create when configuring Ingress and not the Immuta Enterprise Helm chart,ingressis set tofalsebelow. TLS comes pre-configured with OpenShift, sotlsis also set tofalse.immuta-values.yamlglobal: imageRegistry: ocir.immuta.com imagePullSecrets: - name: immuta-oci-registry audit: config: databaseConnectionString: postgres://immuta:<postgres-password>@pg-db-postgresql.immuta.svc.cluster.local:5432/immuta?schema=audit elasticsearchEndpoint: http://es-db-elasticsearch.immuta.svc.cluster.local:9200 elasticsearchUsername: <elasticsearch-username> elasticsearchPassword: <elasticsearch-password> deployment: podSecurityContext: # A number that is within the project range: # oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.uid-range"}}{{"\n"}}' runAsUser: <user-id> # A number that is within the project range: # oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.supplemental-groups"}}{{"\n"}}' runAsGroup: <group-id> seccompProfile: type: RuntimeDefault containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL discover: deployment: podSecurityContext: # A number that is within the project range: # oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.uid-range"}}{{"\n"}}' runAsUser: <user-id> # A number that is within the project range: # oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.supplemental-groups"}}{{"\n"}}' runAsGroup: <group-id> seccompProfile: type: RuntimeDefault containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL secure: extraEnvVars: - name: FeatureFlag_AuditService value: "true" - name: FeatureFlag_detect value: "true" - name: FeatureFlag_auditLegacyViewHide value: "true" ingress: enabled: false tls: false postgresql: host: <postgres-fqdn> port: 5432 database: immuta username: immuta password: <postgres-password> ssl: false web: podSecurityContext: # A number that is within the project range: # oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.uid-range"}}{{"\n"}}' runAsUser: <user-id> # A number that is within the project range: # oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.supplemental-groups"}}{{"\n"}}' runAsGroup: <group-id> seccompProfile: type: RuntimeDefault containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL backgroundWorker: podSecurityContext: # A number that is within the project range: # oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.uid-range"}}{{"\n"}}' runAsUser: <user-id> # A number that is within the project range: # oc get project <project-name> --output template='{{index .metadata.annotations "openshift.io/sa.scc.supplemental-groups"}}{{"\n"}}' runAsGroup: <group-id> seccompProfile: type: RuntimeDefault containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL -
Update all placeholder values in the
immuta-values.yamlfile. -
Deploy Immuta.
helm install immuta oci://ocir.immuta.com/stable/immuta-enterprise \ --values immuta-values.yaml \ --version 2024.2.3
Validation
-
Wait for all pods in the namespace to become ready.
oc wait --for=condition=Ready pods --all -
Determine the name of the Secure service.
oc get service --selector "app.kubernetes.io/component=secure" --output template='{{ .metadata.name }}' -
Listen on local port
8080, forwarding TCP traffic to the Secure service's port namedhttp.oc port-forward service/<name> 8080:http
Next steps
- Configure Ingress to complete your installation and access your Immuta application.
- Learn more about best practices for Immuta in Production.