Skip to content

You are viewing documentation for Immuta version 2023.1.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

Immuta Helm Chart Options

The Helm Chart includes components that make up your Immuta infrastructure, and you can change these values to tailor your Immuta infrastructure to suit your needs. The tables below include parameter descriptions and default values for all components in the Helm Chart.

When installing Immuta, download this immuta-values.yaml and update the values to your preferred settings. See the Helm installation page for guidance and best practices.

Global

Parameter Description Default
immutaVersion Version of Immuta <Current Immuta Version>
imageTag Docker image tag <Current Version Tag>
imagePullPolicy Image pull policy IfNotPresent
imagePullSecrets List of image pull secrets to use [immuta-registry]
existingSecret Name of an existing Kubernetes Secret for the Helm install to use. A managed Secret is not created when this value is set. nil
externalHostname External hostname assigned to this immuta instance. nil
podSecurityContext Pod level security features on all pods. {}
containerSecurityContext Container level security features on all containers. {}
global.imageRegistry Global override for image registry. registry.immuta.com
global.podAnnotations Annotations to be set on all pods. {}
global.podLabels Labels that will be set on all pods. {}

Backup

Parameter Description Default
backup.enabled Whether or not to turn on automatic backups true
backup.restore.enabled Whether or not to restore from backups if present false
backup.type Backup storage type. Must be defined if backup.enabled is true. Must be one of: s3, gs, or azblob. nil
backup.cronJob.nodeSelector Node selector for backup cron job. {"kubernetes.io/os": "linux"}
backup.cronJob.resources Container resources. {}
backup.cronJob.tolerations Tolerations for backup CronJob. nil
backup.extraEnv Mapping of key-value pairs to be set on backup Job containers. {}
backup.failedJobsHistoryLimit Number of failed jobs to exist before stopping 1
backup.keepBackupVolumes Whether or not to delete backup volumes when uninstalling Immuta false
backup.maxBackupCount Max number of backups to exist at a given time. 10
backup.podAnnotations Annotations to add to all pods associated with backups nil
backup.podLabels Labels to add to all pods associated with backups. nil
backup.restore.databaseFile Name of the file in the database backup folder to restore from. nil
backup.restore.queryEngineFile Name of the file in the query-engine backup folder to restore from. nil
backup.schedule Kubernetes CronJob schedule expression. 0 0 * * *
backup.securityContext SecurityContext for backup Pods. {}
backup.serviceAccountAnnotations Annotations to add to all ServiceAccounts associated with backups. nil
backup.successfulJobsHistoryLimit Number of successful jobs to exist before cleanup. 3
backup.podSecurityContext Pod level security features. {}
backup.containerSecurityContext Container level security. {}

AWS S3 Backups

These values are used when backup.type=s3.

Parameter Description Default
backup.s3.awsAccessKeyId AWS Access Key ID. nil
backup.s3.awsSecretAccessKey AWS Secret Access Key. nil
backup.s3.awsRegion AWS Region. nil
backup.s3.bucket S3 Bucket to store backups in. nil
backup.s3.bucketPrefix Prefix to append to all backups. nil
backup.s3.endpoint Endpoint URL of an s3-compatible server. nil
backup.s3.caBundle CA bundle in PEM format. Used to verify TLS certificates of custom s3 endpoint. nil
backup.s3.forcePathStyle Set to "true" to force the use of path-style addressing. nil
backup.s3.disableSSL Set to "true" to disable SSL connections for the s3 endpoint. nil

Azure Blob Storage

These values are used when backup.type=azblob.

Parameter Description Default
backup.azblob.azStorageAccount Azure Storage Account Name nil
backup.azblob.azStorageKey Azure Storage Account Key nil
backup.azblob.azStorageSASToken Azure Storage Account SAS Token nil
backup.azblob.container Azure Storage Account Container Name nil
backup.azblob.containerPrefix Prefix to append to all backups nil

Google Cloud Storage

These values are used when backup.type=gs.

Parameter Description Default
backup.gs.gsKeySecretName Kubernetes Secret containing key.json for Google Service Account nil
backup.gs.bucket Google Cloud Storage Bucket nil
backup.gs.bucketPrefix Prefix to append to all backups nil

Immuta TLS

Parameter Description Default
tls.enabled Whether or not to use TLS. true
tls.create Whether or not to generate TLS certificates. true
tls.manageGeneratedSecret When true, the generated TLS secret will be created as a resource of the Helm Chart. false
tls.secretName Secret name to use for internal and external communication. (For self-provided certs only) nil
tls.enabledInternal Whether or not to use TLS for all internal communication. true
tls.internalSecretName Secret name to use for internal communication. (For self-provided certs only) nil
tls.enabledExternal Whether or not to use TLS for all external communication. true
tls.externalSecretName Secret name to use for external communication. (For self-provided certs only) nil
tls.manageGeneratedSecret may cause issues with helm install.

In most cases, tls.manageGeneratedSecret should only be set to true when Helm is not being used to install the release (i.e., Argo CD).

If tls.manageGeneratedSecret is set to true when used with the default TLS generation hook configuration, you will encounter an error similar to the following.

Error: secrets "immuta-tls" already exists

You can work around this error by configuring the TLS generation hook to run as a post-install hook.

hooks:
  tlsGeneration:
    hookAnnotations:
      helm.sh/hook: post-install

However, this configuration is not compatible with helm install --wait. If the --wait flag is used, the command will timeout and fail.

Web Service

Parameter Description Default
web.extraEnv Mapping of key-value pairs to be set on web containers. {}
web.extraVolumeMounts List of extra volume mounts to be added to web containers. []
web.extraVolumes List of extra volumes to be added to web containers. []
web.image.registry Image registry for the Immuta service image. Value from global.imageRegistry
web.image.repository Image repository for the Immuta service image. immuta/immuta-service
web.image.tag Image tag for the Immuta service image. Value from imageTag or immutaVersion
web.image.digest Image digest for the Immuta service image in format of sha256:<DIGEST>.
web.imagePullPolicy ImagePullPolicy for the Immuta service container. {{ .Values.imageTag }}
web.imageRepository deprecated Use web.image.registry and web.image.repository. nil
web.imageTag deprecated Use web.image.tag. nil
web.replicas Number of replicas of web service to deploy. Maximum: 3 1
web.workerCount Number of web service worker processes to deploy. 2
web.threadPoolSize Number of threads to use for each NodeJS process. nil
web.ingress.enabled Controls the creation of an Ingress resource for the web service. true
web.ingress.clientMaxBodySize client_max_body_size passed through to nginx. 1g
web.resources Container resources. {}
web.podAnnotations Additional annotations to apply to web pods. {}
web.podLabels Additional labels to apply to web pods. {}
web.nodeSelector Node selector for web pods. {"kubernetes.io/os": "linux"}
web.serviceAccountAnnotations Annotations for the web ServiceAccount. {}
web.tolerations Tolerations for web pods. nil
web.podSecurityContext Pod level security features. {}
web.containerSecurityContext Container level security features. {}

Fingerprint Service

Parameter Description Default
fingerprint.image.registry Image registry for the Immuta fingerprint image. Value from global.imageRegistry
fingerprint.image.repository Image repository for the Immuta fingerprint image. immuta/immuta-fingerprint
fingerprint.image.tag Image tag for the Immuta fingerprint image. Value from imageTag or immutaVersion
fingerprint.image.digest Image digest for the Immuta fingerprint image in format of sha256:<DIGEST>.
fingerprint.imagePullPolicy ImagePullPolicy for the Immuta fingerprint container. {{ .Values.imageTag }}
fingerprint.imageRepository deprecated Use fingerprint.image.registry and fingerprint.image.repository. nil
fingerprint.imageTag deprecated Use fingerprint.image.tag. nil
fingerprint.replicas Number of replicas of fingerprint service to deploy. 1
fingerprint.logLevel Log level for the Fingerprint service. WARNING
fingerprint.extraConfig Object containing configuration options for the Immuta Fingerprint service. {}
fingerprint.resources Container resources. {}
fingerprint.podAnnotations Additional annotations to apply to fingerprint Pods. {}
fingerprint.podLabels Additional labels to apply to fingerprint Pods. {}
fingerprint.nodeSelector Node selector for fingerprint Pods. {"kubernetes.io/os": "linux"}
fingerprint.serviceAccountAnnotations Annotations for the fingerprint ServiceAccount. {}
fingerprint.tolerations Tolerations for fingerprint Pods. nil
<component>.podSecurityContext Pod level security features.
<component>.containerSecurityContext Container level security features.

Metadata Database

The Metadata Database component can be configured to use either the built-in Kubernetes deployment or an external PostgreSQL database.

The following Helm values are shared between both built-in and external databases.

Parameter Description Default
database.enabled Enabled flag. Used to disable the built-in database when an external database is used. true
database.image.registry Image registry for the Immuta database image. Value from global.imageRegistry
database.image.repository Image repository for the Immuta database image. immuta/immuta-db
database.image.tag Image tag for the Immuta database image. Value from imageTag or immutaVersion
database.image.digest Image digest for the Immuta database image in format of sha256:<DIGEST>.
database.imagePullPolicy ImagePullPolicy for the Immuta database container. {{ .Values.imageTag }}
database.imageRepository deprecated Use database.image.registry and database.image.repository. nil
database.imageTag deprecated Use database.image.tag. nil

Built-in Database

These values are used when database.enabled=true.

Parameter Description Default
database.extraEnv Mapping of key-value pairs to be set on database containers. {}
database.extraVolumeMounts List of extra volume mounts to be added to database containers. []
database.extraVolumes List of extra volumes to be added to database containers. []
database.nodeSelector Node selector for database pods. {"kubernetes.io/os": "linux"}
database.password Password for immuta metadata database secret
database.patroniApiPassword Password for Patroni REST API. secret
database.patroniKubernetes Patroni Kubernetes settings. {"use_endpoints": true}
database.persistence.enabled Set this to true to enable data persistence on all database pods. It should be set to true for all non-testing environments. false
database.podAnnotations Additional annotations to apply to database pods. {}
database.podLabels Additional labels to apply to database pods. {}
database.replicas Number of database replicas. 1
database.replicationPassword Password for replication user. secret
database.resources Container resources. {}
database.sharedMemoryVolume.enabled Enable the use of a memory-backed emptyDir volume for /dev/shm. false
database.sharedMemoryVolume.sizeLimit Size limit for the shared memory volume. Only available when the SizeMemoryBackedVolumes feature gate is enabled. nil
database.superuserPassword Password for PostgreSQL superuser. secret
database.tolerations Tolerations for database pods. nil
database.podSecurityContext Pod level security features. {}
database.containerSecurityContext Container level security features. {}

External Database

These values are used when database.enabled=false.

Parameter Description Default
externalDatabase.host required Hostname of the external database instance. nil
externalDatabase.port Port for the external database instance. 5432
externalDatabase.sslmode PostgreSQL sslmode option for the external database connection. Behavior when unset is require. nil
externalDatabase.dbname Immuta database name. bometadata
externalDatabase.username Immuta database username. bometa
externalDatabase.password required Immuta database user password. nil
externalDatabase.superuser.username required Username for the superuser used to initialize the database instance. true
externalDatabase.superuser.password required Password for the superuser used to initialize the database instance. true
externalDatabase.backup.enabled (Deprecated) Enable flag for external database backups. Refer to backup.enabled=true. true
externalDatabase.restore.enabled (Deprecated) Enable flag for the external database restore. Refer to backup.restore.enabled=true. true

Query Engine

Parameter Description Default
queryEngine.extraEnv Mapping of key-value pairs to be set on Query Engine containers. {}
queryEngine.extraVolumeMounts List of extra volume mounts to be added to Query Engine containers. []
queryEngine.extraVolumes List of extra volumes to be added to Query Engine containers. []
queryEngine.image.registry Image registry for the Immuta Query Engine image. Value from global.imageRegistry
queryEngine.image.repository Image repository for the Immuta Query Engine image. immuta/immuta-db
queryEngine.image.tag Image tag for the Immuta Query Engine image. Value from imageTag or immutaVersion
queryEngine.image.digest Image digest for the Immuta Query Engine image in format of sha256:<DIGEST>.
queryEngine.imagePullPolicy ImagePullPolicy for the Immuta Query Engine container. {{ .Values.imageTag }}
queryEngine.imageRepository deprecated Use queryEngine.image.registry and queryEngine.image.repository. nil
queryEngine.imageTag deprecated Use queryEngine.image.tag. nil
queryEngine.replicas Number of database replicas 1
queryEngine.password Password for immuta feature store database secret
queryEngine.superuserPassword Password for PostgreSQL superuser. secret
queryEngine.replicationPassword Password for replication user. secret
queryEngine.patroniApiPassword Password for Patroni REST API. secret
queryEngine.patroniKubernetes Patroni Kubernetes settings. {"use_endpoints": true}
queryEngine.persistence.enabled This should be set to true for all non-testing environments. false
queryEngine.resources Container resources. {}
queryEngine.service Service configuration for Query Engine service if not using an Ingress Controller.
queryEngine.podAnnotations Additional annotations to apply to Query Engine pods. {}
queryEngine.podLabels Additional labels to apply to Query Engine pods. {}
queryEngine.nodeSelector Node selector for Query Engine pods. {"kubernetes.io/os": "linux"}
queryEngine.sharedMemoryVolume.enabled Enable the use of a memory-backed emptyDir volume for /dev/shm. false
queryEngine.sharedMemoryVolume.sizeLimit Size limit for the shared memory volume. Only available when the SizeMemoryBackedVolumes feature gate is enabled. nil
queryEngine.tolerations Tolerations for Query Engine pods. nil
queryEngine.podSecurityContext Pod level security features. {}
queryEngine.containerSecurityContext Container level security features. {}

Query Engine Port

If you will only use integrations, port 5432 is optional. Using the built-in Ingress Nginx Controller, you can disable it by setting the value to false.

Parameter Description Default
queryEngine.publishPort Controls whether or not the Query Engine port (5432) is published on the built-in Ingress Controller service. true

Chart Hooks

Cleanup

The Cleanup hook is a Helm post-delete hook that is responsible for cleaning up some resources that are not deleted by Helm.

Parameter Description Default
hooks.cleanup.resources Container resources. {}
hooks.cleanup.serviceAccountAnnotations Annotations for the cleanup hook ServiceAccount. {}
hooks.cleanup.nodeSelector Node selector for pods. {"kubernetes.io/os": "linux"}
hooks.cleanup.tolerations Tolerations for pods. nil
hooks.cleanup.podSecurityContext Pod level security features.
hooks.cleanup.containerSecurityContext Container level security features.

Database Initialize

The database initialize hook is used to initialize the external database when database.enabled=false.

Parameter Description Default
hooks.databaseInitialize.resources Container resources. {}
hooks.databaseInitialize.serviceAccountAnnotations Annotations for the database initialize hook ServiceAccount. {}
hooks.databaseInitialize.verbose Flag to enable or disable verbose logging in the database initialize hook. true
hooks.databaseInitialize.nodeSelector Node selector for pods. {"kubernetes.io/os": "linux"}
hooks.databaseInitialize.tolerations Tolerations for pods. nil
hooks.databaseInitialize.podSecurityContext Pod level security features.
hooks.databaseInitialize.containerSecurityContext Container level security features.

TLS Generation

The TLS generation hook is a Helm pre-install hook that is responsible for generating TLS certificates used for connections between the Immuta pods.

Parameter Description Default
hooks.tlsGeneration.hookAnnotations."helm.sh/hook-delete-policy" Delete policy for the TLS generation hook. "before-hook-creation,hook-succeeded"
hooks.tlsGeneration.resources Container resources. {}
hooks.tlsGeneration.serviceAccountAnnotations Annotations for the cleanup hook ServiceAccount. {}
hooks.tlsGeneration.nodeSelector Node selector for pods. {"kubernetes.io/os": "linux"}
hooks.tlsGeneration.tolerations Tolerations for pods. nil
hooks.tlsGeneration.podSecurityContext Pod level security features.
hooks.tlsGeneration.containerSecurityContext Container level security features.

Cache

Parameter Description Default
cache.type Type to use for the cache. Valid values are memcached. memcached
cache.replicas Number of replicas. 1
cache.resources Container resources. {}
cache.nodeSelector Node selector for pods. {"kubernetes.io/os": "linux"}
cache.podSecurityContext SecurityContext for cache Pods. {"runAsUser": 65532}
cache.containerSecurityContext Container level security features. {}
cache.updateStrategy UpdateStrategy Spec for cache workloads. {}
cache.tolerations Tolerations for pods. nil
cache.memcached.image.registry Image registry for Memcached image. Value from global.imageRegistry
cache.memcached.image.repository Image repository for Memcached image. memcached
cache.memcached.image.tag Image tag for Memcached image. 1.6-alpine
cache.memcached.image.digest Image digest for the Immuta Memcached image in format of sha256:<DIGEST>.
cache.memcached.imagePullPolicy Image pull policy. Value from imagePullPolicy
cache.memcached.maxItemMemory Limit for max item memory in cache (in MB). 64

Deploy Tools

Parameter Description Default
deployTools.image.registry Image registry for Immuta deploy tools image. Value from global.imageRegistry
deployTools.image.repository Image repository for Immuta deploy tools image. immuta/immuta-deploy-tools
deployTools.image.tag Image tag for Immuta deploy tools image. 2.4.3
deployTools.image.digest Image digest for the Immuta deploy tools image in format of sha256:<DIGEST>.
deployTools.imagePullPolicy Image pull policy. Value from imagePullPolicy

Ingress Controller

Parameter Description Default
nginxIngress.enabled Enable nginx ingress deployment true
nginxIngress.podSecurityContext Pod level security features. {}
nginxIngress.containerSecurityContext Container level security features. {capabilities: {drop: [ALL], add: [NET_BIND_SERVICE]}, runAsUser: 101}
nginxIngress.controller.image.registry Image registry for the Nginx Ingress controller image. Value from global.imageRegistry
nginxIngress.controller.image.repository Image repository for the Nginx Ingress controller image. ingress-nginx-controller
nginxIngress.controller.image.tag Image tag for the Nginx Ingress controller image. v1.1.0
nginxIngress.controller.image.digest Image digest for the Immuta Nginx Ingress controller image in format of sha256:<DIGEST>.
nginxIngress.controller.imagePullPolicy ImagePullPolicy for the Nginx Ingress controller container. {{ .Values.imageTag }}
nginxIngress.controller.imageRepository deprecated Use nginxIngress.controller.image.registry and nginxIngress.controller.image.repository. nil
nginxIngress.controller.imageTag deprecated Use nginxIngress.controller.image.tag. nil
nginxIngress.controller.service.annotations Used to set arbitrary annotations on the Nginx Ingress Service. {}
nginxIngress.controller.service.type Controller service type. LoadBalancer
nginxIngress.controller.service.isInternal Whether or not to use an internal ELB false
nginxIngress.controller.service.acmCertArn ARN for ACM certificate
nginxIngress.controller.replicas Number of controller replicas 1
nginxIngress.controller.minReadySeconds Minimum ready seconds 0
nginxIngress.controller.electionID Election ID for nginx ingress controller ingress-controller-leader
nginxIngress.controller.hostNetwork Run nginx ingress controller on host network false
nginxIngress.controller.config.proxy-read-timeout Controller proxy read timeout. 300
nginxIngress.controller.config.proxy-send-timeout Controller proxy send timeout. 300
nginxIngress.controller.podAnnotations Additional annotations to apply to nginx ingress controller pods. {}
nginxIngress.controller.podLabels Additional labels to apply to nginx ingress controller pods. {}
nginxIngress.controller.nodeSelector Node selector for nginx ingress controller pods. {"kubernetes.io/os": "linux"}
nginxIngress.controller.tolerations Tolerations for nginx ingress controller pods. nil
nginxIngress.controller.resources Container resources. {}

Memcached

Deprecation Warning

The following values are deprecated. Values should be migrated to cache and cache.memcached. See Cache for replacement values.

Parameter Description Default
memcached.pdbMinAvailable Minimum pdb available. 1
memcached.maxItemMemory Limit for max item memory in cache (in MB). 64
memcached.resources Container resources. {requests: {memory: 64Mi}}
memcached.podAnnotations Additional annotations to apply to memcached pods. {}
memcached.podLabels Additional labels to apply to memcached pods. {}
memcached.nodeSelector Node selector for memcached pods. {"kubernetes.io/os": "linux"}
memcached.tolerations Tolerations for memcached pods. nil