Immuta Helm Chart Options
The Helm Chart includes components that make up your Immuta infrastructure, and you can change these values to tailor your Immuta infrastructure to suit your needs. The tables below include parameter descriptions and default values for all components in the Helm Chart.
When installing Immuta, download this immuta-values.yaml and update the values to your preferred settings. See the Helm installation page for guidance and best practices.
Global
| Parameter | Description | Default |
|---|---|---|
| `immutaVersion` | Version of Immuta. | `<Current Immuta Version>` |
| `imageTag` | Docker image tag. | `<Current Version Tag>` |
| `imagePullPolicy` | Image pull policy. | `IfNotPresent` |
| `imagePullSecrets` | List of image pull secrets to use. | `[immuta-registry]` |
| `existingSecret` | Name of an existing Kubernetes Secret for the Helm install to use. A managed Secret is not created when this value is set. | `nil` |
| `externalHostname` | External hostname assigned to this Immuta instance. | `nil` |
| `podSecurityContext` | Pod-level security settings applied to all pods. | `{}` |
| `containerSecurityContext` | Container-level security settings applied to all containers. | `{}` |
| `global.imageRegistry` | Global override for the image registry. | `registry.immuta.com` |
| `global.podAnnotations` | Annotations to set on all pods. | `{}` |
| `global.podLabels` | Labels to set on all pods. | `{}` |
Backup
| Parameter | Description | Default |
|---|---|---|
| `backup.enabled` | Whether to turn on automatic backups. | `true` |
| `backup.restore.enabled` | Whether to restore from backups if present. | `false` |
| `backup.type` | Backup storage type. Must be defined if `backup.enabled` is `true`. Must be one of `s3`, `gs`, or `azblob`. | `nil` |
| `backup.cronJob.nodeSelector` | Node selector for the backup CronJob. | `{"kubernetes.io/os": "linux"}` |
| `backup.cronJob.resources` | Container resources. | `{}` |
| `backup.cronJob.tolerations` | Tolerations for the backup CronJob. | `nil` |
| `backup.extraEnv` | Mapping of key-value pairs to set on backup Job containers. | `{}` |
| `backup.failedJobsHistoryLimit` | Number of failed jobs to keep before they are cleaned up. | `1` |
| `backup.keepBackupVolumes` | Whether to delete backup volumes when uninstalling Immuta. | `false` |
| `backup.maxBackupCount` | Maximum number of backups to keep at a given time. | `10` |
| `backup.podAnnotations` | Annotations to add to all pods associated with backups. | `nil` |
| `backup.podLabels` | Labels to add to all pods associated with backups. | `nil` |
| `backup.restore.databaseFile` | Name of the file in the database backup folder to restore from. | `nil` |
| `backup.restore.queryEngineFile` | Name of the file in the query-engine backup folder to restore from. | `nil` |
| `backup.schedule` | Kubernetes CronJob schedule expression. | `0 0 * * *` |
| `backup.securityContext` | SecurityContext for backup Pods. | `{}` |
| `backup.serviceAccountAnnotations` | Annotations to add to all ServiceAccounts associated with backups. | `nil` |
| `backup.successfulJobsHistoryLimit` | Number of successful jobs to keep before they are cleaned up. | `3` |
| `backup.podSecurityContext` | Pod-level security settings. | `{}` |
| `backup.containerSecurityContext` | Container-level security settings. | `{}` |
AWS S3 Backups
These values are used when `backup.type=s3`.

| Parameter | Description | Default |
|---|---|---|
| `backup.s3.awsAccessKeyId` | AWS Access Key ID. | `nil` |
| `backup.s3.awsSecretAccessKey` | AWS Secret Access Key. | `nil` |
| `backup.s3.awsRegion` | AWS Region. | `nil` |
| `backup.s3.bucket` | S3 bucket to store backups in. | `nil` |
| `backup.s3.bucketPrefix` | Prefix to append to all backups. | `nil` |
| `backup.s3.endpoint` | Endpoint URL of an S3-compatible server. | `nil` |
| `backup.s3.caBundle` | CA bundle in PEM format, used to verify the TLS certificate of a custom S3 endpoint. | `nil` |
| `backup.s3.forcePathStyle` | Set to `"true"` to force the use of path-style addressing. | `nil` |
| `backup.s3.disableSSL` | Set to `"true"` to disable SSL connections to the S3 endpoint. | `nil` |
Azure Blob Storage
These values are used when `backup.type=azblob`.

| Parameter | Description | Default |
|---|---|---|
| `backup.azblob.azStorageAccount` | Azure Storage Account name. | `nil` |
| `backup.azblob.azStorageKey` | Azure Storage Account key. | `nil` |
| `backup.azblob.azStorageSASToken` | Azure Storage Account SAS token. | `nil` |
| `backup.azblob.container` | Azure Storage Account container name. | `nil` |
| `backup.azblob.containerPrefix` | Prefix to append to all backups. | `nil` |
Google Cloud Storage
These values are used when `backup.type=gs`.

| Parameter | Description | Default |
|---|---|---|
| `backup.gs.gsKeySecretName` | Kubernetes Secret containing the `key.json` for the Google Service Account. | `nil` |
| `backup.gs.bucket` | Google Cloud Storage bucket. | `nil` |
| `backup.gs.bucketPrefix` | Prefix to append to all backups. | `nil` |
Immuta TLS
| Parameter | Description | Default |
|---|---|---|
| `tls.enabled` | Whether to use TLS. | `true` |
| `tls.create` | Whether to generate TLS certificates. | `true` |
| `tls.manageGeneratedSecret` | When `true`, the generated TLS Secret is created as a resource of the Helm Chart. | `false` |
| `tls.secretName` | Secret name to use for internal and external communication (self-provided certificates only). | `nil` |
| `tls.enabledInternal` | Whether to use TLS for all internal communication. | `true` |
| `tls.internalSecretName` | Secret name to use for internal communication (self-provided certificates only). | `nil` |
| `tls.enabledExternal` | Whether to use TLS for all external communication. | `true` |
| `tls.externalSecretName` | Secret name to use for external communication (self-provided certificates only). | `nil` |
Note: `tls.manageGeneratedSecret` may cause issues with `helm install`. In most cases, `tls.manageGeneratedSecret` should only be set to `true` when Helm itself is not being used to install the release (for example, with Argo CD). If `tls.manageGeneratedSecret` is set to `true` with the default TLS generation hook configuration, you will encounter an error similar to the following:

```
Error: secrets "immuta-tls" already exists
```

You can work around this error by configuring the TLS generation hook to run as a `post-install` hook:

```yaml
hooks:
  tlsGeneration:
    hookAnnotations:
      helm.sh/hook: post-install
```

However, this configuration is not compatible with `helm install --wait`. If the `--wait` flag is used, the command will time out and fail.
Web Service
| Parameter | Description | Default |
|---|---|---|
| `web.extraEnv` | Mapping of key-value pairs to set on web containers. | `{}` |
| `web.extraVolumeMounts` | List of extra volume mounts to add to web containers. | `[]` |
| `web.extraVolumes` | List of extra volumes to add to web containers. | `[]` |
| `web.image.registry` | Image registry for the Immuta service image. | Value from `global.imageRegistry` |
| `web.image.repository` | Image repository for the Immuta service image. | `immuta/immuta-service` |
| `web.image.tag` | Image tag for the Immuta service image. | Value from `imageTag` or `immutaVersion` |
| `web.image.digest` | Image digest for the Immuta service image, in the format `sha256:<DIGEST>`. | |
| `web.imagePullPolicy` | ImagePullPolicy for the Immuta service container. | `{{ .Values.imageTag }}` |
| `web.imageRepository` (deprecated) | Use `web.image.registry` and `web.image.repository`. | `nil` |
| `web.imageTag` (deprecated) | Use `web.image.tag`. | `nil` |
| `web.replicas` | Number of replicas of the web service to deploy. Maximum: 3. | `1` |
| `web.workerCount` | Number of web service worker processes to deploy. | `2` |
| `web.threadPoolSize` | Number of threads to use for each Node.js process. | `nil` |
| `web.ingress.enabled` | Controls the creation of an Ingress resource for the web service. | `true` |
| `web.ingress.clientMaxBodySize` | `client_max_body_size` passed through to nginx. | `1g` |
| `web.resources` | Container resources. | `{}` |
| `web.podAnnotations` | Additional annotations to apply to web pods. | `{}` |
| `web.podLabels` | Additional labels to apply to web pods. | `{}` |
| `web.nodeSelector` | Node selector for web pods. | `{"kubernetes.io/os": "linux"}` |
| `web.serviceAccountAnnotations` | Annotations for the web ServiceAccount. | `{}` |
| `web.tolerations` | Tolerations for web pods. | `nil` |
| `web.podSecurityContext` | Pod-level security settings. | `{}` |
| `web.containerSecurityContext` | Container-level security settings. | `{}` |
Fingerprint Service
| Parameter | Description | Default |
|---|---|---|
| `fingerprint.image.registry` | Image registry for the Immuta fingerprint image. | Value from `global.imageRegistry` |
| `fingerprint.image.repository` | Image repository for the Immuta fingerprint image. | `immuta/immuta-fingerprint` |
| `fingerprint.image.tag` | Image tag for the Immuta fingerprint image. | Value from `imageTag` or `immutaVersion` |
| `fingerprint.image.digest` | Image digest for the Immuta fingerprint image, in the format `sha256:<DIGEST>`. | |
| `fingerprint.imagePullPolicy` | ImagePullPolicy for the Immuta fingerprint container. | `{{ .Values.imageTag }}` |
| `fingerprint.imageRepository` (deprecated) | Use `fingerprint.image.registry` and `fingerprint.image.repository`. | `nil` |
| `fingerprint.imageTag` (deprecated) | Use `fingerprint.image.tag`. | `nil` |
| `fingerprint.replicas` | Number of replicas of the fingerprint service to deploy. | `1` |
| `fingerprint.logLevel` | Log level for the fingerprint service. | `WARNING` |
| `fingerprint.extraConfig` | Object containing configuration options for the Immuta fingerprint service. | `{}` |
| `fingerprint.resources` | Container resources. | `{}` |
| `fingerprint.podAnnotations` | Additional annotations to apply to fingerprint Pods. | `{}` |
| `fingerprint.podLabels` | Additional labels to apply to fingerprint Pods. | `{}` |
| `fingerprint.nodeSelector` | Node selector for fingerprint Pods. | `{"kubernetes.io/os": "linux"}` |
| `fingerprint.serviceAccountAnnotations` | Annotations for the fingerprint ServiceAccount. | `{}` |
| `fingerprint.tolerations` | Tolerations for fingerprint Pods. | `nil` |
| `<component>.podSecurityContext` | Pod-level security settings. | |
| `<component>.containerSecurityContext` | Container-level security settings. | |
Metadata Database
The Metadata Database component can be configured to use either the built-in Kubernetes deployment or an external PostgreSQL database. The following Helm values are shared between built-in and external databases.

| Parameter | Description | Default |
|---|---|---|
| `database.enabled` | Enabled flag. Used to disable the built-in database when an external database is used. | `true` |
| `database.image.registry` | Image registry for the Immuta database image. | Value from `global.imageRegistry` |
| `database.image.repository` | Image repository for the Immuta database image. | `immuta/immuta-db` |
| `database.image.tag` | Image tag for the Immuta database image. | Value from `imageTag` or `immutaVersion` |
| `database.image.digest` | Image digest for the Immuta database image, in the format `sha256:<DIGEST>`. | |
| `database.imagePullPolicy` | ImagePullPolicy for the Immuta database container. | `{{ .Values.imageTag }}` |
| `database.imageRepository` (deprecated) | Use `database.image.registry` and `database.image.repository`. | `nil` |
| `database.imageTag` (deprecated) | Use `database.image.tag`. | `nil` |
Built-in Database
These values are used when `database.enabled=true`.

| Parameter | Description | Default |
|---|---|---|
| `database.extraEnv` | Mapping of key-value pairs to set on database containers. | `{}` |
| `database.extraVolumeMounts` | List of extra volume mounts to add to database containers. | `[]` |
| `database.extraVolumes` | List of extra volumes to add to database containers. | `[]` |
| `database.nodeSelector` | Node selector for database pods. | `{"kubernetes.io/os": "linux"}` |
| `database.password` | Password for the Immuta metadata database. | `secret` |
| `database.patroniApiPassword` | Password for the Patroni REST API. | `secret` |
| `database.patroniKubernetes` | Patroni Kubernetes settings. | `{"use_endpoints": true}` |
| `database.persistence.enabled` | Set this to `true` to enable data persistence on all database pods. It should be set to `true` for all non-testing environments. | `false` |
| `database.podAnnotations` | Additional annotations to apply to database pods. | `{}` |
| `database.podLabels` | Additional labels to apply to database pods. | `{}` |
| `database.replicas` | Number of database replicas. | `1` |
| `database.replicationPassword` | Password for the replication user. | `secret` |
| `database.resources` | Container resources. | `{}` |
| `database.sharedMemoryVolume.enabled` | Enable the use of a memory-backed emptyDir volume for `/dev/shm`. | `false` |
| `database.sharedMemoryVolume.sizeLimit` | Size limit for the shared memory volume. Only available when the `SizeMemoryBackedVolumes` feature gate is enabled. | `nil` |
| `database.superuserPassword` | Password for the PostgreSQL superuser. | `secret` |
| `database.tolerations` | Tolerations for database pods. | `nil` |
| `database.podSecurityContext` | Pod-level security settings. | `{}` |
| `database.containerSecurityContext` | Container-level security settings. | `{}` |
External Database
These values are used when `database.enabled=false`.

| Parameter | Description | Default |
|---|---|---|
| `externalDatabase.host` (required) | Hostname of the external database instance. | `nil` |
| `externalDatabase.port` | Port for the external database instance. | `5432` |
| `externalDatabase.sslmode` | PostgreSQL `sslmode` option for the external database connection. Behavior when unset is `require`. | `nil` |
| `externalDatabase.dbname` | Immuta database name. | `bometadata` |
| `externalDatabase.username` | Immuta database username. | `bometa` |
| `externalDatabase.password` (required) | Immuta database user password. | `nil` |
| `externalDatabase.superuser.username` (required) | Username for the superuser used to initialize the database instance. | `true` |
| `externalDatabase.superuser.password` (required) | Password for the superuser used to initialize the database instance. | `true` |
| `externalDatabase.backup.enabled` | (Deprecated) Enable flag for external database backups. Refer to `backup.enabled=true`. | `true` |
| `externalDatabase.restore.enabled` | (Deprecated) Enable flag for the external database restore. Refer to `backup.restore.enabled=true`. | `true` |
Query Engine
| Parameter | Description | Default |
|---|---|---|
| `queryEngine.extraEnv` | Mapping of key-value pairs to set on Query Engine containers. | `{}` |
| `queryEngine.extraVolumeMounts` | List of extra volume mounts to add to Query Engine containers. | `[]` |
| `queryEngine.extraVolumes` | List of extra volumes to add to Query Engine containers. | `[]` |
| `queryEngine.image.registry` | Image registry for the Immuta Query Engine image. | Value from `global.imageRegistry` |
| `queryEngine.image.repository` | Image repository for the Immuta Query Engine image. | `immuta/immuta-db` |
| `queryEngine.image.tag` | Image tag for the Immuta Query Engine image. | Value from `imageTag` or `immutaVersion` |
| `queryEngine.image.digest` | Image digest for the Immuta Query Engine image, in the format `sha256:<DIGEST>`. | |
| `queryEngine.imagePullPolicy` | ImagePullPolicy for the Immuta Query Engine container. | `{{ .Values.imageTag }}` |
| `queryEngine.imageRepository` (deprecated) | Use `queryEngine.image.registry` and `queryEngine.image.repository`. | `nil` |
| `queryEngine.imageTag` (deprecated) | Use `queryEngine.image.tag`. | `nil` |
| `queryEngine.replicas` | Number of database replicas. | `1` |
| `queryEngine.password` | Password for the Immuta feature store database. | `secret` |
| `queryEngine.superuserPassword` | Password for the PostgreSQL superuser. | `secret` |
| `queryEngine.replicationPassword` | Password for the replication user. | `secret` |
| `queryEngine.patroniApiPassword` | Password for the Patroni REST API. | `secret` |
| `queryEngine.patroniKubernetes` | Patroni Kubernetes settings. | `{"use_endpoints": true}` |
| `queryEngine.persistence.enabled` | Enables data persistence on Query Engine pods. It should be set to `true` for all non-testing environments. | `false` |
| `queryEngine.resources` | Container resources. | `{}` |
| `queryEngine.service` | Service configuration for the Query Engine service if not using an Ingress Controller. | |
| `queryEngine.podAnnotations` | Additional annotations to apply to Query Engine pods. | `{}` |
| `queryEngine.podLabels` | Additional labels to apply to Query Engine pods. | `{}` |
| `queryEngine.nodeSelector` | Node selector for Query Engine pods. | `{"kubernetes.io/os": "linux"}` |
| `queryEngine.sharedMemoryVolume.enabled` | Enable the use of a memory-backed emptyDir volume for `/dev/shm`. | `false` |
| `queryEngine.sharedMemoryVolume.sizeLimit` | Size limit for the shared memory volume. Only available when the `SizeMemoryBackedVolumes` feature gate is enabled. | `nil` |
| `queryEngine.tolerations` | Tolerations for Query Engine pods. | `nil` |
| `queryEngine.podSecurityContext` | Pod-level security settings. | `{}` |
| `queryEngine.containerSecurityContext` | Container-level security settings. | `{}` |
Query Engine Port
If you will only use integrations, port 5432 is optional. When using the built-in Ingress Nginx Controller, you can stop publishing it by setting `queryEngine.publishPort` to `false`.

| Parameter | Description | Default |
|---|---|---|
| `queryEngine.publishPort` | Controls whether the Query Engine port (5432) is published on the built-in Ingress Controller service. | `true` |
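Several of the tables above describe settings that a reviewer would check in a values file before running the install: `backup.type` when backups are enabled, `backup.s3.disableSSL`, persistence and the chart-default `secret` passwords on the built-in PostgreSQL components, the external-database `sslmode`, the `tls.*` switches, the `tls.manageGeneratedSecret` hook caveat, the `web.replicas` maximum and the published Query Engine port. The linter below is an added example, not part of the Immuta chart or this page; it takes the values as the nested dict you get from loading `immuta-values.yaml` (for example with `yaml.safe_load`), the function names are mine, and the sample values are constructed.

```python
# Added example: lint a loaded immuta-values.yaml against the settings documented on this page.
# `values` is the nested dict from loading the values file (e.g. yaml.safe_load); the sample is constructed.
from typing import Any

DEFAULT_PASSWORD = "secret"  # chart default for every *Password value
PASSWORD_KEYS = ("password", "superuserPassword", "replicationPassword", "patroniApiPassword")
WEAK_SSLMODES = ("disable", "allow", "prefer")  # weaker than the implicit default 'require'


def get(values: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted path such as 'backup.s3.disableSSL' through nested dicts."""
    node: Any = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def lint_values(values: dict) -> list[str]:
    """Return one message per documented setting that is missing, weak, or will break the install."""
    findings: list[str] = []
    # Backups: backup.type must be s3, gs or azblob when enabled; disableSSL drops TLS to the S3 endpoint.
    if get(values, "backup.enabled", True):
        btype = get(values, "backup.type")
        if btype not in ("s3", "gs", "azblob"):
            findings.append(f"backup.type must be one of s3, gs, azblob when backup.enabled=true (got {btype!r})")
        if str(get(values, "backup.s3.disableSSL", "")).lower() == "true":
            findings.append("backup.s3.disableSSL=true sends backups to the S3 endpoint without TLS")
    # Built-in PostgreSQL components: persistence off and chart-default passwords.
    for comp in ("database", "queryEngine"):
        if comp == "database" and not get(values, "database.enabled", True):
            continue  # external database in use; the built-in one is not deployed
        if not get(values, f"{comp}.persistence.enabled", False):
            findings.append(f"{comp}.persistence.enabled=false: set true for all non-testing environments")
        for key in PASSWORD_KEYS:
            if get(values, f"{comp}.{key}", DEFAULT_PASSWORD) == DEFAULT_PASSWORD:
                findings.append(f"{comp}.{key} still uses the chart default password")
    # External database: an unset sslmode behaves as 'require'; anything weaker is flagged.
    mode = get(values, "externalDatabase.sslmode")
    if not get(values, "database.enabled", True) and mode in WEAK_SSLMODES:
        findings.append(f"externalDatabase.sslmode={mode} is weaker than the default 'require'")
    # TLS switches for all, internal and external traffic.
    for key in ("tls.enabled", "tls.enabledInternal", "tls.enabledExternal"):
        if not get(values, key, True):
            findings.append(f"{key}=false disables TLS for that traffic")
    # The documented install failure: manageGeneratedSecret with the default (pre-install) TLS hook.
    hook = (get(values, "hooks.tlsGeneration.hookAnnotations", {}) or {}).get("helm.sh/hook")
    if get(values, "tls.manageGeneratedSecret", False) and hook != "post-install":
        findings.append("tls.manageGeneratedSecret=true with the default TLS hook fails with "
                        "'secrets \"immuta-tls\" already exists'; set helm.sh/hook: post-install")
    # Web replica maximum and the optional Query Engine port on the ingress controller service.
    if get(values, "web.replicas", 1) > 3:
        findings.append("web.replicas exceeds the documented maximum of 3")
    if get(values, "queryEngine.publishPort", True):
        findings.append("queryEngine.publishPort=true publishes port 5432; set false if only integrations are used")
    return findings


# Constructed sample values (not a real deployment); *Password keys not listed stay at the default.
SAMPLE_VALUES = {
    "tls": {"manageGeneratedSecret": True},
    "backup": {"enabled": True, "type": "s3", "s3": {"disableSSL": "true"}},
    "database": {"persistence": {"enabled": True}, "password": "ChangedPass123"},
    "queryEngine": {"persistence": {"enabled": False}},
    "web": {"replicas": 4},
}

if __name__ == "__main__":
    for finding in lint_values(SAMPLE_VALUES):
        print("-", finding)
```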
Chart Hooks
Cleanup
The Cleanup hook is a Helm post-delete hook that is responsible for cleaning up some resources that are not deleted by Helm.

| Parameter | Description | Default |
|---|---|---|
| `hooks.cleanup.resources` | Container resources. | `{}` |
| `hooks.cleanup.serviceAccountAnnotations` | Annotations for the cleanup hook ServiceAccount. | `{}` |
| `hooks.cleanup.nodeSelector` | Node selector for pods. | `{"kubernetes.io/os": "linux"}` |
| `hooks.cleanup.tolerations` | Tolerations for pods. | `nil` |
| `hooks.cleanup.podSecurityContext` | Pod-level security settings. | |
| `hooks.cleanup.containerSecurityContext` | Container-level security settings. | |
Database Initialize
The database initialize hook is used to initialize the external database when `database.enabled=false`.

| Parameter | Description | Default |
|---|---|---|
| `hooks.databaseInitialize.resources` | Container resources. | `{}` |
| `hooks.databaseInitialize.serviceAccountAnnotations` | Annotations for the database initialize hook ServiceAccount. | `{}` |
| `hooks.databaseInitialize.verbose` | Flag to enable or disable verbose logging in the database initialize hook. | `true` |
| `hooks.databaseInitialize.nodeSelector` | Node selector for pods. | `{"kubernetes.io/os": "linux"}` |
| `hooks.databaseInitialize.tolerations` | Tolerations for pods. | `nil` |
| `hooks.databaseInitialize.podSecurityContext` | Pod-level security settings. | |
| `hooks.databaseInitialize.containerSecurityContext` | Container-level security settings. | |
TLS Generation
The TLS generation hook is a Helm pre-install hook that is responsible for generating the TLS certificates used for connections between the Immuta pods.

| Parameter | Description | Default |
|---|---|---|
| `hooks.tlsGeneration.hookAnnotations."helm.sh/hook-delete-policy"` | Delete policy for the TLS generation hook. | `"before-hook-creation,hook-succeeded"` |
| `hooks.tlsGeneration.resources` | Container resources. | `{}` |
| `hooks.tlsGeneration.serviceAccountAnnotations` | Annotations for the TLS generation hook ServiceAccount. | `{}` |
| `hooks.tlsGeneration.nodeSelector` | Node selector for pods. | `{"kubernetes.io/os": "linux"}` |
| `hooks.tlsGeneration.tolerations` | Tolerations for pods. | `nil` |
| `hooks.tlsGeneration.podSecurityContext` | Pod-level security settings. | |
| `hooks.tlsGeneration.containerSecurityContext` | Container-level security settings. | |
Cache
| Parameter | Description | Default |
|---|---|---|
| `cache.type` | Type to use for the cache. Valid values: `memcached`. | `memcached` |
| `cache.replicas` | Number of replicas. | `1` |
| `cache.resources` | Container resources. | `{}` |
| `cache.nodeSelector` | Node selector for pods. | `{"kubernetes.io/os": "linux"}` |
| `cache.podSecurityContext` | SecurityContext for cache Pods. | `{"runAsUser": 65532}` |
| `cache.containerSecurityContext` | Container-level security settings. | `{}` |
| `cache.updateStrategy` | UpdateStrategy spec for cache workloads. | `{}` |
| `cache.tolerations` | Tolerations for pods. | `nil` |
| `cache.memcached.image.registry` | Image registry for the Memcached image. | Value from `global.imageRegistry` |
| `cache.memcached.image.repository` | Image repository for the Memcached image. | `memcached` |
| `cache.memcached.image.tag` | Image tag for the Memcached image. | `1.6-alpine` |
| `cache.memcached.image.digest` | Image digest for the Memcached image, in the format `sha256:<DIGEST>`. | |
| `cache.memcached.imagePullPolicy` | Image pull policy. | Value from `imagePullPolicy` |
| `cache.memcached.maxItemMemory` | Limit for max item memory in the cache (in MB). | `64` |
Deploy Tools
| Parameter | Description | Default |
|---|---|---|
| `deployTools.image.registry` | Image registry for the Immuta deploy tools image. | Value from `global.imageRegistry` |
| `deployTools.image.repository` | Image repository for the Immuta deploy tools image. | `immuta/immuta-deploy-tools` |
| `deployTools.image.tag` | Image tag for the Immuta deploy tools image. | `2.4.3` |
| `deployTools.image.digest` | Image digest for the Immuta deploy tools image, in the format `sha256:<DIGEST>`. | |
| `deployTools.imagePullPolicy` | Image pull policy. | Value from `imagePullPolicy` |
Ingress Controller
| Parameter | Description | Default |
|---|---|---|
| `nginxIngress.enabled` | Enable the nginx ingress deployment. | `true` |
| `nginxIngress.podSecurityContext` | Pod-level security settings. | `{}` |
| `nginxIngress.containerSecurityContext` | Container-level security settings. | `{capabilities: {drop: [ALL], add: [NET_BIND_SERVICE]}, runAsUser: 101}` |
| `nginxIngress.controller.image.registry` | Image registry for the Nginx Ingress controller image. | Value from `global.imageRegistry` |
| `nginxIngress.controller.image.repository` | Image repository for the Nginx Ingress controller image. | `ingress-nginx-controller` |
| `nginxIngress.controller.image.tag` | Image tag for the Nginx Ingress controller image. | `v1.1.0` |
| `nginxIngress.controller.image.digest` | Image digest for the Nginx Ingress controller image, in the format `sha256:<DIGEST>`. | |
| `nginxIngress.controller.imagePullPolicy` | ImagePullPolicy for the Nginx Ingress controller container. | `{{ .Values.imageTag }}` |
| `nginxIngress.controller.imageRepository` (deprecated) | Use `nginxIngress.controller.image.registry` and `nginxIngress.controller.image.repository`. | `nil` |
| `nginxIngress.controller.imageTag` (deprecated) | Use `nginxIngress.controller.image.tag`. | `nil` |
| `nginxIngress.controller.service.annotations` | Used to set arbitrary annotations on the Nginx Ingress Service. | `{}` |
| `nginxIngress.controller.service.type` | Controller service type. | `LoadBalancer` |
| `nginxIngress.controller.service.isInternal` | Whether to use an internal ELB. | `false` |
| `nginxIngress.controller.service.acmCertArn` | ARN of the ACM certificate. | |
| `nginxIngress.controller.replicas` | Number of controller replicas. | `1` |
| `nginxIngress.controller.minReadySeconds` | Minimum ready seconds. | `0` |
| `nginxIngress.controller.electionID` | Election ID for the nginx ingress controller. | `ingress-controller-leader` |
| `nginxIngress.controller.hostNetwork` | Run the nginx ingress controller on the host network. | `false` |
| `nginxIngress.controller.config.proxy-read-timeout` | Controller proxy read timeout. | `300` |
| `nginxIngress.controller.config.proxy-send-timeout` | Controller proxy send timeout. | `300` |
| `nginxIngress.controller.podAnnotations` | Additional annotations to apply to nginx ingress controller pods. | `{}` |
| `nginxIngress.controller.podLabels` | Additional labels to apply to nginx ingress controller pods. | `{}` |
| `nginxIngress.controller.nodeSelector` | Node selector for nginx ingress controller pods. | `{"kubernetes.io/os": "linux"}` |
| `nginxIngress.controller.tolerations` | Tolerations for nginx ingress controller pods. | `nil` |
| `nginxIngress.controller.resources` | Container resources. | `{}` |
Memcached
Deprecation Warning: the following values are deprecated. Values should be migrated to `cache` and `cache.memcached`. See Cache for the replacement values.

| Parameter | Description | Default |
|---|---|---|
| `memcached.pdbMinAvailable` | Minimum PDB available. | `1` |
| `memcached.maxItemMemory` | Limit for max item memory in the cache (in MB). | `64` |
| `memcached.resources` | Container resources. | `{requests: {memory: 64Mi}}` |
| `memcached.podAnnotations` | Additional annotations to apply to memcached pods. | `{}` |
| `memcached.podLabels` | Additional labels to apply to memcached pods. | `{}` |
| `memcached.nodeSelector` | Node selector for memcached pods. | `{"kubernetes.io/os": "linux"}` |
| `memcached.tolerations` | Tolerations for memcached pods. | `nil` |