You are viewing documentation for Immuta version 2.8.

Helm Installation Prerequisites

Audience: System Administrators

Content Summary: This page outlines the prerequisites for installing Immuta with Helm.

Software Versions

Helm and Immuta's Helm Chart

Immuta uses Helm to manage and orchestrate Kubernetes deployments.

  • Helm 2.16+ is supported only for current Immuta installations.
  • New installations of Immuta must use the latest version of Helm 3 and Immuta's latest Chart.

The table below shows the supported combinations of Helm, Immuta's Chart, and Immuta versions.

Immuta Helm Chart Version | Supported Helm Versions | Supported Immuta Versions
4.3.x | 2.16.0+ or 3.0.0+ | 2.6.0+
4.2.x | 2.9.0+ or 3.0.0+ | 2.5.0+
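
A preflight check for the Helm and Chart combinations in the table above, written here as an added example (it is not part of Immuta's chart or documentation). The function names are hypothetical, and the second argument is the string printed by `helm version --short` (with `--client` on Helm 2).

```shell
#!/bin/sh
# Added example: encodes the support table and the new-vs-current rule from this page.

# normalize_helm_version: reduce `helm version --short` output to MAJOR.MINOR.PATCH.
# Helm 3 prints e.g. "v3.12.3+g3a31588"; Helm 2 prints "Client: v2.16.12+g47f0b88".
normalize_helm_version() {
  printf '%s\n' "$1" | sed -e 's/^Client: *//' -e 's/^v//' -e 's/[+-].*$//'
}

# version_ge A B: succeed when dotted version A >= B, compared numerically per field.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# helm_supported CHART_VERSION HELM_VERSION_OUTPUT INSTALL_TYPE
# INSTALL_TYPE is "new" or "existing". Returns 0 if supported, 1 if not,
# 2 if the chart version is not in the table.
helm_supported() {
  helm_v=$(normalize_helm_version "$2")
  case "$1" in
    4.3.*) min_helm2=2.16.0 ;;
    4.2.*) min_helm2=2.9.0 ;;
    *) echo "chart $1 is not in the support table" >&2; return 2 ;;
  esac
  case "$helm_v" in
    3.*) version_ge "$helm_v" 3.0.0 ;;
    2.*)
      # New installations must use Helm 3; Helm 2 is for current installations only.
      [ "$3" = existing ] || return 1
      version_ge "$helm_v" "$min_helm2" ;;
    *) return 1 ;;
  esac
}

# Usage (assumes helm is on PATH):
#   helm_supported 4.3.1 "$(helm version --short)" new && echo "supported"
```
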

Storage

Database Backups

Database backups for the metadata database and Query Engine may be stored in either cloud-based blob storage or a Persistent Volume in Kubernetes.

Backups may be stored using one of the following cloud-based blob storage services:

  • AWS S3
    • Supports authentication via AWS Access Key ID / Secret Key, IAM Roles via kube2iam or kiam, or IAM Roles in EKS.
  • Azure Blob Storage
    • Supports authentication via Azure Storage Key or Azure SAS Token.
  • Google Cloud Storage
    • Supports authentication via Google Service Account Key.

Using Persistent Volumes

Backups may be stored in a Kubernetes Persistent Volume. The Persistent Volume must be backed by a storage technology that supports the "ReadWriteMany" access mode.

RBAC

The Immuta Helm Chart supports RBAC and will try to create all needed RBAC roles by default.

Ingress

Immuta needs Ingress for two services:

  1. Immuta Web Service (HTTP)
  2. Immuta Query Engine (TCP)

The Immuta Helm Chart creates Ingress resources for HTTP services (the Immuta Web Service), but because of limitations with Kubernetes Ingress resources, TCP ingress must be configured separately. The configuration for TCP ingress depends on the Ingress Controller that you are using in your cluster. Immuta recommends that you use the Nginx Ingress Controller because it supports both HTTP and TCP ingress.

To simplify the configuration for cluster Ingress, the Immuta Helm Chart contains an optional Nginx Ingress component that may be used to configure an Nginx Ingress Controller dedicated to Immuta. Contact your Immuta Support Professional for more information.

Worker Node Size

Immuta’s suggested minimum node size is the equivalent of an AWS m5.large (2 vCPU, 8 GB RAM, >128 GB persistent disk). The default Immuta Helm deployment requires at least 3 nodes. Smaller deployments are possible by decreasing the replica count for each Immuta component, but this is not recommended.

TLS Certificates

All Immuta services use TLS certificates to enable communication over HTTPS. To support many configurations, the Immuta Helm Chart can configure internal and external communication independently. If TLS is enabled, by default, a certificate authority will be generated and then used to sign a certificate for both internal and external communications. See Enabling TLS for instructions on configuring TLS.

Internal HTTPS communication refers to all communication between Immuta services. External HTTPS communication refers to communication between clients and the Immuta Query Engine and Web Service, which is configured using a Kubernetes Ingress resource.