Configuring TIBCO Control Plane Helm Chart Values

Before you install TIBCO Control Plane Helm charts, you must configure the different values specific to your environment, such as service account, certificates, and storage. These values are used by TIBCO Control Plane during deployment.

Configuring tibco-cp-base Helm Chart Values

The sample tibco-cp-base Helm Chart Values YAML file is available in the GitHub Repository. Update the file with the values specific to your environment. Refer to the following table for more information about parameters in the values file.

Before you begin
  • You must create the secret required for the chart. The default secret name is session-keys, and the key names are TSC_SESSION_KEY and DOMAIN_SESSION_KEY, as referenced in values.yaml.

    Run this command to create the session-keys secret with random 32-character alphanumeric keys:

    kubectl create secret generic session-keys -n <Control_Plane_Namespace> \
      --from-literal=TSC_SESSION_KEY=$(openssl rand -base64 48 | tr -dc A-Za-z0-9 | head -c32) \
      --from-literal=DOMAIN_SESSION_KEY=$(openssl rand -base64 48 | tr -dc A-Za-z0-9 | head -c32)

    To use a different secret for TSC_SESSION_KEY and DOMAIN_SESSION_KEY, or different secret or key names, pass them as values when installing the tibco-cp-base chart:

    --set router-operator.tscSessionKey.secretName=session-key-tsc --set router-operator.tscSessionKey.key=TSC_SESSION_KEY_NEW --set router-operator.domainSessionKey.secretName=session-key-domain --set router-operator.domainSessionKey.key=DOMAIN_SESSION_KEY_NEW
  • You must create the secret required by the tibco-cp-base chart in the Control Plane namespace. The default secret name referenced by the values file is cporch-encryption-secret. The secret name and the key inside it are controlled by the following entries in values.yaml.

    cpEncryptionSecretName: "cporch-encryption-secret"
    cpEncryptionSecretKey: "CP_ENCRYPTION_SECRET"

    Sample file to create secret:

    apiVersion: v1
    data:
      CP_ENCRYPTION_SECRET: cmFuZC1Lbkt6cVR5d0xqeTZnZU5CUGdZdGtJaE5qODNSQ3RwaXhZRXhPM3JTU2xKcw==
    kind: Secret
    metadata:
      name: cporch-encryption-secret
      namespace: cp1-ns
    type: Opaque

    Run this command to create the cporch-encryption-secret secret:

    kubectl create secret -n <Control_Plane_Namespace> generic cporch-encryption-secret --from-literal=CP_ENCRYPTION_SECRET=$(openssl rand -base64 48 | tr -dc A-Za-z0-9 | head -c44)
  • For an SSL-enabled database, you must create a secret to store the database SSL certificate before deploying the tibco-cp-base Helm chart. For more information, see Creating Kubernetes Secret for Database TLS Connection.
  • You must have access to an email service to send emails from TIBCO Control Plane. Currently, TIBCO Control Plane supports Amazon SES, SMTP, SendGrid, and Microsoft Graph.

  • If you are using the Amazon SES email service, you must have configured from and reply to email address. For more information, see Amazon SES documentation.
  • If you are using Microsoft Azure's Graph API as an email service, you must have registered an App of type single tenant under Microsoft Entra and granted it the Application Permission Mail.Send.

    1. Register a new App under Entra Admin Center of type “Accounts in this organizational directory only (single tenant)”. There is no need for a redirect URI because there is no user interaction.

    2. In the app's Manage / API Permissions menu, add an Application Permission under the Graph API section. The only required permission is Mail.Send. You must grant admin consent for your organization to the app.

    3. Under Certificates and secrets, establish the credentials for this app. You can choose between certificates (public-private key pairs) or client secrets.

    4. Provide the app details in the Helm chart values as specified in the following table.

Refer to the following table to learn more about the parameters used in the preceding values.yaml file.

Parameter Required? Description

Global Configuration
adminHostPrefix: "admin" Optional

The Platform Console hostname is configurable using the adminHostPrefix Helm value. Previously, this value was hardcoded as "admin". The Platform Console hostname can be set only once, during installation.

Default: admin

Resulting hostname format will be: <adminHostPrefix>.<dnsDomain>

The adminHostPrefix must follow the same validation rules as any Control Plane host prefix:

  • Allowed characters: Only lowercase letters (a–z), digits (0–9), and hyphens (-).

  • Cannot start or end with a hyphen. Must begin and end with a letter or digit.

  • Maximum length: 63 characters.

  • Minimum length: 1 character.

  • Case-insensitive: Uppercase letters are automatically converted to lowercase.

  • Whitespace ignored: Leading and trailing spaces are trimmed automatically.

  • Reserved names: The value admin is reserved and cannot be used as a host prefix.

Control plane host prefix can no longer be set to "admin" as "admin" is reserved for the Platform Console.

hybridConnectivity

enabled: true

Optional

Enables or disables hybrid connectivity. Disable it only when the Data Plane is reachable directly from the Control Plane. This setting applies to all Data Planes registered in the Control Plane.

By default this is set to true.

Note: Disabling hybrid connectivity is applicable for new Control Plane installation. Upgrading from earlier version to TIBCO Control Plane 1.15 with hybrid connectivity disabled is not supported.
serviceAccount Optional Specify the service account name used for deploying TIBCO Control Plane components in your cluster. If not set, the chart creates a service account control-plane-sa. If you specify a service account and set rbac.infra=false, it is your responsibility to apply the necessary RBACs for the service account.

rbac:

infra: true

Mandatory Set this to true to create RBAC resources for the service account (ClusterRole and RoleBinding). Set it to false if the service account already has the required RBACs. By default this is set to true.

rbac.ingressController.kong

rbac.ingressController.traefik

Optional

When you set rbac.ingressController.kong=true:

  • In TIBCO BusinessWorks Container Edition and TIBCO Flogo capabilities role definition, Kong resources will be added under rules. You can use Kong Ingress Controller.

When you set rbac.ingressController.kong=false:

  • In the TIBCO BusinessWorks Container Edition and TIBCO Flogo capabilities role definition, Kong resources are not added under rules. You cannot use the Kong ingress controller, but you can use other ingress controllers such as Traefik or NGINX.

You can use this parameter in the same way for other ingress controllers.

Parameters for Container Registry for TIBCO Components

containerRegistry:
  certificateSecret:
  password:
  repository:
  url:
  username:
Mandatory

These are the values required to pull TIBCO component images from the JFrog repository. The account owner must get these values by signing in to the TIBCO Operated Control Plane environment.

If you want to use a custom container registry, you must specify the details of your private registry. You must also download all TIBCO component images and push them to your registry.

(Optional) If the custom container registry is configured with a custom certificate, specify the name of the secret that contains the registry's custom certificate. For more information about creating a Kubernetes secret with a custom certificate, see Using Custom Certificate.

createNetworkPolicy Optional Flag to enable or disable the creation of default network policies for TIBCO Control Plane namespace. The default value is false.
manageDbSchema Optional

Flag to enable or disable database jobs (upgrade and cleanup).

Set this to false to disable DB script execution if you want to run scripts manually outside of the chart. Default value is true.

If set to false, the chart does not manage database schemas. You must use the script provided in GitHub repository to create, upgrade, and delete databases externally. For more information, see PostgreSQL Database Management Script.

controlPlaneInstanceId: "" Mandatory

This identifies multiple TIBCO Control Plane installations in the same cluster. The maximum length is five characters.

Example: prod, stag

Proxy Configuration

proxy:

httpProxy: ""

httpsProxy: ""

noProxy: ""

Optional Proxy configuration used by the TIBCO BusinessWorks 6 (Containers) and TIBCO Flogo charts when pulling and extracting images on TIBCO Control Plane.

fluentbit:

enabled: true

Mandatory

Enable or disable Fluentbit sidecar deployment for log processing.

By default, Fluentbit log processing is enabled. If you disable this option, the logs from the Control Plane are not captured and forwarded to the log processor configured in the observability resource.

If your organization's current infrastructure already captures logs from all workloads, then you can disable this feature to reduce resource consumption.

db_ssl_root_cert_secretname Mandatory for SSL enabled database

Kubernetes secret name, which contains the certificate details for SSL connection to the database.

For more information about creating secret, see Creating Kubernetes Secret for Database TLS Connection.

db_ssl_root_cert_filename Mandatory for SSL enabled database

SSL certificate filename

Example: db_ssl_root.cert

Database details

db_host

Mandatory

Database host address

Example: platform-postgres-fs6b8-4cphb.cdqjgaolpoo0.us-west-2.rds.amazonaws.com

db_name

Mandatory

Database name

Example: postgres

db_port

Mandatory

Database port number

Example: 5432

db_username

Optional

Username to access the database

db_password

Optional

Password to access the database

db_secret_name

Mandatory

Database secret name which stores user credentials

Example: provider-cp-database-credentials

db_ssl_mode Optional

If you are connecting to a database instance over SSL, specify the DB SSL mode value.

Default: disable

Example: verify-full

For an SSL-enabled database, you must create a secret to store the database SSL certificate before deploying the tibco-cp-base Helm chart. For more information, see Creating Kubernetes Secret for Database TLS Connection.

Email Service Configuration
emailServerType Optional

Type of email service you have set up for email notifications.

Supported values:

  • smtp

  • ses

  • sendgrid

  • graph

Default: SES

emailServer:
  ses:
    arn: ""

Mandatory if the type of email service is ses

If emailServerType is ses, then you must specify this value.

Amazon Resource Name (ARN) for Amazon SES.

Example: arn:aws:ses:us-east-1:123456789012:identity/user@example.com

emailServer:
  smtp:
    server: ""
    port: "25"
    username: ""
    password: ""
    customCertsSecretName: ""
    insecureSkipVerifyTls: "false"
Mandatory if type of email service is smtp

If emailServerType is smtp, then you must specify these values:

  • SMTP server address.

  • SMTP port (optional)

  • SMTP username (if applicable)

  • SMTP password (if applicable)

The default port value is 25. Use a port ending in 465 or 443 for TLS connections. Otherwise, the client switches to TLS connection if the server supports the STARTTLS command.

Set the customCertsSecretName to the name of the secret containing SMTP TLS certificates. This option is only required for certificates which are not issued by well-known CAs. Both PEM and DER formats are supported.

In limited, controlled environments, you can use the insecureSkipVerifyTls option to bypass TLS certificate validation. This option can be used if the certificate is invalid and explicitly trusting it by adding it to the secret does not help. The encryption then protects you from a passive observer but not from an active man-in-the-middle attack. It is insecure and must not be used in production.

emailServer:
  graph:
    clientDetailsSecretName: name
Mandatory if type of email service is graph

Details for calling the graph API should be specified inside a Kubernetes secret. The clientDetailsSecretName has the name of the Kubernetes secret in the same namespace as TIBCO Control Plane. Expected keys in the secret or its JSON content are:

  • tenant_id – required value from Azure
  • client_id – required id of the App
  • private_key – preferred alternative of client’s credentials; in either PEM or DER format
  • x509_cert – required if private_key is provided; in either PEM or DER format
  • client_secret – one alternative of client’s credentials, the other being private_key

For creating Kubernetes secret and rotating client’s credentials, see Providing and Updating Graph API Details in a Kubernetes Secret.
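As an added example (not from the TIBCO documentation), the POSIX shell function below writes the Secret manifest that emailServer.graph.clientDetailsSecretName points at, using the direct-key form and enforcing the rules in the list above: tenant_id and client_id are required, and the credential is either private_key with a mandatory x509_cert or a client_secret, never both. The function name, the secret name graph-client-details and every value in the demo call are constructed.

```shell
#!/bin/sh
# Added example, not part of the TIBCO charts. Assumes POSIX sh with base64.

# Base64-encode stdin on a single line, as Secret data values require.
b64() { base64 | tr -d '\n'; }

# Usage: graph_secret_manifest <name> <namespace> <tenant_id> <client_id> \
#            [-k <private_key_file> -c <x509_cert_file>] [-s <client_secret>]
# Prints the manifest on stdout and returns 0; prints a reason on stderr and
# returns 1 if the credential combination is not one of the two allowed forms.
graph_secret_manifest() {
  name=$1 ns=$2 tenant=$3 client=$4; shift 4
  keyfile= certfile= secret=
  while [ $# -gt 0 ]; do
    case $1 in
      -k) keyfile=$2; shift 2 ;;
      -c) certfile=$2; shift 2 ;;
      -s) secret=$2; shift 2 ;;
      *)  echo "unknown option $1" >&2; return 1 ;;
    esac
  done
  if [ -z "$tenant" ] || [ -z "$client" ]; then
    echo "tenant_id and client_id are required" >&2; return 1
  fi
  if [ -n "$keyfile" ] && [ -n "$secret" ]; then
    echo "use either private_key or client_secret, not both" >&2; return 1
  elif [ -n "$keyfile" ]; then
    if [ -z "$certfile" ]; then
      echo "x509_cert is required when private_key is provided" >&2; return 1
    fi
  elif [ -z "$secret" ]; then
    echo "one of private_key or client_secret is required" >&2; return 1
  fi
  printf 'apiVersion: v1\nkind: Secret\ntype: Opaque\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n' "$name" "$ns"
  printf '  tenant_id: %s\n' "$(printf '%s' "$tenant" | b64)"
  printf '  client_id: %s\n' "$(printf '%s' "$client" | b64)"
  if [ -n "$keyfile" ]; then
    # PEM or DER files are both accepted by the chart; embed them verbatim.
    printf '  private_key: %s\n' "$(b64 < "$keyfile")"
    printf '  x509_cert: %s\n' "$(b64 < "$certfile")"
  else
    printf '  client_secret: %s\n' "$(printf '%s' "$secret" | b64)"
  fi
}

# Constructed demo: the client_secret variant, in the cp1-ns namespace used
# by the sample Secret earlier on this page.
graph_secret_manifest graph-client-details cp1-ns \
  00000000-0000-0000-0000-000000000000 11111111-1111-1111-1111-111111111111 \
  -s 'constructed-client-secret'
```

Pipe the output to kubectl apply -f - to create the secret, or compare it against an existing one before rotating credentials.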

emailServer:
  graph:
    skipSentFolder: boolean
Optional This property controls whether non-sensitive emails are saved in the Sent folder. By default, the Graph API leaves a copy of each email in the Sent folder. Sensitive emails from TIBCO Control Plane, for example password resets or invites with activation links, never appear in the Sent folder. The operator can control the behavior for non-sensitive emails, for example alerts.
emailServer:
  sendgrid:
    apiKey: ""
Mandatory if type of email service is sendgrid Key to authenticate access to SendGrid email services. You must specify this if you are using the SendGrid email service.
fromAndReplyToEmailAddress Mandatory From and reply-to email address used by the email service.
cronJobReportsEmailAlias Optional Cron Job reports are sent to this email alias if configured.
platformEmailNotificationCcAddresses Optional Optional email addresses to mark as CC on subscription email notifications.
TIBCO Platform Console Administrator user details

admin:
  email:

Mandatory Email address of the administrator user.

admin:
  firstname:

Mandatory First name of the administrator user.

admin:
  lastname:

Mandatory Last name of the administrator user.

admin:
  customerID:

Mandatory The account owner must get this ID by signing in to the TIBCO Operated Control Plane environment. The ID is available in the Settings > Account Details section.
adminInitialPassword: "" Optional Admin user does not receive an activation email whether the email service is configured or not. This is the temporary password you can specify for initial login to TIBCO Platform Console. If the password is not set during deployment, you can retrieve the password for the first admin user by using steps mentioned in Signing in to TIBCO Platform Console.
enable_api_based_initialization Optional

Flag to enable or disable API-based initialization for Platform Console Subscription provisioning.

Set this to true to enable API-based initialization.

Default value is false.

If set to true, the Platform Console Subscription is not provisioned automatically. You must provision it explicitly via the API, using Basic Authorization with the credentials configured in the settings above.

Warning: If enabled, logging in via the browser before provisioning the Platform Console Subscription will disable API-based initialization. You must re-deploy Control Plane to restore it.
Common Parameters
dnsTunnelDomain Mandatory

Domain to be used by the tunnel in the Data Plane to connect to TIBCO Control Plane.

Both dnsDomain and dnsTunnelDomain can use the same DNS domain; previously, two separate domains were required. They can also differ if you want to separate web and tunnel traffic.

Example (Same as dnsDomain): cp.company.com

Example (Different from dnsDomain): tunnel.company.com

dnsDomain Mandatory

Domain to be used for accessing TIBCO Control Plane.

TIBCO Control Plane owns the first-level subdomain; it no longer owns the first three subdomain levels. Here, company.com represents your own base domain.

Example: cp.company.com

DNS Records Examples:

Platform Console: admin.cp.company.com

Control Plane subscription1: dev.cp.company.com

Control Plane subscription2: stag.cp.company.com

Here dev and stag are unique host prefixes for subscriptions.

Important: You must not create other DNS records at this first level that conflict with Control Plane prefixes, as this may cause service disruption and instability.
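As an added example (not from the TIBCO documentation), the POSIX shell functions below implement the host-prefix rules listed under adminHostPrefix and print the DNS records described above for a dnsDomain, the Platform Console prefix and a set of subscription prefixes, rejecting invalid, reserved or duplicate prefixes before any record is created. The function names and the cp.company.com values are constructed; the rule set is the one on this page.

```shell
#!/bin/sh
# Added example, not part of the TIBCO charts. Assumes POSIX sh with sed and tr.

# Normalize and validate one subscription host prefix. Prints the normalized
# prefix and returns 0 on success; prints the reason to stderr and returns 1.
validate_host_prefix() {
  # Whitespace is ignored and the value is case-insensitive: trim, then lowercase.
  p=$(printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z')
  if [ "${#p}" -lt 1 ] || [ "${#p}" -gt 63 ]; then
    echo "host prefix '$p' must be 1 to 63 characters" >&2; return 1
  fi
  case "$p" in
    *[!a-z0-9-]*) echo "host prefix '$p' may only contain a-z, 0-9 and '-'" >&2; return 1 ;;
    -*|*-)        echo "host prefix '$p' must not start or end with '-'" >&2; return 1 ;;
    admin)        echo "'admin' is reserved for the Platform Console" >&2; return 1 ;;
  esac
  printf '%s\n' "$p"
}

# Print the DNS names a deployment needs under <dnsDomain>: the Platform Console
# record (<adminHostPrefix>.<dnsDomain>, default admin) and one record per
# subscription prefix. Returns 1 if any prefix is invalid or collides with an
# earlier one, so nothing is created for a conflicting set.
# Usage: dns_records <dnsDomain> <adminHostPrefix> <prefix>...
dns_records() {
  domain=$1; console=$2; shift 2
  seen=" $console "
  printf '%s.%s\n' "$console" "$domain"
  for raw in "$@"; do
    p=$(validate_host_prefix "$raw") || return 1
    case "$seen" in
      *" $p "*) echo "host prefix '$p' conflicts with an existing record" >&2; return 1 ;;
    esac
    seen="$seen$p "
    printf '%s.%s\n' "$p" "$domain"
  done
}

# Constructed usage: the dev and stag subscriptions from the examples above.
dns_records cp.company.com admin dev stag
```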

clusterInfo:
  nodeCIDR:
  podCIDR:
  serviceCIDR:

Mandatory

nodeCIDR (NodeIPCIDR) is the IP range of the node VPC or the VNet address space (CIDR notation).

Example: 10.180.0.0/16

podCIDR (PodIPCIDR) is the IP range of the Pod IP CIDR (CIDR notation).

Example: 192.168.0.0/16

serviceCIDR is the IP range of the Service CIDR (CIDR notation).

The default value for serviceCIDR is 172.20.0.0/16.

Log server Configuration Values
endpoint Optional The URL of the network proxy that provides access to the Elasticsearch endpoint URL
username Optional Username to connect to the Elasticsearch server
index Optional Specify the name of the index that matches the patterns of the Index template definition created on your Elasticsearch server
password Optional Password to connect to the Elasticsearch server
Storage Configuration
pvcName Optional

You can specify the PersistentVolumeClaim (PVC) in one of the following ways:

1. Use an existing PVC: Uncomment pvcName and specify the name of the PVC you want to use, and ensure that volumeName and storageClassName remain commented.

2. Use a custom name for the default PVC: If you want to rename the default PVC created by the TIBCO charts (control-plane-pvc), uncomment pvcName and specify the custom PVC name.

storageClassName Mandatory

To create or use a volumeName, uncomment storageClassName and set it to a value that matches the volume.

Note: TIBCO Control Plane needs a shared storage.

To use default storageClass, keep the storageClassName key commented.

To use preconfigured storageClass, uncomment storageClassName and pass the value.

Example: efs-sc

volumeName Optional Specify the volume name
MCP Server documentation
web-server:
  cpmcpserver:
    enabled: false
Optional

To deploy TIBCO Control Plane MCP server, set enabled: true.

By default MCP server is not deployed.

tp-cp-o11y:
  o11ymcpserver:
    enabled: false
Optional

To deploy Observability MCP server, set enabled: true.

By default MCP server is not deployed.

bw-webserver:
  bwmcpserver:
    enabled: false
Optional

To deploy BW5 (Containers) or BW6 (Containers) MCP server, set enabled: true.

By default MCP server is not deployed.

flogo-webserver:
  mcpserver:
    enabled: false
Optional

To deploy TIBCO Flogo MCP server, set enabled: true.

By default MCP server is not deployed.

Configuration for Ingress and Load Balancer

The following configurations must be done in the hybrid-proxy and router-operator chart values. ClusterIP services are enabled by default for hybrid proxy and router. If required, Ingress must be explicitly enabled for both. The service type for hybrid proxy can be set to LoadBalancer. For more information about Kubernetes Services, see the Kubernetes documentation. Refer to the following table for more information about the configuration parameters for both hybrid proxy and router.

Hybrid Proxy and Router service Configuration

Parameter Required? Default Description

service:
  enabled: true

Mandatory true Enables the creation of a Service.

type: ClusterIP

Mandatory ClusterIP Type of service.

type: LoadBalancer
loadBalancerIP: 1.2.3.4
loadBalancerSourceRanges: []
loadBalancerClass: ""

Yes when type is LoadBalancer

Load balancer class name, and IP address and source ranges for the load balancer.

loadBalancerIP, loadBalancerSourceRanges, loadBalancerClass, allocateLoadBalancerNodePorts, externalTrafficPolicy and internalTrafficPolicy are only applicable when type: LoadBalancer.

allocateLoadBalancerNodePorts: false

(Applicable only when type is load balancer.)

Optional true You can optionally disable NodePort allocation for a Service of type LoadBalancer by setting this field to false. Use this only for load balancer implementations that route traffic directly to pods instead of node ports.

externalTrafficPolicy: Cluster

(Applicable only when type is load balancer.)

Optional Cluster By default, a Service of type LoadBalancer is created with externalTrafficPolicy: Cluster unless another value is explicitly set. Possible values are Cluster or Local.
annotations: {} Optional   Additional annotations for the network load balancer service.
internalTrafficPolicy: Cluster Optional Local By default, when deployed in daemonset mode, the Service is created with internalTrafficPolicy: Local unless another value is explicitly set. Setting internalTrafficPolicy: Cluster on a daemonset is not recommended.

Hybrid Proxy and Router ingress Configuration

For more information about Kubernetes ingress, see Kubernetes documentation.

ingress:
  enabled: false

Optional false

Set this value to true to enable ingress.

annotations: {} Optional   Annotations to apply to the ingress
ingressClassName Mandatory if ingress is enabled

Ingress Controller class name

Example: traefik

For more information about ingress resource fields, see Kubernetes documentation.

additionalIngresses: [] Optional  

Additional ingresses are only created if ingress.enabled is true. This is useful when differently annotated ingress resources are required. Each additional ingress needs a key "name" set to a unique value.