Configuring TIBCO Control Plane Helm Chart Values

Before you install TIBCO Control Plane Helm charts, you must configure the different values specific to your environment, such as service account, certificates, and storage. These values are used by TIBCO Control Plane during deployment.

Configuring platform-bootstrap Helm Chart Values

The sample Platform Bootstrap Helm Chart Values YAML file is available in the GitHub Repository. Update the file with the values specific to your environment. Refer to the following table to learn more about the parameters used in the values.yaml file.

Each entry below lists the parameter, whether it is required, its default value (if any), and a description.

fluentbit.enabled
Required: Mandatory. Default: true.

Enable or disable the Fluent Bit sidecar deployment for log processing.

By default, Fluent Bit log processing is enabled. If you disable this option, the logs from the Control Plane are not captured and forwarded to the log processor configured in the observability resource.

If your organization's current infrastructure already captures logs from all workloads, you can disable this feature to reduce resource consumption.

serviceAccount
Required: Optional.

Specify the service account name used for deploying TIBCO Control Plane components in your cluster. If not set, the chart creates a service account named control-plane-sa. If you specify a service account and set rbac.infra=false, it is your responsibility to apply the necessary RBAC resources for that service account.

rbac.infra
Required: Mandatory. Default: true.

Set this to true to create RBAC resources for the service account (ClusterRole and RoleBinding). Set it to false if the RBAC resources for the service account already exist.

rbac.ingressController.kong
rbac.ingressController.traefik
Required: Optional. Default: true.

When you set rbac.ingressController.kong=true:

  • Kong resources are added under rules in the role definition for the TIBCO BusinessWorks Container Edition and TIBCO Flogo capabilities. You can use the Kong Ingress Controller.

When you set rbac.ingressController.kong=false:

  • Kong resources are not added under rules in the role definition for the TIBCO BusinessWorks Container Edition and TIBCO Flogo capabilities. You cannot use the Kong Ingress Controller, but you can use other ingress controllers such as Traefik or NGINX.

The parameter works the same way for the other ingress controllers, for example rbac.ingressController.traefik.

Parameters for Container Registry for TIBCO Components

containerRegistry.url
containerRegistry.username
containerRegistry.password
Required: Mandatory.

These values are required to pull TIBCO component images from the JFrog repository. The Account Owner must obtain these values by signing in to the TIBCO Operated Control Plane environment.

If you want to use a custom container registry, specify the details of your private registry. You must also download all TIBCO component images and push them to your registry.

Common Parameters

createNetworkPolicy
Required: Optional. Default: false.

Flag to enable or disable the creation of default network policies for the TIBCO Control Plane namespace.

controlPlaneInstanceId
Required: Mandatory.

Identifies multiple TIBCO Control Plane installations in the same cluster. The maximum length is five characters.

Example: prod, stag

dnsTunnelDomain
Required: Mandatory.

Domain used by the tunnel in the Data Plane to connect to TIBCO Control Plane.

dnsDomain
Required: Mandatory.

Domain used for accessing TIBCO Control Plane.

The value must be in the format: <cp-env-info>.<some-identifier>.example.com

TIBCO Control Plane owns the first three subdomains. Here, <cp-env-info> can be a region identifier or a unique word identifying the Control Plane environment, and <some-identifier> can be any unique word or identifier. example.com represents your own base domain; it can be deeper than the minimum two levels.

The Control Plane FQDN format is: <hostPrefix>.<cp-env-info>.<some-identifier>.<rest of domain>

<hostPrefix> is a unique identifier configured when provisioning a subscription.

For example: https://admin.us-west.my.example.com/

clusterInfo.nodeCIDR
clusterInfo.podCIDR
clusterInfo.serviceCIDR
Required: Mandatory.

nodeCIDR is the IP range of the node VPC or the VNet address space (CIDR notation).

Example: 10.180.0.0/16

podCIDR is the IP range of pod IPs (CIDR notation).

Example: 192.168.0.0/16

serviceCIDR is the IP range of the service network (CIDR notation).

The default value for serviceCIDR is 172.20.0.0/16.

Log Server Configuration Values

endpoint
Required: Optional.

The URL of the network proxy that provides access to the Elasticsearch endpoint URL.

username
Required: Optional.

Username to connect to the Elasticsearch server.

index
Required: Optional.

Name of the index that matches the patterns of the index template definition created on your Elasticsearch server.

password
Required: Optional.

Password to connect to the Elasticsearch server.

Storage Configuration Values

storageClassName
Required: Mandatory.

To create or use volumeName, uncomment storageClassName and set a value matching the volume.

To use the default storageClass, keep the storageClassName key commented.

To use a preconfigured storageClass, uncomment storageClassName and set its value.

Example: efs-sc

volumeName
Required: Optional.

Specify the volume name.

Proxy Configuration

proxy.httpProxy: ""
proxy.httpsProxy: ""
proxy.noProxy: ""
Required: Optional.

Proxy configuration used by the TIBCO BusinessWorks Container Edition and TIBCO Flogo charts when pulling and extracting images on TIBCO Control Plane.
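The constraints in the platform-bootstrap table above (instance id length, dnsDomain shape, valid and non-overlapping CIDRs, the serviceAccount/rbac.infra caveat, registry credentials) can be checked before running helm install. The following Python is an added example, not TIBCO's code; it assumes the values file has already been loaded into a dict (for example with yaml.safe_load), and the sample values are constructed.

```python
import ipaddress
from itertools import combinations

# Constructed platform-bootstrap values, as yaml.safe_load would return them;
# not the chart's own defaults. Several entries deliberately violate the table.
SAMPLE_VALUES = {
    "fluentbit": {"enabled": False},
    "serviceAccount": "my-cp-sa", "rbac": {"infra": False},
    "containerRegistry": {"url": "registry.example.com", "username": "svc", "password": ""},
    "controlPlaneInstanceId": "staging",
    "dnsTunnelDomain": "tunnel.us-west.my.example.com", "dnsDomain": "us-west.example.com",
    "clusterInfo": {"nodeCIDR": "10.180.0.0/16", "podCIDR": "10.180.128.0/17",
                    "serviceCIDR": "172.20.0.0/16"},
}


def check_bootstrap_values(values):
    """Return a list of findings for a platform-bootstrap values dict (empty = OK)."""
    findings = []
    inst = values.get("controlPlaneInstanceId") or ""
    if not 1 <= len(inst) <= 5:
        findings.append("controlPlaneInstanceId must be 1 to 5 characters")
    # <cp-env-info>.<some-identifier>.<base domain of at least two labels>
    if len([lbl for lbl in values.get("dnsDomain", "").split(".") if lbl]) < 4:
        findings.append("dnsDomain needs at least four labels")
    if not values.get("dnsTunnelDomain"):
        findings.append("dnsTunnelDomain is mandatory")
    cidrs = {}
    for key in ("nodeCIDR", "podCIDR", "serviceCIDR"):
        try:  # strict=True rejects a CIDR with host bits set
            cidrs[key] = ipaddress.ip_network(values.get("clusterInfo", {}).get(key, ""), strict=True)
        except ValueError:
            findings.append(f"clusterInfo.{key} is not a valid CIDR")
    for (a, na), (b, nb) in combinations(cidrs.items(), 2):
        if na.overlaps(nb):
            findings.append(f"clusterInfo.{a} overlaps clusterInfo.{b}")
    if values.get("serviceAccount") and values.get("rbac", {}).get("infra") is False:
        findings.append("serviceAccount set with rbac.infra=false: apply its ClusterRole/RoleBinding yourself")
    for key in ("url", "username", "password"):
        if not values.get("containerRegistry", {}).get(key):
            findings.append(f"containerRegistry.{key} is mandatory")
    if values.get("fluentbit", {}).get("enabled") is False:
        findings.append("fluentbit.enabled=false: Control Plane logs are not forwarded")
    return findings
```

Running check_bootstrap_values(SAMPLE_VALUES) reports six findings; an empty list means the values satisfy every rule the table states.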

Configuration for Ingress and Load Balancer

The following configurations must be done in hybrid-proxy and router-operator chart values. Cluster IP services are enabled by default for hybrid proxy and router. If required, Ingress must be explicitly enabled for both. The service type for hybrid proxy can be set to load balancer. For more information about Kubernetes Service, see Kubernetes documentation. Refer to the following table for more information about configuration parameters for both Hybrid proxy and router.

Hybrid Proxy and Router service Configuration

Each entry below lists the parameter, whether it is required, its default value (if any), and a description.

service.enabled
Required: Mandatory. Default: true.

Enables the creation of a Service.

service.type
Required: Mandatory. Default: ClusterIP.

Type of Service.

service.type: LoadBalancer
service.loadBalancerIP: 1.2.3.4
service.loadBalancerSourceRanges: []
service.loadBalancerClass: ""
Required: Yes when type is LoadBalancer.

Load balancer class name, and the IP address and source ranges for the load balancer.

loadBalancerIP, loadBalancerSourceRanges, loadBalancerClass, allocateLoadBalancerNodePorts, externalTrafficPolicy and internalTrafficPolicy apply only when type: LoadBalancer.

service.allocateLoadBalancerNodePorts: false (applicable only when type is LoadBalancer)
Required: Optional. Default: true.

You can optionally disable NodePort allocation for a Service of type LoadBalancer by setting this field to false. Use this only with load balancer implementations that route traffic directly to pods instead of node ports.

service.externalTrafficPolicy: Cluster (applicable only when type is LoadBalancer)
Required: Optional. Default: Cluster.

By default, a Service of type LoadBalancer is created with externalTrafficPolicy: Cluster unless another value is explicitly set. Possible values are Cluster or Local.

service.annotations: {}
Required: Optional.

Additional annotations for the network load balancer Service.

service.internalTrafficPolicy: Cluster
Required: Optional. Default: Local.

By default, the Service is created with internalTrafficPolicy: Local when the mode is daemonset, unless another value is explicitly set. Setting internalTrafficPolicy: Cluster on a daemonset is not recommended.

Hybrid Proxy and Router Ingress Configuration

For more information about Kubernetes Ingress, see Kubernetes documentation.

ingress.enabled
Required: Optional. Default: false.

Set this value to true to enable ingress.

ingress.annotations: {}
Required: Optional.

Annotations to apply to the Ingress.

ingress.ingressClassName
Required: Mandatory if ingress is enabled.

Ingress controller class name.

Example: nginx

For more information about Ingress resource fields, see Kubernetes documentation.

ingress.additionalIngresses: []
Required: Optional.

Additional ingresses are created only if ingress.enabled is true. This is useful when differently annotated Ingress resources are required. Each additional ingress needs a key "name" set to a unique value.
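The Service and Ingress tables above describe how the hybrid proxy and router are exposed, and which fields only take effect for type LoadBalancer. The following Python is an added example (not part of the TIBCO charts) that checks those values: a LoadBalancer Service with no loadBalancerSourceRanges, or one admitting every source, is flagged, fields the table marks LoadBalancer-only are reported when the type is something else, and the ingressClassName and unique "name" requirements are enforced. The sample values are constructed.

```python
import ipaddress

# Constructed hybrid-proxy/router values covering the Service and Ingress fields
# in the tables above; not the project's own chart defaults.
SAMPLE_EXPOSURE = {
    "service": {"enabled": True, "type": "LoadBalancer", "loadBalancerIP": "1.2.3.4",
                "loadBalancerSourceRanges": ["0.0.0.0/0"], "loadBalancerClass": "",
                "allocateLoadBalancerNodePorts": False, "externalTrafficPolicy": "Cluster"},
    "ingress": {"enabled": True, "ingressClassName": "",
                "additionalIngresses": [{"name": "public"}, {"name": "public"}, {}]},
}
# Fields the table says apply only when service.type is LoadBalancer.
LB_ONLY = ("loadBalancerIP", "loadBalancerSourceRanges", "loadBalancerClass",
           "allocateLoadBalancerNodePorts", "externalTrafficPolicy", "internalTrafficPolicy")


def check_exposure(values):
    """Return findings about how the hybrid proxy/router is exposed (empty = OK)."""
    findings = []
    svc, ing = values.get("service", {}), values.get("ingress", {})
    if svc.get("type") == "LoadBalancer":
        ranges = svc.get("loadBalancerSourceRanges") or []
        if not ranges:
            findings.append("loadBalancerSourceRanges is empty: any source can reach the load balancer")
        for r in ranges:
            try:
                net = ipaddress.ip_network(r, strict=False)
            except ValueError:
                findings.append(f"loadBalancerSourceRanges entry {r!r} is not a CIDR")
                continue
            if net.prefixlen == 0:
                findings.append(f"loadBalancerSourceRanges entry {r} admits every source")
        if svc.get("externalTrafficPolicy") not in (None, "Cluster", "Local"):
            findings.append("externalTrafficPolicy must be Cluster or Local")
        if svc.get("allocateLoadBalancerNodePorts") is False:
            findings.append("allocateLoadBalancerNodePorts=false: only for LBs that route straight to pods")
    else:
        findings += [f"service.{k} is ignored unless type is LoadBalancer" for k in LB_ONLY if k in svc]
    if ing.get("enabled"):
        if not ing.get("ingressClassName"):
            findings.append("ingressClassName is mandatory when ingress is enabled")
        names = [extra.get("name") for extra in ing.get("additionalIngresses", [])]
        if None in names or len(set(names)) != len(names):
            findings.append("every additionalIngresses entry needs a unique 'name' key")
    elif ing.get("additionalIngresses"):
        findings.append("additionalIngresses are only created when ingress.enabled is true")
    return findings
```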

Configuring platform-base Helm Chart Values

The sample Platform Base Helm Chart Values YAML file is available in the GitHub Repository. Update the file with the values specific to your environment. Refer to the following table for more information about parameters in the values file.

Before you begin
  • For an SSL-enabled database, you must create a secret to store the database SSL certificate before deploying the platform-base Helm chart. For more information, see Creating Kubernetes Secret for Database TLS Connection.
  • You must have access to an email service to send emails from TIBCO Control Plane. Currently, TIBCO Control Plane supports Amazon SES, SMTP, SendGrid, and Microsoft Graph.
  • If you are using the Amazon SES email service, you must have configured the from and reply-to email address. For more information, see Amazon SES documentation.
  • If you are using Microsoft Azure's Graph API as an email service, you must have registered an app of type single tenant under Microsoft Entra and granted it the Mail.Send application permission.

    1. Register a new app in the Entra Admin Center of type "Accounts in this organizational directory only (single tenant)". No redirect URI is needed because there is no user interaction.

    2. In the app's Manage / API Permissions menu, add an application permission under the Graph API section. The only required permission is Mail.Send. You must grant admin consent for your organization to the app.

    3. Under Certificates and secrets, establish the credentials for this app. You can choose between certificates (public-private key pairs) or client secrets.

    4. Provide the app details in the Helm chart values as specified in the following table.

Refer to the following table to learn more about the parameters used in the values.yaml file.

Each entry below lists the parameter, whether it is required, and a description.

Global Configuration

db_ssl_root_cert_secretname
Required: Mandatory for an SSL-enabled database.

Kubernetes secret name that contains the certificate details for the SSL connection to the database.

For more information about creating the secret, see Creating Kubernetes Secret for Database TLS Connection.

db_ssl_root_cert_filename
Required: Mandatory for an SSL-enabled database.

SSL certificate filename.

Example: db_ssl_root.cert

Database details

db_host
Required: Mandatory.

Database host address.

Example: platform-postgres-fs6b8-4cphb.cdqjgaolpoo0.us-west-2.rds.amazonaws.com

db_name
Required: Mandatory.

Database name.

Example: postgres

db_port
Required: Mandatory.

Database port number.

Example: 5432

db_username
Required: Mandatory.

Username to access the database.

db_password
Required: Mandatory.

Password to access the database.

db_secret_name
Required: Mandatory.

Name of the database secret that stores the user credentials.

Example: provider-cp-database-credentials

db_ssl_mode
Required: Optional. Default: disable.

If you are connecting to a database instance over SSL, specify the DB SSL mode value.

Example: verify-full

For an SSL-enabled database, you must create a secret to store the database SSL certificate before deploying the platform-base Helm chart. For more information, see Creating Kubernetes Secret for Database TLS Connection.

Email Service Configuration

emailServerType
Required: Mandatory.

Type of email service you have set up for email notifications.

Supported values:

  • smtp

  • ses

  • sendgrid

  • graph

emailServer.ses.arn: ""
Required: Mandatory if the type of email service is ses.

If emailServerType is ses, you must specify this value: the Amazon Resource Name (ARN) for Amazon SES.

Example: arn:aws:ses:us-east-1:123456789012:identity/user@example.com

emailServer.smtp.server: ""
emailServer.smtp.port: "25"
emailServer.smtp.username: ""
emailServer.smtp.password: ""
Required: Mandatory if the type of email service is smtp.

If emailServerType is smtp, you must specify these values:

  • SMTP server address

  • SMTP port (optional)

  • SMTP username (if applicable)

  • SMTP password (if applicable)

The default port value is 25. Use port 465 for TLS connections. Otherwise, the client switches to a TLS connection if the server supports the STARTTLS command.

emailServer.graph.clientDetailsSecretName: name
Required: Mandatory if the type of email service is graph.

The details for calling the Graph API are specified in a Kubernetes secret. clientDetailsSecretName is the name of the Kubernetes secret in the same namespace as TIBCO Control Plane. Expected keys in the secret, or in its JSON content, are:

  • tenant_id – required; the tenant value from Azure
  • client_id – required; the ID of the app
  • private_key – preferred alternative for the client's credentials; in either PEM or DER format
  • x509_cert – required if private_key is provided; in either PEM or DER format
  • client_secret – the other alternative for the client's credentials (use either client_secret or private_key)

For creating the Kubernetes secret and rotating the client's credentials, see Providing and Updating Graph API Details in a Kubernetes Secret.

emailServer.graph.skipSentFolder: boolean
Required: Optional.

Controls whether non-sensitive emails are saved in the Sent folder. By default, the Graph API leaves a copy of each email in the Sent folder. Sensitive emails from TIBCO Control Plane, for example password resets or invitations with activation links, never appear in the Sent folder. The operator can control the behavior for non-sensitive emails, for example alerts.

emailServer.sendgrid.apiKey: ""
Required: Mandatory if the type of email service is sendgrid.

Key to authenticate access to SendGrid email services. You must specify this if you are using the SendGrid email service.

fromAndReplyToEmailAddress
Required: Mandatory.

From and reply-to email address to be used by the email service.

cronJobReportsEmailAlias
Required: Optional.

Cron job reports are sent to this email alias if configured.

platformEmailNotificationCcAddresses
Required: Optional.

Email addresses to mark as CC for subscription email notifications.
TIBCO Platform Console Administrator user details

admin.email
Required: Mandatory.

Email address of the administrator user. An initial email is sent to this address with the link to sign in to TIBCO Platform Console to provision a subscription.

admin.firstname
Required: Mandatory.

First name of the administrator user.

admin.lastname
Required: Mandatory.

Last name of the administrator user.

admin.customerID
Required: Mandatory.

The Account Owner must obtain this ID by signing in to the TIBCO Operated Control Plane environment. The ID is available in the Settings > Account Details section.
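The platform-base rules above (db_ssl_mode and the two db_ssl_root_cert_* values, the emailServerType-dependent mandatory field, the SMTP port/TLS note, and the allowed key combinations in the Graph client secret) can be checked before deployment. The following Python is an added example, not TIBCO's code; it assumes the values file and the decoded Graph secret are already plain dicts, and every sample value is constructed.

```python
SUPPORTED_EMAIL = ("smtp", "ses", "sendgrid", "graph")
# The emailServer.<type> field the table marks mandatory for each service type.
REQUIRED_FIELD = {"ses": "arn", "smtp": "server", "sendgrid": "apiKey",
                  "graph": "clientDetailsSecretName"}

# Constructed platform-base values and a decoded Graph client secret; nothing
# here is a real credential, and several entries deliberately violate the table.
SAMPLE_BASE = {
    "db_ssl_mode": "verify-full", "db_ssl_root_cert_secretname": "",
    "db_ssl_root_cert_filename": "db_ssl_root.cert",
    "emailServerType": "graph",
    "emailServer": {"graph": {"clientDetailsSecretName": "graph-client"}},
    "fromAndReplyToEmailAddress": "cp-noreply@example.com",
}
SAMPLE_GRAPH_SECRET = {"tenant_id": "tenant", "client_id": "app", "private_key": "PEM-placeholder"}


def check_graph_secret(data):
    """Validate the key combinations the table lists for the Graph client secret."""
    findings = [f"{k} is required" for k in ("tenant_id", "client_id") if not data.get(k)]
    has_key, has_secret = bool(data.get("private_key")), bool(data.get("client_secret"))
    if has_key == has_secret:  # neither, or both, supplied
        findings.append("provide exactly one of private_key or client_secret")
    if has_key and not data.get("x509_cert"):
        findings.append("x509_cert is required when private_key is provided")
    return findings


def check_platform_base(values):
    """Return findings for the database TLS and email-service values (empty = OK)."""
    findings = []
    mode = values.get("db_ssl_mode", "disable")
    if mode == "disable":
        findings.append("db_ssl_mode=disable: the database connection is not TLS-protected")
    else:
        for k in ("db_ssl_root_cert_secretname", "db_ssl_root_cert_filename"):
            if not values.get(k):
                findings.append(f"{k} is mandatory when db_ssl_mode is {mode}")
    etype = values.get("emailServerType")
    if etype not in SUPPORTED_EMAIL:
        findings.append(f"emailServerType {etype!r} is not one of {SUPPORTED_EMAIL}")
    else:
        section = values.get("emailServer", {}).get(etype, {})
        if not section.get(REQUIRED_FIELD[etype]):
            findings.append(f"emailServer.{etype}.{REQUIRED_FIELD[etype]} is mandatory for {etype}")
        if etype == "smtp" and str(section.get("port", "25")) != "465":
            findings.append("smtp port is not 465: TLS depends on the server offering STARTTLS")
    if not values.get("fromAndReplyToEmailAddress"):
        findings.append("fromAndReplyToEmailAddress is mandatory")
    return findings
```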