🚀 Enterprise Deployment

📌 Cloud Infrastructure Requirements

Minimum System Requirements

Control Core Enterprise requires specific cloud infrastructure to ensure optimal performance and reliability. The following specifications are based on production workloads and should be adjusted based on your specific use case.

Kickstart Deployment (Self-hosted)

  • Instance Type: t3.medium or equivalent
  • CPU: 2 vCPUs minimum, 4 vCPUs recommended
  • Memory: 4GB RAM minimum, 8GB RAM recommended
  • Storage: 20GB SSD minimum, 50GB SSD recommended
  • Network: 1 Gbps network bandwidth
  • Operating System: Ubuntu 20.04 LTS or later

Pro Deployment (Hybrid)

  • Instance Type: t3.small or equivalent
  • CPU: 1 vCPU minimum, 2 vCPUs recommended
  • Memory: 2GB RAM minimum, 4GB RAM recommended
  • Storage: 10GB SSD minimum, 20GB SSD recommended
  • Network: 1 Gbps network bandwidth
  • Operating System: Ubuntu 20.04 LTS or later

Custom Deployment (Enterprise)

  • Instance Type: c5.xlarge or equivalent
  • CPU: 4 vCPUs minimum, 8 vCPUs recommended
  • Memory: 8GB RAM minimum, 16GB RAM recommended
  • Storage: 50GB SSD minimum, 100GB SSD recommended
  • Network: 10 Gbps network bandwidth
  • Operating System: Ubuntu 20.04 LTS or later

Cloud Provider Recommendations

Amazon Web Services (AWS)

  • Recommended Instance Types:
    • Kickstart: t3.medium or t3.large
    • Pro: t3.small or t3.medium
    • Custom: c5.xlarge or c5.2xlarge
  • Storage: EBS gp3 volumes (SSD)
  • Network: VPC with public/private subnets
  • Load Balancer: Application Load Balancer (ALB)
  • Database: RDS PostgreSQL (for Custom deployments)

Microsoft Azure

  • Recommended VM Sizes:
    • Kickstart: Standard_B2s or Standard_B2ms
    • Pro: Standard_B1s or Standard_B2s
    • Custom: Standard_D4s_v3 or Standard_D8s_v3
  • Storage: Premium SSD
  • Network: Virtual Network with subnets
  • Load Balancer: Azure Load Balancer
  • Database: Azure Database for PostgreSQL (for Custom deployments)

Google Cloud Platform (GCP)

  • Recommended Machine Types:
    • Kickstart: e2-medium or e2-standard-2
    • Pro: e2-small or e2-medium
    • Custom: c2-standard-4 or c2-standard-8
  • Storage: Persistent SSD
  • Network: VPC with subnets
  • Load Balancer: Google Cloud Load Balancing
  • Database: Cloud SQL for PostgreSQL (for Custom deployments)

Network Requirements

Port Configuration

  • 3000: Control Core Admin UI (HTTP/HTTPS)
  • 8080: The Bouncer - Policy Enforcement Point (HTTP/HTTPS)
  • 8082: PAP API - Policy Administration Point (HTTP/HTTPS)
  • 7000: Policy Bridge - Policy Synchronization (HTTP/HTTPS)
  • 5432: PostgreSQL Database (TCP)
  • 9090: Metrics and Monitoring (HTTP/HTTPS)

Security Groups/Firewall Rules

  • Inbound Rules:
    • HTTP (80) and HTTPS (443) from the internet to the load balancer only; serve port 80 solely to redirect to 443
    • SSH (22) from management IPs only, preferably via a bastion host or VPN rather than directly from the internet
    • Internal component ports (3000, 8080, 8082, 7000, 9090) only from within the VPC or from the load balancer's security group
    • PostgreSQL (5432) only from the application instances' security group, never from the internet
  • Outbound Rules:
    • HTTPS (443) to the internet for image pulls and updates
    • DNS (53, UDP and TCP) for name resolution
    • NTP (123, UDP) for time synchronization
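As an added example (not part of the Control Core documentation), the following shell functions audit a flat list of inbound rules against the port table above and fail if any internal port is reachable from the whole internet. The rule list is constructed sample data; in practice you would feed in the output of your provider's rule listing (for AWS, `aws ec2 describe-security-group-rules` reduced to port and CIDR), and run the audit as a gate in the pipeline that applies the rules.

```shell
#!/usr/bin/env sh
# Added example: flag internal Control Core ports that are open to the world.
# Port numbers are the ones listed under Port Configuration; 80/443 are the
# only ports that may legitimately face the internet (via the load balancer).

INTERNAL_PORTS="3000 8080 8082 7000 5432 9090"

# Constructed sample rules, one "port source_cidr" pair per line. Not real data.
SAMPLE_RULES='443 0.0.0.0/0
80 0.0.0.0/0
22 203.0.113.10/32
8080 10.0.0.0/16
5432 0.0.0.0/0
9090 ::/0'

is_internal_port() {
  for p in $INTERNAL_PORTS; do
    [ "$p" = "$1" ] && return 0
  done
  return 1
}

# Both the IPv4 and the IPv6 "anywhere" sources count as world-open.
is_world_open() {
  [ "$1" = "0.0.0.0/0" ] || [ "$1" = "::/0" ]
}

# audit_rules reads "port source" lines on stdin, prints one line per
# violation and returns 1 if it found any, so it can gate a deployment pipeline.
audit_rules() {
  violations=0
  while read -r port src; do
    [ -z "$port" ] && continue
    if is_internal_port "$port" && is_world_open "$src"; then
      printf 'VIOLATION: internal port %s is open to %s\n' "$port" "$src"
      violations=$((violations + 1))
    fi
  done
  [ "$violations" -eq 0 ]
}

# Stand-alone run: audit the sample rules (expect two violations: 5432 and 9090).
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_RULES" | audit_rules
fi
```

The check is deliberately narrow: it only catches the one mistake that turns an internal service into an internet-facing one. Source ranges that are too wide but not world-open (for example 0.0.0.0/1) still need a human review of the rule set.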

Storage Requirements

Database Storage

  • Kickstart: 20GB minimum, 50GB recommended
  • Pro: 10GB minimum, 20GB recommended
  • Custom: 50GB minimum, 100GB recommended
  • Type: SSD storage for optimal performance
  • Backup: Automated daily backups with 30-day retention

Application Storage

  • Container Images: 5GB for base images
  • Logs: 10GB for log retention
  • Configuration: 1GB for configuration files
  • Temporary: 5GB for temporary files

High Availability Requirements

Multi-AZ Deployment

  • Deploy across multiple Availability Zones
  • Use load balancers for traffic distribution
  • Implement health checks and auto-recovery
  • Configure database replication

Backup and Recovery

  • Database Backups: Daily automated backups
  • Configuration Backups: Weekly configuration snapshots
  • Disaster Recovery: Cross-region backup replication
  • Recovery Time Objective (RTO): < 4 hours
  • Recovery Point Objective (RPO): < 1 hour
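As an added example, not part of the Control Core documentation, here is a cron-friendly backup script that implements the daily database backup and 30-day retention called for above for a PostgreSQL-backed deployment. The host, database and directory names are assumptions. Retention is decided from the date embedded in each file name rather than from file modification time, so a dump that was copied back from another region is not mistaken for a fresh one; that logic is kept in its own function so it can be exercised without a database.

```shell
#!/usr/bin/env sh
# Added example: daily pg_dump with 30-day retention for a Control Core database.
# Assumed values; override via the environment.
BACKUP_DIR="${BACKUP_DIR:-/var/backups/controlcore}"
RETENTION_DAYS="${RETENTION_DAYS:-30}"
PGHOST="${PGHOST:-postgres.internal}"    # assumed hostname of the RDS / Cloud SQL endpoint
PGDATABASE="${PGDATABASE:-controlcore}"  # assumed database name
# PGUSER/PGPASSWORD come from the environment or ~/.pgpass, never from argv.

# backup_name: file name for a dump taken on day $1 (YYYYMMDD).
backup_name() {
  printf 'controlcore-%s.dump' "$1"
}

# expired_backups: read file names on stdin, print those whose embedded date is
# strictly older than the cutoff $1 (YYYYMMDD). Anything that is not a dump
# (checksums, stray files) is ignored rather than deleted.
expired_backups() {
  cutoff="$1"
  while read -r name; do
    d=$(printf '%s' "$name" | sed -n 's/^controlcore-\([0-9]\{8\}\)\.dump$/\1/p')
    [ -z "$d" ] && continue
    [ "$d" -lt "$cutoff" ] && printf '%s\n' "$name"
  done
  return 0
}

# run_backup: dump, checksum, then prune. The dump is written under a temporary
# name first so a failed run never leaves a truncated file that looks like a
# good backup, and the previous backups are kept if pg_dump fails.
run_backup() {
  today=$(date +%Y%m%d)
  out="$BACKUP_DIR/$(backup_name "$today")"
  mkdir -p "$BACKUP_DIR"
  if ! pg_dump --host "$PGHOST" --dbname "$PGDATABASE" \
        --format=custom --compress=9 --file "$out.tmp"; then
    rm -f "$out.tmp"
    echo "pg_dump failed; keeping previous backups" >&2
    return 1
  fi
  mv "$out.tmp" "$out"
  (cd "$BACKUP_DIR" && sha256sum "$(basename "$out")" > "$out.sha256")
  # GNU date; on BSD/macOS use: date -v-"${RETENTION_DAYS}"d +%Y%m%d
  cutoff=$(date -d "-${RETENTION_DAYS} days" +%Y%m%d)
  ls "$BACKUP_DIR" | expired_backups "$cutoff" | while read -r f; do
    rm -f "$BACKUP_DIR/$f" "$BACKUP_DIR/$f.sha256"
  done
}

if [ "${1:-}" = "run" ]; then
  run_backup
fi
```

Schedule it from cron once a day and, to meet the cross-region requirement above, copy the dump and its checksum to a bucket in a second region after each run (for example with `aws s3 cp` into a bucket that has replication enabled). Verify the checksum before every restore test; a backup that has never been restored does not count toward the RTO.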

Security Requirements

Network Security

  • VPC/Private networks for internal communication
  • Security groups/firewall rules for access control
  • VPN or bastion hosts for administrative access
  • TLS for all external communications, with certificates issued by a trusted CA (not self-signed) on every internet-facing endpoint

Data Protection

  • Encryption at rest for all data storage
  • Encryption in transit for all communications
  • Regular security updates and patches
  • Access logging and monitoring

Performance Optimization

Resource Scaling

  • CPU: Monitor CPU utilization, scale when > 70%
  • Memory: Monitor memory usage, scale when > 80%
  • Network: Monitor bandwidth usage, scale when > 80%
  • Storage: Monitor I/O performance, scale when needed

Auto-scaling Configuration

  • Frontend: 1-5 replicas based on CPU/memory
  • PAP API: 1-8 replicas based on request load
  • Bouncer: 1-10 replicas based on traffic
  • Database: Read replicas for high-traffic scenarios

📌 Prerequisite

📌 Step-by-Step instructions to run controlcore helm charts

1. Log in to ECR using your Control Core Enterprise credentials

# Ensure you have already run `aws configure` and set your access key ID, secret access key and region.
aws ecr get-login-password --region ca-central-1 | docker login --username AWS --password-stdin 12345.dkr.ecr.ca-central-1.amazonaws.com

2. Pull the images

docker pull 12345.dkr.ecr.ca-central-1.amazonaws.com/controlcoreio/control-plane-frontend:latest
docker pull 12345.dkr.ecr.ca-central-1.amazonaws.com/controlcoreio/policy-admin-server:latest
docker pull 12345.dkr.ecr.ca-central-1.amazonaws.com/controlcoreio/control-plane-ui:latest
docker pull 12345.dkr.ecr.ca-central-1.amazonaws.com/controlcoreio/control-plane-api:latest
docker pull 12345.dkr.ecr.ca-central-1.amazonaws.com/controlcoreio/control-core-bouncer:latest
docker pull permitio/policy-bridge-server:latest

3. Update githubToken

vi helm-chart/controlcore/values.yaml

and set githubToken to your token:

global:
  githubToken: ""

Once the token is in it, treat this file as a secret: do not commit the populated values.yaml to version control. Keep the token in a separate values file passed with -f from a protected location, or inject it from your secret manager at install time.

4. Install the controlcore chart with Helm

Run the following from the helm-chart directory (the parent of controlcore/, which holds the values.yaml edited in step 3):

helm upgrade --install controlcore ./controlcore

# For arm64 architecture images use
helm upgrade --install controlcore ./controlcore -f ./controlcore/values-arm64.yaml

# Note - you can override values with additional values files you create (later -f files take precedence)
helm upgrade --install controlcore ./controlcore -f ./controlcore/values-dev.yaml
helm upgrade --install controlcore ./controlcore -f ./controlcore/values-qa.yaml

To uninstall controlcore:

helm uninstall controlcore

5. Ensure all pods are Running, with READY 1/1 and no restarts.

kubectl get all

# Sample output
$ kubectl get all
NAME                                          READY   STATUS    RESTARTS   AGE
pod/control-plane-frontend-67d9c497bf-nbkkj   1/1     Running   0          125m
pod/control-core-bouncer-dd598f49b-r8h2f      1/1     Running   0          125m
pod/control-plane-api-5bdccb4d54-bq2wc        1/1     Running   0          18m
pod/control-plane-client-7c598c7d8d-9xj9q     1/1     Running   0          125m
pod/policy-bridge-service-57c6c75896-htbmr    1/1     Running   0          18m

NAME                             TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
service/control-plane-frontend   ClusterIP   10.96.171.76    <none>        7600/TCP            125m
service/control-plane-ui         ClusterIP   10.96.31.133    <none>        8082/TCP            125m
service/control-core-bouncer     ClusterIP   10.96.102.172   <none>        8081/TCP            125m
service/control-plane-client     ClusterIP   10.96.59.85     <none>        8083/TCP,8181/TCP   125m
service/policy-bridge-service    ClusterIP   10.96.55.16     <none>        7002/TCP            125m
service/kubernetes               ClusterIP   10.96.0.1       <none>        443/TCP             3h9m

NAME                                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/control-plane-frontend   1/1     1            1           125m
deployment.apps/control-core-bouncer     1/1     1            1           125m
deployment.apps/control-plane-api        1/1     1            1           125m
deployment.apps/control-plane-client     1/1     1            1           125m
deployment.apps/policy-bridge-service    1/1     1            1           125m

NAME                                                DESIRED   CURRENT   READY   AGE
replicaset.apps/control-plane-frontend-67d9c497bf   1         1         1       125m
replicaset.apps/control-core-bouncer-dd598f49b      1         1         1       125m
replicaset.apps/control-plane-api-59bdc977f8        0         0         0       27m
replicaset.apps/control-plane-api-5bdccb4d54        1         1         1       18m
replicaset.apps/control-plane-api-64f78c7dbd        0         0         0       125m
replicaset.apps/control-plane-api-688f786bbb        0         0         0       21m
replicaset.apps/control-plane-client-7c598c7d8d     1         1         1       125m
replicaset.apps/policy-bridge-service-57c6c75896    1         1         1       18m
replicaset.apps/policy-bridge-service-7748ddc686    0         0         0       27m
replicaset.apps/policy-bridge-service-86788ffc4b    0         0         0       125m
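The five steps above collected into one script, as an added example; this is not the Control Core project's own tooling. It differs from the manual steps in two ways a security reviewer would ask for: the GitHub token is rendered from an environment variable into a temporary, owner-only values file passed with -f, so the tracked values.yaml is never edited and the token never lands in shell history or a git diff; and instead of eyeballing kubectl get all, it waits for each Deployment to roll out. The registry host and account are the page's placeholders; the namespace, the --wait timeout and the Deployment names (taken from the sample output above) are assumptions.

```shell
#!/usr/bin/env sh
# Added example: steps 1-5 as one idempotent script. Run as: ./deploy.sh run
# Placeholders from the page; override via the environment.
REGISTRY="${REGISTRY:-12345.dkr.ecr.ca-central-1.amazonaws.com}"
REGION="${REGION:-ca-central-1}"
CHART_DIR="${CHART_DIR:-./controlcore}"   # run from the helm-chart directory
RELEASE="${RELEASE:-controlcore}"
NAMESPACE="${NAMESPACE:-controlcore}"     # assumed; the page installs into the current namespace
EXTRA_VALUES="${EXTRA_VALUES:-}"          # e.g. ./controlcore/values-arm64.yaml
# Deployment names as shown in the sample `kubectl get all` output (assumed stable).
DEPLOYMENTS="control-plane-frontend control-core-bouncer control-plane-api control-plane-client policy-bridge-service"

# The token comes from the environment (populate it from your secret manager),
# never from a file checked into the chart repository.
require_token() {
  if [ -z "${CC_GITHUB_TOKEN:-}" ]; then
    echo "CC_GITHUB_TOKEN is not set" >&2
    return 1
  fi
}

# Same structure as the global.githubToken key in values.yaml (step 3).
render_token_values() {
  printf 'global:\n  githubToken: "%s"\n' "$1"
}

# Full image reference for one of the Control Core images listed in step 2.
image_ref() {
  printf '%s/controlcoreio/%s:latest' "$REGISTRY" "$1"
}

ecr_login() {   # step 1
  aws ecr get-login-password --region "$REGION" \
    | docker login --username AWS --password-stdin "$REGISTRY"
}

pull_images() { # step 2, as on the page
  for img in control-plane-frontend policy-admin-server control-plane-ui control-plane-api control-core-bouncer; do
    docker pull "$(image_ref "$img")"
  done
  docker pull permitio/policy-bridge-server:latest
}

wait_for_rollouts() { # step 5, checked rather than eyeballed
  for d in $DEPLOYMENTS; do
    kubectl -n "$NAMESPACE" rollout status "deployment/$d" --timeout=300s || return 1
  done
}

deploy() {
  require_token || return 1
  ecr_login
  pull_images
  umask 077                                # temp values file readable by this user only
  tmp=$(mktemp) || return 1
  trap 'rm -f "$tmp"' EXIT
  render_token_values "$CC_GITHUB_TOKEN" > "$tmp"
  # steps 3 + 4: the token file is the last -f, so it wins over any other values file
  helm upgrade --install "$RELEASE" "$CHART_DIR" --namespace "$NAMESPACE" --create-namespace \
    --wait --timeout 10m ${EXTRA_VALUES:+-f "$EXTRA_VALUES"} -f "$tmp"
  wait_for_rollouts
}

if [ "${1:-}" = "run" ]; then
  deploy
fi
```

Two caveats. Helm 3 stores a release's values in a Secret in the release namespace, so the token remains recoverable with `helm get values` by anyone who can read Secrets there; restrict that with RBAC and rotate the token if the namespace is ever exposed. And pulling the images on your workstation (step 2) does not give the cluster access to the private ECR repository; the nodes need their own credentials (an IAM role on EKS, or an imagePullSecret) or the pods will sit in ImagePullBackOff.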

📌 Test

Browse to your ingress endpoint over HTTPS and confirm that the GUI loads and that the certificate presented is the one you configured.

šŸ› ļø Troubleshooting

Issue                                   What to check
Pods not starting or CrashLoopBackOff   Check resource limits, image pull secrets, and dependency services (e.g. Postgres, Redis). Review pod logs and events.
Control Plane or API unreachable        Verify ingress, service, and network policies. Ensure TLS and DNS are configured correctly.
Policy or bouncer not syncing           Confirm the Policy Bridge URL and API key in values. Check connectivity from the cluster to the Control Plane.

For more, see the Troubleshooting Guide.