📘 Configuration Guide

This guide provides the production parameter map for DevOps teams deploying Control Core. It focuses only on customer-operable settings.

🤖 Configuration domains

  • Control Plane runtime and ingress
  • Bouncer registration and resource mapping
  • Database and Redis connectivity
  • GitHub controls repository sync
  • Security controls and key rotation
  • Licensing and telemetry behavior

📌 Control Plane required parameters

Minimum set:

  • CONTROL_PLANE_PUBLIC_URL
  • DATABASE_URL
  • REDIS_URL
  • SECRET_KEY
  • JWT_SECRET_KEY
  • GITHUB_REPO_URL
  • GITHUB_BRANCH
  • GITHUB_TOKEN

Recommended additions:

  • CONTROL_PLANE_HEALTH_URL
  • CORS_ORIGINS
  • LOG_LEVEL
  • BACKUP_SCHEDULE

📌 Bouncer required parameters

Minimum set:

  • BOUNCER_ID
  • BOUNCER_NAME
  • BOUNCER_TYPE
  • ENVIRONMENT (sandbox or production)
  • PAP_API_URL
  • API_KEY
  • RESOURCE_NAME
  • RESOURCE_TYPE
  • TARGET_HOST
  • ORIGINAL_HOST_URL
  • SECURITY_POSTURE

Recommended additions:

  • DEPLOYMENT_PLATFORM
  • BOUNCER_PUBLIC_URL
  • LOG_LEVEL
  • HEARTBEAT_INTERVAL

📌 Bouncer and resource discovery mapping

For clean resource registration:

  • Keep RESOURCE_NAME stable for Sandbox and Production counterparts.
  • Set RESOURCE_TYPE to the actual workload category (api, webapp, database, ai-agent, mcp-server).
  • Use the internal address in TARGET_HOST.
  • Use the externally reachable URL in ORIGINAL_HOST_URL.
  • Use an environment-specific API_KEY.

📌 GitHub controls sync configuration

Control Plane must have:

  • GITHUB_REPO_URL (controls repository)
  • GITHUB_BRANCH (deployment branch)
  • GITHUB_TOKEN (least-privilege token)

Operational guardrails:

  • Branch protection enabled for the controls branch.
  • Token stored in a secret manager, not in committed files.
  • Repo access test included in deployment validation.

📌 Helm values pattern

global:
  controlPlanePublicUrl: "https://controlplane.customer-domain.com"

controlPlane:
  env:
    DATABASE_URL: "postgresql://<user>:<password>@<db-host>:5432/<db-name>"
    REDIS_URL: "redis://:<password>@<redis-host>:6379/0"
    SECRET_KEY: "<strong-random-secret>"
    JWT_SECRET_KEY: "<strong-random-jwt-secret>"
    GITHUB_REPO_URL: "https://github.com/<org>/<controls-repo>"
    GITHUB_BRANCH: "main"
    GITHUB_TOKEN: "<github-token>"

bouncer:
  env:
    BOUNCER_ID: "bouncer-sandbox-01"
    BOUNCER_NAME: "Sandbox API Bouncer"
    BOUNCER_TYPE: "sidecar"
    ENVIRONMENT: "sandbox"
    PAP_API_URL: "https://controlplane.customer-domain.com"
    API_KEY: "<sandbox-api-key>"
    RESOURCE_NAME: "Customer API"
    RESOURCE_TYPE: "api"
    TARGET_HOST: "customer-api.default.svc.cluster.local:8080"
    ORIGINAL_HOST_URL: "https://api.customer-domain.com"
    SECURITY_POSTURE: "deny-all"

📌 Docker Compose env pattern

CONTROL_PLANE_PUBLIC_URL=https://controlplane.customer-domain.com
DATABASE_URL=postgresql://<user>:<password>@<db-host>:5432/<db-name>
REDIS_URL=redis://:<password>@<redis-host>:6379/0
SECRET_KEY=<strong-random-secret>
JWT_SECRET_KEY=<strong-random-jwt-secret>

GITHUB_REPO_URL=https://github.com/<org>/<controls-repo>
GITHUB_BRANCH=main
GITHUB_TOKEN=<github-token>

BOUNCER_ID=bouncer-sandbox-01
BOUNCER_NAME=Sandbox API Bouncer
BOUNCER_TYPE=sidecar
ENVIRONMENT=sandbox
PAP_API_URL=https://controlplane.customer-domain.com
API_KEY=<sandbox-api-key>
RESOURCE_NAME=Customer API
RESOURCE_TYPE=api
TARGET_HOST=customer-api:8080
ORIGINAL_HOST_URL=https://api.customer-domain.com
SECURITY_POSTURE=deny-all
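
A pre-deployment check for the Docker Compose env pattern above and the resource discovery mapping rules: it verifies that every key in the Control Plane and Bouncer minimum sets is present, that no "<value>" template slot was left unfilled, that ENVIRONMENT and RESOURCE_TYPE use the listed values, that externally reachable URLs are https (per the TLS baseline), and that TARGET_HOST holds an internal host:port rather than a URL. This is an added example, not Control Core's own tooling; the sample env values are constructed, and the https requirement on CONTROL_PLANE_PUBLIC_URL, PAP_API_URL and ORIGINAL_HOST_URL is an assumption drawn from the security baseline in this guide.

```python
import re

# Required keys from the Control Plane and Bouncer minimum sets in this guide.
REQUIRED = ["CONTROL_PLANE_PUBLIC_URL", "DATABASE_URL", "REDIS_URL", "SECRET_KEY",
            "JWT_SECRET_KEY", "GITHUB_REPO_URL", "GITHUB_BRANCH", "GITHUB_TOKEN",
            "BOUNCER_ID", "BOUNCER_NAME", "BOUNCER_TYPE", "ENVIRONMENT", "PAP_API_URL",
            "API_KEY", "RESOURCE_NAME", "RESOURCE_TYPE", "TARGET_HOST",
            "ORIGINAL_HOST_URL", "SECURITY_POSTURE"]
RESOURCE_TYPES = {"api", "webapp", "database", "ai-agent", "mcp-server"}
PLACEHOLDER = re.compile(r"^<[^>]*>$")  # an unfilled "<value>" template slot


def parse_env(text):
    """Parse KEY=VALUE lines into a dict, skipping blank lines and # comments."""
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if k and not k.startswith("#") and sep}


def validate(env):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key in REQUIRED:
        if not env.get(key):
            findings.append(f"{key}: missing")
        elif PLACEHOLDER.match(env[key]):
            findings.append(f"{key}: template placeholder not replaced")
    if env.get("ENVIRONMENT") not in ("sandbox", "production"):
        findings.append("ENVIRONMENT: must be sandbox or production")
    if env.get("RESOURCE_TYPE") not in RESOURCE_TYPES:
        findings.append("RESOURCE_TYPE: not a listed workload category")
    # Assumption: external endpoints are https (TLS baseline); TARGET_HOST is internal host:port.
    for key in ("CONTROL_PLANE_PUBLIC_URL", "PAP_API_URL", "ORIGINAL_HOST_URL"):
        if not env.get(key, "").startswith("https://"):
            findings.append(f"{key}: must be an https:// URL")
    if "://" in env.get("TARGET_HOST", ""):
        findings.append("TARGET_HOST: expected internal host:port, not a URL")
    return findings


# Constructed sample env with two mistakes left in: an unfilled GITHUB_TOKEN
# placeholder and a URL (with scheme) where TARGET_HOST expects host:port.
SAMPLE_ENV = "\n".join([
    "CONTROL_PLANE_PUBLIC_URL=https://controlplane.customer-domain.com",
    "DATABASE_URL=postgresql://cc:pw@db.internal:5432/cc", "REDIS_URL=redis://:pw@redis.internal:6379/0",
    "SECRET_KEY=example-secret-not-real", "JWT_SECRET_KEY=example-jwt-secret-not-real",
    "GITHUB_REPO_URL=https://github.com/example-org/controls", "GITHUB_BRANCH=main",
    "GITHUB_TOKEN=<github-token>", "BOUNCER_ID=bouncer-sandbox-01", "BOUNCER_NAME=Sandbox API Bouncer",
    "BOUNCER_TYPE=sidecar", "ENVIRONMENT=sandbox", "PAP_API_URL=https://controlplane.customer-domain.com",
    "API_KEY=sandbox-key-example", "RESOURCE_NAME=Customer API", "RESOURCE_TYPE=api",
    "TARGET_HOST=http://customer-api:8080", "ORIGINAL_HOST_URL=https://api.customer-domain.com",
    "SECURITY_POSTURE=deny-all",
])
```

Running `validate(parse_env(SAMPLE_ENV))` reports the two planted mistakes; wire the same call into the deployment validation step so a misfilled env file fails before the Bouncer registers.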

🔒 Security and domain baseline

  • TLS 1.2+ on all external domains.
  • Customer-managed certificates and secret rotation.
  • Private network-only database and Redis.
  • Environment-scoped API keys with regular rotation.
  • Least-privilege deployment identities.

👁️ Licensing and telemetry

  • Trial default: 90 days.
  • Extension codes applied in Settings -> Subscription.
  • Telemetry endpoint is configurable; offline extension workflow remains available.