Control CoreDocs

🚀 Deployment Guide

Control Core deploys as two customer-managed services:

  1. Control Plane
  2. Bouncer (deploy Sandbox first, then Production)

Distribution is managed directly by Control Core. Contact info@controlcore.io to request deployment artifacts.

For hardened multi-infra production standards, see:

📌 60-minute runbook

PhaseActionTime
PrepareDNS, TLS, database, Redis, secrets, GitHub controls repo10 min
DeployControl Plane via Helm or Docker Compose15 min
ConnectDeploy Sandbox Bouncer and register resource10 min
ConfigureConnect controls repo and verify environment config10 min
ValidateRun /getting-started/wizard and enforce first control15 min

📌 Required inputs

  • CONTROL_PLANE_PUBLIC_URL (for example https://controlplane.customer-domain.com)
  • TLS cert/key or ingress-managed TLS for the Control Plane domain
  • DATABASE_URL and REDIS_URL
  • GitHub controls repo URL, branch, and token
  • Bouncer API keys for Sandbox and Production

🤖 Network and domain requirements

Use customer-owned DNS and TLS.

FlowSourceDestinationProtocol
Control Plane UI/APIOperatorsControl Plane domainHTTPS 443
Bouncer policy updatesBouncerControl Plane APIHTTPS 443
Policy repo syncControl PlaneGitHubHTTPS 443
Data store accessControl PlanePostgreSQL/RedisInternal network only

Recommended:

  • No public database or Redis endpoints.
  • Restrict ingress to required domains and paths.
  • Allow outbound from Control Plane only to approved endpoints (GitHub, optional telemetry endpoint).
  1. Extract deployment package.
  2. Update values file with your environment.
  3. Deploy chart.
helm upgrade --install controlcore ./controlcore \
  --namespace controlcore \
  --create-namespace \
  -f values.customer.yaml

Minimum values.customer.yaml pattern:

global:
  controlPlanePublicUrl: "https://controlplane.customer-domain.com"
  telemetryEndpoint: "https://business-admin.controlcore.io"

controlPlane:
  env:
    DATABASE_URL: "postgresql://<user>:<password>@<db-host>:5432/<db-name>"
    REDIS_URL: "redis://:<password>@<redis-host>:6379/0"
    SECRET_KEY: "<strong-random-secret>"
    JWT_SECRET_KEY: "<strong-random-jwt-secret>"
    GITHUB_REPO_URL: "https://github.com/<org>/<controls-repo>"
    GITHUB_BRANCH: "main"
    GITHUB_TOKEN: "<github-token>"

bouncer:
  enabled: true
  env:
    BOUNCER_ID: "bouncer-sandbox-01"
    BOUNCER_NAME: "Sandbox API Bouncer"
    BOUNCER_TYPE: "sidecar"
    ENVIRONMENT: "sandbox"
    PAP_API_URL: "https://controlplane.customer-domain.com"
    API_KEY: "<sandbox-api-key>"
    RESOURCE_NAME: "Customer API"
    RESOURCE_TYPE: "api"
    TARGET_HOST: "customer-api.default.svc.cluster.local:8080"
    ORIGINAL_HOST_URL: "https://api.customer-domain.com"
    SECURITY_POSTURE: "deny-all"

🚀 Docker Compose deployment

  1. Extract deployment package.
  2. Create .env.customer.
  3. Start stack with your env file.
docker compose --env-file .env.customer -f controlcore-compose.yml up -d

Minimum .env.customer pattern:

CONTROL_PLANE_PUBLIC_URL=https://controlplane.customer-domain.com
DATABASE_URL=postgresql://<user>:<password>@<db-host>:5432/<db-name>
REDIS_URL=redis://:<password>@<redis-host>:6379/0
SECRET_KEY=<strong-random-secret>
JWT_SECRET_KEY=<strong-random-jwt-secret>

GITHUB_REPO_URL=https://github.com/<org>/<controls-repo>
GITHUB_BRANCH=main
GITHUB_TOKEN=<github-token>

BOUNCER_ID=bouncer-sandbox-01
BOUNCER_NAME=Sandbox API Bouncer
BOUNCER_TYPE=sidecar
ENVIRONMENT=sandbox
PAP_API_URL=https://controlplane.customer-domain.com
API_KEY=<sandbox-api-key>
RESOURCE_NAME=Customer API
RESOURCE_TYPE=api
TARGET_HOST=customer-api:8080
ORIGINAL_HOST_URL=https://api.customer-domain.com
SECURITY_POSTURE=deny-all

📌 Bouncer resource auto-discovery parameters

These fields must be present for clean registration and linking:

  • BOUNCER_ID unique per deployment unit
  • BOUNCER_NAME human-readable label
  • BOUNCER_TYPE (sidecar, reverse-proxy, or planned future type)
  • ENVIRONMENT (sandbox or production)
  • PAP_API_URL Control Plane API URL
  • API_KEY environment-specific Bouncer key
  • RESOURCE_NAME stable logical resource name
  • RESOURCE_TYPE (api, webapp, database, ai-agent, mcp-server)
  • TARGET_HOST internal service endpoint protected by Bouncer
  • ORIGINAL_HOST_URL externally advertised endpoint
  • SECURITY_POSTURE recommended deny-all

Use the same RESOURCE_NAME for Sandbox and Production counterparts when they represent the same business resource.

📌 GitHub controls repository configuration

Control Plane requires:

  • GITHUB_REPO_URL
  • GITHUB_BRANCH
  • GITHUB_TOKEN with least-privilege read/write scope for controls management

Operational checks:

  1. Validate repo access from Control Plane runtime.
  2. Validate branch exists and is protected per your policy.
  3. Confirm controls sync status is healthy in the UI.

🔒 Security protocol baseline

  • TLS 1.2+ for all external traffic.
  • Customer-managed certificates and key rotation policy.
  • Secrets from enterprise secret manager, not static files in repos.
  • Environment-scoped API keys and scheduled rotation.
  • Least-privilege IAM/RBAC for deployment and runtime identities.
  • Backup and recovery policy for database and controls repository.

📌 Verification checklist

  1. Control Plane URL resolves and serves valid TLS cert.
  2. Health endpoint is successful from your network zone.
  3. Database and Redis connectivity checks pass.
  4. Sandbox Bouncer appears in Settings -> PEPs.
  5. Resource appears in Settings -> Resources with expected metadata.
  6. A Sandbox control is enforced and audit events are visible.
  7. /getting-started/wizard completes without failed checks.

📞 Support