📦 Installation Guide

This guide is for DevOps teams installing customer-managed Control Core.

Deployment model:

  1. Control Plane
  2. Bouncer (Sandbox first)

Distribution is managed directly by Control Core. Contact info@controlcore.io to request deployment artifacts.

📌 Preflight checklist

  • Kubernetes + Helm or Docker + Compose
  • PostgreSQL 13+ (HA recommended for production)
  • Redis 6+ (managed service recommended for production)
  • Customer DNS for Control Plane and protected resource domains
  • TLS cert strategy (ingress-managed or customer cert/key)
  • GitHub controls repo access token
  • Secret manager path for runtime secrets

📌 Required configuration set

Control Plane:

  • CONTROL_PLANE_PUBLIC_URL
  • DATABASE_URL
  • REDIS_URL
  • SECRET_KEY
  • JWT_SECRET_KEY
  • GITHUB_REPO_URL
  • GITHUB_BRANCH
  • GITHUB_TOKEN

Bouncer:

  • BOUNCER_ID
  • BOUNCER_NAME
  • BOUNCER_TYPE
  • ENVIRONMENT
  • PAP_API_URL
  • API_KEY
  • RESOURCE_NAME
  • RESOURCE_TYPE
  • TARGET_HOST
  • ORIGINAL_HOST_URL
  • SECURITY_POSTURE

🏗️ Installation flow

  1. Request release artifacts from info@controlcore.io.
  2. Populate customer env/values files with your domain and secret values.
  3. Deploy Control Plane.
  4. Confirm health and sign-in.
  5. Deploy Sandbox Bouncer with resource metadata.
  6. Connect GitHub controls repo.
  7. Run /getting-started/wizard.
  8. Deploy first Sandbox control and validate decisions.
  9. Add Production Bouncer after Sandbox validation.

🤖 Domain and TLS setup

  • Configure CONTROL_PLANE_PUBLIC_URL as an HTTPS endpoint.
  • Ensure certificate chain is trusted by operator and workload networks.
  • Configure protected resource domains in ORIGINAL_HOST_URL.
  • Keep internal service addresses in TARGET_HOST (do not use public DNS for internal backends unless required by your topology).

🔒 Security protocol requirements

  • TLS 1.2+ for all external and cross-zone traffic.
  • No plaintext secrets in version control.
  • Database and Redis endpoints restricted to private networks.
  • Environment-scoped Bouncer API keys (Sandbox and Production).
  • Scheduled key and secret rotation.
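
A preflight check for the required configuration set and the domain, TLS and key-scoping rules above, as an added example (not Control Core's own tooling). It assumes the values live in KEY=VALUE env files and that TARGET_HOST is a URL or a bare host[:port]; parse_env, host_of and preflight are hypothetical helper names.

```python
from urllib.parse import urlsplit

CONTROL_PLANE_KEYS = ("CONTROL_PLANE_PUBLIC_URL DATABASE_URL REDIS_URL SECRET_KEY "
                      "JWT_SECRET_KEY GITHUB_REPO_URL GITHUB_BRANCH GITHUB_TOKEN").split()
BOUNCER_KEYS = ("BOUNCER_ID BOUNCER_NAME BOUNCER_TYPE ENVIRONMENT PAP_API_URL API_KEY RESOURCE_NAME "
                "RESOURCE_TYPE TARGET_HOST ORIGINAL_HOST_URL SECURITY_POSTURE").split()

def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and # comments are skipped."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            env[key.strip()] = value.strip().strip("\"'")
    return env

def host_of(value):
    """Lower-cased hostname from a URL or a bare host[:port] value (assumed formats)."""
    return (urlsplit(value if "//" in value else "//" + value).hostname or "").lower()

def preflight(control_plane, bouncers):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"control-plane: {k} is missing or empty"
                for k in CONTROL_PLANE_KEYS if not control_plane.get(k)]
    url = control_plane.get("CONTROL_PLANE_PUBLIC_URL", "")
    if url and urlsplit(url).scheme != "https":
        findings.append("control-plane: CONTROL_PLANE_PUBLIC_URL is not an HTTPS endpoint")
    key_env = {}  # API_KEY -> first ENVIRONMENT value it was seen with
    for b in bouncers:
        name = b.get("BOUNCER_ID") or "<unnamed>"
        findings += [f"{name}: {k} is missing or empty" for k in BOUNCER_KEYS if not b.get(k)]
        target = host_of(b.get("TARGET_HOST", ""))
        # Heuristic: an internal backend should not resolve via the protected public domain.
        if target and target == host_of(b.get("ORIGINAL_HOST_URL", "")):
            findings.append(f"{name}: TARGET_HOST has the same host as ORIGINAL_HOST_URL")
        api_key, env = b.get("API_KEY"), b.get("ENVIRONMENT")
        if api_key and env and key_env.setdefault(api_key, env) != env:
            findings.append(f"{name}: API_KEY is shared across environments")
    return findings

if __name__ == "__main__":
    # Constructed sample: placeholder values, not real endpoints or keys.
    cp = parse_env("CONTROL_PLANE_PUBLIC_URL=http://cc.example.test\nREDIS_URL=redis://r.internal")
    sandbox = dict.fromkeys(BOUNCER_KEYS, "x") | {"ENVIRONMENT": "sandbox", "TARGET_HOST": "app.internal"}
    print("\n".join(preflight(cp, [sandbox, sandbox | {"ENVIRONMENT": "production"}])))
```

Run it in CI against the rendered env files before step 3 of the installation flow, and fail the pipeline when the returned list is non-empty.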

📌 Trial and extension model

  • Default trial window: 90 days from deployment bootstrap.
  • Extension codes can be applied in Settings -> Subscription.
  • Workflow supports offline extension application when telemetry is unavailable.

📌 DevOps validation checks

  • Control Plane health endpoint is reachable.
  • Database migration and connectivity checks are successful.
  • Redis connectivity is successful.
  • Sandbox Bouncer registers in Settings -> PEPs.
  • Resource auto-discovery appears in Settings -> Resources.
  • GitHub controls sync status is healthy.
  • First policy decision and audit event are visible.

📌 Next steps