Configuration key values for installing Tanzu Mission Control Self-Managed

You use key-values to set up the configuration for installing Tanzu Mission Control Self-Managed.

The following table lists keys and the values that you can use in the values.yaml configuration file for installing Tanzu Mission Control Self-Managed.

Key Default Type Required Description
alertmanager.criticalAlertReceiver map[] No Critical alert receiver configuration for alert-manager
alertmanager.warningAlertReceiver map[] No Warning alert receiver configuration for alert-manager
authenticationType federated string No Supported values are:
  • federated
  • ldap
Use federated if you are using your organization’s Identity Provider (IDP), such as Okta for SSO.
Use ldap if you are using your organization’s Active Directory or OpenLDAP for authentication.
If the key is not specified the default value is used.
certificateImport false boolean No Enables the ability to manually assign certificates issued by existing CAs to externally accessible TMC endpoints.
clusterIssuer string Yes Cert-Manager ClusterIssuer to use.
contourEnvoy.loadBalancerIP string No Load balancer IP for Contour’s Envoy. This is the legacy way to use a preferred IP for a K8s service of type loadBalancer. It is deprecated from Kubernetes version 1.24 onwards.
contourEnvoy.loadBalancerClass string No Load Balancer Class to use for Contour’s Envoy
contourEnvoy.nodeSelector No Node Label Selectors for Contour’s Envoy pod assignment
contourEnvoy.nodeTolerations array No Tolerations for Contour’s Envoy pod assignment
contourEnvoy.serviceAnnotations No Annotations to place on Contour’s Envoy Pods. Your load balancer controller specific annotations to use a preferred IP. See Service of type loadBalancer with preferred IP for a AVI Kubernetes Operator.
contourEnvoy.serviceType string Yes Service Type for Contour’s Envoy. Must be either Loadbalancer or NodePort.
dnsZone string Yes Hosted DNS zone where the DNS A-records for Tanzu Mission Control Self-Managed service will reside
harborProject string Yes Harbor Project path where Tanzu Mission Control Self-Managed service images have been pushed using the push-images command. For example, harbor.tanzu.io/tmc
idpGroupRoles.admin tmc:admin string No Sets the initial admin group IDP mapping.
This creates an initial access policy with the specified group allowed to operate TMC with admin-level permissions.
The value for this key is case-sensitive, and must be the common name (CN attribute) of the AD group.
Changing this setting has no effect on an existing installation.
idpGroupRoles.member tmc:member string No Sets the initial Member group IDP mapping.
This creates an initial access policy with this group allowed to operate TMC with member-level permissions.
The value for this key is case-sensitive, and must be the common name (CN attribute) of the AD group.
Changing this setting has no effect on an existing installation.
ldap.domainName string Yes Only required for Active Directory and OpenLDAP authentication. Value displayed to end users at the TMC login prompt where users enter their username and password.
Note: This value can only contain lowercase alphanumeric characters (a-z, 0-9) and the ‘-’ or ‘.’ characters.
ldap.groupBaseDN string Yes Only required for Active Directory and OpenLDAP authentication. The base distinguishedName used as the root for group searches.
ldap.groupSearchFilter string No Only required for Active Directory and OpenLDAP authentication. The filter to search for group membership.
The default value for Active Directory is &(objectClass=group)(member={}).
The default value for OpenLDAP is &(objectClass=groupOfNames)(member={}).
In all types, the {} placeholder must occur in the filter at least once and is replaced by the user’s full distinguishedName.
ldap.host string Yes Only required for Active Directory and OpenLDAP authentication. Host name and port of the server against which to authenticate (e.g. addc01.your.domain:636).
Note: An encrypted port (636 and/or 3269 for AD Global Catalog) must be used with Active Directory.
ldap.password string Yes Only required for Active Directory and OpenLDAP authentication. The password of your service/bind account.
ldap.rootCA string Yes Only required for Active Directory and OpenLDAP authentication. Root CA (in PEM format) for the issuer of the AD domain controller’s or OpenLDAP server’s certificate.
ldap.type string Yes Only required for Active Directory and OpenLDAP authentication. The type of the LDAP server. Valid values are:
  • activedirectory
  • ldap
ldap.userBaseDN string Yes Only required for Active Directory and OpenLDAP authentication. The base distinguishedName used as the root for user searches.
ldap.username string Yes Only required for Active Directory and OpenLDAP authentication. The full distinguishedName of your service/bind account. For Active Directory, this can be a normal Domain User with permissions to view the accounts that will be authenticating.
ldap.userSearchFilter string No Only required for Active Directory and OpenLDAP authentication. The filter to search for user accounts.
The default value for Active Directory is (&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={})(mail={})(userPrincipalName={})(sAMAccountType=805306368)). This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, and is not shown in advanced view.
The default value for OpenLDAP is &(objectClass=groupOfNames)(uid={}).
In all types, the {} placeholder must occur in the filter at least once and will be dynamically replaced by the username as entered by the end user.
ldap.userSearchAttributeUsername mail string No Only required for Active Directory and OpenLDAP authentication. The field in the LDAP entry that should be used as username.   
This field can be used for looking up users to assign roles and permissions.
This field allows customization of which field in the user’s LDAP entry should be used as the user’s username after successful authentication.
Note:This field should be set only once during installation and should not be changed while performing upgrades as this can result in users losing permissions to TMC.
minio.username string Yes Admin username to use for internal MinIO
minio.password string Yes Admin password to use for internal MinIO
oidc.clientID string Yes Only required when using the federated authenticationType. OIDC Client ID defined in your IDP.
oidc.clientSecret string Yes Only required when using the federated authenticationType. OIDC Client Secret defined in your IDP.
oidc.issuerType string Yes OIDC issuer type. pinniped is the only supported option.
oidc.issuerURL string Yes OIDC issuer URL for your IDP. When using the ldap authenticationType, set this value to https://pinniped-supervisor.tmc.${YOUR.DOMAIN}/provider/pinniped. In the URL, ${YOUR.DOMAIN} is the DNS zone where TMC Self-Managed is being deployed.
pinnipedExtraEnvVars [] array No Extra Environment Variables to pass to Pinniped
postgres.userPassword string Yes Password to use for securing internal Postgres connections
postgres.maxConnections 300 integer No Maximum connections that the internal Postgres database should allow. This value should only be changed in consultation with VMware support.
prometheusVolumeSize 5 GiB string Yes Persistent volume size for Prometheus data volume. The value is generally given in Gibibytes (100 GiB)
size small string No The size of the stack. If the a value is not assigned, the default value is used. Acceptable values are small, medium.
supportFlags [] array No Flags a support engineer might ask you to add if you need support
tanzuStandard.relativePath string No Relative path to the Tanzu Standard package repository with version
tanzuStandard.imageRegistry string No Image registry URL or host for your Tanzu Standard package repository
telemetry.eanNumber string No Entitlement Account Number on VMware Customer Connect
telemetry.ceipAgreement false boolean No Indicates that you have read the CEIP terms and conditions through the product documentation
telemetry.ceipOptIn false boolean No CEIP opt in to send telemetry data
trustedCAs map[] No Adds trusted CAs (in pem format) to the bundle used by services. This should be in a key value form

check-circle-line exclamation-circle-line close-line
Scroll to top icon