Configuration key values for installing Tanzu Mission Control Self-Managed
You use key-values to set up the configuration for installing Tanzu Mission Control Self-Managed.
The following table lists keys and the values that you can use in the values.yaml configuration file for installing Tanzu Mission Control Self-Managed.
| Key | Default | Type | Required | Description |
|---|---|---|---|---|
| alertmanager.criticalAlertReceiver | map[] | No | Critical alert receiver configuration for alert-manager | |
| alertmanager.warningAlertReceiver | map[] | No | Warning alert receiver configuration for alert-manager | |
| authenticationType | federated | string | No | Supported values are:
federated if you are using your organization’s Identity Provider (IDP), such as Okta for SSO. Use ldap if you are using your organization’s Active Directory or OpenLDAP for authentication. If the key is not specified the default value is used. |
| certificateImport | false | boolean | No | Enables the ability to manually assign certificates issued by existing CAs to externally accessible TMC endpoints. |
| clusterIssuer | string | Yes | Cert-Manager ClusterIssuer to use. | |
| contourEnvoy.loadBalancerIP | string | No | Load balancer IP for Contour’s Envoy. This is the legacy way to use a preferred IP for a K8s service of type loadBalancer. It is deprecated from Kubernetes version 1.24 onwards. |
|
| contourEnvoy.loadBalancerClass | string | No | Load Balancer Class to use for Contour’s Envoy | |
| contourEnvoy.nodeSelector | No | Node Label Selectors for Contour’s Envoy pod assignment | ||
| contourEnvoy.nodeTolerations | array | No | Tolerations for Contour’s Envoy pod assignment | |
| contourEnvoy.serviceAnnotations | No | Annotations to place on Contour’s Envoy Pods. Your load balancer controller specific annotations to use a preferred IP. See Service of type loadBalancer with preferred IP for a AVI Kubernetes Operator. | ||
| contourEnvoy.serviceType | string | Yes | Service Type for Contour’s Envoy. Must be either Loadbalancer or NodePort. | |
| dnsZone | string | Yes | Hosted DNS zone where the DNS A-records for Tanzu Mission Control Self-Managed service will reside | |
| harborProject | string | Yes | Harbor Project path where Tanzu Mission Control Self-Managed service images have been pushed using the push-images command. For example, harbor.tanzu.io/tmc |
|
| idpGroupRoles.admin | tmc:admin | string | No | Sets the initial admin group IDP mapping. This creates an initial access policy with the specified group allowed to operate TMC with admin-level permissions. The value for this key is case-sensitive, and must be the common name ( CN attribute) of the AD group. Changing this setting has no effect on an existing installation. |
| idpGroupRoles.member | tmc:member | string | No | Sets the initial Member group IDP mapping. This creates an initial access policy with this group allowed to operate TMC with member-level permissions. The value for this key is case-sensitive, and must be the common name ( CN attribute) of the AD group. Changing this setting has no effect on an existing installation. |
| ldap.domainName | string | Yes | Only required for Active Directory and OpenLDAP authentication. Value displayed to end users at the TMC login prompt where users enter their username and password. Note: This value can only contain lowercase alphanumeric characters (a-z, 0-9) and the ‘-’ or ‘.’ characters. |
|
| ldap.groupBaseDN | string | Yes | Only required for Active Directory and OpenLDAP authentication. The base distinguishedName used as the root for group searches. | |
| ldap.groupSearchFilter | string | No | Only required for Active Directory and OpenLDAP authentication. The filter to search for group membership. The default value for Active Directory is &(objectClass=group)(member={}).The default value for OpenLDAP is &(objectClass=groupOfNames)(member={}).In all types, the {} placeholder must occur in the filter at least once and is replaced by the user’s full distinguishedName. |
|
| ldap.host | string | Yes | Only required for Active Directory and OpenLDAP authentication. Host name and port of the server against which to authenticate (e.g. addc01.your.domain:636). Note: An encrypted port (636 and/or 3269 for AD Global Catalog) must be used with Active Directory. |
|
| ldap.password | string | Yes | Only required for Active Directory and OpenLDAP authentication. The password of your service/bind account. | |
| ldap.rootCA | string | Yes | Only required for Active Directory and OpenLDAP authentication. Root CA (in PEM format) for the issuer of the AD domain controller’s or OpenLDAP server’s certificate. | |
| ldap.type | string | Yes | Only required for Active Directory and OpenLDAP authentication. The type of the LDAP server. Valid values are:
|
|
| ldap.userBaseDN | string | Yes | Only required for Active Directory and OpenLDAP authentication. The base distinguishedName used as the root for user searches. | |
| ldap.username | string | Yes | Only required for Active Directory and OpenLDAP authentication. The full distinguishedName of your service/bind account. For Active Directory, this can be a normal Domain User with permissions to view the accounts that will be authenticating. | |
| ldap.userSearchFilter | string | No | Only required for Active Directory and OpenLDAP authentication. The filter to search for user accounts. The default value for Active Directory is (&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={})(mail={})(userPrincipalName={})(sAMAccountType=805306368)). This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account, and is not shown in advanced view.The default value for OpenLDAP is &(objectClass=groupOfNames)(uid={}).In all types, the {} placeholder must occur in the filter at least once and will be dynamically replaced by the username as entered by the end user. |
|
| ldap.userSearchAttributeUsername | mail |
string | No | Only required for Active Directory and OpenLDAP authentication. The field in the LDAP entry that should be used as username. This field can be used for looking up users to assign roles and permissions. This field allows customization of which field in the user’s LDAP entry should be used as the user’s username after successful authentication.Note:This field should be set only once during installation and should not be changed while performing upgrades as this can result in users losing permissions to TMC. |
| minio.username | string | Yes | Admin username to use for internal MinIO | |
| minio.password | string | Yes | Admin password to use for internal MinIO | |
| oidc.authorizationScopes | [“email”, “offline_access”] | array | No | A list of additional scopes to request in the token response. This setting corresponds to OIDCIdentityProvider.spec.authorizationConfig.additionalScopes in the Pinniped OIDCIdentityProvider custom resource. |
| oidc.claimGroups | groups | string | No | The claim name of your user groups. This is used to set name of user groups in the JSON Web Token (JWT) claim. The default value is groups. This setting corresponds to OIDCIdentityProvider.spec.claims.groups in the Pinniped OIDCIdentityProvider custom resource. |
| oidc.clientID | string | Yes | Only required when using the federated authenticationType. OIDC Client ID defined in your IDP. |
|
| oidc.clientSecret | string | Yes | Only required when using the federated authenticationType. OIDC Client Secret defined in your IDP. |
|
| oidc.issuerType | string | Yes | OIDC issuer type. pinniped is the only supported option. |
|
| oidc.issuerURL | string | Yes | OIDC issuer URL for your IDP. When using the ldap authenticationType, set this value to https://pinniped-supervisor.tmc.${YOUR.DOMAIN}/provider/pinniped. In the URL, ${YOUR.DOMAIN} is the DNS zone where TMC Self-Managed is being deployed. |
|
| pinnipedExtraEnvVars | [] | array | No | Extra Environment Variables to pass to Pinniped |
| postgres.userPassword | string | Yes | Password to use for securing internal Postgres connections | |
| postgres.maxConnections | 300 | integer | No | Maximum connections that the internal Postgres database should allow. This value should only be changed in consultation with VMware support. |
| prometheusVolumeSize | 5 GiB | string | Yes | Persistent volume size for Prometheus data volume. The value is generally given in Gibibytes (100 GiB) |
| size | small | string | No | The size of the stack. If the a value is not assigned, the default value is used. Acceptable values are small, medium. |
| supportFlags | [] | array | No | Flags a support engineer might ask you to add if you need support |
| tanzuStandard.relativePath | string | No | Relative path to the Tanzu Standard package repository with version | |
| tanzuStandard.imageRegistry | string | No | Image registry URL or host for your Tanzu Standard package repository | |
| telemetry.eanNumber | string | No | Entitlement Account Number on VMware Customer Connect | |
| telemetry.ceipAgreement | false | boolean | No | Indicates that you have read the CEIP terms and conditions through the product documentation |
| telemetry.ceipOptIn | false | boolean | No | CEIP opt in to send telemetry data |
| trustedCAs | map[] | No | Adds trusted CAs (in pem format) to the bundle used by services. This should be in a key value form |
