Platform configuration structure


1. Overview

The Platform for state registries stores its settings in the configuration changes review and storage service (Gerrit) according to the GitOps approach.

The GitOps approach relies on the Git repository as the sole source of the subsystem configuration files when orchestrating the Platform infrastructure and deploying registries. GitOps provides automated deployment, streamlined version control, effortless change reversals, and enhanced visibility of system changes through Git-based workflows and declarative descriptions of the desired state of the Platform and registry.
Platform configuration
Configuration level | Repository | Path | Description
Platform | cluster-mgmt | /deploy-templates/values.yaml | Contains general Platform settings. Configured by the administrator through the admin console.
Platform | cluster-mgmt | /deploy-templates/values.gotmpl | Contains templates and default values for system parameters. In most cases, no adjustments are required.
Platform | cluster-mgmt | /deploy-templates/console-versions.yaml | Contains information about the versions of the Platform and registries management console.

2. Platform custom yaml configuration specification (values.yaml)

This section provides a list of general Platform settings that administrators configure via the admin console or a commit to the repository.

2.1. General Platform settings

The following table provides the Platform’s root parameters.

Use links to the corresponding child tables for convenient navigation through the object specification hierarchy.
General Platform settings
Name | Type | Default value | Required | Description
global | object | | | Global Platform settings.
cdPipelineName | string | platform | | The name of the Platform CD pipeline. This is an EDP entity and part of the servicing pipeline of the Platform deployment processes.
cdPipelineStageName | string | main | | The name of the Platform CD pipeline stage. This is an EDP entity and part of the servicing pipeline of the Platform deployment processes.
source_catalog_version | string | 4.6 | | ❌ A deprecated parameter. Will be discontinued in future Platform versions.
administrators | []object | | | The list of users with the Platform administrator role (cp-cluster-mgmt-admin).
keycloak | object | | | General Keycloak component settings.
digitalSignature | object | | | The Users and roles management subsystem’s Digital signature service settings.
velero | object | | | Velero Platform backup service settings.

2.2. Global Platform settings

The global group contains the Platform’s global parameters that are not classified into separate groups.

global
Name | Type | Default value | Required | Description
deploymentMode | string | development | | The Platform deployment mode. Determines whether external-integration-mocks are present or not.
whiteListIP | object | | | Platform services access parameters.

2.3. Platform service access parameters

The whiteListIP group contains access parameters for the administrative service routes.

global.whiteListIP
Name | Type | Default value | Required | Description
adminRoutes | string | 0.0.0.0/0 | | The Platform’s administrative service route access parameters.

global specification example
deploymentMode: production
whiteListIP:
    adminRoutes: 0.0.0.0/0

2.4. Platform administrators configuration parameters

The administrators group contains a list of Platform administrators.

administrators
Name | Type | Default value | Required | Description
email | string | | | The email address that identifies the user.
firstName | string | | | User’s first name.
lastName | string | | | User’s last name.
passwordVaultSecret | string | | | The path to the temporary password in the Hashicorp Vault Secrets and encryption management service.
passwordVaultSecretKey | string | | | The key under which the temporary password is stored at that path in the Hashicorp Vault Secrets and encryption management service.
username | string | | | User account name. Equals the email field.

Administrators configuration example
administrators:
    - email: user@company.com
      firstName: user
      lastName: user
      passwordVaultSecret: registry-kv/cluster/user@company.com
      passwordVaultSecretKey: password
      username: user@company.com

2.5. User and role management service configuration parameters

The keycloak group contains the Keycloak settings, namely the customHosts list of alternative DNS names for Keycloak.

keycloak
Name | Type | Default value | Required | Description
customHosts | []object | | | A list of alternative DNS names for Keycloak.

The customHosts group contains a list of alternative DNS names for Keycloak and paths to their certificates.

keycloak.customHosts
Name | Type | Default value | Required | Description
certificatePath | string | | | The path to the TLS/SSL certificate in the Hashicorp Vault Secrets and encryption management service.
host | string | | | The hostname of the alternative DNS name.

Keycloak custom hosts configuration example
keycloak:
  customHosts:
    - certificatePath: registry-kv/cluster/domains/example-keycloak.openshift.company.com/20230505T085919Z
      host: example-keycloak.openshift.company.com

2.6. Digital signature service configuration parameters

The digitalSignature group contains the Platform’s Digital signature service settings.

digitalSignature
Name | Type | Default value | Required | Description
data | object | | | The Platform’s Digital signature service key settings.
env | object | | | The Platform’s Digital signature service environment settings.

digitalSignature.data
Name | Type | Default value | Required | Description
Key-6-dat | string | | | The path to the organization’s private file key in the Hashicorp Vault Secrets and encryption management service.
allowed-keys-yml | string | | | The path to the file listing the attributes of authorized or previously issued keys in the Hashicorp Vault Secrets and encryption management service.
osplm.ini | string | | | The path to the configuration file of the hardware and software cryptomodule in the Hashicorp Vault Secrets and encryption management service. Only used with the hardware key type.

digitalSignature.env
Name | Type | Default value | Required | Description
sign.key.device-type | string | | | The type of the key used by the Platform. Possible values are file or hardware.
sign.key.file.issuer | string | | | The path to information about the issuer of the organization’s private key in the Hashicorp Vault Secrets and encryption management service.
sign.key.file.password | string | | | The path to the organization’s private key password in the Hashicorp Vault Secrets and encryption management service.
sign.key.hardware.device | string | | | The path to information about the serial number, host, and port of the hardware cryptomodule device in the Hashicorp Vault Secrets and encryption management service. Only used with the hardware key type.
sign.key.hardware.password | string | | | The path to the hardware cryptomodule device password in the Hashicorp Vault Secrets and encryption management service. Only used with the hardware key type.
sign.key.hardware.type | string | | | The path to the hardware cryptomodule device type in the Hashicorp Vault Secrets and encryption management service. Only used with the hardware key type.

Platform’s Digital signature service configuration example
digital-signature:
    data:
        Key-6-dat: registry-kv/cluster/key-management-20231608T063220Z
        allowed-keys-yml: registry-kv/cluster/key-management-20231608T063220Z
        osplm.ini: ""
    env:
        sign.key.device-type: file
        sign.key.file.issuer: registry-kv/cluster/key-management-20231608T063220Z
        sign.key.file.password: registry-kv/cluster/key-management-20231608T063220Z
        sign.key.hardware.device: ""
        sign.key.hardware.password: ""
        sign.key.hardware.type: ""

2.7. Backup and restore service configuration parameters

The velero group contains the Backup and restore service settings.

velero
Name | Type | Default value | Required | Description
backup | object | | | The backup configuration of the Platform components.

velero.backup
Name | Type | Default value | Required | Description
controlPlane | object | | | The backup configuration of the Platform and registries management subsystem’s components.
controlPlaneNexus | object | | | The backup configuration of the Platform artifacts repository in the Platform and registries deployment and configuration subsystem.
monitoring | object | | | The backup configuration of the Event monitoring and notification subsystem’s components.
userManagement | object | | | The backup configuration of the Users and roles management subsystem’s components.

velero.backup.<component_name>
Name | Type | Default value | Required | Description
expires_in_days | string | | | The number of days to store the backup copy of the Platform service.
schedule | string | | | The backup schedule definition in the UNIX cron format.

Velero Platform backup service configuration example
velero:
    backup:
        controlPlane:
            expires_in_days: 7
            schedule: 15 9 * * *
        controlPlaneNexus:
            expires_in_days: 7
            schedule: 0 9 * * *
        monitoring:
            expires_in_days: 7
            schedule: 45 9 * * *
        userManagement:
            expires_in_days: 7
            schedule: 30 9 * * *
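A consistency check over the values.yaml settings from sections 2.3, 2.4, 2.6 and 2.7, added here as an example; it is not part of the Platform's own tooling. It takes the configuration in the shape yaml.safe_load returns, the embedded sample is constructed and deliberately misconfigured, and two things are assumptions rather than page facts: adminRoutes holds a single CIDR, and the cron check accepts only the basic five-field syntax.

```python
import ipaddress
import re

# Constructed sample mirroring the values.yaml examples on this page, in the shape
# yaml.safe_load would return. It is deliberately misconfigured in several places.
SAMPLE = {
    "global": {"whiteListIP": {"adminRoutes": "0.0.0.0/0"}},
    "administrators": [{"email": "user@company.com", "username": "admin"}],
    "digital-signature": {"env": {"sign.key.device-type": "hardware",
                                  "sign.key.hardware.device": ""}},
    "velero": {"backup": {
        "controlPlane": {"expires_in_days": 7, "schedule": "15 9 * * *"},
        "monitoring": {"expires_in_days": "x", "schedule": "45 9 *"}}},
}

# Simplified cron field syntax: *, n, a-b, optional /step, comma-separated (assumption).
CRON_FIELD = re.compile(r"^(\*|\d+)(-\d+)?(/\d+)?(,(\*|\d+)(-\d+)?(/\d+)?)*$")
HW_KEYS = ("sign.key.hardware.device", "sign.key.hardware.password",
           "sign.key.hardware.type")
FILE_KEYS = ("sign.key.file.issuer", "sign.key.file.password")


def check_values(cfg):
    """Return a list of findings; an empty list means the configuration passed."""
    out = []
    routes = cfg.get("global", {}).get("whiteListIP", {}).get("adminRoutes", "")
    try:  # 0.0.0.0/0 (prefix length 0) means the admin routes accept any source
        if ipaddress.ip_network(routes, strict=False).prefixlen == 0:
            out.append("whiteListIP.adminRoutes allows every source address")
    except ValueError:
        out.append(f"whiteListIP.adminRoutes is not a valid CIDR: {routes!r}")
    for adm in cfg.get("administrators", []):
        if adm.get("username") != adm.get("email"):  # spec: username equals email
            out.append(f"administrator {adm.get('email')!r}: username must equal email")
    env = cfg.get("digital-signature", {}).get("env", {})
    dev = env.get("sign.key.device-type")
    if dev not in ("file", "hardware"):
        out.append(f"sign.key.device-type must be file or hardware, got {dev!r}")
    else:
        for key in HW_KEYS if dev == "hardware" else FILE_KEYS:
            if not env.get(key):  # Vault path required for the selected key type
                out.append(f"{key} must be set when sign.key.device-type is {dev}")
    for name, spec in cfg.get("velero", {}).get("backup", {}).items():
        days = str(spec.get("expires_in_days", ""))
        if not days.isdigit() or int(days) < 1:
            out.append(f"velero.backup.{name}.expires_in_days must be a positive integer")
        fields = str(spec.get("schedule", "")).split()
        if len(fields) != 5 or not all(CRON_FIELD.match(f) for f in fields):
            out.append(f"velero.backup.{name}.schedule is not a 5-field cron expression")
    return out
```

Run check_values over your own parsed values.yaml before committing it to the cluster-mgmt repository; the adminRoutes finding is the one worth acting on first, since the page's default leaves the administrative routes reachable from any address.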

3. Platform technical yaml configuration specification (values.gotmpl)

This section lists the technical parameters of the Platform. Their values are set using parameterization templates, which can take one of the following forms:

  • {{ env "<variable_name>" }} to get values from environment variables.

  • {{ $cluster_version := exec … }} to execute a command during pipeline execution.

We do not recommend making changes to this file manually.
Platform technical parameters
Name | Type | Required | Description
global | object | | Global Platform settings.
vault | object | | Contains settings for the Platform’s central Secrets management service.
namespace | string | | Defines the name of the OKD namespace for deploying subsystem components and configurations from the codebase specification, based on whether they belong to the Platform or a registry.
baseDomain | string | | Receives and sets the base domain of the OKD cluster, for example, openshift.example.com. All managed DNS records in the cluster become subdomains of the base domain. After the OKD cluster is deployed, this value cannot be changed.
dnsWildcard | string | | A subdomain of the base domain of the OKD cluster for routing traffic to Platform and registry applications, for example, apps.openshift.example.com.
cdPipelineName | string | | The name of the Platform CD pipeline. This is an EDP entity and part of the servicing pipeline of the Platform deployment processes.
dockerRegistry | string | | The URL for the control-plane-nexus Platform artifacts repository.
dockerProxyRegistry | string | | The URL for the control-plane-nexus Platform artifacts repository.
edpProject | string | | Defines the name of the OKD namespace for deploying subsystem components and configurations from the technical pipeline parameters, based on whether they belong to the Platform or a registry.
globalNexusNamespace | string | | The OKD namespace for the Platform artifacts repository.
ACCESS_KEY_ID | string | | ❌ A deprecated parameter. Will be discontinued in future Platform versions.
SECRET_ACCESS_KEY | string | | ❌ A deprecated parameter. Will be discontinued in future Platform versions.
backupBucket | string | | ❌ A deprecated parameter. Will be discontinued in future Platform versions.

global
Name | Type | Required | Description
clusterVersion | string | | Automatically determines the current version of the OKD cluster.
storageClass | string | | Contains the StorageClass name used in the OKD cluster by default.
imageRegistry | string | | The URL for the control-plane-nexus Platform artifacts repository.

vault
Name | Type | Required | Description
platformVaultToken | string | | The access token for the Platform’s central Secrets management service.
openshiftApiUrl | string | | The OKD API server URL.
centralVaultUrl | string | | The Platform’s central Secrets management service URL.

3.1. Admin console settings

The consoleVersions group contains the registry-version-to-admin-console-version mapping parameters for the release.

consoleVersions
Name | Type | Default value | Required | Description
consoleVersion | string | | | The admin console version.
stream | string | | | The console deployment branch.
registryVersion | string | | | The registry version.

The consoleVersions group contains technical values that are updated together with the Platform, so there is no need to change them manually.
consoleVersions specification example
consoleVersions:
    - consoleVersion: 1.9.0.67
      registryVersion: 1.9.4
      stream: master
    - consoleVersion: 1.9.6.33
      registryVersion: 1.9.6
      stream: master