Configure Platform Manager

This page outlines the configuration values for the Platform Manager deployed via the Axual Governance Helm chart.

About Platform Manager

Platform Manager is the core component of the Axual Platform; it lets you manage any Self-Service resource.

Platform Manager is based on Spring Boot 3.x.

Platform Manager Configuration

Platform Manager requires configuration for interacting with all components that make up the Axual Platform.

For a complete list of configurations, please refer to Platform Manager Configuration.

Platform Manager Repository Configuration

Initially, you can override the registry, tag, and pullPolicy for the Platform UI pod.

By default, these values come from the Axual Governance charts.

You can also override the imagePullSecrets; if not specified, the Platform Manager pod uses global.imagePullSecrets.

values.yaml
platform-manager:

  image:
    registry: "docker.axual.io"
    pullPolicy: "Always"
    tag: "8.4.0"

  imagePullSecrets:
    - name: axualdockercred

TLS Configuration

If needed, you can specify secrets containing the PEM certificates for keystore generation:

  • Server keypair

  • Client keypair

  • Truststore

Here is an example of how you can configure it.

values.yaml
platform-manager:

  tls:
    # -- Enables keystore generation
    enabled: true
    # -- Creates server keypair from PEM
    createServerKeypairSecret: true
    # -- PEM used to generate the server keypair if `createServerKeypairSecret` is true
    serverCertificatePem: <server-certificate>
    # -- PEM used to generate the server keypair if `createServerKeypairSecret` is true
    serverKeyPem: <server-key>

    # -- Creates client keypair from PEM
    createClientKeypairSecret: true
    # -- PEM used to generate the client keypair if `createClientKeypairSecret` is true
    clientCertificatePem: <client-certificate>
    # -- PEM used to generate the client keypair if `createClientKeypairSecret` is true
    clientKeyPem: <client-key>

    # -- Creates truststore from PEMs
    createTruststoreCaSecret: true
    # -- Set of PEMs used to generate the truststore if `createTruststoreCaSecret` is true
    caCerts:
      ca_one.crt:  <first-cert>
      ca_two.crt: <second-cert>

For more information on the secrets defined above, refer to TLS secrets.

Application Configuration

Platform Manager is a Spring Boot application. Spring Boot applications can be configured with application.yml files. Whatever is present under config in the YAML file is injected into a ConfigMap and mounted as an application.yml file.

values.yaml
platform-manager:
  config: {}

Spring Datasource Configuration

Platform Manager requires a database to persist the Self-Service resources. Since it’s a Spring Boot application, we use the spring.datasource property to configure the database connection.

values.yaml
platform-manager:
  config:
    spring:
      # Spring Datasource
      datasource:
        # -- Datasource Name
        name: "platform-manager"
        # -- Datasource Url with Database
        url: "jdbc:mysql://platform-manager-mysql:3306/selfservice-db"
        # -- Datasource Username
        username: "platform-manager-username"
        # -- Datasource Password
        password: "platform-manager-password"
        # -- Datasource Driver Class Name
        driver-class-name: "com.mysql.cj.jdbc.Driver"
      # Spring JPA
      jpa:
        # -- Database Platform
        database-platform: "org.hibernate.dialect.MySQLDialect"
      # Flyway Configuration
      flyway:
        # -- Flyway Script Location (`mariadb` or `mysql`)
        # locations: "classpath:db/migration/mariadb"
        locations: "classpath:db/migration/mysql"

Axual and Governance Configuration

Platform Manager interacts with multiple Axual services and requires configuration for each service.

You can configure most of them using the axual and governance entries. For example, here we configure the Platform Manager to use the new architecture to interact with Kafka clusters.

We disable the interaction with the Instance API and configure the Platform Manager to retrieve governance secrets from the HashiCorp Vault.

values.yaml
platform-manager:

  config:
    # Axual Platform Manager
    axual:
      # Instance Manager Configuration
      instance-api:
        available: false

    # Governance Vault Configuration
    governance:
      vault:
        enabled: true
        # -- Define the URI of the Vault
        uri: "http://platform-manager-vault:8200"
        # -- Define the path of the KV Secret in the Vault
        path: "governance"
        # -- RoleID of the platform-manager policy to access the KV Secret
        roleId: "role-id-for-platform-manager-policy"
        # -- SecretID of the platform-manager policy to access the KV Secret
        secretId: "secret-id-for-platform-manager-policy"
        # -- (Optional) The Namespace of the Vault
        # namespace: "[your-governance-vault-namespace]"

Connect Configuration

To configure the Platform Manager to interact with an Axual Connect, use the axual.connect entry.

For each {tenant}-{instance} it’s possible to define the instance-connect-credentials.

values.yaml
platform-manager:

  config:
    # Axual Platform Manager
    axual:
      # Connect Configuration
      connect:
        # -- Enable Connect Support
        available: true
        # -- Connect Instance Credentials for each Tenant-Instance
        instanceConnectCredentials:
          tenant-instance1:
            authorizer: basic
            username: "[your-connect-username]"
            password: "[your-connect-password]"
          tenant-instance2:
            authorizer: basic
            username: "[your-connect-username-2]"
            password: "[your-connect-password-2]"

The Axual Connect URL is retrieved from the Instance definition in the Self-Service.

Connect Vault Configuration

Each Axual Connect requires a HashiCorp Vault to store the connectors' secrets.

Each Axual Connect can use a different HashiCorp Vault, so the Platform Manager must be able to switch between different HashiCorp Vaults to store the connectors' secrets.

values.yaml
platform-manager:

  config:
    # Connectors Vault Configuration
    connectorVault:
      # -- Enable Connect Support
      enabled: true
      # -- Vault Instance for each Tenant-Instance
      instances:
        tenant-instance1:
          # -- The URI of the Vault for the Tenant-Instance
          uri: "http://vault-instance:8200"
          # -- (Optional) The Namespace of the Vault for the Tenant-Instance
          namespace: "[your-connect-namespace]"
          # -- The path of the `connectors` KV secrets defined for the Tenant-Instance
          connectorsPath: "connectors"
          # -- The RoleID of the Vault policy to access the `connectors` KV secrets for this Tenant-Instance
          roleId: "[your-connect-role-id]"
          # -- The SecretID of the Vault policy to access the `connectors` KV secrets for this Tenant-Instance
          secretId: "[your-connect-secret-id]"
          # -- The Name identifying the `private.key` of the Connector for the Tenant-Instance
          privateKeyName: "private.key"
          # -- The Name identifying the `certificate.chain` of the Connector for the Tenant-Instance
          certChainKeyName: "certificate.chain"
        tenant-instance2:
          uri: "http://vault-instance2:8200"
          connectorsPath: "connectors"
          roleId: "[your-connect-role-id]"
          secretId: "[your-connect-secret-id]"
          privateKeyName: "private.key"
          certChainKeyName: "certificate.chain"
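
Because everything under config is rendered into a ConfigMap (see Application Configuration), literal passwords and Vault secretId values set there are stored in a ConfigMap rather than a Secret. The following added example (not part of the Axual chart or its documentation) walks a parsed values.yaml and flags those literals, plus Vault URIs that use http. It assumes a value written as a Spring `${...}` placeholder is supplied by other means; `DB_PASSWORD` is a hypothetical variable name.

```python
import re
from urllib.parse import urlsplit

SECRET_KEYS = {"password", "secretid"}      # leaf names, compared lower-cased
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")  # Spring ${...} reference, assumed externalised

# Constructed sample, modelled on the values.yaml snippets on this page.
SAMPLE_VALUES = {"platform-manager": {"config": {
    "spring": {"datasource": {
        "url": "jdbc:mysql://platform-manager-mysql:3306/selfservice-db",
        "password": "${DB_PASSWORD}",  # hypothetical variable name
    }},
    "governance": {"vault": {
        "uri": "http://platform-manager-vault:8200",
        "secretId": "secret-id-for-platform-manager-policy",
    }},
    "connectorVault": {"instances": {"tenant-instance1": {
        "uri": "https://vault-instance:8200",  # constructed: https variant
        "secretId": "[your-connect-secret-id]",
    }}},
}}}

def walk(node, path=()):
    """Yield (path, value) for every scalar leaf of a nested dict/list."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, path + (str(key),))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, path + (str(i),))
    else:
        yield path, node

def audit_values(values):
    """Return sorted (dotted path, finding) pairs for platform-manager.config."""
    config = (values.get("platform-manager") or {}).get("config") or {}
    findings = []
    for path, value in walk(config):
        if not path or not isinstance(value, str) or not value:
            continue
        dotted, leaf = "config." + ".".join(path), path[-1].lower()
        if leaf in SECRET_KEYS and not PLACEHOLDER.match(value):
            findings.append((dotted, "literal credential in ConfigMap"))
        if leaf == "uri" and "vault" in dotted.lower() and urlsplit(value).scheme == "http":
            findings.append((dotted, "Vault URI uses plaintext http"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_values(SAMPLE_VALUES), sep="\n")
```

To run it against a real file, load the YAML with a parser of your choice and pass the resulting dict to `audit_values`.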

Other Configuration

Check Platform Manager Configuration to view all other possible configurations.