Skip to main content

Configuration parameters

  • All the below parameters can be updated by following the configuration update procedure.
  • Majority of them can be updated at any time. Parameters impacting the ThingPark Enterprise operation are explicitly highlighted
  • See a complete example in files under the examples/customization folder of configuration repository. Be sure to have selected the appropriate tag version.

Instance identification and basic customization

NameMandatoryDescriptionValueDefault Value
global.installationIdyesInstallationID obtained at instance registrationstring""
global.supportEmailyesSet the support contact email for your instanceemail address"support@actility.com"
global.logonoMain logo displayed in the login page and top menu. The image should be in PNG format and less than 50 kB. Recommended size is 300 x 100 px. Logo must be provided as base64 encoded string.stringActility Logo

Hostname and Inbound flows

NameMandatoryDescriptionValueDefault Value
global.dnsHostnameyesSet your desired hostnamefqdn""
global.ingress.hostsnoReplace default use of global.dnsHostname for ingress by the provided list of hosts["fqdn"]Undefined
networkPolicy.ingress.enablednoAllow to isolate workload running in the ThingPark deployment namespace from others.booleanfalse
ingress-nginx.controller.service.annotationsnoService to use to add annotation allowing DNS dynamic provisioningobject{"service.beta.kubernetes.io/azure-dns-label-name": "thingpark-enterprise"}
or
{"external-dns.alpha.kubernetes.io/hostname": "dnsHostname,enterprise.mycompany.org" }
ingress-nginx.tcp.2022yesSupport ssh inbound. Set namespace regarding your deploymentstring"<namespace>/support-inbound:22"
ingress-nginx.tcp.3001yesLRC tls inbounds. Set namespace regarding your deploymentstring"<namespace>/lrc-proxy:3001"
ingress-nginx.tcp.3101yesLRC tls inbounds. Set namespace regarding your deploymentstring"<namespace>/lrc-proxy:3101"
ingress-nginx.tcp.3002yesLRC sftp over tls inbound Set namespace regarding your deploymentstring"<namespace>/lrc-proxy:3002"
ingress-nginx.tcp.4443yesBasics Station LNS inbound. Set only if global.featuresActivation.basicsStation is set to true. Set namespace regarding your deploymentstring"<namespace>/lrc-proxy-lns:8443"
global.ingress.lnsPublicPortnoOptional override of load balancer exposed port for lns endpoint. Should be updated in a coordinated way with ingress-nginx.tcp.4443int4443
DNS hostname

global.dnsHostname FQDN is used:

  • by ingress-nginx to allow access the TPE portal GUI and API
  • by base stations to reach ThingPark Enterprise in TLS security mode
WARNING
  • Changing global.dnsHostname FQDN of your TPE instance has an impact on all the Base Stations configured on the TPE instance:
    • You MUST re-generate all your Base Stations certificate.
    • Then, you MUST reconfigure the Base Stations with the new dnsHostName fqdn address on the Suplog menu.
  • You MUST obtain this https certificate from a trusted https certificate provider or force trust in you browser if default autosigned one is used.
  • If you wish to use a certificate generated by your own, it is mandatory to provide one in line with this domain name.
Use cloud DNS provisioning services

AZURE:

  • global.dnsHostname should be composed of Azure DNS alias followed by Azure region domain name (i.e. thingpark-enterprise.westeurope.cloudapp.azure.com)
  • Azure DNS alias is specified using service annotation: service.beta.kubernetes.io/azure-dns-label-name: thingpark-enterprise

AMAZON:

  • Use external-dns controller to manage a Route 53 subdomain
  • Configure provisioning by using the external-dns.alpha.kubernetes.io/hostname with theglobal.dnsHostname : external-dns.alpha.kubernetes.io/hostname:thingpark-enterprise.mycompany.org
Network Isolation

Once your cluster uses a networking plugin which supports NetworkPolicy, you can start to filter thingpark workloads ingress. Enable networkPolicy.ingress.enabled allows to isolate workload running in the ThingPark deployment namespace from other. Only flow exposed by ingress controller are allowed.

Integration behind a reverse proxy

To allow usage of reverse proxy

  • Configure the public hostname as global.dnsHostname
  • The Load Balancer front of reverse proxy MUST also forward base stations TCP flows
  • To use a internal FQDN to reach Kubernetes Load Balancer and an appropriate certificate, you have to use the global.ingress.hosts parameter to override with this custom host.

TLS Certificate for HTTP traffic

NameDescriptionValueDefault Value
global.ingress.tls.issuerSelect an issuer for https inbound flow certificate. A certificate can be:
- an externally generated one.
- a selfsigned one automatically generated by deployment,
- a letsencrypt generated one, public access to ingress and a public resolved dnsHostname are required
"external", "selfsigned", "letsencrypt""selfsigned"
global.ingress.tls.certificateServer certificate when you use your own (external issuer)PEM certificateUndefined (-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE----\n-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE----\n)
global.ingress.tls.keyServer certificate private key when you use your own (external issuer)PEM private keyUndefined (-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----\n)
global.ingress.tls.caCertificateRoot Certificate of Public Key Infrastructure that have issued the server certificate. Mandatory when Basics Station feature is enabled and global.ingress.tls.issuer: "external" or "letsencrypt"PEM certificateUndefined (-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE----\n-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE----\n)
global.ingress.tls.acmeEmailEmail address used by Let's Encrypt to contact you about expiringemail"foo@example.com"
global.ingress.tls.acmeSolversACME Challenge configuration to obtain certificate. See cert-manager documentation to configure other oneobject[{"http01": {"ingress": {"class": "nginx-tpe"}}}]
tp-gui.ingress.items.gui.annotationsRequired annotation allowing cert-manager to trigger certificate generation for tpe ingressobject (cert-manager letsencrypt issuer){"cert-manager.io/issuer": "letsencrypt-prod"} when letsencrypt issuer used
info
  • With default global.ingress.tls.issuer: "selfsigned", don't omit to add {"cert-manager.io/issuer": "internal-ca-issuer"} annotation to tp-gui.ingress.items.gui.annotations
  • With global.ingress.tls.issuer: "letsencrypt",don't omit to add {"cert-manager.io/issuer": "letsencrypt-prod"} annotation to tp-gui.ingress.items.gui.annotations.
  • Using global.ingress.tls.issuer: "external", global.ingress.tls.certificateMUST include the server certificate first, and next all intermediate certificates of the chain of trust.
Basics Station TLS requirements
  • Changing global.ingress.tls.issuer will break Basics Station connections! You have to take in account the update of trusts on Gateway side.
  • global.ingress.tls.caCertificate certificate is:
    • Empty default TLS configuration (global.ingress.tls.issuer: "selfsign"),
    • The root certificate of Letsencrypt authority(Default ISRG Root X1) that have signed server certificate with global.ingress.tls.issuer: "letsencrypt" (Root CA Name can be obtained using kubectl get secrets ingress-tls -o jsonpath="{.data['tls\.crt']}"|base64 -d | sed '1,/-----END CERTIFICATE-----/d'|openssl x509 -in - -issuer -noout),
    • The root certificate of authority that have signed your own server certificate with global.ingress.tls.issuer: "external" .

Repositories

Only for custom deployments
NameDescriptionValueDefault Value
global.repositoriesRepository configurations. No additional configuration required for a partner deploymentobject
global.repositories.containerImagesRegistry.fqdnContainer registry hostname FQDNfqdn"repository.thingpark.com"
global.repositories.containerImagesRegistry.namespaceContainer registry Namespacestring"thingpark-kubernetes"
global.repositories.containerImagesRegistry.pullPolicyContainer image pullPolicy to use for all deployed workloadsstring in imagePullPolicy"IfNotPresent"
global.repositories.containerImagesRegistry.auth.usernameUsername to authenticate against container registry. Set with InstallationID when default Actility registry usedstringinstallationId
global.repositories.containerImagesRegistry.auth.passwordPassword to authenticate against container registry. Set with InstallationID when default Actility registry usedstringinstallationId
global.repositories.thingparkResources.urlBase stations firmware and documentation repository URL.
This URL should be reachable from web browser
url"https://repository.thingpark.com"
global.repositories.thingparkCatalogs.urlCatalogs repository URL. Serve RF regions, devices and base station profiles and drivers' catalogs.
This URL must be reachable from the ThingPark Enterprise servers
url"https://repository.thingpark.com"

Feature settings

To save server resources and following your need, some services may be enabled/disabled or scaled depending your needs.

NameDescriptionValueDefault Value
global.featuresActivation.dxApiDX API activationbooleantrue
global.featuresActivation.iotFlowIoT Flow activationbooleantrue
global.featuresActivation.nodeRedNode-REDbooleanfalse
global.featuresActivation.basicsStationBasics Station components activationbooleanfalse

Mail settings

NameMandatoryDescriptionValueDefault Value
global.outgoingMailnoDefault empty configuration not need any mail relayobject{}
global.outgoingMail.smtpServeryesHostname or IP address of the SMTP server to use to send emails.fqdn or ip-address"smtp.example.com"
global.outgoingMail.smtpAuthnoAuthentication activation when no empty block is providedobject{}
global.outgoingMail.smtpAuth.loginyesLogin used to authenticate against SMTP serverstring""
global.outgoingMail.smtpAuth.passwordyesPassword used to authenticate against SMTP serverstring""
global.outgoingMail.portyesSMTP server portint465
global.outgoingMail.noReplyEmailyesemail sender "From" of all emails sent by the TPE instance.email"noreply@example.com"
global.outgoingMail.smtpSecurityyesselect one of the available options (None, SSL or TLS) depending on the SMTP server you will use.string in "clear", "ssl", "tls""ssl"
global.outgoingMail.actionTokenGeneratedByUserLifespannoMaximum time in minutes before an action permit sent by a user (e.g. forgot password e-mail) is expired. This value is recommended to be short because it is expected that the user would react to self-created action quickly.int15
global.outgoingMail.actionTokenGeneratedByAdminLifespannoMaximum time in minutes before an action permit sent to a user by admin (e.g. account creation) is expired. This value is recommended to be long to allow admins send e-mails for users that are currently offlinestring60
Features requiring email

"Alarms notification", "activation of users account", "password recovery" and "Contact us" features require a valid smtp configuration.


Proxy settings

NameDescriptionValueDefault Value
global.outgoingProxyProxy configuration bloc, disabled by defaultobject{}
global.outgoingProxy.urlURL of the proxy server used for ThingPark Enterprise resources repository accessurl"http://192.168.1.1:8080"
global.outgoingProxy.authProxy authentication configuration block (optional)object{}
global.outgoingProxy.auth.usernameUsername of the proxy accountstring""
global.outgoingProxy.auth.passwordPassword of the proxy accountstring""
global.outgoingProxy.useForLrcUplinksEnable proxy for LRC uplinks: enable if you want to use the proxy for LRC uplinks on the tunneling interfacebooleantrue
Below the list of Cipher suites supported for an access through HTTPS proxy:
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_AES_128_GCM_SHA256
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_256_GCM_SHA384

Oauth federation settings

NameDescriptionValueDefault Value
global.oauthFederationOAuth configuration bloc, disabled by defaultobject{}
global.oauthFederation.issuerOAuth identity provider issuer urlurl""
global.oauthFederation.clientIdOAuth identity provider client IDstring""
global.oauthFederation.clientSecretOAuth identity provider client Secretstring""
WARNING

First installation MUST always be done without any oauthFederation configuration. See Authentication Federation for more details.


Device and base station alarm notification

NameDescriptionValueDefault Value
global.snmp.trap.serverSNMP trap destination server. Hostname or IP address of the SNMP trap destination serverfqdn or ip-address""
global.snmp.trap.communitySNMP trap communitystring"public"

Base station security

NameDescriptionValueDefault Value
global.ingress.baseStation.keyInstallerPasswordHashHash of the password configured in the base stations to connect the key-installer service. This password should be set only if base stations are flashed with custom images.The hash must be provided in the SHA512 format, for example using the openssl passwd -6 command.Undefined
wireless-pki.certProfiles.lrrClient.validityBase station client certificates validity period. This property is taken into account when a certificate is issued. Certificates issued before this property is changed should be revoked to use the new validity period(*y *mo *d) y=365 days, mo=30 days3y

Basics Station

NameDescriptionValuesDefault Value (example)
ingress-nginx.tcp.4443ingress-nginx TCP service port configurationobject({ 4443: thingpark-enterprise/lrc-proxy-lns:8443})
global.basicsStation.lnsPublicPortOptional override of load balancer exposed port for lns endpointint4443
global.basicsStation.cupsTrustRootCertRoot certificate of authority that have signed the server certificate of basics station cups endpoint. Not required if external or letsencrypt certificate is usedPEM formatted certificateUndefined (-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE----\n)
global.basicsStation.tcTrustRootCertRoot certificate of authority that have signed the server certificate of basics station cups endpoint. Not required if external or letsencrypt certificate is usedPEM formatted certificateUndefined (-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE----\n)
Configuration tips
  • Overall activation is governed by global.featuresActivation.basicsStation flag
  • In order to be able to reach Lns endpoint, ingress-nginx.tcp.4443 have to be uncommented in custom-values.yaml file. If global.basicsStation.lnsPublicPort is overridden, port number coordinated with ingress-nginx.tcp.4443 key number.
  • Both global.basicsStation.cupsTrustRootCert and global.basicsStation.tcTrustRootCert are the same certificates:
    • Without TLS configuration (global.ingress.tls.issuer: "selfsign"), there is nothing to do
    • With global.ingress.tls.issuer: "external", the root certificate of authority that have signed server certificate must be used.
    • With global.ingress.tls.issuer: "letsencrypt", the root certificate of letsencrypt authority(Default ISRG Root X1) that have signed server certificate must be used.

AS security level

NameDescriptionValuesDefault Value
global.asSecurityWhen set to 'strict' (default), auto-signed certificates are rejected. This configuration applies only to HTTPS ASstring in strict, loose"strict"

LoRa configuration

WARNING:

Please update carefully below Lora configuration

NameDescriptionValueDefault Value
global.lora.ismBandChoose the desired ISM Band (also known as Regional RF profile) for your deployment.
The Base Station and Device Catalogs will be automatically filtered on the TPE Portal GUI according to this setting.
On the TPE Portal GUI, it will be possible to create Base Stations and Devices that match the ISM Bands set here.

This configuration should be done during the TPE instance initialization ONLY. Anyway, it can be updated afterwards, but you must keep consistency with the deployments of your Base Stations and Devices.
["string"]["eu868"]
global.lora.netIdConfigure the LoRaWAN™ 24 bits network identifier.
A dedicated NetID assigned by the LoRa Alliance® is required when roamout is enabled. Possible values are 6 hexadecimal digits (case insensitive) restricted to the following list:

- Default value: 000001
- 000000 (shared NetID 0) – forbidden if roam out is enabled
- 000001 (shared NetID 1) – forbidden if roam out is enabled
- 000002-00003F (dedicated NetID type 0)
- 600000-7FFFFF (dedicated NetID type 3)
- C00000-DFFFFF (dedicated NetID type 6)

string"000001"
global.lora.roamingConfigure the LoRaWAN™ Activation and passive roaming. Configuration block can be changed anytime.objectSee below
global.lora.roaming.integrationModeConfigure the roaming mode. The possible values are:
- none: default value.
- Activation only: allows the activation of devices pre-commissioned on agreed external join servers.
- Activation and roaming in: allows devices from agreed foreign networks to use local base stations for uplink and downlink communications (in addition to LoRaWAN™ Activation).
- Activation, roaming in and out: allows local devices to use base stations from agreed foreign networks for uplink and downlink communications (in addition to LoRaWAN™ Activation).
string in "none","activation", "roam-in", "roam-in-out""none"
global.lora.roaming.nsIdWhen Roaming and/or Activation is enabled, LoRaWAN™ 64 bits network server identifier. This information is part of the ThingPark Exchange (TEX) subscription.string""
global.lora.roaming.tex.urlWhen Roaming and/or Activation is enabled, URL of ThingPark Exchange (TEX).url"https://exchange.thingpark.com/"
global.lora.roaming.tex.hubIdWhen Roaming and/or Activation is enabled, HubID of ThingPark Exchange (TEX).string""
global.lora.roaming.tex.outgoingAuth.usernameWhen Roaming and/or Activation is enabled, Username of the ThingPark Exchange (TEX) account.string""
global.lora.roaming.tex.outgoingAuth.passwordWhen Roaming and/or Activation is enabled, Password of the ThingPark Exchange (TEX) account.string""
global.lora.roaming.tex.incomingAuthWhen Roaming and/or Activation is enabled, AUth of the ThingPark Exchange (TEX) account.objectin sync with global.lora.roaming.tex.outgoingAuth
global.lora.otaaDevAddrPoolBlockConfigure a DevAddr range to be used for OTAA devices. The DevAddr range is expressed as a hexadecimal prefix followed by a slash (/) and the number of bits. This range must match the configured NetID.

This parameter is optional and can be configured if you want to do roaming between TPE instances sharing the same NetID. In such case, you can define a dedicated OTAA DevAddr range to each TPE instance. See below for configuration details.
string""
info

TEX synchronization status with LRC can be monitored using this Administration Procedure.

OTAA DevAddr range configuration

This parameter allows to configure a DevAddr range to be used for OTAA devices. The DevAddr range is expressed as a hexadecimal prefix followed by a slash (/) and the number of bits. This range must match the configured NetID. Can be changed anytime.

This parameter is optional and can be configured if you want to do roaming between TPE instances sharing the same NetID. In such case, you can define a dedicated OTAA DevAddr range to each TPE instance.

OTAA DevAddr range validation is done as follows:

  1. The binary NetID DevAddr prefix is computed based on the configured NetID:
    • NetID DevAddr prefix is Type | NwkID
    • If NetID is type 0 (3 MSB are 0b000):
      • Type is 0b0
      • NwkID is the 6 LSB of NetID
    • Else if NetID is type 3 (3 MSB are 0b011):
      • Type is 0b1110
      • NwkID is the 11 LSB of NetID
    • Else if NetID is type 6 (3 MSB are 0b110):
      • Type is 0b1111110
      • NwkID is the 15 LSB of NetID
  2. The binary SubNetID DevAddr prefix is computed based on the configured OTAA DevAddr range:
    • Left part is translated from hexadecimal to binary.
    • Only the number of MSB specified in the right part are kept.
  3. OTAA DevAddr range is valid if SubNetID DevAddr prefix binary string starts with NetID DevAddr prefix binary string.

Below some valid and invalid OTAA DevAddr range configuration based on configured NetID:

  • Example #1: NetID 000002 (type 0) / OTAA DevAddr range 040/12

    1. NetID DevAddr prefix: 0b0000010
      • Type is 0b0
      • NwkID is 0b000010
    2. SubNetID DevAddr prefix: 0b000001000000
    3. OTAA DevAddr range is valid
  • Example #2: NetID 60000F (type 3) / OTAA DevAddr range E01E0/20

    1. NetID DevAddr prefix: 0b111000000001111
      • Type is 0b1110
      • NwkID is 0b00000001111
    2. SubNetID DevAddr prefix: 0b11100000000111100000
    3. OTAA DevAddr range is valid
  • Example #3: NetID C0000F (type 6) / OTAA DevAddr range FC0038/24

    1. NetID DevAddr prefix: 0b1111110000000000001111
      • Type is 0b1111110
      • NwkID is 0b000000000001111
    2. SubNetID DevAddr prefix: 0b111111000000000000111000
    3. OTAA DevAddr range is invalid

Wireless configuration

NameDescriptionValueDefault Value
global.wireless.deviceHistoryExpirationSet the lifespan of LoRaWAN uplink and downlink frames. The default value of 15 days is enough for a normal usage of ThingPark Enterprise. Extending the default value consumes hardware resources (RAM, Disk space), please contact your support before any change.integer (in days)15

Iot Flow settings

NameDescriptionValueDefault Value
global.iotFlow.maxConnectionsSet the maximum number of IoT flow connections allowed simultaneously. As each connection consumes hardware resources (CPU, RAM), this value should be set carefullyintegerDepend hardware sizing
tpx-flow.kafka.topicConfigRetentionMsIotFlow connection topics retention duration between 6 hours and 240 hoursint, 21600000 to 864000000 ms21600000
info

tpx-flow.kafka.topicConfigRetentionMs parameter update is not applied to existing IotFlow connections. Relating topics configuration must be updated after the configuration have been applied. See Update IotFlow connection topics retentions procedure.

Maps settings

NameDescriptionValueDefault Value
global.mapServiceMap service used by the applications, leave empty to disable. When disabled, all map widgets are deactivated and Network Survey application cannot be usedobject{}
global.mapService.defaultLocationDefault map location used on map widgetsstring""
global.mapService.apiMap API to use, either Google Maps or Openstreet Mapsstring in gmaps,osm""
global.mapService.apiKeyApi key, required for Google Mapsstring""
global.mapService.osmTileLeaflet tile layer URL template, required for Openstreet Mapsurl""
global.mapService.osmNominatimNominatim search URL, required for Openstreet Mapsurl""

Backup settings

WARNING
  • A storage is MANDATORY to allow to backup during upgrades
  • Scheduled backup is optional
NameDescriptionValueDefault value (example)
global.backup.scheduleBackup scheduling configuration, disabled by defaultcron expressionUndefined ("30 2 * * *")
global.backup.s3CompatBackup configuration to use a s3 compatible backend (ex: minio)objectUndefined
global.backup.s3Compat.urlurl to use to reach s3 storage apiurl""
global.backup.s3Compat.accessKeyAccess Key to use to authenticate against apistring""
global.backup.s3Compat.secretAccessKeySecret Access Key to use to authenticate against apistring""
global.backup.s3Compat.bucketBucket name to use to store backup archivesstring("thingpark-enterprise-backup")
global.backup.amazonBackup configuration to use an Amazon s3 bucketobject-
global.backup.amazon.accessKeyAccess Key to use to authenticate against api. Optional, if not provided, EKS Node Group IAM Role must allow get/put to S3 backup bucketstring""
global.backup.amazon.secretAccessKeySecret Access Key to use to authenticate against api. Optional, if not provided, EKS Node Group IAM Role must allow get/put to S3 backup bucketstring""
global.backup.amazon.bucketBucket name to use to store backup archivesstring("thingpark-enterprise-backup")
global.backup.amazon.regionBucket regionstring("us-east-2")
global.backup.azureBackup configuration to use an Amazon s3 bucketobjectUndefined
global.backup.azure.resourceGroupstring""
global.backup.azure.storageAccountbucketstring""
global.backup.azure.blobContainerurl("thingpark-enterprise-backup")
global.backup.azure.subscriptionIdstring""
global.backup.azure.tenantIdstring""
global.backup.azure.clientIdstring""
global.backup.azure.clientSecretstring""