Shared configuration

You must set the parameters in the custom resource file to access the Docker images in your environment.

The following tables list the configurable parameters. In a custom resource file, each parameter is either mandatory (Required) or optional. If a parameter is absent or has no value, the operator uses the default value. You can overwrite the default value by entering a new value in your custom resource. Mandatory parameters must always be present and must have a valid value.

Table 1. Shared configuration parameters: spec
Parameter Description Example value Required
appVersion The version of the current release. 26.0.0 Yes
content_optional_components Specify which component to include (true) or omit (false).
  • cpe: true
  • graphql: true
  • cmis: false
  • css: false
  • es: false
  • tm: false
  • ban: true
  • iccsap: false
  • ier: false
No
license.accept Must exist to accept the IBM license. The only valid value is "true". true Yes
Table 2. Shared configuration parameters: spec.shared_configuration
Parameters Description Default Values Required
enable_fips Enable or disable FIPS mode for the deployment. false No
external_tls_certificate_secret Shared custom TLS secret that is used to sign all external routes, if defined. If the parameter is not defined, all external routes are signed with root_ca_secret.   No
image_pull_secrets List of shared image pull secrets. ibm-entitlement-key No
root_ca_secret If you provide your own root certificate, enter the value. fncm-root-ca No
sc_content_initialization

Enable or disable content initialization (creation of Content Cortex domain, creation of object stores, creation of CSS servers, and initialization of Navigator (ICN)). If not set, the parameter takes the default value.

If the parameter value is true, you must define the initialize_configuration section in the CR as the operator uses the parameters within the section for configuration.

If the parameter value is false, the operator ignores the initialize_configuration section that is defined in the CR.

false No
sc_content_verification

Enable or disable the content verification (creation of test folder, creation of test document, execution of CBR search, and creation of Navigator demo repository and desktop). If not set, the parameter takes the default value.

If the parameter value is true, you must define the verify_configuration section in the CR as the operator uses the parameters within the section for configuration.

If the parameter value is false, the operator ignores the verify_configuration section that is defined in the CR.
Note: If you are upgrading or migrating, set this parameter to false since the environment is already verified.
false No
sc_deployment_context Do not change this default setting. CCx Yes
sc_deployment_platform Enter the platform type. OCP
  • Use "OCP" for the Red Hat® OpenShift® Container Platform.
  • Use "ROKS" if the platform is Red Hat OpenShift on IBM Cloud®.
Yes
sc_deployment_profile_size

For a production deployment type, the default is small. You can change the profile to medium or large, as required. For more information, see Identifying the infrastructure requirements.

small No
sc_deployment_type Do not change this default setting. production Yes
sc_ecm_ltpa_secret_name If you created a custom ltpa-secret name, specify the name here. The value is required for deploying geographically dispersed CCx clusters. {{ meta.name }}-ecm-ltpa No
sc_generate_sample_network_policies

Use the parameter to generate network policy templates that you can install for a CCx deployment. The default is not to generate network policies that restrict access to external systems.

Set the value of sc_generate_sample_network_policies to true in your custom resource for CCx to generate sample network policies. The templates restrict access for all pods to external systems. You can customize your network policy or use specific policies with 'matchLabels' to set exceptions.

If set to false, network policy templates are not generated.

Important: Without network policies installed, the pods have unrestricted network access to external systems.

The sample network policies are generated when the value of sc_generate_sample_network_policies is true. When installed, the network policies restrict the pods from accessing any external system other than the known addresses for databases and LDAPs.

The default for sc_generate_sample_network_policies is false, if not defined. No
sc_fncm_license_model
  • Choose one of these license models if you are using a license from Content Cortex or IBM Content Foundation:

    The expected values are ICF.PVUNonProd, ICF.PVUProd, ICF.UVU, CCx.PVUNonProd, CCx.PVUProd, CCx.UVU, or CCx.CU.

  • Choose one of these licensing models if you are using a license for IBM Cloud Pak® for Business Automation to deploy the stand-alone IBM Content Cortex containers.

    Valid values depend on your license terms; select from CP4BA.NonProd, CP4BA.Prod, or CP4BA.User.

  Yes
sc_image_repository All components must use the same docker image repository. For IBM Entitlement Registry use cp.icr.io. For a local docker image repository, set the parameter to the value of the URL, for example, myimageregistry.com/project_name. For an air gap installation, make sure that the parameter is set to the default value. cp.icr.io No
sc_is_multiple_az If a cluster is configured for multiple availability zones (AZ) and the parameter sc_is_multiple_az is set to true, then the pods are spread across all the zones. By default, the sc_is_multiple_az parameter is set to false. When the value is set to true, the pods of the CCx deployment are spread across your user-defined topology domains. The pod API includes a spec.topologySpreadConstraints field, which is used by the operator to configure it. For more information, see Controlling pod placement by using pod topology spread constraints. false No
sc_run_as_user The parameter is optional and only applicable for non-OpenShift Container Platform installations. Specify a RunAs user for the security of the pod. The value is usually a numerical ID.   No
sc_fs_group The parameter is optional and only applicable for non-OpenShift Container Platform installations. Specify a value for fsGroup for the security of the pod. The value is usually a numerical ID.   No
sc_seccomp_profile.localhost_profile Specify the local path of the seccomp profile file. This parameter is required if sc_seccomp_profile.type is set to Localhost. The value of sc_seccomp_profile.localhost_profile is ignored if sc_seccomp_profile.type is set to anything other than Localhost. For more information, see Configuring seccomp profiles. Example value profiles/audit.json Only if sc_seccomp_profile.type is set to Localhost
sc_seccomp_profile.type Specify the type of seccomp profile to be used by the pods. Possible values are Unconfined, RuntimeDefault, and Localhost. For more information about seccomp profiles, see Restrict a Container's Syscalls with seccomp. Default value Localhost. No
storage_configuration
  • sc_fast_file_storage_classname
  • sc_medium_file_storage_classname
  • sc_slow_file_storage_classname
Three storage classes are needed for slow, medium, and fast storage. If one storage class is defined, then you can use that one storage class for all three parameters. None Yes
sc_service_ip_family_policy The parameter value corresponds to the ipFamilyPolicy property of the Kubernetes service object that CCx creates. Possible values include SingleStack, PreferDualStack, or RequireDualStack for a dual-stack enabled cluster that supports both IPv4 and IPv6. If you do not set the parameter, then Kubernetes defaults to the cluster-level settings.
Warning: If you set the parameter to a value that your cluster does not support, the CCx deployment fails. For example, if your cluster supports only one IP family, setting the parameter value to RequireDualStack causes the deployment to fail.

The value for sc_service_ip_family_policy is case-sensitive, and must be in the exact case as shown in the allowed values and examples.

shared_configuration:
  sc_service_ip_families:
  - IPv4
  - IPv6
  sc_service_ip_family_policy: PreferDualStack
No
sc_service_ip_families The parameter is used to define a list of values that correspond to the ipFamilies property of the Kubernetes service object that CCx creates. The parameter value is case-sensitive. If you have a dual-stack enabled cluster that supports both IPv4 and IPv6, then you can add a list with "IPv4" or "IPv6" to control the IP families of the IP addresses that are assigned to the CCx services. If you do not set the parameter, then Kubernetes defaults to the cluster-level settings. See also the sc_service_ip_family_policy parameter.
Warning:

If you set the parameter to a value that your cluster does not support, the CCx deployment fails. For example, if your cluster supports only IPv4, setting the parameter value to IPv6 causes the deployment to fail. The value for sc_service_ip_families is case-sensitive, and must be in the exact case as shown in the allowed values and examples.

sc_service_ip_families is only supported for the initial deployment. If you update the primary IP family by changing "IPv4" to "IPv6", or "IPv6" to "IPv4" after the services are created, it causes instability and requires a manual restart of certain pods.

For more information, see the topic in the Kubernetes documentation.
shared_configuration:
  sc_service_ip_families:
  - IPv6
  sc_service_ip_family_policy: SingleStack
No
sc_vault_configuration.enable_external_secret_store This parameter is used to enable integration with HashiCorp Vault. If the parameter is not defined, then the default value is "false".

Set the value to "true" if you want to integrate with an external vault and have already completed the mandatory prerequisites for the vault integration.

If you set the value to "true" without completing the mandatory prerequisites to integrate with an external vault, it breaks the CP4BA deployment.

    sc_vault_configuration:
      enable_external_secret_store: false
No
trusted_certificate_list If you plan to connect to an external service over SSL, use the certificate file to create a secret and then add the secret name for this parameter. [] No
images.keytool_init_container.repository Image name for TLS init container. cp.icr.io/cp/cp4a/common/dba-keytool-initcontainer No
images.keytool_init_container.tag Image tag for TLS init container.

26.0.0

No
custom_annotations Values in this field are used as annotations in all generated pods. They must be valid annotation key-value pairs. customAnnotationKey: customAnnotationValue No
custom_labels Values in this field are used as labels in all generated pods. They must be valid label key-value pairs. customLabelKey: customLabelValue No
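
Several rules in the tables above depend on each other (seccomp type and profile path, the content flags and their CR sections, case-sensitive IP values), so they are easy to miss in review. The following added example, which is not part of the product or its documentation, lints a custom resource that is already parsed into a dictionary; the function name, the sample CR, and the placement of initialize_configuration and verify_configuration directly under spec are assumptions.

```python
# Added example: lint a custom resource (parsed into a dict) against rules
# stated on this page. Placing initialize_configuration and
# verify_configuration directly under spec is an assumption.
REQUIRED_SC = ("sc_deployment_context", "sc_deployment_platform",
               "sc_deployment_type", "sc_fncm_license_model")
STORAGE_KEYS = ("sc_fast_file_storage_classname", "sc_medium_file_storage_classname",
                "sc_slow_file_storage_classname")
IP_POLICIES = {"SingleStack", "PreferDualStack", "RequireDualStack"}
IP_FAMILIES = {"IPv4", "IPv6"}

def lint_cr(cr):
    spec = cr.get("spec", {})
    sc = spec.get("shared_configuration", {})
    out = []  # findings as "parameter: problem" strings
    if spec.get("license", {}).get("accept") not in (True, "true"):
        out.append("license.accept: must exist and be true")
    out += [f"{k}: mandatory" for k in ("appVersion",) if not spec.get(k)]
    out += [f"{k}: mandatory" for k in REQUIRED_SC if not sc.get(k)]
    storage = sc.get("storage_configuration", {})
    out += [f"{k}: mandatory" for k in STORAGE_KEYS if not storage.get(k)]
    # IP values are case-sensitive; a wrong value fails the deployment.
    policy = sc.get("sc_service_ip_family_policy")
    if policy is not None and policy not in IP_POLICIES:
        out.append(f"sc_service_ip_family_policy: {policy!r} is not an allowed value")
    for fam in sc.get("sc_service_ip_families", []):
        if fam not in IP_FAMILIES:
            out.append(f"sc_service_ip_families: {fam!r} is not an allowed value")
    sec = sc.get("sc_seccomp_profile", {})
    if sec.get("type") == "Localhost" and not sec.get("localhost_profile"):
        out.append("sc_seccomp_profile.localhost_profile: required for type Localhost")
    for flag, section in (("sc_content_initialization", "initialize_configuration"),
                          ("sc_content_verification", "verify_configuration")):
        if sc.get(flag) is True and section not in spec:
            out.append(f"{section}: must be defined when {flag} is true")
    if sc.get("sc_generate_sample_network_policies") is not True:
        out.append("sc_generate_sample_network_policies: not true, no templates generated")
    return out

SAMPLE_CR = {"spec": {  # constructed sample, not from the product documentation
    "appVersion": "26.0.0", "license": {"accept": True},
    "shared_configuration": {
        "sc_deployment_context": "CCx", "sc_deployment_platform": "OCP",
        "sc_deployment_type": "production", "sc_fncm_license_model": "CCx.PVUProd",
        "storage_configuration": dict.fromkeys(STORAGE_KEYS, "example-sc"),
        "sc_service_ip_family_policy": "preferdualstack",  # wrong case
        "sc_service_ip_families": ["IPv4", "ipv6"],         # wrong case
        "sc_seccomp_profile": {"type": "Localhost"},        # no localhost_profile
        "sc_content_initialization": True,                  # section missing
    }}}
```

Calling lint_cr(SAMPLE_CR) reports the two wrong-case IP values, the missing seccomp profile path, the missing initialize_configuration section, and that no network policy templates are generated.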