Shared configuration

You must set the parameters in the custom resource file to access the Docker images in your environment.

The following tables list the configurable parameters. Each parameter is either mandatory (Required) or optional in a custom resource file. If a parameter is absent or has no value, the operator uses the default value. You can override the default value by entering a new value in your custom resource. Mandatory parameters must always be present and must have a valid value.

Table 1. Shared configuration parameters: spec
Parameter Description Example value Required
appVersion The version of the current release. 24.0.0 Yes
content_optional_components Specify which component to include (true) or omit (false).
  • cpe: true
  • graphql: true
  • cmis: false
  • css: false
  • es: false
  • tm: false
  • ban: true
  • iccsap: false
  • ier: false
No
license.accept Must exist to accept the IBM license. The only valid value is "true". true Yes
Table 2. Shared configuration parameters: spec.shared_configuration
Parameters Description Default Values Required
enable_fips Enable/disable FIPS mode for the deployment. false No
external_tls_certificate_secret Shared custom TLS secret that is used to sign all external routes, if defined. If this is not defined, all external routes are signed with root_ca_secret.   No
image_pull_secrets List of shared image pull secrets. ibm-entitlement-key No
root_ca_secret If you provide your own root certificate, enter the value. fncm-root-ca No
sc_content_initialization

Enable/disable content initialization (creation of P8 domain, creation of object stores, creation of CSS servers, and initialization of Navigator (ICN)). If not set, the parameter takes the default value.

If the parameter value is true, you must define the initialize_configuration section in the CR as the operator uses the parameters within the section for configuration.

If the parameter value is false, the operator ignores the initialize_configuration section that is defined in the CR.

false No
sc_content_verification

Enable/disable the content verification (creation of test folder, creation of test document, execution of CBR search, and creation of Navigator demo repository and desktop). If not set, the parameter takes the default value.

If the parameter value is true, you must define the verify_configuration section in the CR as the operator uses the parameters within the section for configuration.

If the parameter value is false, the operator ignores the verify_configuration section that is defined in the CR.
Note: If you are upgrading or migrating, set this parameter to false since the environment is already verified.
false No
sc_deployment_context Do not change this default setting. FNCM Yes
sc_deployment_platform Enter your certified Kubernetes platform type OCP
  • Use "OCP" for Red Hat OpenShift Container Platform
  • Use "ROKS" if the platform is Red Hat OpenShift on IBM Cloud®.
  • Use "other" to deploy on non-OCP Kubernetes-based platforms.
Yes
sc_deployment_profile_size

For a production deployment type, the default is small. You can change the profile to medium or large, as required. For more information, see Identifying the infrastructure requirements.

small No
sc_deployment_type Do not change this default setting. production Yes
sc_ecm_ltpa_secret_name If you created a custom ltpa-secret name, specify the name here. The value is required for deploying geographically dispersed FNCM clusters. {{ meta.name }}-ecm-ltpa No
sc_egress_configuration
  • sc_restricted_internet_access
  • sc_api_namespace
  • sc_api_port
  • sc_dns_namespace
  • sc_dns_port
Enables or disables egress access to external systems. The default is to restrict access to external systems.

Set the value of sc_restricted_internet_access to false to provide all pods access to external systems. You can customize your network policy or use specific policies with 'matchLabels' to set exceptions. For more information, see Configuring cluster security.

If set to false, all the pods have unrestricted network access to external systems.

Important: When the value of sc_restricted_internet_access is true, none of the pods can access any external system other than the known addresses for databases, LDAPs, and federated systems. For more information, see Configuring cluster security.
  • The default for sc_restricted_internet_access is true, if not defined.
  • The default for sc_api_namespace is "openshift-kube-apiserver", "openshift-apiserver". Use a comma-separated list of namespaces. You can also use "{}" as the value when you see a "(\"dial tcp XXX.XX.X.X:443: i/o timeout\")" error in the operator log; it is equivalent to all namespaces (namespaceSelector:{}).
  • The default for sc_api_port is 443,6443.
  • The default for sc_dns_namespace is "openshift-dns". Use a comma-separated list of namespaces, or use "{}" as the value; it is equivalent to all namespaces (namespaceSelector:{}).
  • The default for sc_dns_port is 53,5353.
No
sc_fncm_license_model
  • Choose one of these license models if you are using a license from FileNet Content Manager or IBM Content Foundation:

    The expected values are ICF.PVUNonProd, ICF.PVUProd, ICF.UVU, FNCM.PVUNonProd, FNCM.PVUProd, FNCM.UVU, or FNCM.CU.

  • Choose one of these licensing models if you are using a license for IBM Cloud Pak® for Business Automation to deploy the standalone IBM® FileNet® Content Manager containers.

    Valid values depend on your license terms; select from: CP4BA.NonProd, CP4BA.Prod, CP4BA.User

  Yes
sc_image_repository All components must use the same Docker image repository. For the IBM Entitlement Registry, use cp.icr.io. For a local Docker image repository, set the parameter to the URL of the repository, for example, myimageregistry.com/project_name. For an air gap installation, make sure that the parameter is set to the default value. cp.icr.io No
sc_ingress_enable For ROKS and CNCF clusters, this is used to enable Ingress. The default value is "false" which creates routes instead of Ingress. false No
sc_ingress_tls_secret_name This secret provides TLS for the Ingress controller. Empty Yes
sc_is_multiple_az If a cluster is configured for multiple availability zones (AZ) and the parameter sc_is_multiple_az is set to true, then the pods are spread across all the zones. By default, the sc_is_multiple_az parameter is set to false. When the value is set to true, the pods of the FNCM deployment are spread across your user-defined topology domains. The pod API includes a spec.topologySpreadConstraints field, which is used by the operator to configure it. For more information, see Controlling pod placement by using pod topology spread constraints. false No
sc_run_as_user Optional and only applicable for non-OpenShift Cloud Platform installations. Specify a RunAs user for the security of the pod. This is usually a numerical ID.   No
sc_seccomp_profile.localhost_profile Specify the local path of the seccomp profile file. This parameter is required if sc_seccomp_profile.type is set to Localhost. The value of sc_seccomp_profile.localhost_profile is ignored if sc_seccomp_profile.type is set to anything other than Localhost. For more information, see Configuring seccomp profiles. Example: profiles/audit.json Only if sc_seccomp_profile.type is set to Localhost
sc_seccomp_profile.type Specify the type of seccomp profile to be used by the pods. Possible values are: Unconfined, RuntimeDefault, Localhost. For more information about seccomp profiles, see Restrict a Container's Syscalls with seccomp. Default value:
  • RuntimeDefault on OCP 4.11 and later
  • empty on other platforms
Example: Localhost
No
storage_configuration
  • sc_fast_file_storage_classname
  • sc_medium_file_storage_classname
  • sc_slow_file_storage_classname
Three storage classes are needed for slow, medium, and fast storage. If one storage class is defined, then you can use that one storage class for all three parameters. None Yes
trusted_certificate_list If connecting to an external service over SSL, use the certificate file to create a secret and then add the secret name for this parameter. [] No
images.keytool_init_container.repository Image name for TLS init container. cp.icr.io/cp/cp4a/common/dba-keytool-initcontainer No
images.keytool_init_container.tag Image tag for TLS init container.

24.0.0

No
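
A lint for the dependency and hardening rules in the two tables above, as an added example that is not IBM's code. It assumes the custom resource is already parsed into a dict, that dotted parameter names such as license.accept and sc_seccomp_profile.type are nested keys, and that initialize_configuration and verify_configuration sit directly under spec; the sample resource and the storage class name example-sc are constructed.

```python
# Added example: lint a parsed FNCM custom resource against the tables above.
PLATFORMS = {"OCP", "ROKS", "other"}
LICENSE_MODELS = {"ICF.PVUNonProd", "ICF.PVUProd", "ICF.UVU", "FNCM.PVUNonProd",
                  "FNCM.PVUProd", "FNCM.UVU", "FNCM.CU",
                  "CP4BA.NonProd", "CP4BA.Prod", "CP4BA.User"}
STORAGE_KEYS = [f"sc_{s}_file_storage_classname" for s in ("fast", "medium", "slow")]
SECTION_FOR_FLAG = {"sc_content_initialization": "initialize_configuration",
                    "sc_content_verification": "verify_configuration"}

def is_true(value):  # YAML loaders give True or "true" depending on quoting
    return str(value).lower() == "true"

def lint_cr(cr):
    """Return sorted 'LEVEL: message' findings for one custom resource dict."""
    spec = cr.get("spec", {})
    sc = spec.get("shared_configuration", {})
    out = []
    if not spec.get("appVersion"):
        out.append("ERROR: appVersion is required")
    if not is_true(spec.get("license", {}).get("accept")):
        out.append("ERROR: license.accept must be true")
    if sc.get("sc_deployment_platform") not in PLATFORMS:
        out.append("ERROR: sc_deployment_platform must be OCP, ROKS or other")
    if sc.get("sc_fncm_license_model") not in LICENSE_MODELS:
        out.append("ERROR: sc_fncm_license_model is not a listed value")
    for key in STORAGE_KEYS:
        if not sc.get("storage_configuration", {}).get(key):
            out.append(f"ERROR: storage_configuration.{key} is required")
    for flag, section in SECTION_FOR_FLAG.items():  # section assumed under spec
        if is_true(sc.get(flag)) and section not in spec:
            out.append(f"ERROR: {flag} is true but {section} is not defined")
    seccomp = sc.get("sc_seccomp_profile", {})
    if seccomp.get("type") == "Localhost" and not seccomp.get("localhost_profile"):
        out.append("ERROR: sc_seccomp_profile.localhost_profile is required")
    if seccomp.get("type") == "Unconfined":
        out.append("WARN: seccomp type Unconfined applies no syscall filter")
    egress = sc.get("sc_egress_configuration", {})
    if str(egress.get("sc_restricted_internet_access", True)).lower() == "false":
        out.append("WARN: sc_restricted_internet_access is false, egress is open")
    return sorted(out)

# Constructed sample (not from the page): required fields valid, hardening weakened.
SAMPLE_CR = {"spec": {"appVersion": "24.0.0", "license": {"accept": True},
    "shared_configuration": {
        "sc_deployment_platform": "other",
        "sc_fncm_license_model": "FNCM.PVUNonProd",
        "sc_content_initialization": True,  # but no initialize_configuration
        "sc_seccomp_profile": {"type": "Localhost"},  # no localhost_profile
        "sc_egress_configuration": {"sc_restricted_internet_access": False},
        "storage_configuration": {k: "example-sc" for k in STORAGE_KEYS}}}}
```

Calling lint_cr(SAMPLE_CR) reports the two missing companion settings as errors and the opened egress policy as a warning; run it in CI over the parsed CR before the operator applies it.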