Configuration Guide

Complete guide to configuring IBM GCM 2.0.1 for your environment

VM Network Configuration

Configure network settings for your GCM virtual machine using the automated configuration wizard.

Configuration Wizard: Run ./01-configure_vm.sh to launch the interactive network configuration wizard.

Network Settings

You'll need to provide the following network information:

Setting        Example        Description
IP Address     192.168.1.10   Static IP address for the VM (or use DHCP)
Subnet Mask    255.255.255.0  Network subnet mask
Gateway        192.168.1.1    Default gateway IP address
Primary DNS    192.168.1.2    Primary DNS server
Secondary DNS  8.9.9.9        Secondary DNS server (optional)

Manual Network Configuration

If you need to configure networking manually:

bash
nmcli con mod ens192 ipv4.addresses 192.168.1.10/24
nmcli con mod ens192 ipv4.gateway 192.168.1.1
nmcli con mod ens192 ipv4.dns '192.168.1.2 8.9.9.9'
nmcli con mod ens192 ipv4.method manual
nmcli con up ens192

Note: Replace ens192 with your actual network interface name. Use ip link to list interfaces.

Hostname & DNS Configuration

Set the hostname and FQDN for your GCM system.

Hostname Components

Component       Example               Description
Short Hostname  gcm-prod              Short name for the system
Domain Name     company.com           DNS domain name
FQDN            gcm-prod.company.com  Fully qualified domain name

Set Hostname

bash
hostnamectl set-hostname gcm-prod.company.com

Verify Hostname

bash
hostnamectl
hostname
hostname -f

DNS Requirement: Ensure your FQDN resolves correctly in DNS. GCM requires proper DNS resolution for OIDC authentication.

Time & NTP Configuration

Configure timezone and NTP synchronization for accurate timekeeping.

Set Timezone

bash
# List available timezones
timedatectl list-timezones

# Set timezone
timedatectl set-timezone America/New_York

Configure NTP

bash
# Enable NTP
timedatectl set-ntp true

# Configure NTP server (optional)
echo 'server ntp.company.com iburst' >> /etc/chrony.conf
systemctl restart chronyd

# Verify time sync
timedatectl status
chronyc sources

Firewall Configuration

Configure firewall rules to allow access to GCM services.

Required Ports

Port   Protocol  Service  Description
22     TCP       SSH      Remote administration
30443  TCP       OIDC     Authentication service
31443  TCP       GCM App  GCM web interface
6443   TCP       K3s API  Kubernetes API (internal)

Configure Firewall

bash
# Open required ports
firewall-cmd --permanent --add-port=30443/tcp
firewall-cmd --permanent --add-port=31443/tcp

# Reload firewall
firewall-cmd --reload

# Verify rules
firewall-cmd --list-all

Security Note: Only open ports 30443 and 31443 to trusted networks. SSH (port 22) should be restricted to management networks.
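
The Security Note asks for source restrictions, while --add-port opens a port to every source. As an added example (not part of the GCM documentation or scripts), the functions below scope each port to a source CIDR with firewalld rich rules. Assumptions: the default zone is in use, SSH is currently allowed there through the ssh service, the CIDRs are constructed values, and FW_CMD and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the GCM scripts. Assumes firewalld's default zone
# and that SSH is currently allowed there via the "ssh" service.
# Set FW_CMD=echo to preview the commands instead of applying them.
FW_CMD="${FW_CMD:-firewall-cmd}"

# Shape check only: dotted quad plus /0-32 prefix (octet ranges are not checked).
is_ipv4_cidr() {
  printf '%s\n' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# allow_from <cidr> <port>: accept TCP <port> only from <cidr>.
allow_from() {
  $FW_CMD --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"$1\" port port=\"$2\" protocol=\"tcp\" accept"
}

# restrict_gcm_ports <mgmt_cidr> <trusted_cidr>...
#   22 from <mgmt_cidr>; 30443 and 31443 from each <trusted_cidr>.
restrict_gcm_ports() {
  mgmt="$1"
  [ "$#" -ge 2 ] || { echo "usage: restrict_gcm_ports MGMT_CIDR TRUSTED_CIDR..." >&2; return 1; }
  for cidr in "$@"; do
    is_ipv4_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
  done
  shift
  # Add the scoped rules first, then drop the any-source openings. Everything is
  # --permanent, so nothing changes until the single reload at the end.
  allow_from "$mgmt" 22
  for cidr in "$@"; do
    allow_from "$cidr" 30443
    allow_from "$cidr" 31443
  done
  $FW_CMD --permanent --remove-service=ssh
  $FW_CMD --permanent --remove-port=30443/tcp
  $FW_CMD --permanent --remove-port=31443/tcp
  $FW_CMD --reload
}

# Constructed values: management subnet 10.20.0.0/24, user subnet 10.30.0.0/16.
# Run from a host inside the management subnet, or new SSH connections from
# your address will be refused after the reload:
#   restrict_gcm_ports 10.20.0.0/24 10.30.0.0/16
```

Check the result with firewall-cmd --list-all: the ports list should no longer contain 30443/tcp or 31443/tcp, and the rich rules section should list the scoped entries.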

GCM Sizing Models

Choose the appropriate sizing model based on your workload requirements.

Model   vCPU  RAM     Storage  Use Case
xsmall  24    48 GB   150 GB   PoC, Testing, Development
small   32    64 GB   300 GB   Small Production (< 100 keys)
medium  48    96 GB   500 GB   Medium Production (100-500 keys)
large   64    128 GB  1 TB     Large Production (500+ keys)

Recommendation: Start with xsmall for testing, then scale to small or medium for production based on your key management requirements.

Configure Sizing

The configuration wizard will prompt you to select a sizing model:

bash
./02-configure_gcm.sh

Storage Configuration

GCM requires specific storage classes for application and database storage.

Storage Options

Required Storage Classes

GCM requires TWO storage classes:

Storage Class    Type        Purpose
rook-cephfs      Filesystem  Application storage (shared files)
rook-ceph-block  Block       Database storage (PostgreSQL)

Critical: Both storage classes are MANDATORY. The GCM installer is hardcoded to look for these specific names.

Verify Storage Classes

bash
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
kubectl get storageclass
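
Because the installer looks for these exact names, it helps to fail early when one is missing or points at the wrong kind of storage. Added example (not part of the GCM package): a shell function that parses the kubectl get storageclass table. The function name, the sample output and the provisioner-name matching are assumptions.

```shell
#!/bin/sh
# Added example, not part of the GCM installer.
# check_storage_classes: reads `kubectl get storageclass` table output on stdin.
# Prints one line per problem and returns non-zero if either required class is
# missing or is backed by an unexpected provisioner.
# Assumption: Rook CSI provisioner names contain "cephfs" (filesystem)
# or "rbd" (block).
check_storage_classes() {
  awk '
    NR == 1 { next }                      # skip the header row
    # NAME may be followed by a separate "(default)" field
    { prov[$1] = ($2 == "(default)") ? $3 : $2 }
    function check(name, kind) {
      if (!(name in prov)) { print "MISSING " name; return 1 }
      if (prov[name] !~ kind) {
        print "WRONG-TYPE " name " -> " prov[name]; return 1
      }
      return 0
    }
    END {
      bad = check("rook-cephfs", "cephfs")
      bad += check("rook-ceph-block", "rbd")
      exit (bad > 0)
    }'
}

# Constructed sample: a K3s node where only the block class exists so far.
SAMPLE_OUTPUT='NAME                   PROVISIONER                  RECLAIMPOLICY
local-path (default)   rancher.io/local-path        Delete
rook-ceph-block        rook-ceph.rbd.csi.ceph.com   Delete'

# Prints "MISSING rook-cephfs" followed by the hint below.
printf '%s\n' "$SAMPLE_OUTPUT" | check_storage_classes ||
  echo "fix storage classes before running the installer"

# On the GCM VM:
#   export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
#   kubectl get storageclass | check_storage_classes && echo "storage classes OK"
```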

Platform Versions

GCM 2.0.1 has been validated with specific platform versions.

Component  Version       Status
K3s        v1.30.5+k3s1  ✅ IBM Validated
Rook Ceph  v1.15.5       ✅ IBM Validated
Ceph       v18.2.4       ✅ IBM Validated
RHEL       9.x           ✅ Supported

Note: The configuration wizard automatically uses IBM-validated versions. Manual version selection is available for advanced users.

Advanced Configuration Options

Additional configuration options for advanced deployments.

Custom Registry

Use a private container registry:

bash
# Edit configuration
vi /etc/gcm/gcm-config.env

# In that file, set the custom registry (a line in gcm-config.env, not a shell command)
CONTAINER_REGISTRY=registry.company.com

Custom Storage Classes

Specify custom storage class names:

bash
# Edit configuration
vi /etc/gcm/gcm-config.env

# In that file, set the custom storage classes (lines in gcm-config.env, not shell commands)
STORAGE_CLASS_FS=my-filesystem-class
STORAGE_CLASS_BLOCK=my-block-class

Resource Limits

Adjust resource limits for GCM pods:

bash
# Edit GCM values
vi /root/gcm-values.yaml

# In that file, adjust the resource limits (YAML content, not shell commands)
resources:
  limits:
    cpu: 4000m
    memory: 8Gi
  requests:
    cpu: 2000m
    memory: 4Gi

Verify Configuration

Validate your configuration before proceeding with installation.

Run Validation Script

bash
./03-validate_config.sh

Manual Verification

  • Network connectivity verified
  • DNS resolution working
  • Hostname configured correctly
  • Firewall rules applied
  • Time synchronized via NTP
  • Storage classes available
  • GCM package present
  • Configuration files saved

View Configuration

bash
# View VM configuration
cat /etc/gcm/vm-config.env

# View GCM configuration
cat /etc/gcm/gcm-config.env

Access GCM After Installation

Once installation is complete, access your GCM instance.

GCM URLs

Service        URL             Purpose
GCM Web UI     https://:31443  Main application interface
OIDC Provider  https://:30443  Authentication service

Default Credentials

Security: Change default credentials immediately after first login!

bash
# Get admin password
kubectl get secret gcm-admin-secret -n gcm -o jsonpath='{.data.password}' | base64 -d

Backup Configuration

Back up your configuration files for disaster recovery.

Configuration Files to Back Up

  • /etc/gcm/vm-config.env - VM network configuration
  • /etc/gcm/gcm-config.env - GCM application configuration
  • /root/gcm-values.yaml - GCM Helm values
  • /etc/rancher/k3s/k3s.yaml - Kubernetes config

Create Backup

bash
# Compute the date once so every step uses the same directory,
# even if the commands run across midnight
BACKUP_DIR=/root/gcm-backup-$(date +%Y%m%d)

# Create backup directory
mkdir -p "$BACKUP_DIR"

# Back up configuration files (k3s.yaml contains cluster admin credentials)
cp /etc/gcm/*.env "$BACKUP_DIR"/
cp /root/gcm-values.yaml "$BACKUP_DIR"/
cp /etc/rancher/k3s/k3s.yaml "$BACKUP_DIR"/

# Create tarball
tar -czf "$BACKUP_DIR".tar.gz "$BACKUP_DIR"/

Best Practice: Store backups on a separate system or storage location for disaster recovery.

Next Steps