Private container registry requirements

IBM® Software Hub software images are accessible from the IBM Entitled Registry. In most situations, it is strongly recommended that you mirror the necessary software images from the IBM Entitled Registry to a private container registry.

Important:
You must mirror the IBM Software Hub software images to your private container registry in the following situations:
  • Your cluster is air-gapped (also called an offline or disconnected cluster).
  • Your cluster uses an allowlist to permit direct access by specific sites, and the allowlist does not include the IBM Entitled Registry.
  • Your cluster uses a blocklist to prevent direct access by specific sites, and the blocklist includes the IBM Entitled Registry.
Even if these situations do not apply to your environment, you should consider using a private container registry if you want to:
  • Run security scans against the software images before you install them on your cluster
  • Ensure that you have the same images available for multiple deployments, such as development or test environments and production environments

The only situation in which you might consider pulling images directly from the IBM Entitled Registry is when your cluster is not air-gapped, your network is extremely reliable, and latency is not a concern. However, for predictable and reliable performance, you should mirror the images to a private container registry.

If you decide to use a private container registry, review the guidance in the following sections:

Cluster requirements

To use a private container registry, your cluster must support image content source policies (ImageContentSourcePolicy) or image digest mirror sets (ImageDigestMirrorSet).

Setting up a private container registry

For details about private container registries you can use with Red Hat® OpenShift® Container Platform, see the Red Hat OpenShift Container Platform documentation:
  1. Review the guidance in OpenShift image registry overview.
  2. Ensure that you follow the guidelines for configuring the registry in Image configuration.
Your private container registry must meet the following requirements:
  • Support the Docker Image Manifest Version 2, Schema 2
  • Allow path separators in image names
  • Be in close proximity to your Red Hat OpenShift Container Platform cluster
  • Be accessible from all of the nodes in the cluster, and all of the nodes must have permission to push to and pull from the private container registry
  • Have an upload capacity of at least 50 GB
  • Allow image sizes greater than 40 GB
Restriction: You cannot use the integrated OpenShift Container Platform registry. It does not support multi-architecture images and is not compliant with the Docker Image Manifest Version 2, Schema 2.

Allowing required image prefixes

IBM Software Hub software uses the following prefixes to identify images:

Prefix          Used for
cp.icr.io/cp    Images that are pulled from the IBM Entitled Registry and that require an entitlement key to download. Most of the IBM Software Hub software uses this prefix.
icr.io/cpopen   Publicly available images that are provided by IBM and that don't require an entitlement key to download. The IBM Software Hub operators use this prefix.

Ensure that the following statements are true:
  • The private container registry is configured to allow these prefixes
  • The credentials that you will use to push images to the registry can push images with these prefixes
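The following Python helper is an added example, not IBM's code and not part of cpd-cli, that ties together the cluster requirement (ImageContentSourcePolicy or ImageDigestMirrorSet), the manifest-format requirement, and the two image prefixes above. It rewrites references that use cp.icr.io/cp or icr.io/cpopen to the private registry while keeping the path separators intact, generates the ImageDigestMirrorSet that redirects pulls for both prefixes, and classifies a manifest by media type so that you can confirm a candidate registry serves Docker Image Manifest Version 2, Schema 2 (or the OCI equivalent) and multi-architecture manifest lists. The registry host registry.internal.example.com, the mirror set name, and the sample manifest are constructed placeholders.

```python
"""Mirror-planning helpers for IBM Software Hub images (added example, not IBM's code)."""
import json
import re

# Image prefixes listed on this page. The private registry host is an assumed placeholder.
SOURCE_PREFIXES = ("cp.icr.io/cp", "icr.io/cpopen")
PRIVATE_REGISTRY = "registry.internal.example.com"  # assumption: replace with your host

# Media types for Docker Image Manifest Version 2, Schema 2 (single image and
# multi-arch manifest list) and their OCI equivalents.
SCHEMA2_MANIFEST = "application/vnd.docker.distribution.manifest.v2+json"
SCHEMA2_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_INDEX = "application/vnd.oci.image.index.v1+json"

# repo[:tag][@sha256:digest]; registry host ports are not handled (cp.icr.io has none).
_REF_RE = re.compile(
    r"^(?P<repo>[^@:]+?)(?::(?P<tag>[^@/]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_reference(ref):
    """Split an image reference into (repository, tag, digest)."""
    match = _REF_RE.match(ref)
    if not match:
        raise ValueError(f"unparseable image reference: {ref}")
    return match.group("repo"), match.group("tag"), match.group("digest")


def mirror_reference(ref, private_registry=PRIVATE_REGISTRY):
    """Rewrite an IBM source reference to its location in the private registry.

    The path below the source host (cp/... or cpopen/...) is kept verbatim, which is
    why the registry must allow path separators; tag and digest are carried over so
    that digest-pinned pulls still resolve after the redirect.
    """
    repo, tag, digest = parse_reference(ref)
    for prefix in SOURCE_PREFIXES:
        if repo == prefix or repo.startswith(prefix + "/"):
            _, _, path = prefix.partition("/")
            mirrored = f"{private_registry}/{path}{repo[len(prefix):]}"
            break
    else:
        raise ValueError(f"{ref} does not use an IBM Software Hub image prefix")
    if tag:
        mirrored += f":{tag}"
    if digest:
        mirrored += f"@{digest}"
    return mirrored


def build_image_digest_mirror_set(private_registry=PRIVATE_REGISTRY, name="ibm-software-hub-mirror"):
    """Return an ImageDigestMirrorSet (as a dict) mapping both prefixes to the mirror.

    Dump it to YAML or JSON and apply it with `oc apply -f`; the cluster then
    redirects digest-based pulls for both prefixes to the private registry.
    """
    mirrors = []
    for prefix in SOURCE_PREFIXES:
        _, _, path = prefix.partition("/")
        mirrors.append({"source": prefix, "mirrors": [f"{private_registry}/{path}"]})
    return {
        "apiVersion": "config.openshift.io/v1",
        "kind": "ImageDigestMirrorSet",
        "metadata": {"name": name},
        "spec": {"imageDigestMirrors": mirrors},
    }


def classify_manifest(manifest_json):
    """Classify a manifest fetched from a registry by its media type.

    Returns ("multi-arch", [architectures]) for a Schema 2 manifest list or OCI index
    and ("single-arch", []) for a Schema 2 or OCI image manifest. Anything else (for
    example a Schema 1 manifest, which carries no mediaType) is rejected.
    """
    manifest = json.loads(manifest_json)
    media_type = manifest.get("mediaType")
    if media_type in (SCHEMA2_LIST, OCI_INDEX):
        archs = sorted({m["platform"]["architecture"] for m in manifest.get("manifests", [])})
        return "multi-arch", archs
    if media_type in (SCHEMA2_MANIFEST, OCI_MANIFEST):
        return "single-arch", []
    raise ValueError(
        f"unsupported manifest media type {media_type!r} "
        f"(schemaVersion {manifest.get('schemaVersion')})"
    )


# Constructed sample: a two-architecture manifest list with placeholder digests.
SAMPLE_MANIFEST_LIST = json.dumps({
    "schemaVersion": 2,
    "mediaType": SCHEMA2_LIST,
    "manifests": [
        {"mediaType": SCHEMA2_MANIFEST, "size": 1024, "digest": "sha256:" + "0" * 64,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": SCHEMA2_MANIFEST, "size": 1024, "digest": "sha256:" + "1" * 64,
         "platform": {"architecture": "ppc64le", "os": "linux"}},
    ],
})

if __name__ == "__main__":
    print(mirror_reference("cp.icr.io/cp/cpd/example-image:1.0.0"))
    print(mirror_reference("icr.io/cpopen/example-operator@sha256:" + "a" * 64))
    print(json.dumps(build_image_digest_mirror_set(), indent=2))
    print(classify_manifest(SAMPLE_MANIFEST_LIST))
```

An ImageDigestMirrorSet only redirects pulls that reference an image by digest; for tag-based pulls OpenShift provides the separate ImageTagMirrorSet resource with the same source/mirrors layout. The manifest classifier expects the JSON body that a registry returns for a manifest request made with an Accept header listing the media types above; a registry that answers with a Schema 1 manifest fails the check, which is the same reason the integrated OpenShift registry is ruled out.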

Choosing a method for mirroring images

There are several ways that you can mirror images from the IBM Entitled Registry to your private container registry. Choose the most appropriate method for your environment by answering the following question:

Can you set up a client workstation that can connect to the internet and the private container registry?

Yes
You can mirror the images directly from the IBM Entitled Registry to the private container registry.
No, the private container registry is in a restricted network
You must mirror the images to an intermediary container registry before you can mirror the images to the private container registry.
The cpd-cli manage mirror-images command automatically sets up an intermediary container registry on the client workstation. You must be able to move the intermediary container registry behind your firewall. For example, you can use:
Option: portable compute device
Use a portable compute device, such as a laptop, that you can move behind your firewall. You can use the same device to:
  • Mirror images from the IBM Entitled Registry to the intermediary container registry.
  • Mirror images from the intermediary container registry to the private container registry.

Option: portable storage device
Use a portable storage device, such as a USB drive, that you can move behind your firewall. You must set up two client workstations:
  • A workstation that can connect to the internet. From this workstation, you can mirror the images from the IBM Entitled Registry to the intermediary container registry on the portable storage device.
  • A workstation that can connect to the private container registry. After you move the portable storage device to this workstation, you can mirror the images from the intermediary container registry to the private container registry.

Option: file transfer protocol
Use a file transfer protocol, such as scp or sftp, to move images behind your firewall. You must set up two client workstations:
  • A workstation that can connect to the internet. From this workstation, you can mirror the images from the IBM Entitled Registry to the intermediary container registry.
  • A workstation that can connect to the private container registry. After you transfer the intermediary container registry to this workstation, you can mirror the images from the intermediary container registry to the private container registry.