Getting access to images from the public IBM Entitled Registry
To get access to the Cloud Pak container images from the IBM entitled registry, you must have a key to pull the images from the IBM registry.
About this task
To get the entitlement key, log in with the IBMid and password that is associated with the entitled software here My IBM Container Software Library. Click Add new key and then click Copy. Save the key in a text file.
The deployment script uses the entitlement key to create the secret to pull the images. Therefore, you do not need to create the image pull secret unless you want to create the secret yourself or you do not plan to use the scripts.
You can update the global pull secret for your cluster to ensure that all namespaces on your cluster have the necessary credentials to pull images.
openshift-config namespace or
the ibm-entitlement-key secret in the target namespace of the CP4BA instance. If
your deployment includes Business Team Service (BTS), then you must also create the
ibm-entitlement-key secret in the ibm-common-services namespace.
BTS is installed with BAA, BAI, BAW, ADP, and ADS. If BTS is included in your deployment and this
namespace does not exist, then create it.If you want to install a namespace-scoped instance of
foundational services and you plan to use the OCP cluster to install Cloud Pak for Business Automation, then you need to
create either a global pull-secret in the openshift-config namespace or the
ibm-entitlement-key secret in the namespace of the CP4BA operator.
cp.icr.io and icr.io, you must add the following hostnames
to your firewall rules:- dd0.icr.io
- dd2.icr.io
- dd4.icr.io
- dd6.icr.io
- dd1-icr.ibm-zh.com
- dd3-icr.ibm-zh.com
- dd5-icr.ibm-zh.com
- dd7-icr.ibm-zh.com
You can also add wildcard characters to hostnames in your allowlist, for example
*.icr.io and *.ibm-zh.com.
The following diagram shows the options:
Procedure
-
Choice 1: If you plan to use the deployment scripts and you do not want to use a global image pull secret, then you do not need to do anything as the secrets are created for you.
-
Choice 2: If you plan to use the OCP console to install, then you must create the secrets that you need in the appropriate namespaces.
- Click , click Create, and then select "image pull secret". Make sure that you are in the NAMESPACE where you want to create the secret.
- In the Create Image Pull Secret window, add the following details, and then
click Create.
Table 1. Image pull details for target namespace secrets Field Value Name ibm-entitlement-keyAuthentication Type Image Registry Credentials Registry Server Address cp.icr.ioUsername cpPassword Your IBM Entitlement Key Email Optional
-
Choice 3: If you want to use the global pull secret, add the IBM Entitled Registry to the pull secret.
Note: If a global pull secret exists forcp.icr.io, then the operator can already pull images from IBM Entitled Registry. If it does not exist, you must add it.Determine whether a global pull secret exists. From the OpenShift console, click and search for pull-secret in the openshift-config project.
Note: On OpenShift 4.10 and higher, you need to move the Show default projects slider to be able to select the openshift-config namespace.From the OCP CLI, the following command generates a JSON file .dockerconfigjson if it does not exist.
oc extract secret/pull-secret -n openshift-configTable 2. Add IBM Entitled Registry credentials to the global pull secret in the OpenShift console OpenShift console Click , and switch to the
openshift-confignamespace. If thepull-secretsecret does not exist, click Create, and then select "image pull secret".In the Create Image Pull Secret window, add the following details, and then click Create.- Name:
pull-secret - Registry Server Address:
cp.icr.io - Username:
cp - Password: Your IBM Entitlement Key
- Email: Optional
If it does exist, select the secret and then click . Then click Add credentials, enter the information, and click Save.
Table 3. Add IBM Entitled Registry credentials to the global pull secret from the command line OCP CLI If the .dockerconfigjson is empty.
- Set the following environment variables:
export REGISTRY_USER=cp export REGISTRY_PASSWORD=entitlement-key export REGISTRY_SERVER=cp.icr.ioReplace entitlement-key with your entitlement key.
- Run the following command to create the pull
secret:
oc create secret docker-registry \ --docker-server=${REGISTRY_SERVER} \ --docker-username=${REGISTRY_USER} \ --docker-password=${REGISTRY_PASSWORD} \ --docker-email=${REGISTRY_USER} \ -n openshift-config pull-secret
If the pull secret exists:
- Encode the username and password by using Base64 encoding:
echo -n "cp:entitlement-key" | base64Replace entitlement-key with your entitlement key.
- Add an entry for the container registry to the
authssection in the JSON file. The following example has an existing entry:{ "auths":{ "myregistry.example.com":{ "auth":"b3Blb=", "email":"not-used" } } }The new entry can be added to the
authssection:{ "auths":{ "registry-location":{ "auth":"base64-encoded-credentials", "email":"not-used" }, "myregistry.example.com":{ "auth":"b3Blb=", "email":"not-used" } } }Replace the following values:- registry-location
- The value is cp.icr.io.
- base64-encoded-credentials
- The encoded credentials that you generated in the previous step. For example, cmVnX3VzZXJuYW1lOnJlZ19wYXNzd29yZAo=.
- Apply the new configuration:
oc set data secret/pull-secret -n openshift-config \ --from-file=.dockerconfigjson
- Name:
Results
If you have a VPC Gen2 cluster and you use Portworx storage, see Portworx storage limitations before you reload your worker nodes.
What to do next
You can now set up the cluster. For more information, see Setting up the cluster.