Applying your entitlement key (online installation)
The IBM Entitled Registry contains software images for the capabilities in IBM Cloud Pak® for Integration. To allow the Cloud Pak for Integration operators to automatically pull those software images, you must first obtain your entitlement key, then add your entitlement key in a pull secret.
Obtaining your entitlement key
- Go to the Container software library.
- Click Copy key.
- Copy the entitlement key to a safe place so you can use it when you add the pull secret in the next section.
- (Optional) Verify the validity of the key by logging in to the IBM Entitled Registry using a
container
tool.
docker login cp.icr.io --username cp --password entitlement_key
Applying the pull secret
Your entitlement key must be added to the cluster as a pull secret to deploy Cloud Pak for Integration capabilities. You can either add a pull secret to each namespace you plan to use for Cloud Pak for Integration capabilities, or add a global pull secret, which enables deployment of Cloud Pak for Integration capabilities in all namespaces.
- Adding the pull secret to a namespace using the OpenShift web console
- Adding a pull secret to a namespace using the CLI
- Adding a global pull secret for all namespaces
Adding the pull secret to a namespace using the OpenShift web console
This task must be performed by an automation administrator.
- Log in to the OpenShift web console and ensure you are in the Administrator perspective.
- In the left navigation, click Workloads > Secrets.
- Ensure that the Project is set to the namespace where you intend to install Cloud Pak for Integration capabilities.
- Click Create and select Image pull secret.
- Set the following parameters for the secret:
Parameter Value Secret name ibm-entitlement-key
Authentication type Image registry credentials Registry server address cp.icr.io
Username cp
Password Value of the entitlement key you copied when you obtained your entitlement key. Email (Optional value) - Click Create to create the secret.
Adding a pull secret to a namespace using the CLI
This task must be performed by an automation administrator.
To deploy Cloud Pak for Integration capabilities in one or more (but not all) namespaces, run the following command. Note that you must add the pull secret in each namespace where you intend to deploy capabilities.
Create a docker registry secret named ibm-entitlement-key
, using the following
command. In the third line, replace entitlement_key with the value of your
entitlement key from the previous section. In the last line, replace
target_namespace with the name of your target namespace:
oc create secret docker-registry ibm-entitlement-key \
--docker-username=cp \
--docker-password=entitlement_key \
--docker-server=cp.icr.io \
--namespace=target_namespace
Adding a global pull secret for all namespaces
This task must be performed by a cluster administrator.
To add a pull secret for the whole cluster, perform the following steps.
- Extract the current global pull
secret:
oc extract secret/pull-secret -n openshift-config --keys=.dockerconfigjson --to=. --confirm
- Convert the extracted global pull secret using
jq
(this assumes you have already installed the jq command-line JSON processor):cat .dockerconfigjson | jq . > .dockerconfigjson.orig mv .dockerconfigjson.orig .dockerconfigjson
- Convert your entitlement key to an auth string. Replace entitlement_key with
the value of your entitlement key from the preceding section, "Obtaining your entitlement
key".
echo "cp:entitlement_key" | base64
- Edit the .dockerconfigjson file: In the
auths
section, add thecp.icr.io
object (as shown in the following example) to the list of objects that already exist. Replace auth_string with the value of the auth string returned in the previous step.Important: You must enter the value ofauth_string
as a single, continuous string. If there are any line breaks, you will get an error.{ "auths": "cp.icr.io" : { "auth": "auth_string" } } }
This action adds the new pull secret.
- Upload the new global pull
secret:
After a successful upload, the system returns:oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson
This update triggers a restart of all your cluster's nodes. It may take up to 15 minutes for changes to take effect, depending on the size of your cluster. During this time, nodes are drained and pods are rescheduled on the remaining nodes.secret/pull-secret data updated
- When all nodes are back online, run this command (which makes status updates in real time) to
confirm:
oc get machineconfigpool -w