Pulling images from the IBM Entitled Registry

The DataPower Operator supports automatically pulling IBM DataPower images from the IBM Entitled Registry using your entitlement key.

Image selection

When configuring the DataPowerService Custom Resource, there are two properties which will determine which image is pulled, and from what container registry:

The version property will decide which base firmware version should be used, while the license.use will determine which edition to use.

license.use Registry Image location
production IBM Entitled Registry cp.icr.io/cp/datapower/datapower-prod
nonproduction IBM Entitled Registry cp.icr.io/cp/datapower/datapower-nonprod
developers IBM Entitled Registry cp.icr.io/cp/datapower/datapower-deved
developers-limited IBM Container Registry icr.io/cpopen/datapower/datapower-limited

Note: When defining an image tag for DataPower, there is no latest tag. You must define a valid version. For more details, see Image Tags.

Note: When deploying within IBM Cloud Pak for Integration, the image location is always cp.icr.io/cp/datapower/datapower-cp4i.

For more details regarding this image, see Cloud Pak for Integration - Gateway instance.

Image Pull Secret

If the IBM DataPower image is to be pulled from the IBM Entitled Registry, an Entitlement Key must be used as an Image Pull Secret. You can obtain an Entitlement Key from My IBM.

Default Image Pull Secret

If you do not specify an Image Pull Secret in your DataPowerService Custom Resource spec, then the operator will look for a Secret named ibm-entitlement-key in the same namespace as the DataPowerService, and it will use this Secret to pull the IBM DataPower images. This is typically the method used to provide the Entitlement Key.

If you want to use your own Entitlement Key, then you can create it.

  • If you create it with the name ibm-entitlement-key in the same namespace as the DataPowerService, then you do not need to explicitly name it as the Image Pull Secret in your DataPowerService Custom Resource spec, because the operator will find it automatically.
  • If you create it with a different name, then you must explicitly name it as the Image Pull Secret in your DataPowerService Custom Resource spec, see imagePullSecrets.

Creating the Secret

If you want to create your own Entitlement Key as a Secret, you must create it in the same namespace as the DataPowerService.

  1. We recommend that you use the name ibm-entitlement-key
  2. Use cp as the username
  3. Use your Entitlement Key as the password
  4. Use cp.icr.io as the Docker server

For example:

oc create secret docker-registry \
  ibm-entitlement-key \
  --docker-username=cp \
  --docker-password=<entitlement-key> \
  --docker-server=cp.icr.io

For more information on creating Secrets using the Kubernetes command line, please see their documentation.

Using a custom Service Account

If you choose to provide your own custom Service Account via the serviceAccountName property on the DataPowerService spec, then the DataPower Operator will not automatically attempt to use a ibm-entitlement-key Secret. Instead, you should either add this Image Pull Secret to your Service Account, or provide it manually via the imagePullSecrets property.

Image Tags

DataPower image tags are always a defined DataPower version; there is no latest tag available.

You can see a list of all available tags using skopeo list-tags against the desired repository.

For example:

skopeo list-tags docker://icr.io/cpopen/datapower/datapower-limited
{
    "Repository": "icr.io/cpopen/datapower/datapower-limited",
    "Tags": [
        "10.0.0.0",
        "10.0.0.1",
        "10.0.1.0",
        "10.0.1.1",
        "10.0.1.10",
        "10.0.1.11",
        "10.0.1.12",
        ...
        "2018.4.1.5",
        "2018.4.1.6",
        "2018.4.1.7",
        "2018.4.1.8r",
        "2018.4.1.9"
    ]
}