IBM Cloud Container Registry (ICR) pull secrets
IBM Storage Scale container native images are hosted in the IBM Cloud Container Registry. Obtain an entitlement key from the IBM container software library.
Entitlement keys determine whether the IBM Storage Scale operator can automatically pull the IBM Storage Scale container native images. Image pull failures may occur due to an invalid entitlement key or a key belonging to an account that does not have valid entitlement.
Adding IBM Cloud Container Registry credentials
For images to be properly pulled at the pod level, the Red Hat OpenShift global pull secrets must be modified to contain credentials to access the IBM Cloud Container Registry.
The following steps apply to clusters that can directly access IBM Cloud Container Registry. For air gap installs, see Disconnected installs.
- Create a base64 encoded string of the credentials used to access the image registry.
  - For using IBM Cloud Container Registry, the credentials must use the cp user along with the entitlement key.
    echo -n "cp:REPLACE_WITH_GENERATED_ENTITLEMENT_KEY" | base64 -w0
- Create an authority.json to include the base64 encoded string of your credentials, the fixed username cp (used to access the cp.icr.io repository), and the entitlement key for the IBM Cloud Container Registry.
  {
    "auth": "REPLACE_WITH_BASE64_ENCODED_KEY_FROM_PREVIOUS_STEP",
    "username": "cp",
    "password": "REPLACE_WITH_GENERATED_ENTITLEMENT_KEY"
  }
- Enter the following command to include the authority.json as a new authority in your .dockerconfigjson and store it as temp_config.json:
  Using the IBM Cloud Container Registry as the authority, use cp.icr.io as the input key for the contents of authority.json.
  oc get secret/pull-secret -n openshift-config -ojson | \
    jq -r '.data[".dockerconfigjson"]' | \
    base64 --decode | \
    jq '.[]."cp.icr.io" += input' - authority.json > temp_config.json
  This command is supported by jq 1.5.
  - Verify that your authority credentials are appended at the end of the file:
    # cat temp_config.json
    {
      "auths": {
        ...
        ...
        ...
        "cp.icr.io": {
          "auth": "REPLACE_WITH_BASE64_ENCODED_KEY_FROM_PREVIOUS_STEP",
          "username": "cp",
          "password": "REPLACE_WITH_GENERATED_ENTITLEMENT_KEY"
        }
      }
    }
- Use the contents of the temp_config.json file, and apply the updated config to the Red Hat OpenShift cluster.
  oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=temp_config.json
  To verify that your pull-secret is updated with your new authority, issue the following command and confirm that your authority is present:
  oc get secret/pull-secret -n openshift-config -ojson | \
    jq -r '.data[".dockerconfigjson"]' | \
    base64 -d -
  - This update is rolled out to all nodes. Use oc get mcp to track the progress of the roll out.
- Enter the following command to remove the temporary files that were created:
  rm authority.json temp_config.json
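The verification command above prints every registry credential in the pull secret to the terminal. As an added example (not part of IBM's documentation), this Python check reads the decoded .dockerconfigjson from standard input and reports whether the cp.icr.io entry is well formed without echoing any secret; the function name check_pull_secret is chosen for this example.

```python
import base64
import binascii
import json
import sys

REGISTRY = "cp.icr.io"  # authority key used on this page
USERNAME = "cp"         # fixed username used on this page


def check_pull_secret(config_text, registry=REGISTRY, username=USERNAME):
    """Return a list of problems found in a decoded .dockerconfigjson.

    Example helper, not IBM's code. Messages never contain credential values.
    """
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    auths = config.get("auths") if isinstance(config, dict) else None
    if not isinstance(auths, dict):
        return ['top-level "auths" object is missing']
    entry = auths.get(registry)
    if not isinstance(entry, dict):
        return [f'no "{registry}" entry under "auths"']
    problems = []
    if entry.get("username") != username:
        problems.append(f'"username" is not "{username}"')
    password = entry.get("password")
    if not isinstance(password, str) or not password:
        problems.append('"password" is missing or empty')
    try:
        decoded = base64.b64decode(entry.get("auth", ""), validate=True).decode()
    except (binascii.Error, UnicodeDecodeError, TypeError):
        return problems + ['"auth" is not a single-line base64 string (was -w0 used?)']
    if decoded != decoded.strip():
        problems.append('"auth" decodes with surrounding whitespace (was echo -n used?)')
    user, sep, secret = decoded.strip().partition(":")
    if not sep or user != username:
        problems.append(f'"auth" does not decode to "{username}:<key>"')
    elif isinstance(password, str) and secret != password:
        problems.append('"auth" and "password" carry different keys')
    return problems


if __name__ == "__main__":
    found = check_pull_secret(sys.stdin.read())
    for line in found:
        print("FAIL:", line)
    sys.exit(1 if found else 0)
```

Pipe the output of the verification command into the script, or run it against temp_config.json before applying it; an exit status of 0 means the cp.icr.io entry is consistent.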