IBM Cloud Container Registry (ICR) pull secrets

IBM Storage Scale container native images are hosted in the IBM Cloud Container Registry. Obtain an entitlement key from the IBM container software library.

Entitlement keys determine whether the IBM Storage Scale operator can automatically pull the IBM Storage Scale container native images. Image pull failures may occur due to an invalid entitlement key or a key belonging to an account that does not have valid entitlement.

Adding IBM Cloud Container Registry credentials

For images to be properly pulled at the pod level, the Red Hat OpenShift global pull secrets must be modified to contain credentials to access the IBM Cloud Container Registry.

The following steps apply to clusters that can directly access IBM Cloud Container Registry. For air gap installs, see Disconnected installs.

  1. Create a base64-encoded string of the credentials used to access the image registry.

    • For using IBM Cloud Container Registry, the credentials must use the cp user along with the entitlement key.

      echo -n "cp:REPLACE_WITH_GENERATED_ENTITLEMENT_KEY" | base64 -w0
      
  2. Create an authority.json file that includes the base64-encoded string of your credentials, the fixed username cp (used to access the cp.icr.io repository), and the entitlement key for the IBM Cloud Container Registry.

    {
      "auth": "REPLACE_WITH_BASE64_ENCODED_KEY_FROM_PREVIOUS_STEP",
      "username":"cp",
      "password":"REPLACE_WITH_GENERATED_ENTITLEMENT_KEY"
    }
    
  3. Enter the following command to include the authority.json as a new authority in your .dockerconfigjson and store it as temp_config.json:

    Using the IBM Cloud Container Registry as the authority, use cp.icr.io as the input key for the contents of authority.json.

    oc get secret/pull-secret -n openshift-config -ojson | \
    jq -r '.data[".dockerconfigjson"]' | \
    base64 --decode | \
    jq '.[]."cp.icr.io" += input' - authority.json > temp_config.json
    

    This command is supported by jq 1.5.

    • Verify that your authority credentials are appended at the end of the file:

         # cat temp_config.json
         {
            "auths": {
               ...
               ...
               ...
               "cp.icr.io": {
                  "auth": "REPLACE_WITH_BASE64_ENCODED_KEY_FROM_PREVIOUS_STEP",
                  "username": "cp",
                  "password": "REPLACE_WITH_GENERATED_ENTITLEMENT_KEY"
               }
            }
         }
      
  4. Use the contents of the temp_config.json file, and apply the updated config to the Red Hat OpenShift cluster.

    oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=temp_config.json
    

    To verify that your pull-secret is updated with your new authority, issue the following command and confirm that your authority is present:

    oc get secret/pull-secret -n openshift-config -ojson | \
    jq -r '.data[".dockerconfigjson"]' | \
    base64 -d -
    
  5. This update is rolled out to all nodes. Use oc get mcp to track the progress of the rollout.

  6. Enter the following command to remove the temporary files that were created. Both files contain the entitlement key in plain text:

    rm authority.json temp_config.json
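
A check that can be run on the merged content before step 4 applies it, as an added example that is not part of the IBM procedure: it confirms that the existing registry entries survived the merge and that the cp.icr.io entry's auth field decodes to cp:<entitlement key>. The function names, the registry.example.com entry, and PLACEHOLDER_KEY are constructed for illustration.

```python
import base64
import binascii

REGISTRY = "cp.icr.io"  # registry key used in step 3


def check_merged_config(original, merged, registry=REGISTRY):
    """Return a list of problems in the merged .dockerconfigjson content."""
    auths = merged.get("auths")
    if not isinstance(auths, dict):
        return ["merged config has no 'auths' object"]
    problems = []
    # The merge must not drop or alter credentials that were already present.
    for name, entry in original.get("auths", {}).items():
        if name != registry and auths.get(name) != entry:
            problems.append(f"existing entry for {name} was lost or changed")
    entry = auths.get(registry)
    if not isinstance(entry, dict):
        return problems + [f"no entry for {registry}"]
    missing = [k for k in ("auth", "username", "password") if not entry.get(k)]
    if missing:
        return problems + [f"{registry} entry is missing: {', '.join(missing)}"]
    if entry["username"] != "cp":
        problems.append("username must be the fixed value 'cp'")
    try:
        # validate=True rejects line breaks left by base64 without -w0.
        decoded = base64.b64decode(entry["auth"], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return problems + ["auth is not valid single-line base64"]
    if decoded != decoded.strip():
        problems.append("auth decodes with stray whitespace (echo without -n?)")
    elif decoded != f"{entry['username']}:{entry['password']}":
        problems.append("auth does not decode to username:password")
    return problems


def make_entry(key, raw=None):
    """Constructed cp.icr.io entry; 'raw' overrides the string that is encoded."""
    raw = f"cp:{key}" if raw is None else raw
    return {"auth": base64.b64encode(raw.encode()).decode(),
            "username": "cp", "password": key}


if __name__ == "__main__":
    # Constructed sample data: a placeholder key and one pre-existing registry.
    before = {"auths": {"registry.example.com": {"auth": "dXNlcjpwdw=="}}}
    for raw in (None, "cp:PLACEHOLDER_KEY\n"):
        after = {"auths": dict(before["auths"])}
        after["auths"][REGISTRY] = make_entry("PLACEHOLDER_KEY", raw)
        print(check_merged_config(before, after) or "ok")
```

The messages name the failing field only and never print the key, so the output is safe to paste into a ticket.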