Applying your entitlement key

To run software from the IBM Entitled Registry, you must add your entitlement key in a Kubernetes pull secret. If you use the secret name ibm-entitlement-key, IBM Cloud Pak® for Integration operators automatically use it to pull images from the IBM Entitled Registry.

Obtaining your entitlement key

Obtain an entitlement key from IBM Container Library. You will use this key in the next section.

  1. Click Get an entitlement key.

  2. Copy the entitlement key presented to a safe place for use later.

  3. (Optional) Verify the validity of the key by logging in to the IBM Entitled Registry using a container tool.
    docker login cp.icr.io --username cp --password <your entitlement key>

Adding the pull secret

If you plan to install Cloud Pak for Integration in:
  • its own namespace, add a pull secret to a namespace. You will need to create the secret in every namespace you want to install Cloud Pak for Integration components.
  • all namespaces, add a global pull secret.

Adding a pull secret to a namespace

To install Cloud Pak for Integration in its own namespace, create a docker registry secret named ibm-entitlement-key, using the following command. In the third line, replace <entitlement-key> with the value of your entitlement key from the previous section:

oc create secret docker-registry ibm-entitlement-key \
    --docker-username=cp \
    --docker-password=<entitlement-key> \
    --docker-server=cp.icr.io \
    --namespace=<target namespace>

Adding a global pull secret

To install Cloud Pak for Integration in all namespaces, follow these steps.

  1. Extract the current global pull secret:

    oc extract secret/pull-secret -n openshift-config --keys=.dockerconfigjson --to=. --confirm

  2. Convert the extracted global pull secret using jq:

    cat .dockerconfigjson | jq > .dockerconfigjson.orig
mv .dockerconfigjson.orig .dockerconfigjson

  3. Convert your entitlement key to an auth string. Replace <entitlement-key> with the value of your entitlement key from the section above, "Obtaining your entitlement key".

    echo "cp:<entitlement key>" | base64
  4. Using a text editor, add the new pull secret to the auths section. The value of <auth string> is the auth string returned in the previous step.
    {
   "auths": {
      "cp.icr.io" : {
         "auth": "<auth string>"
      }
   }
}

  5. Upload the new global pull secret:

    oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson

  6. Wait for up to 15 minutes for changes to take effect:

    watch oc get nodes

    This update is rolled out to all nodes, which can take some time depending on the size of your cluster. During this time, nodes are drained and Pods are rescheduled on the remaining nodes.

    You can also use the kubectl tool instead of the oc tool to create the secret.