Applying your entitlement key
To run software from the IBM Entitled Registry, you must add your entitlement key in a
Kubernetes pull secret. If you use the secret name ibm-entitlement-key
, IBM Cloud Pak® for Integration operators automatically use it to pull images from the IBM Entitled
Registry.
Obtaining your entitlement key
Obtain an entitlement key from IBM Container Library. You will use this key in the next section.
-
Click Get an entitlement key.
-
Copy the entitlement key presented to a safe place for use later.
- (Optional) Verify the validity of the key by logging in to the IBM Entitled Registry using a
container
tool.
docker login cp.icr.io --username cp --password <your entitlement key>
Adding the pull secret
- its own namespace, add a pull secret to a namespace. You will need to create the secret in every namespace you want to install Cloud Pak for Integration components.
- all namespaces, add a global pull secret.
Adding a pull secret to a namespace
To install Cloud Pak for Integration in its own namespace, create a docker registry
secret named ibm-entitlement-key
, using the following command. In the third line,
replace <entitlement-key>
with the value of your entitlement key from the
previous section:
oc create secret docker-registry ibm-entitlement-key \
--docker-username=cp \
--docker-password=<entitlement-key> \
--docker-server=cp.icr.io \
--namespace=<target namespace>
Adding a global pull secret
To install Cloud Pak for Integration in all namespaces, follow these steps.
-
Extract the current global pull secret:
oc extract secret/pull-secret -n openshift-config --keys=.dockerconfigjson --to=. --confirm
-
Convert the extracted global pull secret using
jq
:cat .dockerconfigjson | jq > .dockerconfigjson.orig mv .dockerconfigjson.orig .dockerconfigjson
-
Convert your entitlement key to an auth string. Replace
<entitlement-key>
with the value of your entitlement key from the section above, "Obtaining your entitlement key".echo "cp:<entitlement key>" | base64
-
Using a text editor, add the new pull secret to the
auths
section. The value of<auth string>
is the auth string returned in the previous step.{ "auths": { "cp.icr.io" : { "auth": "<auth string>" } } }
-
Upload the new global pull secret:
oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson
-
Wait for up to 15 minutes for changes to take effect:
watch oc get nodes
This update is rolled out to all nodes, which can take some time depending on the size of your cluster. During this time, nodes are drained and Pods are rescheduled on the remaining nodes.
You can also use the
kubectl
tool instead of theoc
tool to create the secret.