Getting access to the container images

To get access to the container images, you must either have an IBM entitlement registry key to pull the images from the IBM Docker registry (Option 1) or download the .tgz package file from Passport Advantage (PPA) (Option 2). If you download the images (Option 2), you must push the images to a local Docker registry.

About this task

The scripts and Kubernetes descriptors in the GitHub repository are needed to install the containers.

Airgap scenario

For users with a cluster in a private network that doesn’t have public internet access, use Option 2 in Step 2 of the procedure.


  1. In your local clone of the GitHub repository, go to the container-samples directory.
  2. Get your entitlement key or download the images from PPA.
    • Option 1: Get your entitlement key for the IBM Cloud Entitled Registry.
      1. Log in to MyIBM Container Software Library with the IBMid and password that is associated with the entitled software.
      2. In the Container software library tile, verify your entitlement on the View library page, and then go to Get entitlement key to retrieve the key.
      3. Create a pull secret for the entitlement key, for example:
        $ kubectl create secret docker-registry admin.registrykey --docker-server=<REGISTRY_DOMAIN> --docker-username=cp --docker-password="<ENTITLEMENT_KEY_GENERATED>" --docker-email=<EMAIL_ADDRESS>
        Note: The value for the docker-server parameter is the domain name of the only registry that contains the images. Use “cp” for the docker-username. The docker-email must be a valid email address that is associated with your IBMid. Copy the entitlement key into the docker-password field within double quotes.
      4. Take note of the secret and the server values so that you can set them to the pullSecrets and repository parameters when you run the operator for your containers.
    • Option 2: Download the packages from PPA and load the images.

      IBM Passport Advantage (PPA) provides archives (.tgz) for the software. To view the list of Passport Advantage eAssembly installation images, refer to the download document.

      1. Download one or more PPA packages to a server that is connected to your Docker registry.
      2. Log in to your cluster.
      3. Check that you can run a docker or podman command.
        docker ps
        podman ps
      4. Log in to the Docker registry with a token:
        docker login <registry url> -u <ADMINISTRATOR> -p <password>
        Or, with OpenShift:
        podman login $(oc registry info) -u <administrator> -p $(oc whoami -t)
        Note: You can connect to a node in the cluster to resolve the docker-registry.default.svc parameter.
      5. Run a kubectl command to make sure that you can use Kubernetes.
        kubectl cluster-info
      6. Run the scripts/ script to load the images into your Docker registry. Specify the two mandatory parameters in the command line.
        -p  PPA archive files location or archive file name
        -r  Target Docker registry and namespace
        -l  Optional: Target a local registry

        The following example shows the input values in the command line.

        cd scripts
        ./ -p <PPA-ARCHIVE>.tgz -r docker-registry.default.svc:5000/<project-name>
        Note: The project-name variable is the name of the project that you created when you set up your cluster. If you want to use an external Docker registry, take note of the Docker registry service name or the URL so that you can enter it during deployment. If you connect remotely to the cluster from a Linux host/VM, then you must have Docker and the OpenShift command line interface (CLI) installed on OCP. If you have access to the master node on the cluster, the OCP CLI and Docker are already installed.
        Or, with OpenShift:
        ./ -p <PPA-ARCHIVE>.tgz  -r $(oc get route default-route -n openshift-image-registry --template='{{ }}')/my_project_name
      7. Check that the images are pushed correctly to the registry. Using the OpenShift CLI:
        oc get is
      8. In your target namespace, create a Docker registry secret if you want to use an external Docker registry or reuse a secret in the target project if you want to use an internal Docker registry.
        If you want to pull directly from the IBM entitled registry, reuse the secret that you created in Step 1 Option 1:
           name: "admin.registrykey"
        Note: The secret_name must match the parameter in the operator deployment (.yaml) file, for example, admin.registrykey.
        Create a secret to access an external Docker registry:
        $ oc create secret docker-registry admin.registrykey --docker-server=<registry_url> --docker-username=<your_account> --docker-password=<your_password>
        For an internal Docker registry:
        $ oc project <my-project>
        $ oc get secret
  3. In your target namespace, at deployment time, verify that the secret that you created for your image pull secret is still valid and has not expired. If needed, delete and recreate the secret as applicable in the previous steps.
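
The following is an added example, not part of the original procedure or of IBM's scripts. It shows what a docker-registry pull secret contains and checks that a secret has an entry for the registry you pull from; a secret created without --docker-server is keyed to kubectl's default, https://index.docker.io/v1/, and cannot authenticate pulls from any other registry. The function names and registry.example.test are assumptions made for illustration.

```shell
# Added example: function names and sample values are illustrative only.
# POSIX sh; each function body runs in a subshell so its variables stay local.

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# Build the .dockerconfigjson payload that a docker-registry secret stores.
# The key is read from stdin, so it never appears in argv or shell history.
make_dockerconfigjson() (
  server="$1"; user="$2"
  pass=$(cat)
  auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}\n' \
    "$(json_escape "$server")" "$(json_escape "$user")" "$(json_escape "$pass")" "$auth"
)

# Return 0 if a base64-encoded .dockerconfigjson has an entry for the registry.
# Plain string match after stripping whitespace; not a full JSON parser.
secret_covers_registry() (
  printf '%s' "$1" | base64 -d 2>/dev/null | tr -d ' \t\r\n' \
    | grep -qF "\"$2\":{"
)

# Usage against a cluster (not run here; key.txt holds the key, mode 600):
#   umask 077
#   make_dockerconfigjson "<registry_url>" cp < key.txt > config.json
#   kubectl create secret generic admin.registrykey \
#     --type=kubernetes.io/dockerconfigjson \
#     --from-file=.dockerconfigjson=config.json
#   secret_covers_registry \
#     "$(kubectl get secret admin.registrykey \
#          -o jsonpath='{.data.\.dockerconfigjson}')" \
#     "<registry_url>" || echo "secret has no entry for this registry"
```

This check confirms only which registry the secret targets. Whether the key itself is still accepted can be confirmed only by logging in to, or pulling from, the registry.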

What to do next

To deploy your operator, see topic Deploying the operator.