Getting access to images from an offline (private) image registry

To get access to the Cloud Pak container images, you can download the Cloud Pak packages (.tgz files) from Passport Advantage® (PPA) or Fix Central. You must then push the images to your registry. The deployment script asks for the user credentials for your registry.

About this task

For more information about the client-side tools you might need, see Preparing to install enterprise containers.

Important: The deployment script creates the secret to pull the images from the chosen registry based on the local image registry information. Therefore, you do not need to create the image pull secret unless you want to create the secret yourself or you do not plan to use the script. To create the pull secret yourself, run a kubectl create secret command and make sure that you use admin.registrykey as the secret name.
kubectl create secret docker-registry admin.registrykey --docker-server=<server_name> --docker-username=<user_name> --docker-password="<user_password>" --docker-email=<user_email>

If you plan to make a manual installation, take a note of the secret and the server values so that you can set them to the pullSecrets and repository parameters when you install the operator.


  1. Find a client machine that can access the internet and download the PPA packages.
    When you download the files, ensure that the name of the maintenance file is not changed. This change might be intentional, or it might be an inadvertent change that is caused by certain web browsers or download utilities. Make a note of the <ARCHIVE> file names of your images. The platform Foundation, which is always installed with another pattern, needs the following images as a minimum.
    • "Business Automation Application Engine" for the Resource Registry.
    • "Content Navigator" for Business Automation Navigator.
    Note: Other images of the Foundation are also needed when you choose the component explicitly with the deployment script, or a selected pattern includes them. For more information, see Capabilities for evaluation deployments.

    For 20.0.2 and 20.0.3, IBM Passport Advantage (PPA) provides archives (.tgz) for the software. To view the list of Passport Advantage eAssembly installation images, refer to the download document.

    For 20.0.2 IF001, go to Fix Central to find and download the image updates.
    • From the Select product tab, select WebSphere as your product group, then select IBM Cloud Pak for Automation, 20.0.2 for the installed version and Linux x86 for the platform, and click Continue.
    • Click Continue again to request the full list of fixes.
    • If you already registered for My support, sign in and skip to the next step. If you have not registered, click Register now. Complete the registration form using your email address as your IBM ID and click Submit.

    If the client machine cannot access the target image registry, transfer the files to another machine that can. If the machines are not on the same network you can use a physical device, like a portable hard disk, to transfer the files.

  2. Download the scripts from GitHub.
    1. Log in to the target cluster as the <cluster-admin> user.

      Using the OpenShift CLI:

      oc login https://<cluster-ip>:<port> -u <cluster-admin> -p <password>
    2. Download the appropriate GitHub repository to a Linux® based machine (RHEL, CentOS, and macOS) and go to the cert-kubernetes directory.

      The following command clones the latest version.

      git clone

      The following links can be used to download a specific version.

  3. Load the images by running a script.
    Note: If you connect remotely to the cluster from a Linux host/VM, then you must have Docker or Podman and the OpenShift command line interface (CLI) installed on OCP. If you have access to the master node on the OCP cluster, they are already installed. You can install Podman by running the following command.
    yum -y install podman

    When you have all of the files for the images that you want to install, run the following commands.

    1. Get your access token.
      oc whoami -t
    2. Run a kubectl command to make sure that you can use Kubernetes.
      kubectl cluster-info
    3. Check that you can run a docker or Pod Manager (podman) command, depending on your environment.
      docker ps
      podman ps -a
    4. Get the registry route.
      oc registry info --public

      If the command has no output or the output is an internal service URL, it means that the route is not enabled. To enable the registry route on the cluster run the following command.

      oc patch configs.imageregistry.operator.openshift.io/cluster --type merge -p '{"spec":{"defaultRoute":true}}'

      For more information about exposing routes on OCP 4.6, see Exposing the registry. Use the OCP version menu to find your specific version in the OpenShift documentation.

    5. Log in to the image registry by using the registry route that is returned by the "oc registry info --public" command.
      docker login $(oc registry info --public) -u $(oc whoami) -p $(oc whoami -t)
      podman login $(oc registry info --public) -u $(oc whoami) -p $(oc whoami -t) --tls-verify=false
      Note: If you are logged in to the cluster as "kubeadmin", the "oc whoami" command returns "kube:admin", which does not work. You must use "kubeadmin" as the login user.
      podman login $(oc registry info --public) -u kubeadmin -p $(oc whoami -t) --tls-verify=false
    6. Run the scripts/ script to load the images into your registry.
      -p  The archive files location or archive file name
      -r  Target image registry and namespace

      The following example shows the input values in the command line.

      cd scripts
      ./ -p <ARCHIVE> -r $(oc registry info --public)/<project-name>
      Note: The <project-name> variable is the name of the project that you created when you prepared the operator storage. Take a note of the image registry route so that you can enter it in the deployment script.

      If you want to load the images into another project that can be referenced across namespaces, then you must allow pods to reference images from that project.

      For example, to allow any service account in a project that is named cp4a-project to reference images in another project named cp4a-images-project, use the oc policy add-role-to-group command and set the namespace to the project that holds the images.

      oc policy add-role-to-group \
         system:image-puller system:serviceaccounts:cp4a-project \
         --namespace=cp4a-images-project

      For more information, see Allowing pods to reference images across projects.

    7. Check that the images are pushed correctly to the registry. Using the OpenShift CLI:
      oc get is
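
The route check and login from steps 4 and 5 can be wrapped in a small shell helper, shown here as an added example that is not part of the original procedure or of the cert-kubernetes scripts. The function names are hypothetical, and the token is passed on standard input with --password-stdin instead of -p. The example assumes that the client trusts the registry route certificate, so it omits --tls-verify=false.

```shell
# Added example: helpers for steps 4 and 5 (registry route check and login).
# Function names are hypothetical and not part of cert-kubernetes.

# Return 0 only when the value printed by "oc registry info --public" is an
# external route. Empty output or an internal service URL means that the
# default route is not enabled on the cluster.
route_is_public() {
  case "$1" in
    "") return 1 ;;
    *.svc|*.svc:*|*.svc.cluster.local*) return 1 ;;
    *) return 0 ;;
  esac
}

# Map the name returned by "oc whoami" to the registry login user.
# "kube:admin" does not work as a login user; "kubeadmin" must be used.
login_user() {
  if [ "$1" = "kube:admin" ]; then
    printf '%s\n' "kubeadmin"
  else
    printf '%s\n' "$1"
  fi
}

# Log in with docker or podman ($1). The token is read from stdin, so it does
# not appear in the process list or in the shell history.
registry_login() {
  rl_tool="$1"
  rl_route="$(oc registry info --public)"
  if ! route_is_public "$rl_route"; then
    echo "registry route is not enabled (got: '$rl_route')" >&2
    return 1
  fi
  rl_user="$(login_user "$(oc whoami)")"
  oc whoami -t | "$rl_tool" login "$rl_route" -u "$rl_user" --password-stdin
}

# Usage, after "oc login": registry_login podman   (or: registry_login docker)
```
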