Preparing the image pull secrets

If you plan to use the Operator Hub and the Form view, you must create the secrets to pull the images from the IBM Entitled Registry.

Before you begin

Make sure you prepared your cluster with the necessary infrastructure and software. For more information, see Preparing for a starter deployment.

About this task

You must choose to use either a global secret to pull the images or add an image pull secret to your target deployment namespace.

Note: If you want to share a single instance of Cloud Pak foundational services between Cloud Pak for Business Automation deployments, then you need to create either a global pull-secret in the openshift-config namespace or the ibm-entitlement-key secret in the target namespace of the CP4BA instance. If your deployment includes Business Team Service (BTS), then you must also create the ibm-entitlement-key secret in the ibm-common-services namespace. BTS is installed with BAA, BAI, ADP, and ADS. If BTS is included in your deployment and this namespace does not exist, then create it.

If you want to install a namespace-scoped instance of foundational services, then you need to create either a global pull-secret in the openshift-config namespace or the ibm-entitlement-key secret in the namespace of the CP4BA operator.

Important: If you use a public network to access the IBM Entitled Registry by using the domains cp.icr.io and icr.io, you must add the following hostnames to your firewall rules:
  • dd0.icr.io
  • dd2.icr.io
  • dd4.icr.io
  • dd6.icr.io
Users who are located in China must also allow the following hostnames:
  • dd1-icr.ibm-zh.com
  • dd3-icr.ibm-zh.com
  • dd5-icr.ibm-zh.com
  • dd7-icr.ibm-zh.com

You can also add wildcard characters to hostnames in your allowlist, for example *.icr.io and *.ibm-zh.com.

The following diagram shows the options:

[Figure: image pull secret options]

Procedure

  1. Log in to your OCP console with an ID that has cluster-admin permissions.
  2. Go to the Kubernetes namespace (cp4ba-starter) that you created for the Cloud Pak operator.
    On the left panel in your OCP console, click Home > Projects, and select the name of your namespace.

    For an all namespaces installation the namespace is always openshift-operators.

  3. Choose one of the two options:
    • Choice 1: If you want to update the global pull secret for your cluster to ensure that all namespaces on your cluster have the necessary credentials to pull images, you can either replace the current pull secret or append a new pull secret.

      Note: If a global pull secret exists for cp.icr.io, then the operator can already pull images from IBM Entitled Registry. If it does not exist, you must add it. If you choose to update the global pull secret, you do not need to create a docker-registry secret in each deployment namespace.
      1. Switch to the openshift-config namespace.
      2. From the OpenShift console, click Workloads > Secrets and search for pull-secret in the openshift-config project.

        If the secret exists, but does not include credentials to pull images from IBM Entitled Registry, select the secret and click Actions > Edit Secret. Then click Add credentials, enter the following information, and click Save.

        Table 1. Image pull details for global secret
        Field                     Value
        Authentication Type       Image Registry Credentials
        Registry Server Address   cp.icr.io
        Username                  cp
        Password                  Your IBM Entitlement Key
        Email                     Optional
      3. If the pull-secret does not exist, create the secret by clicking Create, and then select "image pull secret". In the Create Image Pull Secret window, add the following details, and then click Create.
        Table 2. Image pull details for global secret
        Field                     Value
        Name                      pull-secret
        Authentication Type       Image Registry Credentials
        Registry Server Address   cp.icr.io
        Username                  cp
        Password                  Your IBM Entitlement Key
        Email                     Optional
    • Choice 2: If you do not want to use a global pull secret, then you must create a secret to pull the images (ibm-entitlement-key) in your target namespace. If your deployment includes Business Team Service (BTS) and foundational services is cluster-scoped, then you also need the ibm-entitlement-key secret in the ibm-common-services namespace.

      1. Click Workloads > Secrets, click Create, and then select "image pull secret". Make sure that you are in the namespace where you want to create the secret.
      2. In the Create Image Pull Secret window, add the following details, and then click Create.
        Table 3. Image pull details for target namespace secrets
        Field                     Value
        Name                      ibm-entitlement-key
        Authentication Type       Image Registry Credentials
        Registry Server Address   cp.icr.io
        Username                  cp
        Password                  Your IBM Entitlement Key
        Email                     Optional
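
The "append" option in Choice 1 can also be done offline on an exported copy of the global pull secret. The following sketch is an added example, not part of the IBM procedure: it adds the cp.icr.io credential while keeping every other registry entry, then checks the result. The file name pull-secret.json, the function names, and the sample data are assumptions.

```python
import base64
import json

# Standard oc commands around this script (not from the page above):
#   oc get secret/pull-secret -n openshift-config \
#     --template='{{index .data ".dockerconfigjson" | base64decode}}' > pull-secret.json
#   oc set data secret/pull-secret -n openshift-config \
#     --from-file=.dockerconfigjson=pull-secret.json
REGISTRY = "cp.icr.io"  # Registry Server Address from the tables above
USERNAME = "cp"         # Username from the tables above


def merge_entitlement(dockerconfig_json: str, entitlement_key: str) -> str:
    """Add or refresh the cp.icr.io entry; all other registries are preserved."""
    if not entitlement_key or entitlement_key != entitlement_key.strip():
        raise ValueError("entitlement key is empty or has stray whitespace")
    config = json.loads(dockerconfig_json)
    auths = config.setdefault("auths", {})
    token = base64.b64encode(f"{USERNAME}:{entitlement_key}".encode()).decode()
    auths[REGISTRY] = {"auth": token}
    return json.dumps(config, indent=2, sort_keys=True)


def check_entitlement(dockerconfig_json: str) -> bool:
    """True if the secret holds a cp.icr.io credential for user 'cp'."""
    entry = json.loads(dockerconfig_json).get("auths", {}).get(REGISTRY)
    if not entry:
        return False
    if "auth" in entry:
        try:
            decoded = base64.b64decode(entry["auth"]).decode()
        except (ValueError, UnicodeDecodeError):
            return False
        user, _, password = decoded.partition(":")
    else:
        user, password = entry.get("username", ""), entry.get("password", "")
    return user == USERNAME and bool(password)


if __name__ == "__main__":
    # Constructed sample: a global pull secret that lacks cp.icr.io.
    existing = json.dumps({"auths": {"quay.io": {"auth": "ZXhhbXBsZTpleGFtcGxl"}}})
    merged = merge_entitlement(existing, "EXAMPLE-ENTITLEMENT-KEY")
    print(check_entitlement(existing), check_entitlement(merged))
    print(sorted(json.loads(merged)["auths"]))
```

Delete the exported file after the update, because it contains every registry credential of the cluster in decodable form.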

What to do next

Complete the next step in Installing the IBM Cloud Pak catalogs and operators.