Finding and applying your entitlement key by using the CLI (online installation)

The IBM Entitled Registry contains software images for the instances in IBM Cloud Pak® for Integration. To allow the operators to automatically pull those software images, you must first obtain your entitlement key, then add your entitlement key in a pull secret.

Obtaining your entitlement key

  1. Go to the Container software library.
  2. For any key that is listed, click Copy.
  3. Copy the entitlement key to a safe place so you can use it when you add the pull secret in the next section.
  4. (Optional) Verify the validity of the key by logging in to the IBM Entitled Registry by using a container tool.
    docker login cp.icr.io --username cp --password entitlement_key

Applying the pull secret

Your entitlement key must be added to the OpenShift cluster as a pull secret to deploy instances. Adding a global pull secret enables deployment of instances in all namespaces. The alternative is to add a pull secret to each namespace in which you plan to deploy instances (any namespace with operators), plus the `openshift-operators` namespace. However, this option adds work to your installation process.

Important: If you installed the operators in all namespaces on the cluster, do one of the following:
  • In the openshift-operators namespace, create an entitlement key secret.
  • In the openshift-config namespace, update a secret called pullsecret with the entitlement key.

Adding a global pull secret for all namespaces on the cluster

Update the global pull secret of an OpenShift cluster with your IBM container entitlement.

Before you begin, log in as an OpenShift cluster administrator. For more information, see OpenShift roles and permissions
Note: The following procedure cannot be used on an OpenShift cluster that is on IBM Cloud.
  1. Extract the current global pull secret:
    oc extract secret/pull-secret -n openshift-config --keys=.dockerconfigjson --to=. --confirm
  2. Update the JSON with your icr.io credentials that were returned in the previous step: 
    oc registry login --registry="your_registry" --auth-basic="your_user:your_password" --to=your_target_file
    For example:
    oc registry login --registry="cp.icr.io" --auth-basic="cp:$1" --to=.dockerconfigjson
  3. Upload the new global pull secret to OpenShift Container Platform:
    oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson
    After a successful upload, the system returns:
    secret/pull-secret data updated
    This update triggers a restart of all nodes on your OpenShift cluster. It can take up to an hour for the change to take effect, depending on your cloud provider and the size of your cluster.
  4. When all nodes are back online, run this command (which makes status updates in real time) to confirm:
    oc get machineconfigpool -w

Adding a pull secret to a namespace using the CLI

You must be a namespace administrator to perform this task. For more information, see OpenShift roles and permissions.

To deploy instances in one or more (but not all) namespaces, run the following command. You must add the pull secret in each namespace in which you plan to deploy instances.

Create a docker registry secret named ibm-entitlement-key, using the following command. In the third line, replace entitlement_key with the value of your entitlement key from the previous section. In the last line, replace target_namespace with the name of your target namespace:

oc create secret docker-registry ibm-entitlement-key \
    --docker-username=cp \
    --docker-password=entitlement_key \
    --docker-server=cp.icr.io \
    --namespace=target_namespace

What to do next

You can now deploy the IBM Cloud Pak Platform UI using either the UI or CLI. For more information, see Deploying the Platform UI.