Finding and applying your entitlement key by using the CLI (online installation)

The IBM Entitled Registry contains software images for the capabilities in IBM Cloud Pak® for Integration. To allow the Cloud Pak for Integration operators to automatically pull those software images, you must first obtain your entitlement key, then add the key to a pull secret.

Obtaining your entitlement key

  1. Go to the Container software library.
  2. Click Copy key.
  3. Copy the entitlement key to a safe place so you can use it when you add the pull secret in the next section.
  4. (Optional) Verify the validity of the key by logging in to the IBM Entitled Registry by using a container tool.
    docker login cp.icr.io --username cp --password entitlement_key

Applying the pull secret

Your entitlement key must be added to the cluster as a pull secret to deploy Cloud Pak for Integration capabilities. You can either add a pull secret to each namespace you plan to use for Cloud Pak for Integration capabilities, or add a global pull secret, which enables deployment of Cloud Pak for Integration capabilities in all namespaces.
Restriction: Depending on which option you choose, the procedure must be performed by either an automation administrator or a cluster administrator (as indicated for each of the following options). For details on these roles, see Roles and permissions.

Adding a pull secret to a namespace using the CLI

This task must be performed by an automation administrator. For more information, see Roles and permissions.

To deploy Cloud Pak for Integration capabilities in one or more (but not all) namespaces, add the pull secret to each namespace where you intend to deploy capabilities.

Create a docker registry secret named ibm-entitlement-key, using the following command. In the third line, replace entitlement_key with the value of your entitlement key from the previous section. In the last line, replace target_namespace with the name of your target namespace:

oc create secret docker-registry ibm-entitlement-key \
    --docker-username=cp \
    --docker-password=entitlement_key \
    --docker-server=cp.icr.io \
    --namespace=target_namespace

Adding a global pull secret for all namespaces

This task must be performed by a cluster administrator. For more information, see Roles and permissions.
Note: The following procedure cannot be used on an OpenShift cluster that is on IBM Cloud.

To add a pull secret for the whole cluster, perform the following steps:

  1. Extract the current global pull secret:
    oc extract secret/pull-secret -n openshift-config --keys=.dockerconfigjson --to=. --confirm
  2. Reformat the extracted global pull secret with jq so that it is easier to read and edit (this assumes you have already installed the jq command-line JSON processor):
    cat .dockerconfigjson | jq . > .dockerconfigjson.orig
    mv .dockerconfigjson.orig .dockerconfigjson
  3. Convert your entitlement key to an auth string. Replace entitlement_key with the value of your entitlement key from the preceding section, "Obtaining your entitlement key".
    echo -n "cp:entitlement_key" | base64
  4. Edit the .dockerconfigjson file: In the auths section, add the cp.icr.io object (as shown in the following example) to the list of objects. Replace auth_string with the value of the auth string returned in the previous step.
    Important: You must enter the value of auth_string as a single, continuous string. If there are any line breaks, you will get an error.
    {
       "auths": {
          "cp.icr.io" : {
             "auth": "auth_string"
          }
       }
    }

    This action adds the new pull secret.

  5. Upload the new global pull secret:
    oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson
    After a successful upload, the system returns:
    secret/pull-secret data updated
    This update triggers a restart of all your cluster's nodes. It can take up to an hour for the change to take effect, depending on your cloud provider and the size of your cluster.
  6. When all nodes are back online, run this command (which shows status updates in real time) to confirm:
    oc get machineconfigpool -w
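
Steps 3 and 4 of the global pull secret procedure can be scripted, so that the auth string is produced as one unbroken line and the registry entries already in the file are kept. This is an added example, not part of IBM's procedure; the function names and the ENTITLEMENT_KEY variable are assumptions, and it needs jq (as in step 2) and base64.

```shell
# Added example, not IBM's procedure. Requires jq (as in step 2) and base64.
set -eu

# Step 3: build the auth string for user "cp" from the key in $1.
# printf is a shell builtin, so the key is not exposed as a process argument,
# and unlike echo -n it behaves the same in every shell. tr removes the line
# wrapping that GNU base64 applies to long input.
make_auth_string() {
    printf 'cp:%s' "$1" | base64 | tr -d '\n'
}

# Step 4: set the cp.icr.io entry in the dockerconfigjson file $1 from the
# key in $2, keeping every other registry entry that is already there.
merge_entitlement() {
    local file auth tmp
    file=$1
    auth=$(make_auth_string "$2")
    # Refuse to touch a file that is not a pull secret.
    jq -e '.auths | type == "object"' "$file" >/dev/null || {
        echo "error: $file has no auths object" >&2
        return 1
    }
    tmp=$(mktemp "$file.XXXXXX")    # created with mode 0600
    # Pass the auth string through the environment rather than --arg, so it
    # stays out of jq's command line.
    AUTH=$auth jq '.auths["cp.icr.io"] = {auth: env.AUTH}' "$file" >"$tmp" || {
        rm -f "$tmp"
        return 1
    }
    mv "$tmp" "$file"
}

# Check before step 5: decode what is stored for cp.icr.io.
stored_credential() {
    jq -r '.auths["cp.icr.io"].auth' "$1" | base64 -d
}

# Usage (ENTITLEMENT_KEY is a hypothetical variable holding your key):
#   merge_entitlement .dockerconfigjson "$ENTITLEMENT_KEY"
```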