Preparing to run IBM Concert installations from a private container registry

If you plan to use a private container registry to host the IBM Concert software images, you must mirror the images from the IBM Entitled Registry and configure the cluster to pull the images from the private container registry.

Installation phase
  • Preparing your cluster
  • Obtaining your IBM entitlement API key
  • Installing the OpenShift CLI
  • Preparing to run installs from a private container registry (you are here)
  • Creating an image pull secret
  • Installing IBM Concert

Who needs to complete this task?

Concert operations team, Cluster administrator, Registry administrator
The IBM Concert operations team should work with the private container registry administrator and the cluster administrator to complete the appropriate tasks for your environment.

When to complete this task

One-time setup
If you plan to install Concert from images in a private container registry, you must complete the tasks in this section. With careful planning, you can complete the tasks once. However, if you decide that you want to install additional services and the images are not in your private container registry, you might need to complete some of these tasks multiple times.

If you plan to pull images directly from the IBM Entitled Registry, you can skip this task and continue to Preparing your cluster for IBM Concert.

About this task

Important:
You must mirror the necessary images to your private container registry in the following situations:
  • Your cluster is air-gapped (also called an offline or disconnected cluster)
  • Your cluster uses an allowlist to permit direct access by specific sites and the allowlist does not include the IBM Entitled Registry
  • Your cluster uses a blocklist to prevent direct access by specific sites and the blocklist includes the IBM Entitled Registry
Even if these situations do not apply to your environment, you should consider using a private container registry if you want to:
  • Run security scans against the software images before you install them on your cluster
  • Ensure that you have the same images available for multiple deployments, such as development or test environments and production environments

The only situation in which you might consider pulling images directly from the IBM Entitled Registry is when your cluster is not air-gapped, your network is extremely reliable, and latency is not a concern. However, for predictable and reliable performance, you should mirror the images to a private container registry.

Use the manage script, ibm-concert-manage.sh, to mirror images to your private registry. You can also access the script from the IBM Concert software GitHub repository. Run these steps from a device that has access to both the IBM Entitled Registry and the private registry.

Procedure

To prepare to run installs from a private container registry:

  1. Set the following environment variables:
    export UTILS_IMG=icr.io/cpopen/ibm-aaf-utils:1.0.1
    export SERVICE_VERSION=1.0.1
    export DOCKER_EXE=
    export COMPONENTS=cpfs,ibm-licensing,ibm-cert-manager,concert
    export IBM_ENTITLEMENT_KEY=
    export PRIVATE_REGISTRY_LOCATION=<private registry location>
    export PRIVATE_REGISTRY_PUSH_USER=<private registry user>
    export PRIVATE_REGISTRY_PUSH_PASSWORD=<private registry password>
    Where the variables reflect the following values:
      UTILS_IMG: The latest ibm-aaf-utils image
      SERVICE_VERSION: IBM Concert version
      DOCKER_EXE: podman or docker
      COMPONENTS: List of components whose images are to be mirrored
      IBM_ENTITLEMENT_KEY: IBM entitlement API key
      PRIVATE_REGISTRY_LOCATION: Location of the private registry to which the images are mirrored
      PRIVATE_REGISTRY_PUSH_USER: Name of a user with push access to the private registry
      PRIVATE_REGISTRY_PUSH_PASSWORD: Password of the user named in PRIVATE_REGISTRY_PUSH_USER
  2. Initialize the ibm-aaf-utils container:
    ./ibm-concert-manage.sh initialize
  3. Log in to the entitled and private registries:
    ./ibm-concert-manage.sh login-entitled-registry 
    
    ./ibm-concert-manage.sh login-private-registry
  4. List the images and mirror them to the private registry:
    ./ibm-concert-manage.sh list-images
    
    ./ibm-concert-manage.sh mirror-images 
  5. Verify that the images exist in the private registry.
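
One way to carry out the verification in step 5, as an added example that is not part of ibm-concert-manage.sh or the IBM documentation: it checks that each source image is present in the private registry and has the same manifest digest. It assumes skopeo is installed and already logged in to both registries on the host, that the mirror keeps each repository path and tag and only replaces the registry host, and that images.txt is a hypothetical file of source image references (one per line) that you prepared from the list-images output.

```shell
#!/usr/bin/env bash
# Added example (not IBM code): compare source and mirrored image digests.
# Assumption: the mirror keeps repository path and tag and swaps only the
# registry host for $PRIVATE_REGISTRY_LOCATION. Adjust mirror_ref otherwise.

# Map a source reference to its expected location in the private registry.
mirror_ref() {
  printf '%s/%s\n' "${PRIVATE_REGISTRY_LOCATION%/}" "${1#*/}"
}

# Print the manifest digest of an image, or nothing if it cannot be read.
# Relies on an earlier "skopeo login" so no password appears on a command line.
image_digest() {
  skopeo inspect --format '{{.Digest}}' "docker://$1" 2>/dev/null </dev/null || true
}

# Read image references on stdin, print one status line per image, and
# return non-zero if any image is missing, unreadable, or differs.
verify_mirror() {
  local src dst want got rc=0
  while IFS= read -r src; do
    case $src in ''|\#*) continue ;; esac   # skip blank lines and comments
    dst=$(mirror_ref "$src")
    want=$(image_digest "$src")
    got=$(image_digest "$dst")
    if [ -z "$got" ]; then
      echo "MISSING  $dst"; rc=1
    elif [ -z "$want" ]; then
      echo "NOSOURCE $src"; rc=1
    elif [ "$want" != "$got" ]; then
      echo "MISMATCH $dst"; rc=1
    else
      echo "OK       $dst $got"
    fi
  done
  return "$rc"
}

# Usage (images.txt is a hypothetical file name):
#   verify_mirror < images.txt
```

A MISMATCH line means the tag in the private registry points at different content than the source tag. A mirror that copies only one architecture of a multi-architecture image also produces it, so confirm which case applies before installing.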