Private container registry requirements
IBM® Concert software images are accessible from the IBM Entitled Registry. In most situations, it is strongly recommended that you mirror the necessary software images from the IBM Entitled Registry to a private container registry.
- Your cluster is air-gapped (also called an offline or disconnected cluster).
- Your cluster uses an allowlist to permit direct access by specific sites, and the allowlist does not include the IBM Entitled Registry.
- Your cluster uses a blocklist to prevent direct access by specific sites, and the blocklist includes the IBM Entitled Registry.
- Run security scans against the software images before you install them on your cluster
- Ensure that you have the same images available for multiple deployments, such as development or test environments and production environments
The only situation in which you might consider pulling images directly from the IBM Entitled Registry is when your cluster is not air-gapped, your network is extremely reliable, and latency is not a concern. However, for predictable and reliable performance, you should mirror the images to a private container registry.
Cluster requirements
To use a private container registry, your cluster must support image content source policies (ImageContentSourcePolicy).
Setting up a private container registry
- Review the guidance in OpenShift image registry overview:
- Ensure that you follow the guidelines for configuring the registry in Image configuration:
- Support the Docker Image Manifest Version 2, Schema 2
- Allow path separators in image names
- Be in close proximity to your Red Hat OpenShift Container Platform cluster
- Be accessible from all of the nodes in the cluster, and all of the nodes must have permission to push to and pull from the private container registry
Allowing required image prefixes
IBM Cloud Pak® software uses the following prefixes to identify images:
Tag | Used for |
---|---|
cp.icr.io/cp | Images that are pulled from the IBM Entitled Registry that require an entitlement key to download. Most of the IBM Concert software uses this tag. |
icr.io/cpopen | Publicly available images that are provided by IBM and that don't require an entitlement key to download. The IBM Concert operators use this tag. |
- The private container registry is configured to allow these prefixes
- The credentials that you will use to push images to the registry can push images with these prefixes
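As an added illustration (not taken from the IBM documentation), an image content source policy that redirects both image prefixes to a private container registry could look like the following. The policy name and the registry host `registry.example.internal:5000` are placeholders chosen for this example.

```yaml
# Added example: ImageContentSourcePolicy for the two IBM image prefixes.
# Assumptions: the policy name and the registry host below are placeholders.
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: concert-mirror-example          # hypothetical name
spec:
  # repositoryDigestMirrors only applies to images pulled by digest
  # (image@sha256:...). Pulls that reference a tag are not redirected,
  # so a tag-based pull still tries the source registry and fails on an
  # air-gapped cluster.
  repositoryDigestMirrors:
    # Entitled images (an entitlement key is needed to download them from
    # the source registry).
    - source: cp.icr.io/cp
      mirrors:
        - registry.example.internal:5000/cp
    # Publicly available IBM images, used by the operators.
    - source: icr.io/cpopen
      mirrors:
        - registry.example.internal:5000/cpopen
# The mirror paths keep the cp/ and cpopen/ components, which is why the
# private registry has to allow path separators in image names.
```

After the policy is applied, the Machine Config Operator rolls the updated registry configuration out to the nodes, so plan the change for a maintenance window.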
Mirror images directly from the IBM Entitled Registry
If you can set up a client workstation that can connect to both the internet and the private container registry, you can mirror the images directly from the IBM Entitled Registry to the private container registry. Follow the steps in Mirroring images directly to the private container registry to set it up.