Private container registry requirements

IBM® Concert software images are accessible from the IBM Entitled Registry. In most situations, it is strongly recommended that you mirror the necessary software images from the IBM Entitled Registry to a private container registry.

Installation phase
You are here icon. Preparing your cluster
You are not here. Obtaining your IBM entitlement API key
You are not here. Installing the Open Shift CLI
You are not here. Preparing to run installs from a private container registry
You are not here. Creating an image pull secret
You are not here. Installing IBM Concert
Important:
You must mirror the Concert software images to your private container registry in the following situations:
  • Your cluster is air-gapped (also called an offline or disconnected cluster).
  • Your cluster uses an allowlist to permit direct access by specific sites, and the allowlist does not include the IBM Entitled Registry.
  • Your cluster uses a blocklist to prevent direct access by specific sites, and the blocklist includes the IBM Entitled Registry.
Even if these situations do not apply to your environment, you should consider using a private container registry if you want to:
  • Run security scans against the software images before you install them on your cluster
  • Ensure that you have the same images available for multiple deployments, such as development or test environments and production environments

The only situation in which you might consider pulling images directly from the IBM Entitled Registry is when your cluster is not air-gapped, your network is extremely reliable, and latency is not a concern. However, for predictable and reliable performance, you should mirror the images to a private container registry.

If you decide to use a private container registry, review the guidance in the following sections:

Cluster requirements

To use a private container registry, your cluster must support image content source policies (ImageContentSourcePolicy).

Setting up a private container registry

For details about private container registries you can use with Red Hat® OpenShift® Container Platform, see the Red Hat OpenShift Container Platform documentation:
  1. Review the guidance in OpenShift image registry overview:
  2. Ensure that you follow the guidelines for configuring the registry in Image configuration:
Your private container registry must meet the following requirements:
  • Support the Docker Image Manifest Version 2, Schema 2
  • Allow path separators in image names
  • Be in close proximity to your Red Hat OpenShift Container Platform cluster
  • Be accessible from all of the nodes in the cluster, and all of the nodes must have permission to push to and pull from the private container registry
Restriction: You cannot use the integrated OpenShift Container Platform registry. It does not support multi-architecture images and is not compliant with the Docker Image Manifest Version 2, Schema 2.

Allowing required image prefixes

IBM Cloud Pak® software uses the following prefixes to identify images:

Tag Used for
cp.icr.io/cp Images that are pulled from the IBM Entitled Registry that require an entitlement key to download.

Most of the IBM Concert software uses this tag.

icr.io/cpopen Publicly available images that are provided by IBM and that don't require an entitlement key to download.

The IBM Concert operators use this tag.

Ensure that the following statements are true:
  • The private container registry is configured to allow these prefixes
  • The credentials that you will use to push images to the registry can push images with these prefixes

Mirror images directly from the IBM Entitled Registry

If you can set up a client workstation that can connect to the internet and the private container registry, you can mirror the images directly from the IBM Entitled Registry to the private container. Follow the steps in Mirroring images directly to the private container registry to set it up.