GitHubContribute in GitHub: Edit online

copyright: years: 2023 lastupdated: "2023-04-24"

Accessing Voice Gateway images from Kubernetes or OpenShift

For IBM Voice Gateway deployed in the IBM Cloud Kubernetes Service, only the image references need to be changed. No credentials need to be set up to access the images.

Accessing images from a Kubernetes or OpenShift cluster requires setting up a Kubernetes Image Pull Secret that uses an IBM Cloud API Key.

The following steps cover how to create an IBM Cloud service ID with access to the container registry and provision an API Key. More detailed steps can be found in Other Registry Accounts.

  1. Log in to IBM Cloud and the Container Registry

    ibmcloud login --sso

  2. Create an IBM Cloud IAM service ID for the cluster that is used for the IAM policies and API key credentials in the image pull secret. Enter a description for the service ID that helps you remember and retrieve later.

    ibmcloud iam service-id-create public-icr-registry-id --description "Service ID for IBM Cloud Container Registry public namespace"

  3. Create a custom IBM Cloud IAM policy for your cluster service ID that grants access to IBM Cloud Container Registry.

    ibmcloud iam service-policy-create <service-id> --roles Reader --service-name container-registry

    service-id is the ID generated from the previous command.

  4. Create an API key for the service ID. Name the API key similar to the service ID you previously created, and include the service ID public-icr-registry-id. Enter a description for the API key that helps you remember and retrieve later.

    ibmcloud iam service-api-key-create public-icr-registry-key public-icr-registry-id --description "API key for service ID <service_id> to access the IBM Cloud Container registry"

  5. Retrieve your API Key value from the output of the previous command.

    Please preserve the API key! It can't be retrieved after it's created.

Name          public-icr-registry-key
Description   <Description>   
Bound To      crn:v1:bluemix:public:iam-identity::a/1bb222bb2b33333ddd3d3333ee4ee444::serviceid:ServiceId-ff55555f-5fff-6666-g6g6-777777h7h7hh   
Created At    2019-02-01T19:06+0000   
API Key       i-8i88ii8jjjj9jjj99kkkkkkkkk_k9-llllll11mmm1   
Locked        false   
UUID          ApiKey-222nn2n2-o3o3-3o3o-4p44-oo444o44o4o4

  6. Create an image pull secret to store the API key credentials in the cluster namespace. Repeat this step for each namespace of each cluster for each icr.io domain that you want to pull images from.

    kubectl --namespace <namespace> create secret docker-registry public-icr-io --docker-server=icr.io --docker-username=iamapikey --docker-password=<api_key_value>

    • --namespace <namespace> Required. Specify the Kubernetes namespace of the cluster.

    • --docker-password <token_value> Required. Enter the value of the API Key that you previously retrieved.

  7. Verify that the secret was created successfully. Replace with the namespace from which you created the image pull secret. 

    kubectl get secret public-icr-io --namespace <namespace>

  8. Add the secret as an imagePullSecret in your Kubernetes or OpenShift deployment.

    apiVersion: v1
kind: Deployment
...
spec:
  containers:
    imagePullSecrets:
    - name: public-icr-io

  9. Continue following the Deploying to Kubernetes guide.