IBM DataPower Operator Documentation

Pulling images from the IBM Entitled Registry

The DataPower Operator supports automatically pulling IBM DataPower images from the IBM Entitled Registry using your entitlement key.

Image selection

When configuring the DataPowerService Custom Resource, two properties determine which image is pulled and from which container registry: version and license.use.

The version property selects the base firmware version, while the license.use property selects the edition.

license.use          Registry                  Image location
production           IBM Entitled Registry     cp.icr.io/cp/datapower/datapower-prod
nonproduction        IBM Entitled Registry     cp.icr.io/cp/datapower/datapower-nonprod
developers           IBM Entitled Registry     cp.icr.io/cp/datapower/datapower-deved
developers-limited   IBM Container Registry    icr.io/integration/datapower/datapower-limited

Image Pull Secret

If the IBM DataPower image is to be pulled from the IBM Entitled Registry, an Entitlement Key must be used as an Image Pull Secret. You can obtain an Entitlement Key from My IBM.

Default Image Pull Secret

If you do not specify an Image Pull Secret in your DataPowerService Custom Resource spec, then the operator will look for a Secret named ibm-entitlement-key in the same namespace as the DataPowerService, and it will use this Secret to pull the IBM DataPower images. This is typically the method used to provide the Entitlement Key.

If you want to use your own Entitlement Key, you can create a Secret that contains it.

  • If you create it with the name ibm-entitlement-key in the same namespace as the DataPowerService, then you do not need to explicitly name it as the Image Pull Secret in your DataPowerService Custom Resource spec, because the operator will find it automatically.
  • If you create it with a different name, then you must explicitly name it as the Image Pull Secret in your DataPowerService Custom Resource spec; see imagePullSecrets.

Creating the Secret

If you want to create your own Entitlement Key as a Secret, you must create it in the same namespace as the DataPowerService.

  1. We recommend that you use the name ibm-entitlement-key
  2. Use cp as the username
  3. Use your Entitlement Key as the password
  4. Use cp.icr.io as the Docker server

For example:

oc create secret docker-registry \
ibm-entitlement-key \
--docker-username=cp \
--docker-password=<entitlement-key> \
--docker-server=cp.icr.io

For more information on creating Secrets using the Kubernetes command line, see the Kubernetes documentation.

Using a custom Service Account

If you choose to provide your own custom Service Account via the serviceAccountName property on the DataPowerService spec, then the DataPower Operator will not automatically attempt to use an ibm-entitlement-key Secret. Instead, you should either add this Image Pull Secret to your Service Account, or provide it manually via the imagePullSecrets property.
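An added example (not part of the IBM documentation): a shell function that renders the Secret from "Creating the Secret" as a manifest, reading the Entitlement Key from stdin instead of passing it as a command-line argument. The function name, the datapower-ns namespace and the my-datapower-sa Service Account are placeholders, and the key character check is an assumption about the key format; the closing comment shows oc secrets link for the custom Service Account case.

```shell
# Usage: entitlement_secret_manifest <namespace> [secret-name] < key-file
# (hypothetical helper; cp, cp.icr.io and ibm-entitlement-key come from this page)
entitlement_secret_manifest() (
  namespace="$1"
  name="${2:-ibm-entitlement-key}"   # default name the operator looks for
  [ -n "$namespace" ] || { echo "namespace is required" >&2; exit 2; }

  # The first line of stdin is the key; drop a trailing CR from Windows-edited files.
  IFS= read -r key || [ -n "$key" ] || { echo "no key on stdin" >&2; exit 2; }
  key=$(printf '%s' "$key" | tr -d '\r')

  # Assumption: the key is a JWT-style token (base64url characters and dots).
  # Spaces, quotes or a pasted "<entitlement-key>" placeholder would yield a
  # Secret that only fails later at image pull time, so reject them here.
  case "$key" in
    ''|*[!A-Za-z0-9._=+/-]*)
      echo "key is empty or has unexpected characters" >&2; exit 2 ;;
  esac

  # Same payload that `oc create secret docker-registry` builds:
  # username cp, server cp.icr.io, auth = base64("cp:<key>").
  auth=$(printf 'cp:%s' "$key" | base64 | tr -d '\n')
  config=$(printf '{"auths":{"cp.icr.io":{"username":"cp","password":"%s","auth":"%s"}}}' \
    "$key" "$auth")

  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(printf '%s' "$config" | base64 | tr -d '\n')
EOF
)

# Typical use (datapower-ns and my-datapower-sa are placeholder names):
#   entitlement_secret_manifest datapower-ns < key.txt | oc apply -f -
#   oc secrets link my-datapower-sa ibm-entitlement-key --for=pull -n datapower-ns
```

The namespace passed to the function must be the one that holds the DataPowerService, as the page requires.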