Pulling images from the IBM Entitled Registry
The DataPower Operator supports automatically pulling IBM DataPower images from the IBM Entitled Registry using your entitlement key.
Image selection
When configuring the DataPowerService
Custom Resource, there are two properties which will determine which image is pulled, and from what container registry:
The version
property will decide which base firmware version should be used, while the license.use
will determine which edition to use.
license.use | Registry | Image location |
---|---|---|
production | IBM Entitled Registry | cp.icr.io/cp/datapower/datapower-prod |
nonproduction | IBM Entitled Registry | cp.icr.io/cp/datapower/datapower-nonprod |
developers | IBM Entitled Registry | cp.icr.io/cp/datapower/datapower-deved |
developers-limited | IBM Container Registry | icr.io/integration/datapower/datapower-limited |
Image Pull Secret
If the IBM DataPower image is to be pulled from the IBM Entitled Registry, an Entitlement Key must be used as an Image Pull Secret. You can obtain an Entitlement Key from My IBM.
Default Image Pull Secret
If you do not specify an Image Pull Secret in your DataPowerService Custom Resource spec
, then the operator will look for a Secret named ibm-entitlement-key
in the same namespace as the DataPowerService, and it will use this Secret to pull the IBM DataPower images. This is typically the method used to provide the Entitlement Key.
If you want to use your own Entitlement Key, then you can create it.
- If you create it with the name
ibm-entitlement-key
in the same namespace as the DataPowerService, then you do not need to explicitly name it as the Image Pull Secret in your DataPowerService Custom Resourcespec
, because the operator will find it automatically. - If you create it with a different name, then you must explicitly name it as the Image Pull Secret in your
DataPowerService
Custom Resource spec, see imagePullSecrets.
Creating the Secret
If you want to create your own Entitlement Key as a Secret, you must create it in the same namespace as the DataPowerService.
- We recommend that you use the name ibm-entitlement-key
- Use
cp
as the username - Use your Entitlement Key as the password
- Use
cp.icr.io
as the Docker server
For example:
oc create secret docker-registry \ibm-entitlement-key \--docker-username=cp \--docker-password=<entitlement-key> \--docker-server=cp.icr.io
For more information on creating Secrets using the Kubernetes command line, please see their documentation.
Using a custom Service Account
If you choose to provide your own custom Service Account via the serviceAccountName property on the DataPowerService
spec, then the DataPower Operator will not automatically attempt to use a ibm-entitlement-key
Secret. Instead, you should either add this Image Pull Secret to your Service Account, or provide it manually via the imagePullSecrets property.