Pulling images from the IBM Entitled Registry

The DataPower Operator supports automatically pulling IBM DataPower images from the IBM Entitled Registry using your entitlement key.

Image selection

When configuring the DataPowerService Custom Resource, there are two properties which will determine which image is pulled, and from what container registry:

The version property will decide which base firmware version should be used, while the license.use will determine which edition to use.

`license.use`	Registry	Image location
`production`	IBM Entitled Registry	`cp.icr.io/cp/datapower/datapower-prod`
`nonproduction`	IBM Entitled Registry	`cp.icr.io/cp/datapower/datapower-nonprod`
`developers`	IBM Entitled Registry	`cp.icr.io/cp/datapower/datapower-deved`
`developers-limited`	IBM Container Registry	`icr.io/integration/datapower/datapower-limited`

When deploying within IBM Cloud Pak for Integration, the image location is always cp.icr.io/cp/datapower/datapower-cp4i.

For more details regarding this image, see Cloud Pak for Integration: Gateway runtime.

Image Pull Secret

If the IBM DataPower image is to be pulled from the IBM Entitled Registry, an Entitlement Key must be used as an Image Pull Secret. You can obtain an Entitlement Key from My IBM.

Default Image Pull Secret

If you do not specify an Image Pull Secret in your DataPowerService Custom Resource spec, then the operator will look for a Secret named ibm-entitlement-key in the same namespace as the DataPowerService, and it will use this Secret to pull the IBM DataPower images. This is typically the method used to provide the Entitlement Key.

If you want to use your own Entitlement Key, then you can create it.

If you create it with the name ibm-entitlement-key in the same namespace as the DataPowerService, then you do not need to explicitly name it as the Image Pull Secret in your DataPowerService Custom Resource spec, because the operator will find it automatically.
If you create it with a different name, then you must explicitly name it as the Image Pull Secret in your DataPowerService Custom Resource spec, see imagePullSecrets.

Creating the Secret

If you want to create your own Entitlement Key as a Secret, you must create it in the same namespace as the DataPowerService.

We recommend that you use the name ibm-entitlement-key
Use cp as the username
Use your Entitlement Key as the password
Use cp.icr.io as the Docker server

For example:

oc create secret docker-registry \
  ibm-entitlement-key \
  --docker-username=cp \
  --docker-password=<entitlement-key> \
  --docker-server=cp.icr.io

For more information on creating Secrets using the Kubernetes command line, please see their documentation.

Using a custom Service Account

If you choose to provide your own custom Service Account via the serviceAccountName property on the DataPowerService spec, then the DataPower Operator will not automatically attempt to use a ibm-entitlement-key Secret. Instead, you should either add this Image Pull Secret to your Service Account, or provide it manually via the imagePullSecrets property.

Edit this page on GitHub

APIs: DataPowerMonitor

Features: Configuration Management