Implement Online Entitlement Validation for cp.icr.io Images Before Deployment

[luigimolinaro]

During Cloud Pak Deployer installations, the entitlement key for cp.icr.io is currently validated only through a login test (e.g., skopeo login). However, successful login does not guarantee that the entitlement key has permission to pull the specific images required for the deployment.

In multiple POC scenarios, we observed the following behavior:

podman login cp.icr.io → Login Succeeded

podman pull cp.icr.io/cp/cpd/<image>@sha256:<digest> → denied: You are not authorized to access this resource

This results in:

Installation failing later during Software Hub or component deployment

Describe the solution you'd like

Implement a pre-flight entitlement validation step in Cloud Pak Deployer that performs an image-level authorization check using:

skopeo inspect docker://cp.icr.io/@

(or tag-based if digest not available)

For every image defined in the deployment configuration:

Run skopeo inspect

If the command fails with an authorization error:

Immediately fail the deployment

Provide a clear and actionable error message

Example expected error output:

ERROR: Entitlement key does not grant access to the following image:

• cp.icr.io/cp/cpd/edb-postgres-license-provider@sha256:...

Please verify that the entitlement key includes the required Cloud Pak permissions.

This validation should:

Run before installation begins
Check unique images only (avoid duplicates)
Stop execution on first unauthorized image

[fketelaars]

I agree that this enhancement would be useful. However, I suggest to make this an optional flag in global_config. From past experiences, the checking of the images can take a very long time.

Also, it appears that list-images already has the ability to inspect images.

# Ensure that you have access to the images in the IBM Entitled Registry for the
# specified components. Requires a connection to the internet.
 list-images --release=5.3.0 --components=cpfs,cpd_platform,ws,spss
--inspect_source_registry=true

[fketelaars]

@luigimolinaro I ran a test with --inspect_source_registry=true for cpd_platform and wkc. For your information, the process of inspecting all 642 images takes ~10:30 minutes. From what I can tell, the inspection is done one by one.

You may want to look into oc image mirror to see if this allows you to inspect images in parallel.

[luigimolinaro]

My proposal is to streamline our deployment process by

• identifying the specific Cloud Paks to be used
• pre-validating access to their representative images and test it with skopeo

By doing this, I believe we can reduce our setup time by 80% or more.
Maybe add a specific check under cloud pak deployer ?

--check-entitlment
--check-images to avoid doing this every time ?

or using config of deployer like :

entitlement_validation:
  enabled: true       # Toggle pre-flight checks
  fail_on_error: true # Stop execution on failure vs. warning only
  sample_size: 3      # Smart sampling to keep validation under 1 minute

[fketelaars]

I would suggest --check-images (entitlement has a different meaning) and also add this option to the global_config. Agreed with the optimization for sample_size, good idea! For sample_size I would also consider adding a value all which causes all images to be checked.