Container Registry
Configure pull credentials for GHCR, Docker Hub, ECR, and other private registries.
When deploying from a pre-built image (instead of building from Git), you need to configure registry credentials so the orchestrator can pull the image. The platform supports all major container registries.
Supported Registries
| Registry | Type Key | Required Credentials |
|---|---|---|
| GitHub Container Registry | GHCR | username, token |
| Docker Hub | Docker | username, password |
| Amazon ECR | ECR | accessKeyId, secretAccessKey, region |
| Azure Container Registry | ACR | loginServer, username, password |
| Google Container Registry | GCR | serviceAccountKey |
| Google Artifact Registry | GAR | serviceAccountKey, region |
| Red Hat Quay | Quay | username, token |
| Custom / Self-hosted | Custom | url, username, password |
| Public (no auth) | Public | None |
Adding a Registry
Navigate to Registries
Go to Settings > Container Registries and click Add Registry.
Choose the Registry Type
Select the provider from the dropdown. The form adapts to show the required credential fields for that type.
Enter Credentials
name: "My GHCR"
type: GHCR
credentials:
username: "myorg"
token: "ghp_xxxxxxxxxxxx" # Personal access token or fine-grained tokenUse a token with read:packages scope (or write:packages if pushing).
name: "Docker Hub"
type: Docker
credentials:
username: "myuser"
password: "dckr_pat_xxxxxxxxxxxx" # Access token, not your passwordname: "Production ECR"
type: ECR
credentials:
accessKeyId: "AKIAIOSFODNN7EXAMPLE"
secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
region: "us-east-1"Use an IAM user with ecr:GetAuthorizationToken, ecr:BatchGetImage, and ecr:GetDownloadUrlForLayer permissions.
name: "Internal Registry"
type: Custom
credentials:
url: "https://registry.internal.example.com"
username: "deploy"
password: "secret"Test Connectivity
Click Test Connection to validate credentials before saving. The platform checks that all required fields are present and structurally valid.
Save
The registry is now available when creating or updating containers. Select it from the registry dropdown and specify the image name and tag.
Using a Registry in Deployments
When creating a container with sourceType: registry, reference the saved registry:
sourceType: registry
registryConfig:
registryId: "reg-abc123" # links to the saved registry
imageName: "ghcr.io/myorg/api"
imageTag: "v2.1.0"The platform passes the registry credentials to the orchestrator:
- Kubernetes: Creates an
imagePullSecretin the namespace - Docker Swarm: Passes credentials via
docker loginon the node - Docker Compose: Runs
docker loginbefore pulling
Pull Secrets on Kubernetes
For K8s clusters, the platform automatically manages imagePullSecret resources:
# Auto-generated by the platform:
apiVersion: v1
kind: Secret
metadata:
name: ghcr-creds
namespace: env-production
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: <base64-encoded credentials>The secret is referenced in every pod spec that uses images from that registry.
Pull secrets are scoped to the environment namespace. Each environment gets its own copy to maintain isolation.
Public Images
For public images (Docker Hub public repos, ghcr.io public packages), no credentials are needed:
sourceType: registry
registryConfig:
imageName: "postgres"
imageTag: "17-alpine"Select the Public registry type or leave registryId empty.
Updating Credentials
To rotate credentials, navigate to Settings > Container Registries, select the registry, and update the credential fields. Existing containers using this registry will use the new credentials on their next deployment.
Updating registry credentials does not trigger a redeployment. Running containers continue using the image already pulled. The new credentials take effect on the next image pull (deploy, scale, or pod restart).
Deleting a Registry
Only the user who created a registry can delete it. Before deleting, ensure no active containers reference the registry — otherwise image pulls will fail on the next deployment.
registry.delete({ registryId: "reg-abc123" })How is this guide?
Last updated on