How to Set up DigitalOcean Container Registry


The DigitalOcean Container Registry (DOCR) is a private Docker image registry with tooling support that integrates with both your Docker environment and DigitalOcean Kubernetes (DOKS) clusters. Keeping your images in a private registry gives you more security and control over your containers.

In this tutorial, you will learn to set up DigitalOcean Container Registry to securely store and distribute your Docker application images.


Step 1 - Creating a DOCR Repository

In this step, you will create a basic DOCR repository for your DOKS cluster using the doctl utility.

First, explore the available options for working with DOCR repositories via doctl:

doctl registry -h

The output looks similar to:

The subcommands of `doctl registry` create, manage, and allow access to your private container registry.

Usage:
  doctl registry [command]

Aliases:
  registry, reg, r

Available Commands:
  create              Create a private container registry
  delete              Delete a container registry
  docker-config       Generate a docker auth configuration for a registry
  garbage-collection  Display commands for garbage collection for a container registry
  get                 Retrieve details about a container registry
  kubernetes-manifest Generate a Kubernetes secret manifest for a registry.
  login               Log in Docker to a container registry
  logout              Log out Docker from a container registry
  options             List available container registry options
  repository          Display commands for working with repositories in a container registry

To complete this step of the tutorial, you will focus on the create sub-command to create a basic private container registry:

doctl registry create starterkit-reg-1 --subscription-tier basic

The output looks similar to:

Name                Endpoint

You can have only 1 registry endpoint per account in DOCR. A repository in a registry refers to a collection of container images using different versions (tags).

Step 2 - Configuring DOKS for Private Registries

Given that the DOCR is a private endpoint, you need to configure the DOKS cluster to fetch images from the registry:

doctl registry kubernetes-manifest | kubectl apply -f -

The above command creates a Kubernetes secret in the default namespace.

Next, verify that the secret was created:

kubectl get secrets registry-starterkit-reg-1

The output looks similar to:

NAME                        TYPE                             DATA   AGE
registry-starterkit-reg-1   kubernetes.io/dockerconfigjson   1      13s

Then, your application Pods can reference it using imagePullSecrets:

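apiVersion: apps/v1
kind: Deployment
metadata:
  name: starterkit-app
spec:
  replicas: 3
  selector:
    matchLabels: {app: starterkit-app}
  template:
    metadata:
      labels:
        app: starterkit-app
    spec:
      containers:
        - name: starterkit-app
          image: <your-registry-endpoint>/starterkit-app  # placeholder: use your own image
      imagePullSecrets:
        - name: registry-starterkit-reg-1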

You can modify the default service account to always use the secret as an imagePullSecret when creating Pods or Deployments.

kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "registry-starterkit-reg-1"}]}'

Finally, verify the default service account configuration:

kubectl get serviceaccount default -o yaml

The output looks similar to the following snippet. Verify that the imagePullSecrets points to registry-starterkit-reg-1.

apiVersion: v1
imagePullSecrets:
  - name: registry-starterkit-reg-1
kind: ServiceAccount
metadata:
  creationTimestamp: '2021-09-17T12:05:46Z'
  name: default
  namespace: default
  resourceVersion: '2017370'
  uid: 677b1ef4-3cb5-418f-b798-9029a5641561
secrets:
  - name: default-token-zbvww

From now on, any new Pod will have this automatically added to its spec:

  imagePullSecrets:
    - name: registry-starterkit-reg-1

For more information on patching the default service account to use imagePullSecrets, consult the Kubernetes documentation.
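The patch above changes only the `default` service account in the `default` namespace, so workloads that run under another service account or in another namespace do not inherit the secret. The following is an added example, not part of the original tutorial: it audits `kubectl ... -o json` output for Deployments that pull from the registry without receiving the pull secret, and lists which registry hosts a pull secret covers without exposing the credential. The registry host `registry.digitalocean.com`, the function names and all sample objects are assumptions constructed for illustration.

```python
import base64
import json

REGISTRY = "registry.digitalocean.com"  # assumed DOCR host; the page does not show the endpoint
SECRET = "registry-starterkit-reg-1"    # pull secret name from the tutorial

def registries_in_pull_secret(secret):
    """Registry hosts a dockerconfigjson Secret holds credentials for (hosts only)."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a dockerconfigjson secret")
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    return sorted(json.loads(raw).get("auths", {}))

def deployments_without_pull_secret(deployments, service_accounts):
    """Deployments pulling from REGISTRY whose Pod template and service account both lack SECRET."""
    sa_secrets = {(sa["metadata"]["namespace"], sa["metadata"]["name"]):
                  {s["name"] for s in sa.get("imagePullSecrets", [])} for sa in service_accounts}
    missing = []
    for dep in deployments:
        ns, name = dep["metadata"]["namespace"], dep["metadata"]["name"]
        pod = dep["spec"]["template"]["spec"]
        if not any(c["image"].startswith(REGISTRY + "/") for c in pod["containers"]):
            continue  # nothing pulled from the private registry
        granted = {s["name"] for s in pod.get("imagePullSecrets", [])}
        granted |= sa_secrets.get((ns, pod.get("serviceAccountName", "default")), set())
        if SECRET not in granted:
            missing.append(f"{ns}/{name}")
    return missing

# Constructed sample data (placeholder credential), shaped like `kubectl get <kind> -A -o json` items.
def _deployment(ns, name, sa="default", own_secret=False):
    pod = {"serviceAccountName": sa,
           "containers": [{"name": name, "image": f"{REGISTRY}/starterkit-reg-1/{name}"}]}
    if own_secret:
        pod["imagePullSecrets"] = [{"name": SECRET}]
    return {"metadata": {"namespace": ns, "name": name}, "spec": {"template": {"spec": pod}}}

SAMPLE_SAS = [
    {"metadata": {"namespace": "default", "name": "default"}, "imagePullSecrets": [{"name": SECRET}]},
    {"metadata": {"namespace": "default", "name": "worker"}},
    {"metadata": {"namespace": "staging", "name": "default"}},
]
SAMPLE_DEPLOYMENTS = [_deployment("default", "starterkit-app"), _deployment("default", "batch", "worker"),
                      _deployment("staging", "api"), _deployment("staging", "web", own_secret=True)]
_cfg = json.dumps({"auths": {REGISTRY: {"auth": base64.b64encode(b"user:placeholder").decode()}}})
SAMPLE_SECRET = {"type": "kubernetes.io/dockerconfigjson",
                 "data": {".dockerconfigjson": base64.b64encode(_cfg.encode()).decode()}}
if __name__ == "__main__":
    print(registries_in_pull_secret(SAMPLE_SECRET), deployments_without_pull_secret(SAMPLE_DEPLOYMENTS, SAMPLE_SAS))
```

A reference to the secret is not enough by itself: the Secret object must also exist in the same namespace as the Pod, because imagePullSecrets are resolved within the Pod's namespace.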


In this tutorial, you learned how to create a private DOCR registry for your DOKS cluster. Then, you learned how to patch secrets for DOKS to securely authenticate and pull Docker images for your applications running in the cluster.

Learn More

Next, you will learn how to set up the Ambassador Edge Stack to act as an Ingress controller with some example backend applications to test the setup.


About the authors
Cristian Marius Tiutiu



Technical Writer
