How to Use Your Private DigitalOcean Container Registry with Docker and Kubernetes (Early Availability)

Configure Docker to Push to and Pull from the Registry

To interact with your registry using the docker command-line interface (CLI), you'll need to first configure docker using the DigitalOcean command-line tool, doctl. Install doctl and authenticate it with an API token.

Then, call the following command:

doctl registry login

This command adds credentials to docker so that pull and push commands to your DigitalOcean registry will be authenticated.

Note

Under the hood, this generates a DigitalOcean token that grants docker access to your account. You can revoke the token at any time by navigating to API in the DigitalOcean control panel. If you're in an environment that doesn't have doctl, or you want to use an existing API token, you can simulate what doctl registry login does by using an API token string as both the username and the password when calling docker login. A token passed with -p is recorded in shell history and visible in the process list; docker login can read it from standard input with --password-stdin instead. For example, with -p:

docker login -u ZDRhYzzzz -p ZDRhYzzzz registry.digitalocean.com

You can then use the docker tag command to tag your image with the fully qualified destination path, and docker push to upload it:

   docker tag <my-image> registry.digitalocean.com/<my-registry>/<my-image>
   docker push registry.digitalocean.com/<my-registry>/<my-image>

Configure Your DigitalOcean Kubernetes cluster

There are two ways to upload the credentials for your registry to your cluster:

  1. Upload credentials using doctl
  2. Obtain credentials from the control panel and upload them manually

Option 1: Upload Credentials Using doctl

Run the following command to download the credentials for your registry and upload them to your cluster as a secret:

doctl registry kubernetes-manifest | kubectl apply -f -

The secret will be named registry-<your-registry-name>.

Option 2: Use Credentials Obtained from the Control Panel

To download credentials from the control panel, navigate to Images and click on the Container Registry tab. Then, click Download Docker Credentials to download the credentials as a JSON file.

Once you have the credentials on your machine, upload them to your cluster as a secret. Here, we've named the secret do-registry:

kubectl create secret generic do-registry \
  --from-file=.dockerconfigjson=docker-config.json \
  --type=kubernetes.io/dockerconfigjson
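As an added example (not DigitalOcean's code), this Python script checks a credentials file before upload and builds the same kind of Secret the kubectl command above creates. It assumes the file follows the standard Docker config layout (an auths map whose auth field is base64 of user:password); the function names and the sample token are constructed for illustration.

```python
import base64
import json

REGISTRY = "registry.digitalocean.com"  # registry host used on this page


def docker_config(token: str) -> dict:
    """Config equivalent to docker login with the token as username and password."""
    auth = base64.b64encode(f"{token}:{token}".encode()).decode()
    return {"auths": {REGISTRY: {"auth": auth}}}


def validate_config(raw: str) -> None:
    """Raise ValueError unless raw holds a usable credential for REGISTRY.

    Assumes the standard Docker config layout. The decoded credential is
    never returned or logged.
    """
    auths = json.loads(raw).get("auths", {})
    if REGISTRY not in auths:
        raise ValueError(f"no auths entry for {REGISTRY}")
    try:
        decoded = base64.b64decode(auths[REGISTRY]["auth"], validate=True).decode()
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("auth field missing or not valid base64") from exc
    user, sep, password = decoded.partition(":")
    if not (user and sep and password):
        raise ValueError("auth must decode to user:password")


def pull_secret(name: str, raw: str) -> dict:
    """Build a Secret of type kubernetes.io/dockerconfigjson from the file text."""
    validate_config(raw)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        # Secret data values are the base64 encoding of the file's bytes.
        "data": {".dockerconfigjson": base64.b64encode(raw.encode()).decode()},
    }


if __name__ == "__main__":
    sample = json.dumps(docker_config("constructed-sample-token"))  # constructed
    # The manifest contains the credential: pipe it to kubectl, do not log it.
    print(json.dumps(pull_secret("do-registry", sample), indent=2))
```

The printed JSON can be piped to kubectl apply -f - in place of the kubectl create secret command.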

Use Images from Your Registry in Your Cluster

To use the images stored in your registry, reference the secret you just uploaded as an imagePullSecret. There are two ways to do this:

  1. Set an imagePullSecret on a per-Pod or per-Deployment basis
  2. Set an imagePullSecret as the default for all Pods and Deployments

Option 1: Setting an imagePullSecrets value for a Single Pod or Deployment

In the previous control panel-based example, the secret was given the name do-registry, so that name is also used here. If you used the doctl-based instructions, the secret will be registry-<my-registry> instead.

    
        
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      containers:
      - name: hello
        image: registry.digitalocean.com/myregistry/myimage
      imagePullSecrets:
      - name: do-registry

    

For more information on configuring Pods to connect to private registries, consult the Kubernetes documentation.

Option 2: Setting imagePullSecrets as the Default for all Pods and Deployments

You can modify the default service account to always use the secret as an imagePullSecret when creating Pods or Deployments.

In the previous control panel-based example, the secret was given the name do-registry, so that name is also used here. If you used the doctl-based instructions, the secret will be registry-<my-registry> instead.

kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "do-registry"}]}'

From then on, any new Pods will have this automatically added to their spec:

spec:
  imagePullSecrets:
  - name: do-registry

For more information on patching the default service account to use imagePullSecrets, consult the Kubernetes documentation.