Cristian Marius Tiutiu, Bikram Gupta, and Easha Abid
The DigitalOcean Container Registry (DOCR) is a private Docker image registry with tooling support that integrates with both your Docker environment and DigitalOcean Kubernetes (DOKS) clusters. This gives you security and enhanced control over your container images.
In this tutorial, you will learn to set up DigitalOcean Container Registry to securely store and distribute your Docker application images.
kubectl and doctl tools installed on your machine.
In this step, you will create a basic DOCR repository for your DOKS cluster using the doctl utility.
First, explore the available options for working with DOCR repositories via doctl:
doctl registry -h
The output looks similar to:
The subcommands of `doctl registry` create, manage, and allow access to your private container registry.
Usage:
  doctl registry [command]

Aliases:
  registry, reg, r

Available Commands:
  create              Create a private container registry
  delete              Delete a container registry
  docker-config       Generate a docker auth configuration for a registry
  garbage-collection  Display commands for garbage collection for a container registry
  get                 Retrieve details about a container registry
  kubernetes-manifest Generate a Kubernetes secret manifest for a registry.
  login               Log in Docker to a container registry
  logout              Log out Docker from a container registry
  options             List available container registry options
  repository          Display commands for working with repositories in a container registry
...
To complete this step of the tutorial, you will focus on the create sub-command to create a basic private container registry:
doctl registry create starterkit-reg-1 --subscription-tier basic
The output looks similar to:
Name                Endpoint
starterkit-reg-1    registry.digitalocean.com/starterkit-reg-1
You can have only 1 registry endpoint per account in DOCR. A repository in a registry refers to a collection of container images using different versions (tags).
Given that the DOCR is a private endpoint, you need to configure the DOKS cluster to fetch images from the registry:
doctl registry kubernetes-manifest | kubectl apply -f -
The above command creates a Kubernetes secret in the default namespace.
Next, verify that the secret was created:
kubectl get secrets registry-starterkit-reg-1
The output looks similar to:
NAME                        TYPE                             DATA   AGE
registry-starterkit-reg-1   kubernetes.io/dockerconfigjson   1      13s
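The listing above confirms only the secret's name and type. The following added example (not part of the original tutorial) audits the content of the object returned by kubectl get secret registry-starterkit-reg-1 -o json without revealing the credential. The function names, the sample object and its placeholder credentials are constructed, and it assumes each registry entry carries a base64 auth field.

```python
import base64
import json

EXPECTED_HOST = "registry.digitalocean.com"  # host of the endpoint in the tutorial output


def audit_pull_secret(secret, expected_host=EXPECTED_HOST):
    """Return findings for a parsed Secret object; an empty list means it is a
    well-formed pull secret for expected_host. Credentials are never returned.
    """
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return ["type is %r, not kubernetes.io/dockerconfigjson" % secret.get("type")]
    try:
        # The Docker config lives base64-encoded under the ".dockerconfigjson" key.
        raw = base64.b64decode(secret["data"][".dockerconfigjson"], validate=True)
        auths = json.loads(raw)["auths"]
        if not isinstance(auths, dict):
            raise TypeError("auths is not a map")
    except (KeyError, ValueError, TypeError):
        return ["data['.dockerconfigjson'] is not base64-encoded JSON with an 'auths' map"]
    findings = []
    if expected_host not in auths:
        findings.append("no credential entry for %s" % expected_host)
    for host, entry in auths.items():
        if host != expected_host:
            # Least privilege: the pull secret should carry only this registry.
            findings.append("unexpected extra registry host: %s" % host)
            continue
        try:
            decoded = base64.b64decode(entry["auth"], validate=True).decode()
        except (KeyError, ValueError, TypeError):
            findings.append("auth for %s is missing or not valid base64" % host)
            continue
        user, _, password = decoded.partition(":")
        if not user or not password:
            findings.append("auth for %s is not in 'user:password' form" % host)
    return findings


def sample_secret(host=EXPECTED_HOST, auth="constructed-user:constructed-token"):
    """Constructed Secret object with placeholder credentials (not real output)."""
    b64 = lambda text: base64.b64encode(text.encode()).decode()
    config = json.dumps({"auths": {host: {"auth": b64(auth)}}})
    return {"kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": b64(config)}}


if __name__ == "__main__":
    print(audit_pull_secret(sample_secret()) or "OK")
```

To audit a real cluster object, load the JSON output of the kubectl command with json.load and pass the resulting dictionary to audit_pull_secret.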
Then, your application Pods can reference it using imagePullSecrets:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: starterkit-app
spec:
  replicas: 3
  # apps/v1 requires a selector that matches the Pod template labels
  selector:
    matchLabels:
      app: starterkit-app
  template:
    metadata:
      labels:
        app: starterkit-app
    spec:
      containers:
        - name: starterkit-app
          image: registry.digitalocean.com/myregistry/myimage
      # Secret created by `doctl registry kubernetes-manifest`
      imagePullSecrets:
        - name: registry-starterkit-reg-1
You can modify the default service account to always use the secret as an imagePullSecret when creating Pods or Deployments:
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "registry-starterkit-reg-1"}]}'
Finally, verify the default service account configuration:
kubectl get serviceaccount default -o yaml
The output looks similar to the following snippet. Verify that the imagePullSecrets points to registry-starterkit-reg-1.
apiVersion: v1
imagePullSecrets:
  - name: registry-starterkit-reg-1
kind: ServiceAccount
metadata:
  creationTimestamp: '2021-09-17T12:05:46Z'
  name: default
  namespace: default
  resourceVersion: '2017370'
  uid: 677b1ef4-3cb5-418f-b798-9029a5641561
secrets:
  - name: default-token-zbvww
From now on, any new Pod created with the default service account in the default namespace will have this automatically added to its spec:
...
spec:
  imagePullSecrets:
    - name: registry-starterkit-reg-1
...
For more information on patching the default service account to use imagePullSecrets, consult the Kubernetes documentation.
In this tutorial, you learned how to create a private DOCR registry for your DOKS cluster. Then, you learned how to patch secrets for DOKS to securely authenticate and pull Docker images for your applications running in the cluster.
Next, you will learn how to set up the Ambassador Edge Stack to act as an Ingress controller with some example backend applications to test the setup.