Container Registry

Manage Access Credentials

Manage authentication credentials for your container registry

Manage Access Credentials

Learn how to manage authentication credentials and access control for your DCR registry.

Default Credentials

When you create a registry, default credentials are automatically generated and displayed:

Username: Provided in the creation confirmation
Password/Token: Securely generated access token

Important: Save these credentials immediately. You'll need them to authenticate with your registry.Screenshot Placeholder: Default credentials display after registry creation

Viewing Credentials

Via Console

Log in to the Nexqloud Console
Navigate to Container → DCR Container Registry
Click on your registry name
Go to the Settings or Credentials tab

Screenshot Placeholder: Registry settings/credentials page

Storing Credentials Securely

Local Credential Store

Docker stores credentials in ~/.docker/config.json after login:

docker login dcr.nexqloud.io/your-registry-name

For additional security, use a credential helper:

# macOS Keychain
brew install docker-credential-helper

Environment Variables

Store credentials as environment variables:

export DCR_USERNAME="your-username"
export DCR_PASSWORD="your-password"
export DCR_REGISTRY="dcr.nexqloud.io/your-registry-name"

Use in scripts:

echo "$DCR_PASSWORD" | docker login "$DCR_REGISTRY" -u "$DCR_USERNAME" --password-stdin

CI/CD Secrets

Store credentials securely in your CI/CD platform:

GitHub Actions

Add as repository secrets:

DCR_USERNAME
DCR_PASSWORD
DCR_REGISTRY

Use in workflow:

- name: Login to DCR
  run: |
    echo "${{ secrets.DCR_PASSWORD }}" | docker login ${{ secrets.DCR_REGISTRY }} \
      -u ${{ secrets.DCR_USERNAME }} --password-stdin

GitLab CI

Add as CI/CD variables:

DCR_USERNAME
DCR_PASSWORD
DCR_REGISTRY

Use in pipeline:

before_script:
  - echo "$DCR_PASSWORD" | docker login "$DCR_REGISTRY" -u "$DCR_USERNAME" --password-stdin

Jenkins

Store credentials in Jenkins Credential Manager and reference in pipeline:

withCredentials([usernamePassword(
  credentialsId: 'dcr-credentials',
  usernameVariable: 'DCR_USERNAME',
  passwordVariable: 'DCR_PASSWORD'
)]) {
  sh 'echo $DCR_PASSWORD | docker login dcr.nexqloud.io/your-registry-name -u $DCR_USERNAME --password-stdin'
}

Rotating Credentials

Regular credential rotation improves security:

Generate New Credentials

Navigate to your registry settings
Click Generate New Credentials or Rotate Credentials
Save the new credentials securely
Update all systems using the old credentials

Old credentials will be invalidated after rotation. Ensure all systems are updated.

Access Control

Private Registry Access

Private registries (current default) require authentication:

All push operations require valid credentials
All pull operations require valid credentials
Credentials are validated on each request

Future: Public Registries

When public registries become available:

Pull operations won't require authentication
Push operations will still require authentication
Read-only public access for images

Multiple User Access

To provide registry access to team members:

Generate separate credentials for each user (when multi-user support is available)
Share credentials securely (use password managers)
Track credential usage per user
Revoke access by rotating credentials

Kubernetes Integration

Create Image Pull Secret

Store credentials as a Kubernetes secret:

kubectl create secret docker-registry dcr-credentials \
  --docker-server=dcr.nexqloud.io/your-registry-name \
  --docker-username=<username> \
  --docker-password=<password> \
  --docker-email=<email>

Use in Deployments

Reference the secret in pod specifications:

apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  containers:
  - name: myapp
    image: dcr.nexqloud.io/your-registry-name/myapp:latest
  imagePullSecrets:
  - name: dcr-credentials

Default Service Account

Configure the default service account to use the secret:

kubectl patch serviceaccount default \
  -p '{"imagePullSecrets": [{"name": "dcr-credentials"}]}'

Credential Troubleshooting

Authentication Failed

If authentication fails:

Verify credentials: Check username and password are correct
Check registry name: Ensure registry name is spelled correctly
Test credentials: Try logging in via CLI
Regenerate: Generate new credentials if needed

# Test login
docker login dcr.nexqloud.io/your-registry-name -u username

Credentials Expired

If credentials have expired:

Generate new credentials in the console
Update local credential store
Update CI/CD secrets
Update Kubernetes secrets

# Update Kubernetes secret
kubectl delete secret dcr-credentials
kubectl create secret docker-registry dcr-credentials \
  --docker-server=dcr.nexqloud.io/your-registry-name \
  --docker-username=<new-username> \
  --docker-password=<new-password>

Permission Denied

If you get permission errors:

Verify you have access to the registry
Check account permissions in console
Confirm credentials are for the correct registry
Contact support if issues persist

Security Best Practices

Credential Management

Never commit credentials: Don't store credentials in code
Use secrets management: Store in vault services or CI/CD secrets
Rotate regularly: Change credentials periodically
Limit exposure: Share credentials only with necessary users
Monitor usage: Track credential usage and access patterns

Access Control

Principle of least privilege: Grant minimum necessary permissions
Separate credentials: Use different credentials for different environments
Audit access: Regularly review who has access
Revoke unused: Remove access for inactive users/systems

Network Security

Use TLS: Always use HTTPS (enforced by DCR)
Private networks: Access registry from secure networks when possible
Firewall rules: Restrict access to known IP ranges if needed

Next Steps

Manage Repositories

View and manage your container image repositories

API Keys

Manage API keys for programmatic access