Access & Authentication
This guide explains how authentication works for CloudRaya Container Registry and how to securely access your registry using standard container tooling.
CloudRaya Container Registry uses credential-based authentication.
Authentication Model Overview
CloudRaya Container Registry authentication is:
- Username and password based
- Private by default
- Scoped per registry
- Compatible with:
- Docker CLI
- Kubernetes (KubeRaya)
- CI/CD pipelines
- Third-party container tools
Each registry has its own credentials, independent from your CloudRaya account login and other registries.
Registry Endpoint
Each registry is assigned a unique endpoint when created.
This endpoint is used for:
- Docker login
- Image push
- Image pull
- Kubernetes image references
You will use this endpoint in all container and Kubernetes configurations.
Step 1: Obtain Registry Credentials
Registry credentials are defined during registry creation.
You will need:
-
Registry username
(Same as the registry name)
-
Registry password
(Set during creation or reset later)
CloudRaya does not display registry passwords after creation. If the password is lost or compromised, it must be reset from the Control Panel.
Step 2: Authenticate Using Docker CLI
Use the Docker CLI to authenticate against the registry.
docker login <registry-endpoint>Example:
docker login registry.cloudraya.comYou will be prompted for:
- Username
- Password
If authentication succeeds, Docker stores the credentials locally for future operations.
Where Credentials Are Stored (Local Machine)
Docker stores registry credentials in:
~/.docker/config.jsonDo not commit this file to source control. Treat it as a sensitive configuration file.
Authentication in CI/CD Pipelines
For automated environments, credentials should be injected securely using:
- CI/CD platform secrets
- Environment variables
- Secret management systems
Example (conceptual):
docker login \
-u $REGISTRY_USERNAME \
-p $REGISTRY_PASSWORD \
<registry-endpoint>🔐 Never hardcode credentials into pipeline scripts or repository files.
Kubernetes Authentication (Image Pull)
Kubernetes requires registry credentials to be stored as a Secret and referenced as an imagePullSecret.
High-Level Flow
KubeRaya (Kubernetes)
↓
imagePullSecret
↓
CloudRaya Container RegistryThis enables Kubernetes to pull private images securely during pod creation.
Typical use cases:
- Production workloads
- Private microservices
- CI/CD-driven deployments
📄 See: Integrate Container Registry with Kubernetes (KubeRaya)
Resetting Registry Credentials
If credentials are compromised, lost, or rotated for security, you can reset them at any time.
What Happens When You Reset Credentials
- A new password is generated
- Old credentials are immediately invalidated
- All clients must re-authenticate
Impact
- Running containers are not affected
- New image pulls will fail until credentials are updated
Access Control Scope
Registry credentials grant access to:
- Push images
- Pull images
- List repositories and tags within the registry
They do not grant access to:
- Other registries
Each registry is isolated by design.
Security Best Practices
- Use unique credentials per registry
- Rotate passwords periodically
- Store credentials in secret managers for automation
- Limit who has access to registry credentials
- Reset credentials immediately if exposure is suspected
Common Authentication Issues
| Issue | Cause | Resolution |
|---|---|---|
| Unauthorized | Incorrect username or password | Verify credentials and retry login |
| Access denied | Wrong registry endpoint | Confirm the registry URL |
| Image pull fails in Kubernetes | Missing imagePullSecret | Create or attach the correct secret |