Registry Connections
Manage container registry credentials for pulling private images
What you see
URL: /registry-connections
The registry connections page lists all configured container registries. Each connection stores the registry URL and authentication details, providing centralized credential management for pulling private container images.
Fields / columns
| Column | Description |
|---|---|
| Name | Unique identifier for this connection (used in workload definitions) |
| URL | Registry endpoint (e.g. registry.example.com, ghcr.io) |
| Auth type | Authentication method: basic (username/password), token, or none |
| Credentials | Whether username and password are stored |
Available actions
| Action | Where | What it does |
|---|---|---|
| Create | Toolbar | Add a new registry connection |
| Edit | Row | Update URL, auth type, or credentials |
| Test | Row | Verify connectivity by hitting the registry's /v2/ endpoint |
| Delete | Row | Remove the connection and its stored credentials. Requires admin role |
How credentials are stored
Registry credentials (username and password) are stored in PodWarden's encrypted secrets store (app_secrets), not in the database. The database only stores the connection name, URL, and auth type.
Credential keys follow the pattern:
{name}_registry_user{name}_registry_password
This matches the existing convention used by workload definitions that reference registry_credentials.
Using with workloads
When deploying a workload that pulls from a private registry:
- Create a registry connection with the correct URL and credentials
- In the workload definition, set Registry credentials to the connection name
- PodWarden automatically creates a Kubernetes
imagePullSecretin the target namespace
Previously, registry credentials had to be added as individual secrets following a naming convention. Registry connections formalize this into a managed object with validation and testing.
Testing a connection
The Test button sends an HTTP GET request to {url}/v2/ with the stored credentials:
| Result | Meaning |
|---|---|
| Reachable and authenticated | Registry is online and credentials are valid |
| Reachable but credentials rejected | Registry is online but returned 401 — check username/password |
| Connection failed | Registry is unreachable — check URL and network connectivity |
Related docs
- Storage — Storage connections follow the same pattern
- Workloads — How workload definitions reference registries
- Deploy Harbor Registry — Deploy your own private registry