An active token is required to pull images from the Minimus registry. Without an active token, the pull command will not work for any image, even the latest version. A token is a type of secret so, like with all secrets, you should ensure that the token isn’t stored where it can be leaked.

Authenticating in a pull command (inline token)

In Docker, you can insert the token directly in the pull command, directly before the image name. This approach works well for ad-hoc testing and execution of images.

# format
docker pull {minimus registry}/{token}/{image name}

# example
docker pull reg.mini.dev/mini_cyxp8ok43cebg2.ia2jfn561o1f_k430/nginx:latest

When you copy the pull command from the gallery, it will contain your default token.

Authenticating to the Minimus Registry

In some environments, you may wish to authenticate to the registry so you can pull images without an embedded token in the pull string. The Minimus container registry is located at: reg.mini.dev.

You have the option to use a direct authentication method or a credential store. The latter is more secure and highly recommended but lies outside of the scope of this guide. Learn more

Docker login command

First, you will need to authenticate to Docker using docker login. When performing a login, the username is always minimus.

docker login reg.mini.dev -u minimus
Password: {your minimus token}

Once logged in, you can pull any image you have access to. For example:

docker pull reg.mini.dev/nginx:latest
docker pull reg.mini.dev/nginx:latest-dev

Once the token used in the docker login command is expired or deleted, pulling images with an inline token will be blocked as well. Run docker logout reg.mini.dev to reset your access.

This is because authentication with the docker login command takes precedence over authentication with an inline token.

Creating a Kubernetes image pull secret

When deploying Minimus images to a Kubernetes cluster, you will want to avoid embedding tokens in artifacts such as Kubernetes YAML files or values.yaml for Helm deployments. The Kubernetes platform allows you to use ImagePullSecrets to manage credentials for pulling images from authenticated registries.

The first step is to create a Secret (which is a Kubernetes object used for storing secrets) in the namespace of the deployment. After logging on locally using the docker login steps above, a config.json is created locally with the value necessary to generate the Kubernetes Secret.

  1. Login to reg.mini.dev using the steps above.

  2. Execute cat ~/.docker/config.json | base64 -w 0 to base64 encode the credentials.

  3. Create a Kubernetes YAML file, minimus-pull-secret.yaml

    apiVersion: v1
kind: Secret
metadata:
  name: minimus-pull-secret
data:
  .dockerconfigjson: {paste your base64 encoded string}
type: kubernetes.io/dockerconfigjson

  4. Execute kubectl -n {namespace} -f minimus-pull-secret.yaml to create the Secret in the application namespace.

  5. Add the ImagePullSecret to your deployment by changing the spec as shown in the snippet below and redeploy:

        spec:
      containers:
      - name: nginx
        image: reg.mini.dev/nginx:latest
        
# add the next two lines
      imagePullSecrets:
      - name: minimus-pull-secret

Supported images

The images you have permissions to pull depend on the images included in your subscription. Learn more

Troubleshooting

Valid inline token returned unauthorized error

To fix the problem: Run docker logout reg.mini.dev to reset your access and try the pull command again.

Explanation: Most likely, you previously authenticated with the docker login command and the token has since expired or been deleted. The token from the docker login command takes precedence over the inline token and this is causing the error.