> ## Documentation Index
> Fetch the complete documentation index at: https://docs.minimus.io/llms.txt
> Use this file to discover all available pages before exploring further.
# Authenticating to the Minimus Registry
> How to log into the Minimus registry to pull and verify images
The Minimus container registry is located at: `reg.mini.dev`. An active token is required to pull images from the Minimus registry. With an active token, you can pull any of the Minimus images included in your subscription (or available without a subscription).
A token is a type of secret so, like with all secrets, you should ensure that the token isn't stored where it can be leaked.
## Overview
The following article details different methods of authenticating to the Minimus registry in Docker, Kubernetes, and with Helm charts. Visit the [token page](https://images.minimus.io/manage/tokens) in your Minimus console to copy a few useful authentication commands:
* `docker login`
* `kubectl create secret` (Creates K8s secret)
* Package access
[Learn more about managing tokens](/manage/token)
## Docker environment
### Insert token inline (on-demand authentication)
Insert your Minimus token directly in the `docker pull` / `docker run` command to login to the Minimus registry on demand. The token isn’t persisted in Docker’s credential store. This approach works well for ad-hoc testing.
```shellscript inline token format theme={null}
# reg.mini.dev is the minimus registry
docker pull reg.mini.dev/{token}/{image name}
docker run reg.mini.dev/{token}/{image name}
```
```shellscript example theme={null}
docker pull reg.mini.dev/{token}/nginx-fips:latest
docker run reg.mini.dev/{token}/nginx-fips:latest
```
When you copy the pull command from the [gallery](https://images.minimus.io/), it will contain an inline token.
### `docker login` command (persistent authentication)
Authenticate to the Minimus registry using the docker login command to keep your session active until the token expires. This way you will not need to use an inline token.
```shellscript stdin (recommended) theme={null}
echo "{token}" | docker login reg.mini.dev -u minimus --password-stdin
```
```shellscript shortform theme={null}
docker login reg.mini.dev -u minimus -p {token}
# The username is always minimus
```
```shellscript longform theme={null}
docker login reg.mini.dev
# Username: minimus
# Password: {token}
```
It's a security best practice to pass the token via stdin because it avoids exposing the token in the command history, process lists, and logs.
Once authenticated to the Minimus registry, you can pull any image included in your subscription (and any image tag that doesn't require a subscription). For example:
```shellscript theme={null}
docker pull reg.mini.dev/nginx:latest
docker pull reg.mini.dev/nginx:latest-dev
```
Once your token expires, you will need to run `docker login` again with an active token to continue working. A valid inline token will not work since `docker login` takes priority.
You can run `docker logout reg.mini.dev` to reset your access if you prefer to work with an inline token.
### Using a credential store
You have the option to use a credential store for additional security. [Learn more from Docker](https://docs.docker.com/reference/cli/docker/login/)
## Kubernetes environment
### Create Kubernetes Secret (K8s Secret)
To avoid embedding tokens in Kubernetes files or Helm charts, we can reference a Kubernetes Secret. The Kubernetes Secret must be created in the same namespace as the deployment.
Run the following to create a Kubernetes Secret of type `docker-registry`. Once created, you can reference this Secret to let Kubernetes pull images from the Minimus registry automatically. Throughout the Minimus documentation, we assume the K8s Secret is named `minimus-registry`.
```shellscript general format theme={null}
kubectl create secret docker-registry minimus-registry \
--docker-server=reg.mini.dev \
--docker-username=minimus \
--docker-password={token} \
--namespace={same namespace as your helm chart}
```
```shellscript create kubernetes secret named minimus-registry theme={null}
kubectl create secret docker-registry minimus-registry \
--docker-server=reg.mini.dev \
--docker-username=minimus \
--docker-password={token} \
--namespace=default
```
### Create Kubernetes Secret using an encoded file
After logging in using the `docker login` steps above, we can create an encoded `config.json` file locally with the value necessary to generate the Kubernetes Secret.
1. Login to `reg.mini.dev` using the steps above.
2. Execute `cat ~/.docker/config.json | base64 -w 0` to base64 encode the credentials.
3. Create a Kubernetes YAML file named `minimus-registry.yaml`.
```yaml minimus-registry.yaml theme={null}
apiVersion: v1
kind: Secret
metadata:
name: minimus-registry
data:
.dockerconfigjson: {paste your base64 encoded string}
type: kubernetes.io/dockerconfigjson
```
4. Create the K8s Secret in the application namespace:
```powershell theme={null}
kubectl apply -n {namespace} -f minimus-registry.yaml
```
5. Add the `ImagePullSecret` parameter to your deployment by changing the spec as shown in the snippet below and redeploy:
```yaml theme={null}
spec:
containers:
- name: nginx
image: reg.mini.dev/nginx:latest
# add the next two lines
imagePullSecrets:
- name: minimus-registry
```
## Helm charts
### Insert token inline (on-demand)
You can insert the token directly in the `helm install` command. The token can either be inserted as part of the registry, or image, depending on the structure of the Helm chart. See the following examples.
```powershell example 1 theme={null}
# token prepended to image in image.repository
helm install mongodb bitnami/mongodb \
--set image.registry=reg.mini.dev \
--set image.repository={token}/mongo-advanced \
--set image.tag=latest \
--set global.security.allowInsecureImages=true
```
```powershell example 2 theme={null}
# token added after image.registry
helm install linkerd-viz linkerd/linkerd-viz \
--set tap.image.registry=reg.mini.dev/{token} \
--set tap.image.tag=latest \
--set tap.image.name=linkerd-tap-fips
```
```powershell example 3 theme={null}
# token inserted in image.repository
helm install solr-operator apache-solr/solr-operator \
--set image.repository=reg.mini.dev/{token}/solr-operator \
--set image.tag=latest
```
### Reference Kubernetes Secret on-demand
Assuming your Kubernetes secret is named `minimus-registry` as in the above example, you can add the following flag to your Helm install/upgrade commands:
`--set=global.imagePullSecrets[0].name=minimus-registry`.
```yaml flag theme={null}
--set=global.imagePullSecrets[0].name={K8s secret}
```
```shellscript example in context theme={null}
# using existing Kubernetes Secret `minimus-registry`
helm install prometheus-stack prometheus-community/kube-prometheus-stack \
--set=prometheusOperator.image.registry=reg.mini.dev \
--set=prometheusOperator.image.repository=prometheus-operator \
--set=prometheusOperator.image.tag=latest \
--set=global.imagePullSecrets[0].name=minimus-registry
```
The flag overrides the value in the chart without editing the `values.yaml`.
### Add `imagePullSecrets` to `values.yaml`
You can edit the `values.yaml` file to override the values in the chart. To deploy Minimus images to a Kubernetes cluster, add the `ImagePullSecrets` parameter to point to the `minimus-registry` K8s Secret:
```yaml example of values.yaml theme={null}
spec:
containers:
- name: nginx
image: reg.mini.dev/nginx:1.29.0
# add the next two lines
imagePullSecrets:
- name: minimus-registry
```
## Supported images
The images you have permissions to pull depend on the images included in your subscription. [Learn more](/introduction/subscription)
## Troubleshooting
### Valid inline token returned unauthorized error
**To fix the problem**: Run `docker logout reg.mini.dev` to reset your access and try the pull command again.
**Explanation**: Most likely, you previously authenticated with the `docker login` command and the token has since expired or been deleted. The token from the `docker login` command takes precedence over the inline token and this is causing the error.