Registries

A registry stores the credentials Bahriya uses to pull container images from a private OCI registry. Any OCI-compliant registry is supported: Docker Hub, GitHub Container Registry (ghcr.io), GitLab Container Registry, AWS Elastic Container Registry, self-hosted Harbor, and so on.

When you need a registry

Add a registry when your container image is in a private repository that requires authentication. Common examples:

• A private repository on Docker Hub
• GitHub Container Registry with a private image
• GitLab Container Registry
• AWS Elastic Container Registry
• Your own self-hosted registry

Public images (e.g. nginx:latest on Docker Hub) do not need a registry entry — Bahriya pulls them directly.

Fields

How credentials are stored

Registry credentials are encrypted before they ever land on disk. The console and API surface metadata only — server, username, version count, attached projects — never the password. The plaintext is materialised only at deployment time, inside the isolated environment that configures image pulling, and discarded immediately after.

Versioning and rotation

Registries are versioned. The first set of credentials you save is v1. Rotating creates v2 with the new credentials and marks it current — older versions are retained for rollback.

Rotation is the right tool whenever you:

• Rotate an access token on a schedule
• Replace a compromised credential
• Move from one set of credentials to another for the same registry server

After rotation, containers that already mount the registry pick up the new credentials on their next deploy. If a rotation goes wrong, activate a previous version to roll back instantly — no need to re-enter the old credentials by hand.

Attaching to a project

Registries live at the organisation level so multiple projects can share the same set of credentials. A project can only use a registry that has been attached to it. Two-step model: create at the org, attach to the project, then wire to the container.

Attach a registry from:

• The console — Project → Attachments → Registries
• Reis CLI — reis project:attach <project-id> registries <handle>
• Terraform — bahriya_project_registry_attachment
• The API — POST /organisations/{org}/projects/{project}/attach/registries/{handle}

Detach reverses the operation; the API rejects detach if any running container in the project still references the registry.

Wiring to a container

On a container, the top-level registry field names the attached registry by handle:

kind: container
type: http
handle: my-api
image: ghcr.io/my-org/my-api:1.4.0
project: prod
registry: ghcr-deploy
regions:
  - falkenstein-1

A single registry can be wired to any number of containers in the same project.

Updating credentials

To replace the username or password, rotate the registry. The next deployment of any container that references it picks up the new credentials. If you want to verify the change immediately, redeploy from the container detail page.

The legacy update flow that overwrote credentials in place is gone — every change goes through rotation so the previous credentials remain available for rollback.

Deleting a registry

Deleting a registry removes the credentials and detaches it from every project it was attached to. Containers still referencing it will fail to pull images on their next deployment, so detach from all projects (and remove the reference from the containers using it) before deleting.

The handle is permanently consumed once used — even after deletion, you cannot create a new registry with the same handle.

Pricing

Registries are billed at $0.02 per month while they exist in the organisation, plus $0.02 per region per month while attached to a project.

See also

• Vault overview
• Secrets
• Registry commands in Reis (CLI reference)
• Registries with Terraform