Image pull secrets store registry credentials that MeshAgent uses to pull a private container image. They are separate from project keys secrets because they solve a different problem:
  • a project keys secret is a runtime application credential
  • an image pull secret is registry authentication used before the container starts
An image pull secret is not injected into the running container, and your application code cannot read it as an environment variable.

Before you start

These examples assume:

Create an image pull secret

Pick the command that matches your registry:
bash
# Docker-compatible registry
meshagent secret docker create \
  --name docker-hub \
  --server myregistry.docker.io \
  --username user \
  --password ****

# Azure Container Registry
meshagent secret acr create \
  --name my-acr \
  --server myregistry.azurecr.io \
  --username serviceprincipalid \
  --password ****

# Google Artifact Registry
meshagent secret gar create \
  --name gcp-registry \
  --server us-docker.pkg.dev \
  --json_key ****
Each command creates a project-level image pull secret and returns its secret ID.

Reference it from a service

Create a file like private-image-demo.yaml:
version: v1
kind: Service
metadata:
  name: private-image-demo
container:
  image: registry.example.com/my-team/private-app:latest
  pull_secret: secret-abcdef123

Replace:
  • registry.example.com/my-team/private-app:latest with your real private image
  • secret-abcdef123 with the secret ID returned when you created the pull secret
Also add whatever command your private image needs, if it does not already have the correct entrypoint.
container.pull_secret is checked before the container starts. MeshAgent uses it to authenticate to the registry, pull the image, and then start the container.

Deploy the service

bash
meshagent service create --file private-image-demo.yaml
This example is not universally runnable because it depends on your private registry, but the steps are complete: create the pull secret, reference it with container.pull_secret, then deploy the service.
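A check to run before `meshagent service create`, added here as an example and not part of MeshAgent's own tooling: it confirms that a manifest pulling from a private registry sets container.pull_secret and that the value is a secret ID rather than a pasted credential. The function names, the list of private registry hosts, and the `secret-` ID shape (taken from the placeholder above) are assumptions.

```python
import re

# Assumption: secret IDs have the shape of the page's placeholder, secret-abcdef123.
SECRET_ID = re.compile(r"^secret-[A-Za-z0-9]+$")

def container_fields(manifest_text):
    """Read the scalar keys directly under `container:` (2-space indent).

    Handles only the flat manifest shape shown on this page; not a YAML parser.
    """
    fields, in_container = {}, False
    for raw in manifest_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:  # a new top-level key starts or ends the block
            in_container = line == "container:"
        elif in_container and indent == 2 and ":" in line:
            key, _, value = line.strip().partition(":")
            fields[key] = value.strip().strip("'\"")
    return fields

def check_manifest(manifest_text, private_registries):
    """Return findings about how the manifest references its pull secret."""
    fields = container_fields(manifest_text)
    image = fields.get("image", "")
    secret = fields.get("pull_secret", "")
    findings = []
    if image.split("/", 1)[0] in private_registries and not secret:
        findings.append(f"{image}: private image without container.pull_secret")
    if secret and not SECRET_ID.match(secret):
        findings.append("container.pull_secret must be a secret ID, not a credential")
    return findings

# Constructed sample manifests (the first is the one from this page).
GOOD = """version: v1
kind: Service
metadata:
  name: private-image-demo
container:
  image: registry.example.com/my-team/private-app:latest
  pull_secret: secret-abcdef123
"""
MISSING = GOOD.replace("  pull_secret: secret-abcdef123\n", "")
INLINE = GOOD.replace("secret-abcdef123", "user:example-password")

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("missing", MISSING), ("inline", INLINE)):
        print(name, check_manifest(text, {"registry.example.com"}))
```
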

Best practices

  • Use image pull secrets only for private registry access.
  • Do not treat an image pull secret as an application runtime secret.
  • Keep registry credentials separate from the credentials your application uses after startup.