Build DigitalOcean Container Registry configurations with repositories and garbage collection.
Last verified: May 2026
Build DigitalOcean Container Registry configurations with repositories, garbage collection, Kubernetes integration, and tier settings.
Required fields: `name`, `subscription_tier`
The builder collects registry name, region, subscription tier (Starter, Basic, Professional, each with different storage and bandwidth allowances), and garbage collection schedule. It validates the tier against current DO offerings and emits a `digitalocean_container_registry` Terraform resource plus an optional `digitalocean_container_registry_docker_credentials` block. The output also includes the `doctl registry login` command for adding registry credentials to local Docker.
DigitalOcean Container Registry is a private Docker registry tied to a DO account, with subscription tiers based on storage capacity. The DO Container Registry Config Builder generates a registry definition including subscription tier, region, repository organization conventions, and garbage collection schedule. Output covers Terraform `digitalocean_container_registry` resources and the doctl commands needed to authenticate Docker clients against the registry.
Your registry has been on the Basic tier for two years; storage has crept up to 95% of its limit because nobody set up garbage collection. CI starts failing on pushes when the registry is full. You schedule GC weekly through the builder's config, run a one-time manual GC to recover the space, and storage drops from 49 GB to 12 GB overnight. The registry stays on the Basic tier (and inside its budget) for another year.
Tag images with both a semver-ish version (v2.3.4) and the git SHA. Tagging only `latest` makes rollback impossible; tagging only the SHA makes it hard for humans to talk about versions. Using both gives you an exact build to roll back to and a version name people can refer to.
Set up integration with DOKS once and pull secrets are managed automatically. Rotating registry credentials and updating image-pull secrets across many namespaces by hand is a routine 30-minute outage waiting to happen.
Garbage collection identifies images whose tags are no longer referenced (orphaned manifests) and deletes them after a configurable retention window. It is the only way to recover space from old image versions — pushing a new tag to an existing name does not delete the old image, it just orphans it. Run garbage collection on a schedule (daily or weekly) to keep storage costs predictable.
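The orphaning behaviour described above, as a simplified model added here (not DigitalOcean's implementation or the builder's output). The `Registry` class, the digests, the sizes and the 7-day retention value are constructed assumptions; the point is which manifests and layers a mark-and-sweep pass removes after `latest` has been re-pushed several times.

```python
from dataclasses import dataclass, field

@dataclass
class Registry:
    """Toy model of one repository: tags -> manifest digests -> layer blobs."""
    tags: dict = field(default_factory=dict)       # tag -> manifest digest
    manifests: dict = field(default_factory=dict)  # digest -> (layers, pushed_day)
    blobs: dict = field(default_factory=dict)      # layer digest -> size in MB

    def push(self, tag, digest, layers, day):
        """Push an image. Re-pointing an existing tag leaves the previous
        manifest stored but untagged (orphaned); nothing is deleted here."""
        self.blobs.update(layers)
        self.manifests[digest] = (set(layers), day)
        self.tags[tag] = digest

    def used_mb(self):
        return sum(self.blobs.values())

    def garbage_collect(self, today, retention_days):
        """Mark and sweep: drop untagged manifests older than the retention
        window, then drop blobs that no surviving manifest references."""
        tagged = set(self.tags.values())
        for digest, (_, day) in list(self.manifests.items()):
            if digest not in tagged and today - day >= retention_days:
                del self.manifests[digest]
        live = set()
        for layers, _ in self.manifests.values():
            live |= layers
        freed = sum(size for blob, size in self.blobs.items() if blob not in live)
        self.blobs = {b: s for b, s in self.blobs.items() if b in live}
        return freed


def demo():
    reg = Registry()
    base = {"sha256:base": 80}  # layer shared by every build (constructed)
    # Constructed history: CI re-pushes "latest"; one build also gets a version tag.
    reg.push("latest", "sha256:m1", {**base, "sha256:app1": 40}, day=0)
    reg.push("latest", "sha256:m2", {**base, "sha256:app2": 40}, day=10)
    reg.push("v2.3.4", "sha256:m2", {**base, "sha256:app2": 40}, day=10)
    reg.push("latest", "sha256:m3", {**base, "sha256:app3": 40}, day=27)
    reg.push("latest", "sha256:m4", {**base, "sha256:app4": 40}, day=29)
    before = reg.used_mb()
    freed = reg.garbage_collect(today=30, retention_days=7)
    return before, freed, reg.used_mb(), sorted(reg.manifests)
```

In this run `m1` is swept, `m2` survives because `v2.3.4` still points at it, `m3` is orphaned but still inside the retention window, and the shared base layer is kept because live manifests reference it.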
DO Container Registry endpoints are reachable over the public internet, secured by authentication tokens. The transit is TLS-encrypted; the auth scope is limited to push/pull on specific repositories. For tighter network controls, attach to specific Droplets via Cloud Firewall rules — but the registry itself is not VPC-private in the same sense as a managed database.
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.