Skip to main content
Version: 2026.04

Docker Pull Secret

The Istari Platform and its dependencies (Zitadel, SpiceDB) require a docker pull secret to pull container images from the Istari Digital artifact registry (istaridigital.jfrog.io). Obtain the registry username and password from the Istari Customer Portal: use your organization’s JFrog service account name and a token generated from the portal (for example via Generate ready-to-use commands on a Docker image asset). The docker pull secret should be created in the Kubernetes cluster before installing any of these components.

ISTARI_ARTIFACTORY_USERNAME=
ISTARI_ARTIFACTORY_PASSWORD=
kubectl create secret docker-registry docker-pull-secret \
  --docker-server="istaridigital.jfrog.io" \
  --docker-email="${ISTARI_ARTIFACTORY_USERNAME}" \
  --docker-username="${ISTARI_ARTIFACTORY_USERNAME}" \
  --docker-password="${ISTARI_ARTIFACTORY_PASSWORD}"
info

Set ISTARI_ARTIFACTORY_USERNAME and ISTARI_ARTIFACTORY_PASSWORD to the JFrog service account username and token from the Customer Portal—not a personal portal login, unless Istari Digital has instructed otherwise.

Alternatively, if using a private repository, customers will need to create a Docker registry secret in Kubernetes for the custom container registry (e.g., a private repository on Docker Hub, GitHub Container Registry, ECR, Harbor, etc.).

DOCKER_SERVER=
DOCKER_USERNAME=
DOCKER_PASSWORD=
kubectl create secret docker-registry docker-pull-secret \
  --docker-server="${DOCKER_SERVER}" \
  --docker-email="${DOCKER_USERNAME}" \
  --docker-username="${DOCKER_USERNAME}" \
  --docker-password="${DOCKER_PASSWORD}"

Verify that the secret was created successfully:

kubectl describe secret docker-pull-secret