CrabGlamp

Deploy a private image

Deploy a container image from a private registry by saving a registry credential on your account and selecting it when you create the App VM. CrabGlamp verifies access before creation, authenticates the first pull, and reuses the credential on every later deploy so rotation happens in one place.

Last updated:

Save a registry credential

  1. Open Registry credentials in the dashboard sidebar.
  2. Enter the registry host (for example ghcr.io), a username, and an access token, then select Add credential.
  3. CrabGlamp verifies the credential against the registry before saving it. A rejected token fails with an explanation.

Credentials belong to your account: any App VM can use them, and updating one updates every App that references it on its next deploy.

Token requirements by registry

RegistryUsernameSecret
Docker Hub (docker.io)Your Docker IDPassword or access token
GitHub (ghcr.io)Your GitHub usernamePersonal access token with read:packages
GitLab (registry.gitlab.com)Your GitLab usernamePersonal access token with read_registry
Google Artifact Registry_json_keyA service-account JSON key with the Artifact Registry Reader role
Amazon ECRAWSOutput of aws ecr get-login-password — expires every 12 hours; update the credential on the Registry credentials page to refresh

Create the App VM

  1. Select Create App VM and enter your private image reference.
  2. Choose the credential under Registry credential, or add one inline.
  3. Submit. CrabGlamp checks that the image is reachable with that credential — a mistyped reference, a rejected token, or an image without a linux/amd64 variant fails immediately with a specific message instead of creating a broken App.

The first start authenticates with your credential. No redeploy step is needed.

Note on image verification: The pre-create check works by fetching the image manifest. For multi-platform images (manifest lists), CrabGlamp can confirm linux/amd64 is present. For single-platform images, the platform is not visible in the manifest alone — if an incompatible single-platform image is deployed, the failure appears as a failed first deploy rather than a creation error.

Change or remove a credential

  • To point an App at a different credential, use the Configuration card on the App's detail page and save — the App redeploys with the new credential.
  • A credential that is still referenced by an App cannot be deleted; reassign those Apps first.

If a pull fails after creation

A revoked or expired token surfaces as a failed deploy with the registry's error. Update the credential under Registry credentials, then redeploy from the App's detail page.

Related

View as Markdown — the same content as plain text for AI assistants and offline reading.

Was this helpful?