#### Default execution environments from private registries

In order to register default execution environments from private registries, the Custom Resource needs to know about the pull credentials. Those credentials should be stored as a secret and either specified as `ee_pull_credentials_secret` at the CR spec level, or simply be present on the namespace under the name `-ee-pull-credentials`. Instance initialization will register a `Container registry` type credential on the deployed instance and assign it to the registered default execution environments.

The secret should be formatted as follows:

```yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: -ee-pull-credentials
  namespace:
stringData:
  url:
  username:
  password:
  ssl_verify:
type: Opaque
```

##### Control plane EE from private registry

The images listed in `ee_images` will be added as globally available Execution Environments. The `control_plane_ee_image` will be used to run project updates. In order to use a private image for any of these, you'll need to use `image_pull_secrets` to provide a list of Kubernetes pull secrets to access it. Currently the same secret is used for any of these images supplied at install time.

You can create an `image_pull_secret` with:

```
kubectl create secret docker-registry -cp-pull-credentials --docker-server= --docker-username= --docker-password= --docker-email=
```

If you need more control (for example, to set a namespace or a label on the new secret), then you can customize the Secret before storing it.

Example spec file extra-config:

```yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: -cp-pull-credentials
  namespace:
data:
  .dockerconfigjson:
type: kubernetes.io/dockerconfigjson
```
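
One way to build the customized `kubernetes.io/dockerconfigjson` Secret described above, with a namespace and labels set before it is stored. This is an added example, not code from the project; the function names, the `demo` resource name, the `demo-ns` namespace and the registry values are constructed assumptions.

```python
import base64
import json


def docker_config_json(server, username, password, email=""):
    """Return the JSON document stored under .dockerconfigjson."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "auth": auth}
    if email:
        entry["email"] = email
    return json.dumps({"auths": {server: entry}})


def pull_secret_manifest(name, namespace, server, username, password,
                         email="", labels=None):
    """Build a kubernetes.io/dockerconfigjson Secret manifest as a dict."""
    payload = docker_config_json(server, username, password, email)
    metadata = {"name": name, "namespace": namespace}
    if labels:
        metadata["labels"] = dict(labels)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": metadata,
        "type": "kubernetes.io/dockerconfigjson",
        # Values under `data` are base64-encoded, not encrypted.
        "data": {
            ".dockerconfigjson": base64.b64encode(payload.encode()).decode()
        },
    }


def registries_in(manifest):
    """Decode a manifest and list the registry hosts it carries credentials for."""
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    return sorted(json.loads(raw)["auths"])


if __name__ == "__main__":
    # Constructed sample values; replace with your own before use.
    manifest = pull_secret_manifest(
        "demo-cp-pull-credentials", "demo-ns",
        "registry.example.com", "robot", "not-a-real-password",
        labels={"team": "platform"},
    )
    print(json.dumps(manifest, indent=2))
```

The printed JSON is a valid manifest for `kubectl apply -f -`. Because the payload is only base64-encoded, treat the generated file like the password itself.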