# Woodpecker: allow pulling from private registry

Woodpecker pipelines run as Kubernetes pods in the `woodpecker` namespace.

If pipeline step images use `registry.nxtgauge.com/...` (private, Basic auth), kubelet needs an `imagePullSecret`.

This is required for base images (example `registry.nxtgauge.com/rust:alpine`) and also for any mirrored plugin images (example `registry.nxtgauge.com/kaniko:2.1.1`).

## Required secret

Create this once:

```bash
kubectl -n woodpecker create secret docker-registry registry-nxtgauge-pull \
  --docker-server=registry.nxtgauge.com \
  --docker-username="" \
  --docker-password="" \
  --docker-email="ci@nxtgauge.com"
```

## Mirroring common plugin images (optional)

If your pipelines reference plugin images from the internal registry (example `registry.nxtgauge.com/kaniko:2.1.1`) make sure those images exist in the registry.

Example mirror from Docker Hub to internal:

```bash
docker pull woodpeckerci/plugin-kaniko:2.1.1
docker tag woodpeckerci/plugin-kaniko:2.1.1 registry.nxtgauge.com/kaniko:2.1.1
docker push registry.nxtgauge.com/kaniko:2.1.1
```

## What this kustomize applies

It patches/ensures the `default` ServiceAccount in `woodpecker` includes:

- `imagePullSecrets: [registry-nxtgauge-pull]`
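
A check for the two pieces this page sets up, added here as an example (it is not part of this repository's kustomize): it decodes the `registry-nxtgauge-pull` secret, confirms it holds non-empty credentials for `registry.nxtgauge.com`, and confirms the ServiceAccount lists it. The file name `check_pull.py`, the function names and the sample objects are assumptions constructed for illustration.

```python
# Usage (assumed; check_pull.py is a hypothetical file name):
#   kubectl -n woodpecker get secret/registry-nxtgauge-pull sa/default -o json | python3 check_pull.py
import base64
import json
import sys

REGISTRY = "registry.nxtgauge.com"
SECRET_NAME = "registry-nxtgauge-pull"


def check_pull_secret(secret, registry=REGISTRY):
    """Return problems in a Secret: wrong type, no entry for the registry, blank credentials."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return [f"secret type is {secret.get('type')!r}"]
    raw = secret.get("data", {}).get(".dockerconfigjson", "")
    try:
        auths = json.loads(base64.b64decode(raw)).get("auths", {})
        entry = auths.get(registry)
    except (ValueError, TypeError, AttributeError):
        return [".dockerconfigjson is not base64-encoded JSON"]
    if not isinstance(entry, dict):
        return [f"no auths entry for {registry}; found {sorted(auths)}"]
    return [f"{field} for {registry} is empty" for field in ("username", "password") if not entry.get(field)]


def check_service_account(sa, secret_name=SECRET_NAME):
    """Return problems if the ServiceAccount does not reference the pull secret."""
    names = [ref.get("name") for ref in sa.get("imagePullSecrets") or []]
    return [] if secret_name in names else [f"imagePullSecrets {names} lacks {secret_name}"]


def check_items(items):
    """Run the matching check on each Secret / ServiceAccount object, skipping other kinds."""
    checks = {"Secret": check_pull_secret, "ServiceAccount": check_service_account}
    return [p for obj in items if obj.get("kind") in checks for p in checks[obj["kind"]](obj)]


def make_secret(username, password, server=REGISTRY):
    """Build a constructed sample Secret in the kubernetes.io/dockerconfigjson layout."""
    cfg = {"auths": {server: {"username": username, "password": password}}}
    data = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {"kind": "Secret", "type": "kubernetes.io/dockerconfigjson", "data": {".dockerconfigjson": data}}


if __name__ == "__main__":
    # A piped `kubectl ... -o json` List is checked; with no pipe, a constructed sample is used.
    sample = {"items": [make_secret("", ""), {"kind": "ServiceAccount"}]}
    doc = sample if sys.stdin.isatty() else json.load(sys.stdin)
    print("\n".join(check_items(doc.get("items", []))) or "ok")
```

Run without piped input, it reports the three problems in the constructed sample: blank username, blank password, and a ServiceAccount with no `imagePullSecrets`.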