From 0c3133f2d05c3d0af79f57b56945af3b85126cbc Mon Sep 17 00:00:00 2001 From: Jan Kristof Nidzwetzki Date: Wed, 25 Dec 2019 21:58:19 +0100 Subject: [PATCH] Documented private registries --- docs/private-registries.md | 54 +++++++++++++++++++++++++++++++++++++- 1 file changed, 53 insertions(+), 1 deletion(-) diff --git a/docs/private-registries.md b/docs/private-registries.md index c86ef7c..4136c48 100644 --- a/docs/private-registries.md +++ b/docs/private-registries.md 
@@ -1,4 +1,56 @@ -Some private docker registries (the most prominent probably being AWS ECR) use non-standard ways of authentication. +Watchtower supports private Docker image registries. In many cases, accessing a private registry requires a valid username and password (i.e., _credentials_). In order to operate in such an environment, watchtower needs to know the credentials to access the registry. + +The credentials can be provided to watchtower in a configuration file called `config.json`. There are two ways to generate this configuration file: + +* The configuration file can be created manually. +* Call `docker login $REGISTRY_NAME` and share the resulting configuration file. + +### Create the configuration file manually +Create a new configuration file with the following syntax and a base64 encoded username and password `auth` string: +```json +{ + "auths": { + "$REGISTRY_NAME": { + "auth": "XXXXXXX" + } + } +} +``` + +`$REGISTRY_NAME` needs to be replaced by the name of your private registry (e.g., `my-private-registry.example.org`) + +The required `auth` string can be generated as follows: +```bash +echo -n 'username:password' | base64 +``` + +When the watchtower Docker container is stared, the created configuration file (`/config.json` in this example) needs to be passed to the container: +```bash +docker run [...] -v /config.json:/config.json containrrr/watchtower +``` + +### Share the Docker configuration file +To pull an image from a private registry, `docker login` needs to be called first, to get access to the registry. The provided credentials are stored in a configuration file called `/.docker/config.json`. This configuration file can be directly used by watchtower. In this case, the creation of an additional configuration file is not necessary. + +When the Docker container is started, pass the configuration file to watchtower: +```bash +docker run [...] 
-v /.docker/config.json:/config.json containrrr/watchtower +``` + +When creating the watchtower container via docker-compose, use the following lines: +```yaml +version: "3" +[...] +watchtower: + image: index.docker.io/containrrr/watchtower:latest + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - /.docker/config.json:/config.json +[...] +``` + +## Credential helpers +Some private Docker registries (the most prominent probably being AWS ECR) use non-standard ways of authentication. To be able to use this together with watchtower, we need to use a credential helper. To keep the image size small we've decided to not include any helpers in the watchtower image, instead we'll put the
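Review bot: In the added "Create the configuration file manually" section, the `auth` value is described only as "base64 encoded", and nothing in the section or the mount examples says that this is an encoding rather than encryption, so anyone who can read `config.json` recovers the registry username and password. Suggest adding a sentence that the file should be readable only by the user running Docker (for example mode 0600), and mounting it read-only in both `docker run` examples and the compose snippet, e.g. `-v /config.json:/config.json:ro`. Two smaller points in the same hunk: "When the watchtower Docker container is stared" should read "started", and the "Share the Docker configuration file" section gives the path as `/.docker/config.json`, whereas `docker login` by default writes to `.docker/config.json` under the invoking user's home directory, so the path in the text and in the `-v` and `volumes:` lines should carry the home-directory prefix.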