diff --git a/modules/administration-guide/pages/devworkspace-backup-regular-oci-registry.adoc b/modules/administration-guide/pages/devworkspace-backup-regular-oci-registry.adoc index bb680ddb79..3ebbacee1e 100644 --- a/modules/administration-guide/pages/devworkspace-backup-regular-oci-registry.adoc +++ b/modules/administration-guide/pages/devworkspace-backup-regular-oci-registry.adoc 
@@ -33,26 +33,32 @@ config: ---- <1> For Red Hat OpenShift, the default installation namespace for the {devworkspace} operator is `openshift-operators`. See the xref:devworkspace-operator.adoc[{devworkspace} operator overview]. -The `authSecret` must be named `devworkspace-backup-registry-auth`. It must reference a {kubernetes} Secret of type `kubernetes.io/dockerconfigjson` that contains credentials to access the registry. -The secret should be created in the installation {namespace} for the {devworkspace} operator. +The `authSecret` field specifies the name of a {kubernetes} Secret in the {devworkspace} operator installation {namespace}. This secret must be of type `kubernetes.io/dockerconfigjson` and contain credentials to access the registry. -To create one, you can use the following command: +To create the secret in the operator installation {namespace}, use the following commands: [source,shell,subs="+attributes,+quotes"] ---- -{orch-cli} create secret docker-registry devworkspace-backup-registry-auth --from-file=config.json +{orch-cli} create secret docker-registry devworkspace-backup-registry-auth \ + --namespace $OPERATOR_INSTALL_NAMESPACE \ + --from-file=config.json + +{orch-cli} label secret devworkspace-backup-registry-auth \ + --namespace $OPERATOR_INSTALL_NAMESPACE \ + controller.devfile.io/watch-secret=true ---- The secret must contain a label `controller.devfile.io/watch-secret=true` to be recognized by the {devworkspace} Operator. -[source,shell,subs="+attributes,+quotes"] ----- -kubectl label secret devworkspace-backup-registry-auth controller.devfile.io/watch-secret=true ----- +IMPORTANT: The {devworkspace} Operator conditionally copies the registry authentication secret to each {devworkspace} {namespace}. 
The secret is copied from the operator installation {namespace} to the workspace {namespace} with the canonical name `devworkspace-backup-registry-auth` only when all of the following conditions are met: + +* The `authSecret` field is configured in the `DevWorkspaceOperatorConfig`. +* No secret named `devworkspace-backup-registry-auth` already exists in the {devworkspace} {namespace}. + +The operator never overwrites existing secrets in {devworkspace} {namespaces}. If a user has already created a `devworkspace-backup-registry-auth` secret in their workspace {namespace}, that user-provided secret takes precedence and is used for backup operations. + +If the `authSecret` field is not configured, the backup job assumes anonymous registry access (for public registries). -[WARNING] -==== -The {devworkspace} Operator copies the `devworkspace-backup-registry-auth` secret to each {devworkspace} {namespace} so that backups from user workspaces can be pushed to the registry. If you do not want that secret copied automatically, create a `devworkspace-backup-registry-auth` secret with user-specific credentials in each {devworkspace} {namespace} instead. -==== +To use different registry credentials for specific {devworkspaces}, create a `devworkspace-backup-registry-auth` secret with user-specific credentials directly in each {devworkspace} {namespace} before the backup job runs. The operator will detect and use the user-provided secret instead of copying from the operator {namespace}. include::partial$snip_defining-dwo-namespace-for-backups.adoc[] diff --git a/modules/administration-guide/pages/devworkspace-backup.adoc b/modules/administration-guide/pages/devworkspace-backup.adoc index c4fc4ef0aa..82fea4e9ed 100644 --- a/modules/administration-guide/pages/devworkspace-backup.adoc +++ b/modules/administration-guide/pages/devworkspace-backup.adoc 
@@ -29,7 +29,7 @@ The value for `registry.path` is the first segment of the final location. The fu + `//:latest` -* `registry.authSecret`: (Optional) The name of the Kubernetes secret that contains credentials for the OCI registry. If you do not provide a secret, the system assumes the registry is public or uses the **Red Hat OpenShift** integrated registry. +* `registry.authSecret`: (Optional) The name of the Kubernetes secret in the {devworkspace} operator installation {namespace} that contains credentials for the OCI registry. When configured, the operator conditionally copies this secret to each {devworkspace} {namespace} (only if no user-provided secret already exists). If not configured, the backup job assumes anonymous registry access for public registries or uses the **Red Hat OpenShift** integrated registry. * `oras.extraArgs`: (Optional) Additional arguments for to the `oras` CLI tool during push and pull operations.
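Review bot: In the devworkspace-backup-regular-oci-registry.adoc hunk, the new IMPORTANT paragraph replaces the removed WARNING block but no longer tells the administrator the practical consequence of the copy: the registry credentials from the operator installation namespace end up in every {devworkspace} {namespace}. Suggest keeping one sentence that says so, together with a recommendation that the `authSecret` credentials be limited to what the backup job needs. Two smaller points in the same hunk: `$OPERATOR_INSTALL_NAMESPACE` is used in both commands but is not defined anywhere in the visible text before the code block, so either define it or point to the callout that names `openshift-operators`. And because "The operator never overwrites existing secrets", the text should state whether a copy made earlier is refreshed when the secret in the operator namespace is rotated, and how a user replaces an operator-made copy with their own secret.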
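Review bot: In the devworkspace-backup.adoc hunk, the rewritten `registry.authSecret` bullet says the copy happens "only if no user-provided secret already exists" without naming that secret. Now that `authSecret` can be any name, a reader of this page could assume the user-provided secret must carry the `authSecret` name, while the registry page states that the check is for a secret named `devworkspace-backup-registry-auth`. Suggest naming it in the bullet or adding an xref to the registry page. The fallback wording also differs between the two files: this bullet keeps "or uses the **Red Hat OpenShift** integrated registry", while the registry page mentions only anonymous access for public registries, so the two should be aligned. The unchanged `oras.extraArgs` context line reads "Additional arguments for to the", which could be fixed in the same change.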