Closed
Expand Up @@ -33,26 +33,32 @@ config:
----
<1> For Red Hat OpenShift, the default installation namespace for the {devworkspace} operator is `openshift-operators`. See the xref:devworkspace-operator.adoc[{devworkspace} operator overview].

The `authSecret` must be named `devworkspace-backup-registry-auth`. It must reference a {kubernetes} Secret of type `kubernetes.io/dockerconfigjson` that contains credentials to access the registry.
The secret should be created in the installation {namespace} for the {devworkspace} operator.
The `authSecret` field specifies the name of a {kubernetes} Secret in the {devworkspace} operator installation {namespace}. This secret must be of type `kubernetes.io/dockerconfigjson` and contain credentials to access the registry.

To create one, you can use the following command:
To create the secret in the operator installation {namespace}, use the following commands:

[source,shell,subs="+attributes,+quotes"]
----
{orch-cli} create secret docker-registry devworkspace-backup-registry-auth --from-file=config.json
{orch-cli} create secret docker-registry devworkspace-backup-registry-auth \
--namespace $OPERATOR_INSTALL_NAMESPACE \
--from-file=config.json

{orch-cli} label secret devworkspace-backup-registry-auth \
--namespace $OPERATOR_INSTALL_NAMESPACE \
controller.devfile.io/watch-secret=true
----

The secret must contain a label `controller.devfile.io/watch-secret=true` to be recognized by the {devworkspace} Operator.

[source,shell,subs="+attributes,+quotes"]
----
kubectl label secret devworkspace-backup-registry-auth controller.devfile.io/watch-secret=true
----
IMPORTANT: The {devworkspace} Operator conditionally copies the registry authentication secret to each {devworkspace} {namespace}. The secret is copied from the operator installation {namespace} to the workspace {namespace} with the canonical name `devworkspace-backup-registry-auth` only when all of the following conditions are met:

* The `authSecret` field is configured in the `DevWorkspaceOperatorConfig`.
* No secret named `devworkspace-backup-registry-auth` already exists in the {devworkspace} {namespace}.

The operator never overwrites existing secrets in {devworkspace} {namespaces}. If a user has already created a `devworkspace-backup-registry-auth` secret in their workspace {namespace}, that user-provided secret takes precedence and is used for backup operations.

If the `authSecret` field is not configured, the backup job assumes anonymous registry access (for public registries).

[WARNING]
====
The {devworkspace} Operator copies the `devworkspace-backup-registry-auth` secret to each {devworkspace} {namespace} so that backups from user workspaces can be pushed to the registry. If you do not want that secret copied automatically, create a `devworkspace-backup-registry-auth` secret with user-specific credentials in each {devworkspace} {namespace} instead.
====
To use different registry credentials for specific {devworkspaces}, create a `devworkspace-backup-registry-auth` secret with user-specific credentials directly in each {devworkspace} {namespace} before the backup job runs. The operator will detect and use the user-provided secret instead of copying from the operator {namespace}.

include::partial$snip_defining-dwo-namespace-for-backups.adoc[]
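
Review bot: In the `IMPORTANT:` paragraph, the inline admonition form covers only that first paragraph, so the two-item condition list and the "never overwrites existing secrets" paragraph will render outside the admonition. The `[WARNING]` block with `====` delimiters that this replaces did not have that problem, so use `[IMPORTANT]` with `====` around the whole passage. Because this text tells administrators that the credential from the operator installation namespace ends up in each workspace namespace, it is also worth saying here that the secret should carry only the registry permissions the backup job needs, since anyone who can read secrets in a workspace namespace can read the copy. Two smaller points: the new commands depend on `$OPERATOR_INSTALL_NAMESPACE`, which is not set anywhere in the visible text (show the export or point to callout <1> for the value), and the text now says `authSecret` "specifies the name" of a secret while the commands still hard-code `devworkspace-backup-registry-auth`, so state whether the secret in the operator namespace may have a different name.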
Expand Up @@ -29,7 +29,7 @@ The value for `registry.path` is the first segment of the final location. The fu
+
`<registry.path>/<namespace>/<devworkspace-name>:latest`

* `registry.authSecret`: (Optional) The name of the Kubernetes secret that contains credentials for the OCI registry. If you do not provide a secret, the system assumes the registry is public or uses the **Red Hat OpenShift** integrated registry.
* `registry.authSecret`: (Optional) The name of the Kubernetes secret in the {devworkspace} operator installation {namespace} that contains credentials for the OCI registry. When configured, the operator conditionally copies this secret to each {devworkspace} {namespace} (only if no user-provided secret already exists). If not configured, the backup job assumes anonymous registry access for public registries or uses the **Red Hat OpenShift** integrated registry.
* `oras.extraArgs`: (Optional) Additional arguments for to the `oras` CLI tool during push and pull operations.


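Review bot: The new `registry.authSecret` bullet says the copy is skipped "only if no user-provided secret already exists" without naming the secret, so a reader of this page alone cannot tell which name triggers the skip; name `devworkspace-backup-registry-auth` here, as the other file in this change does, and mention the `controller.devfile.io/watch-secret=true` label that file requires, or link to that section. The last sentence also reads as if anonymous access and the Red Hat OpenShift integrated registry are interchangeable fallbacks; split it so each case is stated separately. While touching this list, the unchanged `oras.extraArgs` line just below has a typo ("arguments for to the").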