Configuring backup with a regular OCI-compatible registry

To use a regular OCI-compatible registry for backups, you need to provide registry credentials. You can configure the DevWorkspace operator to automatically copy a registry authentication secret from the operator namespace to DevWorkspace {namespaces}, or you can manually create secrets in each DevWorkspace namespace. Having separate secrets in each DevWorkspace namespace allows for using different registry accounts per namespace with more granular access control.

kind: DevWorkspaceOperatorConfig
apiVersion: controller.devfile.io/v1alpha1
metadata:
  name: devworkspace-operator-config
  namespace: $OPERATOR_INSTALL_NAMESPACE (1)
config:
  routing:
    defaultRoutingClass: basic
  workspace:
    backupCronJob:
      enable: true
      copyOperatorAuthSecret: true (2)
      registry:
        authSecret: my-registry-auth (3)
        path: quay.io/my-company-org
      schedule: '0 */4 * * *'
    imagePullPolicy: Always

1	For Red Hat OpenShift, the default installation namespace for the DevWorkspace operator is `openshift-operators`. See the DevWorkspace operator overview.
2	Set to `true` to enable automatic copying of the registry authentication secret from the operator namespace to DevWorkspace {namespaces}. The default value is `false`.
3	The name of the secret in the operator namespace that contains registry credentials. This secret will be copied to DevWorkspace {namespaces} with the canonical name `devworkspace-backup-registry-auth`.

Configuring automatic secret copying

When copyOperatorAuthSecret is set to true, the operator automatically copies the registry authentication secret from the operator namespace to each DevWorkspace namespace.

The authSecret field specifies the name of the secret in the operator namespace. This secret must be of type kubernetes.io/dockerconfigjson and contain credentials to access the registry.

To create the secret in the operator namespace, use the following command:

kubectl create secret docker-registry my-registry-auth \
  --namespace $OPERATOR_INSTALL_NAMESPACE \
  --from-file=config.json

The secret must contain a label controller.devfile.io/watch-secret=true to be recognized by the DevWorkspace Operator:

kubectl label secret my-registry-auth \
  --namespace $OPERATOR_INSTALL_NAMESPACE \
  controller.devfile.io/watch-secret=true

The operator will copy this secret to each DevWorkspace namespace with the canonical name devworkspace-backup-registry-auth.

Manually creating secrets in workspace namespaces

If copyOperatorAuthSecret is set to false (the default), the operator will not automatically copy secrets. Instead, you must manually create a secret named devworkspace-backup-registry-auth in each DevWorkspace namespace.

To create the secret in a DevWorkspace namespace, use the following command:

kubectl create secret docker-registry devworkspace-backup-registry-auth \
  --namespace <workspace-namespace> \
  --from-file=config.json

This approach allows you to use different registry credentials for different DevWorkspace {namespaces}.

If a secret named devworkspace-backup-registry-auth already exists in a DevWorkspace namespace, the operator will never overwrite it, even when copyOperatorAuthSecret is set to true. This ensures that user-provided secrets are always respected.

If the installation namespace for the DevWorkspace operator is not openshift-operators, you must define it as an environment variable for the Eclipse Che dashboard in the CheCluster Custom Resource.

apiVersion: org.eclipse.che/v2
kind: CheCluster
spec:
  components:
    dashboard:
      deployment:
        containers:
          - env:
              - name: DWO_NAMESPACE
                value: $OPERATOR_INSTALL_NAMESPACE (1)
            name: che-dashboard

1	For Red Hat OpenShift, the default installation namespace for the DevWorkspace operator is `openshift-operators`. See the DevWorkspace operator overview.