Configuring backup with a regular OCI-compatible registry

To use a regular OCI-compatible registry for backups, you need to provide registry credentials. Depending on your RBAC policy, the token can be provided via a secret in the Operator namespace or in each DevWorkspace namespace. Having the secret in the DevWorkspace namespace allows for using different registry accounts per namespace with more granular access control.

kind: DevWorkspaceOperatorConfig
apiVersion: controller.devfile.io/v1alpha1
metadata:
  name: devworkspace-operator-config
  namespace: $OPERATOR_INSTALL_NAMESPACE # (1)
config:
  routing:
    defaultRoutingClass: basic
  workspace:
    backupCronJob:
      enable: true
      registry:
        authSecret: devworkspace-backup-registry-auth
        path: quay.io/my-company-org
      schedule: '0 */4 * * *'
    imagePullPolicy: Always
(1) For Red Hat OpenShift, the default installation namespace for the DevWorkspace operator is openshift-operators. See the DevWorkspace operator overview.

The authSecret must be named devworkspace-backup-registry-auth. It must reference a Kubernetes Secret of type kubernetes.io/dockerconfigjson that contains credentials to access the registry. The secret should be created in the installation namespace for the DevWorkspace operator.

To create one, you can use the following command:

kubectl create secret docker-registry devworkspace-backup-registry-auth --from-file=config.json

The secret must contain a label controller.devfile.io/watch-secret=true to be recognized by the DevWorkspace Operator.

kubectl label secret devworkspace-backup-registry-auth controller.devfile.io/watch-secret=true

The DevWorkspace Operator copies the devworkspace-backup-registry-auth secret to each DevWorkspace namespace so that backups from user workspaces can be pushed to the registry. If you do not want that secret copied automatically, create a devworkspace-backup-registry-auth secret with user-specific credentials in each DevWorkspace namespace instead.
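
A pre-flight check for the secret requirements described above (name, type, watch label, registry credentials), as an added example that is not part of the DevWorkspace Operator or its documentation. The function names, the sample account and token, and the comparison of the auths entry against the host part of registry.path are assumptions of this example.

```python
import base64
import json

SECRET_NAME = "devworkspace-backup-registry-auth"
SECRET_TYPE = "kubernetes.io/dockerconfigjson"
WATCH_LABEL = "controller.devfile.io/watch-secret"


def build_secret(namespace, registry_host, username, token):
    """Return a Secret manifest (dict) in the shape the page requires."""
    auth = base64.b64encode(f"{username}:{token}".encode()).decode()
    docker_cfg = {"auths": {registry_host: {"auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": SECRET_TYPE,
        "metadata": {"name": SECRET_NAME, "namespace": namespace,
                     "labels": {WATCH_LABEL: "true"}},
        "data": {".dockerconfigjson":
                 base64.b64encode(json.dumps(docker_cfg).encode()).decode()},
    }


def check_secret(secret, registry_path):
    """Return a list of problems; an empty list means the manifest passes."""
    problems = []
    meta = secret.get("metadata") or {}
    if meta.get("name") != SECRET_NAME:
        problems.append(f"name must be {SECRET_NAME}")
    if secret.get("type") != SECRET_TYPE:
        problems.append(f"type must be {SECRET_TYPE}")
    if (meta.get("labels") or {}).get(WATCH_LABEL) != "true":
        problems.append(f"missing label {WATCH_LABEL}=true")
    raw = (secret.get("data") or {}).get(".dockerconfigjson")
    if raw is None:
        return problems + ["data has no .dockerconfigjson key"]
    try:
        auths = json.loads(base64.b64decode(raw)).get("auths") or {}
    except (ValueError, AttributeError):
        return problems + [".dockerconfigjson is not base64-encoded JSON"]
    # Assumption of this example: the auths key is the bare registry host
    # taken from the first component of registry.path (e.g. quay.io).
    host = registry_path.split("/", 1)[0]
    if host not in auths:
        problems.append(f"no auths entry for registry host {host}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the token is a placeholder, not a credential.
    sample = build_secret("openshift-operators", "quay.io", "backup-robot", "PLACEHOLDER-TOKEN")
    print(check_secret(sample, "quay.io/my-company-org") or "secret manifest OK")
```

Run the check on the manifest before applying it, so that a missing label or a credential for the wrong registry is caught before the first scheduled backup.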