Skip to content

Restoring workspaces does not use pull secret #1607

Open
Open
Restoring workspaces does not use pull secret#1607
@dkwon17

Description

@dkwon17
dkwon17
opened on Mar 26, 2026

Description

When a workspace is to be restored, the DWO does not mount the pull secret into the workspace-restore init container, unless, the pull secret is named devworkspace-backup-registry-auth

How To Reproduce

  1. Create a a pull secret containing credentials to a private image registry:
kind: Secret
apiVersion: v1
metadata:
  name: my-secret
  namespace: openshift-operators
  labels:
    controller.devfile.io/watch-secret: 'true'
data:
  .dockerconfigjson: <redacted>
type: kubernetes.io/dockerconfigjson
  1. Enable backups using the global DWOC:
kind: DevWorkspaceOperatorConfig
apiVersion: controller.devfile.io/v1alpha1
metadata:
  name: devworkspace-operator-config
  namespace: $OPERATOR_INSTALL_NAMESPACE
config:
  workspace:
    backupCronJob:
      enable: true
      registry:
        authSecret: my-secret
        path: quay.io/<username>
      schedule: '*/2 * * * *'
    imagePullPolicy: Always
  1. Start a simple non-ephemeral workspace:
curl -sL https://raw.githubusercontent.com/devfile/devworkspace-operator/refs/heads/main/samples/per-workspace-storage.yaml | oc apply -f -
  1. Once the workspace stops running, stop it.
  2. Wait for up to 2 minutes to allow the backup to occur.
  3. Once backup has been completed, create an empty workspace with the restore attributes::
apiVersion: workspace.devfile.io/v1alpha2
kind: DevWorkspace
metadata:
  name: plain-devworkspace
spec:
  routingClass: basic
  started: true
  template:
    attributes:
      controller.devfile.io/restore-source-image: '<your backup image>'
      controller.devfile.io/restore-workspace: 'true'
    components:
      - container:
          command:
            - tail
            - '-f'
            - /dev/null
          image: 'quay.io/wto/web-terminal-tooling:next'
          memoryLimit: 512Mi
          memoryRequest: 256Mi
          mountSources: true
          sourceMapping: /projects
        name: web-terminal

The workspace will fail to start because the workspace pod will not have the pull secret mount.

Expected behavior

The pull secret should be mounted such that the workspace-restore init container is able to use it.

Additional context

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions