Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 7. Use credentials and configurations in workspaces

Mount Git credentials, SSH keys, image pull secrets, and configuration files into OpenShift Dev Spaces workspaces so that tools authenticate and configure automatically.

7.1. Credentials and configurations in workspaces
Copy link

Mount credentials and configurations into your workspaces so that tools such as Git, Maven, and cloud CLIs authenticate automatically without manual setup each time you start a workspace.

To do so, mount your credentials and configurations to the Dev Workspace containers in the OpenShift cluster of your organization’s OpenShift Dev Spaces instance:

  • Mount your credentials and sensitive configurations as Kubernetes Secrets.
  • Mount your non-sensitive configurations as Kubernetes ConfigMaps.

If you need to allow the Dev Workspace Pods in the cluster to access container registries that require authentication, create an image pull Secret for the Dev Workspace Pods.

The mounting process uses the standard Kubernetes mounting mechanism and requires applying additional labels and annotations to your existing resources. Resources are mounted when starting a new workspace or restarting an existing one.

You can create permanent mount points for various components:

  • Maven configuration, such as the user-specific settings.xml file
  • Secure Shell (SSH) key pairs
  • Git-provider access tokens
  • Git configuration
  • AWS authorization tokens
  • Configuration files
  • Persistent storage

7.2. Mount Secrets
Copy link

Mount Kubernetes Secrets into workspace containers to provide sensitive configuration data such as credentials, API keys, and certificates.

Prerequisites

  • You have an active oc session with your project. See Getting started with the CLI.

    Warning

    Applying or modifying a Secret with the controller.devfile.io/mount-to-devworkspace: 'true' label restarts all running workspaces in the project. Save your work before you apply these changes.

Procedure

  1. Create a Secret with the required labels and annotations: 

    kind: Secret
apiVersion: v1
metadata:
  name: my-credentials
  labels:
    controller.devfile.io/mount-to-devworkspace: 'true'
    controller.devfile.io/watch-secret: 'true'
  annotations:
    controller.devfile.io/mount-as: file
    controller.devfile.io/mount-path: /etc/my-credentials
type: Opaque
data:
  api-key: <base64_encoded_api_key>

    where:

    controller.devfile.io/mount-to-devworkspace
    Required label to mount the Secret to all workspaces.
    controller.devfile.io/watch-secret
    Watch the Secret for changes and update mounted files.
    controller.devfile.io/mount-as
    Mount type: file, subpath, or env.
    controller.devfile.io/mount-path
    Path where the Secret data is mounted.

  2. Apply the Secret to your project: 

    $ oc apply -f my-credentials.yaml -n <your_namespace>

  3. Optional: Add annotations to the Secret to customize the mounting behavior.

    Expand
    Table 7.1. Secret mounting annotations
    AnnotationDescription

    controller.devfile.io/mount-path: <path>

    Overrides the default mount path. The default mount path is /etc/secret/<Secret_name>.

    controller.devfile.io/mount-as: file

    Each key in the Secret data becomes a file in the mount path directory.

    controller.devfile.io/mount-as: subpath

    Similar to file, but uses subPath volumes for better compatibility.

    controller.devfile.io/mount-as: env

    Each key-value pair becomes an environment variable in all workspace containers.

    For example, to mount Secret data as environment variables: 

    kind: Secret
apiVersion: v1
metadata:
  name: my-env-secret
  labels:
    controller.devfile.io/mount-to-devworkspace: 'true'
    controller.devfile.io/watch-secret: 'true'
  annotations:
    controller.devfile.io/mount-as: env
type: Opaque
stringData:
  DATABASE_URL: postgresql://localhost:5432/mydb
  API_SECRET: my-secret-key

    For example, to mount a Maven settings.xml file to the /home/user/.m2/ path using subpath: 

    kind: Secret
apiVersion: v1
metadata:
  name: maven-settings
  labels:
    controller.devfile.io/mount-to-devworkspace: 'true'
    controller.devfile.io/watch-secret: 'true'
  annotations:
    controller.devfile.io/mount-path: /home/user/.m2/
    controller.devfile.io/mount-as: subpath
type: Opaque
stringData:
  settings.xml: |
    <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
    </settings>

    After the workspace starts, the /home/user/.m2/settings.xml file is available in the Dev Workspace containers. To use a custom path with Maven, run mvn --settings /home/user/.m2/settings.xml clean install.

  4. Start or restart your workspace to apply the mounted Secret.

Verification

  • For file or subpath mounts, verify the Secret data is available at the mount path: 

    $ ls /etc/my-credentials

  • For env mounts, verify the environment variables are set: 

    $ echo $DATABASE_URL

7.3. Create an image pull Secret with oc
Copy link

Create an image pull Secret with oc to allow Dev Workspace Pods to access container registries that require authentication.

Prerequisites

Procedure

  1. In your user project, create an image pull Secret with your private container registry details and credentials: 

    $ oc create secret docker-registry <Secret_name> \
    --docker-server=<registry_server> \
    --docker-username=<username> \
    --docker-password=<password> \
    --docker-email=<email_address>

  2. Add the required labels to the image pull Secret: 

    $ oc label secret <Secret_name> controller.devfile.io/devworkspace_pullsecret=true controller.devfile.io/watch-secret=true

Verification

  • Verify the Secret exists and has the required labels: 

    $ oc get secret <Secret_name> --show-labels

Create an image pull Secret from an existing .dockercfg file to allow Dev Workspace Pods to access container registries that require authentication.

Prerequisites

  • You have an active oc session with administrative permissions to the destination OpenShift cluster. See Getting started with the CLI.
  • You have base64 command-line tools installed.

Procedure

  1. Encode the .dockercfg file to Base64: 

    $ cat .dockercfg | base64 | tr -d '\n'

  2. Create a new OpenShift Secret in your user project: 

    apiVersion: v1
kind: Secret
metadata:
  name: <Secret_name>
  labels:
    controller.devfile.io/devworkspace_pullsecret: 'true'
    controller.devfile.io/watch-secret: 'true'
data:
  .dockercfg: <Base64_content_of_.dockercfg>
type: kubernetes.io/dockercfg

  3. Apply the Secret: 

    $ oc apply -f - <<EOF
<Secret_prepared_in_the_previous_step>
EOF

Verification

  • Verify the Secret exists and has the required labels: 

    $ oc get secret <Secret_name> --show-labels

Create an image pull Secret from an existing $HOME/.docker/config.json file to allow Dev Workspace Pods to access container registries that require authentication.

Prerequisites

  • You have an active oc session with administrative permissions to the destination OpenShift cluster. See Getting started with the CLI.
  • You have base64 command-line tools installed.

Procedure

  1. Encode the $HOME/.docker/config.json file to Base64: 

    $ cat config.json | base64 | tr -d '\n'

  2. Create a new OpenShift Secret in your user project: 

    apiVersion: v1
kind: Secret
metadata:
  name: <Secret_name>
  labels:
    controller.devfile.io/devworkspace_pullsecret: 'true'
    controller.devfile.io/watch-secret: 'true'
data:
  .dockerconfigjson: <Base64_content_of_config.json>
type: kubernetes.io/dockerconfigjson

  3. Apply the Secret: 

    $ oc apply -f - <<EOF
<Secret_prepared_in_the_previous_step>
EOF

Verification

  • Verify the Secret exists and has the required labels: 

    $ oc get secret <Secret_name> --show-labels

7.6. Use a Git provider access token
Copy link

Configure a personal access token to authenticate to Git providers for private repository access. This is useful when your administrator has not configured OAuth for your Git provider.

Prerequisites

Procedure

  1. Create a Kubernetes Secret with your access token: 

    kind: Secret
apiVersion: v1
metadata:
  name: personal-access-token-<git_provider>
  labels:
    controller.devfile.io/git-credential: 'true'
    controller.devfile.io/watch-secret: 'true'
  annotations:
    controller.devfile.io/git-credential-host: <git_provider_host>
type: Opaque
stringData:
  token: <your_personal_access_token>

    where:

    controller.devfile.io/git-credential
    Required label for Git credentials.
    controller.devfile.io/git-credential-host
    The hostname of your Git provider (e.g., github.com, gitlab.com).
    token

    Your personal access token.

    Example for GitHub: 

    kind: Secret
apiVersion: v1
metadata:
  name: personal-access-token-github
  labels:
    controller.devfile.io/git-credential: 'true'
    controller.devfile.io/watch-secret: 'true'
  annotations:
    controller.devfile.io/git-credential-host: github.com
type: Opaque
stringData:
  token: ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

  2. Apply the Secret to your project: 

    $ oc apply -f personal-access-token.yaml -n <your_namespace>
  3. Start or restart your workspace.

Verification

  1. Open a terminal in your workspace.

  2. Clone a private repository or push to a repository to verify authentication: 

    $ git clone https://github.com/<org>/<private-repo>.git

7.7. Mount ConfigMaps
Copy link

Mount Kubernetes ConfigMaps into workspace containers to provide non-sensitive configuration data.

Prerequisites

  • You have an active oc session with your project. See Getting started with the CLI.

    Warning

    Applying or modifying a ConfigMap with the controller.devfile.io/mount-to-devworkspace: 'true' label restarts all running workspaces in the project. Save your work before you apply these changes.

Procedure

  1. Create a ConfigMap with the required labels and annotations: 

    kind: ConfigMap
apiVersion: v1
metadata:
  name: my-config
  labels:
    controller.devfile.io/mount-to-devworkspace: 'true'
    controller.devfile.io/watch-configmap: 'true'
  annotations:
    controller.devfile.io/mount-as: file
    controller.devfile.io/mount-path: /etc/my-config
data:
  settings.json: |
    {
      "editor.fontSize": 14,
      "editor.tabSize": 2
    }

    where:

    controller.devfile.io/mount-to-devworkspace
    Required label to mount the ConfigMap to all workspaces.
    controller.devfile.io/watch-configmap
    Watch the ConfigMap for changes and update mounted files.
    controller.devfile.io/mount-as
    Mount type: file, subpath, or env.
    controller.devfile.io/mount-path
    Path where the ConfigMap data is mounted.

  2. Apply the ConfigMap to your project: 

    $ oc apply -f my-config.yaml -n <your_namespace>

  3. Optional: Add annotations to the ConfigMap to customize the mounting behavior.

    Expand
    Table 7.2. ConfigMap mounting annotations
    AnnotationDescription

    controller.devfile.io/mount-path: <path>

    Overrides the default mount path. The default mount path is /etc/config/<ConfigMap_name>.

    controller.devfile.io/mount-as: file

    Each key in the ConfigMap data becomes a file in the mount path directory.

    controller.devfile.io/mount-as: subpath

    Similar to file, but uses subPath volumes for better compatibility.

    controller.devfile.io/mount-as: env

    Each key-value pair becomes an environment variable in all workspace containers.

    For example, to mount ConfigMap data as environment variables: 

    kind: ConfigMap
apiVersion: v1
metadata:
  name: my-env-config
  labels:
    controller.devfile.io/mount-to-devworkspace: 'true'
    controller.devfile.io/watch-configmap: 'true'
  annotations:
    controller.devfile.io/mount-as: env
data:
  LOG_LEVEL: debug
  MAX_CONNECTIONS: "100"
  4. Start or restart your workspace to apply the mounted ConfigMap.

Verification

  • For file or subpath mounts, verify the ConfigMap data is available at the mount path: 

    $ cat /etc/my-config/settings.json

  • For env mounts, verify the environment variables are set: 

    $ echo $LOG_LEVEL

7.8. Mount Git configuration
Copy link

Mount your Git configuration into workspaces to set your Git identity and preferences.

Note

The user.name and user.email fields are set automatically to the gitconfig content from a git provider that is connected to OpenShift Dev Spaces. This connection requires a Git-provider access token or a token generated via OAuth, and you must set the username and email on the provider’s user profile page.

Prerequisites

Procedure

  1. Create a ConfigMap with your Git configuration: 

    kind: ConfigMap
apiVersion: v1
metadata:
  name: workspace-userdata-gitconfig-configmap
  labels:
    controller.devfile.io/mount-to-devworkspace: 'true'
    controller.devfile.io/watch-configmap: 'true'
  annotations:
    controller.devfile.io/mount-as: subpath
    controller.devfile.io/mount-path: /home/user
data:
  .gitconfig: |
    [user]
      name = Your Name
      email = your.email@example.com
    [core]
      editor = vim
    [pull]
      rebase = true

  2. Apply the ConfigMap to your project: 

    $ oc apply -f gitconfig.yaml -n <your_namespace>
  3. Start or restart your workspace.

Verification

  1. Open a terminal in your workspace.

  2. Verify the Git configuration: 

    $ git config --list

7.9. Mount SSH configuration
Copy link

Mount custom SSH configurations into workspaces by using a ConfigMap. Extend the default SSH settings with additional parameters or host-specific configurations.

Note

The system sets the default SSH configuration automatically from the SSH secret in User Preferences. You can extend it by mounting an additional .conf file to /etc/ssh/ssh_config.d/.

Prerequisites

Procedure

  1. Create a ConfigMap with the SSH configuration: 

    kind: ConfigMap
apiVersion: v1
metadata:
  name: workspace-userdata-sshconfig-configmap
  namespace: <your_namespace>
  labels:
    controller.devfile.io/mount-to-devworkspace: 'true'
    controller.devfile.io/watch-configmap: 'true'
  annotations:
    controller.devfile.io/mount-as: subpath
    controller.devfile.io/mount-path: /etc/ssh/ssh_config.d/
data:
  ssh-config.conf: |
    <ssh_config_content>

    where:

    <your_namespace>
    Your project name. To find your project, go to https://__<openshift_dev_spaces_fqdn>__/api/kubernetes/namespace.
    <ssh_config_content>
    The SSH configuration file content, for example Host, IdentityFile, or ProxyCommand directives.

  2. Apply the ConfigMap: 

    oc apply -f - <<EOF
kind: ConfigMap
apiVersion: v1
metadata:
  name: workspace-userdata-sshconfig-configmap
  namespace: <your_namespace>
  labels:
    controller.devfile.io/mount-to-devworkspace: 'true'
    controller.devfile.io/watch-configmap: 'true'
  annotations:
    controller.devfile.io/mount-as: subpath
    controller.devfile.io/mount-path: /etc/ssh/ssh_config.d/
data:
  ssh-config.conf: |
    <ssh_config_content>
EOF

Verification

  • Start a workspace and verify the SSH configuration file is mounted: 

    $ cat /etc/ssh/ssh_config.d/ssh-config.conf
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top