From bd87f0973b634c5d5ca9cfbb19411a47e006d0cf Mon Sep 17 00:00:00 2001 From: Dan Pock Date: Thu, 18 Jul 2024 11:32:44 -0400 Subject: [PATCH 01/11] Add info about Private Registry Credentials covering backup labels --- .../global-default-private-registry.md | 16 ++++++++++++++-- .../global-default-private-registry.md | 16 ++++++++++++++-- 2 files changed, 28 insertions(+), 4 deletions(-) diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md index 419b6cba216..b6204cce737 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md 
@@ -54,8 +54,20 @@ Since the private registry cannot be configured after the cluster is created, yo 1. Select **☰ > Cluster Management**. 1. On the **Clusters** page, click **Create**. 1. Choose a cluster type. -1. In the **Cluster Configuration** go to the **Registries** tab and select **Pull images for Rancher from a private registry**. -1. Enter the registry hostname and credentials. +1. In the **Cluster Configuration** go to the **Registries** tab. +1. Check the box next to **Enable cluster scoped container registry for Rancher system container images**. +1. Enter the registry hostname. +1. Under **Authentication** select **Create a HTTP Basic Auth Secret** and fill in the credential fields. 1. Click **Create**. **Result:** The new cluster pulls images from the private registry. + +### Working with Private Registry Credentials + +When working with private registries, it is important to ensure that any secrets created for these registries are properly backed up. By default, when you add a private registry credential secret through the process outlined above, it is included in backup operations. + +However, if you create credential secrets outside of the Rancher GUI (using kubectl, or Terraform), you must take an extra step to ensure they are backed up effectively. When creating these secrets, make sure to add the `fleet.cattle.io/managed=true` label to indicate that this secret should be included in backups created by Rancher Backups. + +For example, if you have a custom private registry named "my-private-registry" and create a secret called "my-reg-creds" for it, apply the `fleet.cattle.io/managed=true` label to this secret. This ensures that your backup process captures this secret providing easy restoration if needed. + +By following this guidance, you can ensure that all your private registry credentials are backed up and easily accessible in the event of a restore or migration. 
diff --git a/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md b/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md index 419b6cba216..b6204cce737 100644 --- a/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md +++ b/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md 
@@ -54,8 +54,20 @@ Since the private registry cannot be configured after the cluster is created, yo 1. Select **☰ > Cluster Management**. 1. On the **Clusters** page, click **Create**. 1. Choose a cluster type. -1. In the **Cluster Configuration** go to the **Registries** tab and select **Pull images for Rancher from a private registry**. -1. Enter the registry hostname and credentials. +1. In the **Cluster Configuration** go to the **Registries** tab. +1. Check the box next to **Enable cluster scoped container registry for Rancher system container images**. +1. Enter the registry hostname. +1. Under **Authentication** select **Create a HTTP Basic Auth Secret** and fill in the credential fields. 1. Click **Create**. **Result:** The new cluster pulls images from the private registry. + +### Working with Private Registry Credentials + +When working with private registries, it is important to ensure that any secrets created for these registries are properly backed up. By default, when you add a private registry credential secret through the process outlined above, it is included in backup operations. + +However, if you create credential secrets outside of the Rancher GUI (using kubectl, or Terraform), you must take an extra step to ensure they are backed up effectively. When creating these secrets, make sure to add the `fleet.cattle.io/managed=true` label to indicate that this secret should be included in backups created by Rancher Backups. + +For example, if you have a custom private registry named "my-private-registry" and create a secret called "my-reg-creds" for it, apply the `fleet.cattle.io/managed=true` label to this secret. This ensures that your backup process captures this secret providing easy restoration if needed. + +By following this guidance, you can ensure that all your private registry credentials are backed up and easily accessible in the event of a restore or migration. From bee7f2e8929721f7fb501577fdbd58fa5ab2b3fd Mon Sep 17 00:00:00 2001 
From: Dan Pock Date: Thu, 18 Jul 2024 12:37:18 -0400 Subject: [PATCH 02/11] Clarify the backup in question is BRO --- .../global-default-private-registry.md | 2 +- .../global-default-private-registry.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md index b6204cce737..095a331d5c7 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md @@ -64,7 +64,7 @@ Since the private registry cannot be configured after the cluster is created, yo ### Working with Private Registry Credentials -When working with private registries, it is important to ensure that any secrets created for these registries are properly backed up. By default, when you add a private registry credential secret through the process outlined above, it is included in backup operations. +When working with private registries, it is important to ensure that any secrets created for these registries are properly backed up. By default, when you add a private registry credential secret through the process outlined above, it is included in backup operations using Rancher Backups. However, if you create credential secrets outside of the Rancher GUI (using kubectl, or Terraform), you must take an extra step to ensure they are backed up effectively. When creating these secrets, make sure to add the `fleet.cattle.io/managed=true` label to indicate that this secret should be included in backups created by Rancher Backups. 
diff --git a/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md b/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md index b6204cce737..095a331d5c7 100644 --- a/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md +++ b/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md @@ -64,7 +64,7 @@ Since the private registry cannot be configured after the cluster is created, yo ### Working with Private Registry Credentials -When working with private registries, it is important to ensure that any secrets created for these registries are properly backed up. By default, when you add a private registry credential secret through the process outlined above, it is included in backup operations. +When working with private registries, it is important to ensure that any secrets created for these registries are properly backed up. By default, when you add a private registry credential secret through the process outlined above, it is included in backup operations using Rancher Backups. However, if you create credential secrets outside of the Rancher GUI (using kubectl, or Terraform), you must take an extra step to ensure they are backed up effectively. When creating these secrets, make sure to add the `fleet.cattle.io/managed=true` label to indicate that this secret should be included in backups created by Rancher Backups. From 6112a7b128582aa6fe0bb0cb2e03ac4cb2307e40 Mon Sep 17 00:00:00 2001 
From: Dan Date: Fri, 19 Jul 2024 13:25:49 -0400 Subject: [PATCH 03/11] Update versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md Co-authored-by: Marty Hernandez Avedon --- .../global-default-private-registry.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md b/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md index 095a331d5c7..24ec0695113 100644 --- a/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md +++ b/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md @@ -70,4 +70,4 @@ However, if you create credential secrets outside of the Rancher GUI (using kube For example, if you have a custom private registry named "my-private-registry" and create a secret called "my-reg-creds" for it, apply the `fleet.cattle.io/managed=true` label to this secret. This ensures that your backup process captures this secret providing easy restoration if needed. -By following this guidance, you can ensure that all your private registry credentials are backed up and easily accessible in the event of a restore or migration. +By following this guidance, you can ensure that all of your private registry credentials are backed up and easily accessible in the event of a restore or migration. From 38a442100cfc1ba9ef4bd8c8a564643e6b30850e Mon Sep 17 00:00:00 2001 
From: Dan Date: Fri, 19 Jul 2024 13:26:26 -0400 Subject: [PATCH 04/11] Update versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md Co-authored-by: Marty Hernandez Avedon --- .../global-default-private-registry.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md b/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md index 24ec0695113..50bda11fac7 100644 --- a/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md +++ b/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md 
@@ -68,6 +68,6 @@ When working with private registries, it is important to ensure that any secrets However, if you create credential secrets outside of the Rancher GUI (using kubectl, or Terraform), you must take an extra step to ensure they are backed up effectively. When creating these secrets, make sure to add the `fleet.cattle.io/managed=true` label to indicate that this secret should be included in backups created by Rancher Backups. -For example, if you have a custom private registry named "my-private-registry" and create a secret called "my-reg-creds" for it, apply the `fleet.cattle.io/managed=true` label to this secret. This ensures that your backup process captures this secret providing easy restoration if needed. +For example, if you have a custom private registry named "my-private-registry" and create a secret called "my-reg-creds" for it, apply the `fleet.cattle.io/managed=true` label to this secret. This ensures that your backup process captures the secret, providing easy restoration if needed. By following this guidance, you can ensure that all of your private registry credentials are backed up and easily accessible in the event of a restore or migration. From 45bf343dba0dee87c2d10a2707821b0a1262bfe2 Mon Sep 17 00:00:00 2001 From: Dan Date: Fri, 19 Jul 2024 13:26:45 -0400 Subject: [PATCH 05/11] Update versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md Co-authored-by: Marty Hernandez Avedon --- .../global-default-private-registry.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md b/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md index 50bda11fac7..57b4092a144 100644 
--- a/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md +++ b/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md @@ -66,7 +66,7 @@ Since the private registry cannot be configured after the cluster is created, yo When working with private registries, it is important to ensure that any secrets created for these registries are properly backed up. By default, when you add a private registry credential secret through the process outlined above, it is included in backup operations using Rancher Backups. -However, if you create credential secrets outside of the Rancher GUI (using kubectl, or Terraform), you must take an extra step to ensure they are backed up effectively. When creating these secrets, make sure to add the `fleet.cattle.io/managed=true` label to indicate that this secret should be included in backups created by Rancher Backups. +However, if you create a credential secret outside of the Rancher GUI, such as by using kubectl or Terraform, you must add the `fleet.cattle.io/managed=true` label to indicate that the secret should be included in backups created by Rancher Backups. For example, if you have a custom private registry named "my-private-registry" and create a secret called "my-reg-creds" for it, apply the `fleet.cattle.io/managed=true` label to this secret. This ensures that your backup process captures the secret, providing easy restoration if needed. From ee9876f04a1383f622034d8e5a10f3a7823a5fa8 Mon Sep 17 00:00:00 2001 
From: Dan Date: Fri, 19 Jul 2024 13:27:23 -0400 Subject: [PATCH 06/11] Update versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md Co-authored-by: Marty Hernandez Avedon --- .../global-default-private-registry.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md b/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md index 57b4092a144..7aaaa2c2ecb 100644 --- a/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md +++ b/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md @@ -64,7 +64,7 @@ Since the private registry cannot be configured after the cluster is created, yo ### Working with Private Registry Credentials -When working with private registries, it is important to ensure that any secrets created for these registries are properly backed up. By default, when you add a private registry credential secret through the process outlined above, it is included in backup operations using Rancher Backups. +When working with private registries, it is important to ensure that any secrets created for these registries are properly backed up. When you add a private registry credential secret through the Rancher GUI, the secret is included in backup operations using Rancher Backups. However, if you create a credential secret outside of the Rancher GUI, such as by using kubectl or Terraform, you must add the `fleet.cattle.io/managed=true` label to indicate that the secret should be included in backups created by Rancher Backups. 
From 9ae6f022fcef0bf1ba5a5e91678eaad0992f8358 Mon Sep 17 00:00:00 2001 From: Dan Date: Fri, 19 Jul 2024 13:27:30 -0400 Subject: [PATCH 07/11] Update docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md Co-authored-by: Marty Hernandez Avedon --- .../global-default-private-registry.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md index 095a331d5c7..24ec0695113 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md @@ -70,4 +70,4 @@ However, if you create credential secrets outside of the Rancher GUI (using kube For example, if you have a custom private registry named "my-private-registry" and create a secret called "my-reg-creds" for it, apply the `fleet.cattle.io/managed=true` label to this secret. This ensures that your backup process captures this secret providing easy restoration if needed. -By following this guidance, you can ensure that all your private registry credentials are backed up and easily accessible in the event of a restore or migration. +By following this guidance, you can ensure that all of your private registry credentials are backed up and easily accessible in the event of a restore or migration. From 0ca00b121dad9b5d230dc4f632e1e3c1c7d1e526 Mon Sep 17 00:00:00 2001 
From: Dan Date: Fri, 19 Jul 2024 13:32:10 -0400 Subject: [PATCH 08/11] Update docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md Co-authored-by: Marty Hernandez Avedon --- .../global-default-private-registry.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md index 24ec0695113..50bda11fac7 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md 
@@ -68,6 +68,6 @@ When working with private registries, it is important to ensure that any secrets However, if you create credential secrets outside of the Rancher GUI (using kubectl, or Terraform), you must take an extra step to ensure they are backed up effectively. When creating these secrets, make sure to add the `fleet.cattle.io/managed=true` label to indicate that this secret should be included in backups created by Rancher Backups. -For example, if you have a custom private registry named "my-private-registry" and create a secret called "my-reg-creds" for it, apply the `fleet.cattle.io/managed=true` label to this secret. This ensures that your backup process captures this secret providing easy restoration if needed. +For example, if you have a custom private registry named "my-private-registry" and create a secret called "my-reg-creds" for it, apply the `fleet.cattle.io/managed=true` label to this secret. This ensures that your backup process captures the secret, providing easy restoration if needed. By following this guidance, you can ensure that all of your private registry credentials are backed up and easily accessible in the event of a restore or migration. From 1e93509c845704c8557e98a3a12b1ecda8cecf17 Mon Sep 17 00:00:00 2001 From: Dan Date: Fri, 19 Jul 2024 13:32:39 -0400 Subject: [PATCH 09/11] Update docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md Co-authored-by: Marty Hernandez Avedon --- .../global-default-private-registry.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md index 50bda11fac7..57b4092a144 100644 
--- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md @@ -66,7 +66,7 @@ Since the private registry cannot be configured after the cluster is created, yo When working with private registries, it is important to ensure that any secrets created for these registries are properly backed up. By default, when you add a private registry credential secret through the process outlined above, it is included in backup operations using Rancher Backups. -However, if you create credential secrets outside of the Rancher GUI (using kubectl, or Terraform), you must take an extra step to ensure they are backed up effectively. When creating these secrets, make sure to add the `fleet.cattle.io/managed=true` label to indicate that this secret should be included in backups created by Rancher Backups. +However, if you create a credential secret outside of the Rancher GUI, such as by using kubectl or Terraform, you must add the `fleet.cattle.io/managed=true` label to indicate that the secret should be included in backups created by Rancher Backups. For example, if you have a custom private registry named "my-private-registry" and create a secret called "my-reg-creds" for it, apply the `fleet.cattle.io/managed=true` label to this secret. This ensures that your backup process captures the secret, providing easy restoration if needed. From 6fd409221d4be5bbe43e34f59aa6b418e2f00b80 Mon Sep 17 00:00:00 2001 From: Dan Date: Fri, 19 Jul 2024 15:06:43 -0400 Subject: [PATCH 10/11] Update docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md Co-authored-by: Marty Hernandez Avedon --- .../global-default-private-registry.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md index 57b4092a144..b9847ee8d9f 100644 --- a/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md +++ b/docs/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md @@ -64,7 +64,7 @@ Since the private registry cannot be configured after the cluster is created, yo ### Working with Private Registry Credentials -When working with private registries, it is important to ensure that any secrets created for these registries are properly backed up. By default, when you add a private registry credential secret through the process outlined above, it is included in backup operations using Rancher Backups. +When working with private registries, it is important to ensure that any secrets created for these registries are properly backed up. When you add a private registry credential secret through the Rancher GUI and select **Create a HTTP Basic Auth Secret**, the secret is included in backup operations using Rancher Backups. However, if you create a credential secret outside of the Rancher GUI, such as by using kubectl or Terraform, you must add the `fleet.cattle.io/managed=true` label to indicate that the secret should be included in backups created by Rancher Backups. From 011085ac2d77e674919e7c20f73708b720c7e451 Mon Sep 17 00:00:00 2001 From: Dan Pock Date: Fri, 19 Jul 2024 20:05:09 -0400 Subject: [PATCH 11/11] Sync versioned docs pages --- .../global-default-private-registry.md | 2 +- .../global-default-private-registry.md | 31 +++++++++---------- 2 files changed, 15 insertions(+), 18 deletions(-) 
diff --git a/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md b/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md index 7aaaa2c2ecb..b9847ee8d9f 100644 --- a/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md +++ b/versioned_docs/version-2.8/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md @@ -64,7 +64,7 @@ Since the private registry cannot be configured after the cluster is created, yo ### Working with Private Registry Credentials -When working with private registries, it is important to ensure that any secrets created for these registries are properly backed up. When you add a private registry credential secret through the Rancher GUI, the secret is included in backup operations using Rancher Backups. +When working with private registries, it is important to ensure that any secrets created for these registries are properly backed up. When you add a private registry credential secret through the Rancher GUI and select **Create a HTTP Basic Auth Secret**, the secret is included in backup operations using Rancher Backups. However, if you create a credential secret outside of the Rancher GUI, such as by using kubectl or Terraform, you must add the `fleet.cattle.io/managed=true` label to indicate that the secret should be included in backups created by Rancher Backups. diff --git a/versioned_docs/version-2.9/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md b/versioned_docs/version-2.9/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md index 419b6cba216..2e1629ef4b0 100644 
--- a/versioned_docs/version-2.9/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md +++ b/versioned_docs/version-2.9/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/global-default-private-registry.md 
@@ -39,23 +39,20 @@ However, you'll need to do some additional steps if you're trying to set a names 1. Select **☰ > Cluster Management**. 1. Find the RKE2 cluster in the list and click **⋮ >Edit Config**. -1. From the **Cluster config** menu, select **Registries**. -1. In the **Registries** pane, select the **Configure advanced containerd mirroring and registry authentication options** option. -1. In the text fields under **Mirrors**, enter the **Registry Hostname** and **Mirror Endpoints**. -1. Click **Save**. -1. Repeat as necessary for each downstream RKE2 cluster. - -## Configure a Private Registry with Credentials when Creating a Cluster - -There is no global way to set up a private registry with authorization for every Rancher-provisioned cluster. Therefore, if you want a Rancher-provisioned cluster to pull images from a private registry that requires credentials, you'll have to pass the registry credentials through the advanced cluster options every time you create a new cluster. - -Since the private registry cannot be configured after the cluster is created, you'll need to perform these steps during initial cluster setup. - -1. Select **☰ > Cluster Management**. -1. On the **Clusters** page, click **Create**. -1. Choose a cluster type. -1. In the **Cluster Configuration** go to the **Registries** tab and select **Pull images for Rancher from a private registry**. -1. Enter the registry hostname and credentials. +1. In the **Cluster Configuration** go to the **Registries** tab. +1. Check the box next to **Enable cluster scoped container registry for Rancher system container images**. +1. Enter the registry hostname. +1. Under **Authentication** select **Create a HTTP Basic Auth Secret** and fill in the credential fields. 1. Click **Create**. **Result:** The new cluster pulls images from the private registry. 
+ +### Working with Private Registry Credentials + +When working with private registries, it is important to ensure that any secrets created for these registries are properly backed up. When you add a private registry credential secret through the Rancher GUI and select **Create a HTTP Basic Auth Secret**, the secret is included in backup operations using Rancher Backups. + +However, if you create a credential secret outside of the Rancher GUI, such as by using kubectl or Terraform, you must add the `fleet.cattle.io/managed=true` label to indicate that the secret should be included in backups created by Rancher Backups. + +For example, if you have a custom private registry named "my-private-registry" and create a secret called "my-reg-creds" for it, apply the `fleet.cattle.io/managed=true` label to this secret. This ensures that your backup process captures the secret, providing easy restoration if needed. + +By following this guidance, you can ensure that all of your private registry credentials are backed up and easily accessible in the event of a restore or migration.
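Review bot: In PATCH 11/11, the version-2.9 hunk (`@@ -39,23 +39,20 @@`) deletes far more than the matching docs/ and version-2.8 hunks. It removes the last five steps of the RKE2 **Edit Config** procedure (from "From the **Cluster config** menu, select **Registries**" through "Repeat as necessary for each downstream RKE2 cluster."). It also removes the `## Configure a Private Registry with Credentials when Creating a Cluster` heading, both introductory paragraphs, and the first three steps of that procedure. As a result, "click **⋮ >Edit Config**" is followed directly by the new **Registries** steps and ends with "Click **Create**" and "The new cluster pulls images from the private registry", and `### Working with Private Registry Credentials` ends up nested under the mirror section. This looks like a hunk applied at the wrong offset during the sync. The 2.9 page should receive the same change as the `@@ -54,8 +54,20 @@` hunk in PATCH 01/11, which only replaces the two registry steps and appends the new section.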
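Review bot: The "For example" paragraph added in PATCH 01/11 (and kept through the rest of the series) names the secret "my-reg-creds" and says to apply the label, but never shows how, and never says which namespace the secret has to live in. Readers who create the secret with kubectl or Terraform are the audience here, so a one-line command such as `kubectl label secret my-reg-creds fleet.cattle.io/managed=true -n <namespace>` plus a sentence naming the expected namespace would make the step actionable. The registry name "my-private-registry" is introduced but not used for anything, and the closing "By following this guidance" paragraph only restates the section; both could be dropped.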
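Review bot: The sentence changed in PATCH 02/11 ("it is included in backup operations using Rancher Backups") tells readers that registry credential secrets are pulled into the backup, but the section says nothing about what that means for the backup itself. Once the label is applied, the backup archive carries the registry username and password, so the section should add a sentence saying so and link to the Rancher Backups documentation on protecting and restricting access to backup storage. It would also help to state why a label in the `fleet.cattle.io` namespace is what selects a secret for backup, since that is not obvious from the label name.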
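Review bot: PATCH 03/11 through PATCH 10/11 each apply one suggested sentence to a single tree, so docs/ and version-2.8 disagree partway through the series. For instance, PATCH 06/11 gives version-2.8 "through the Rancher GUI, the secret is included", while PATCH 10/11 gives docs/ the longer "and select **Create a HTTP Basic Auth Secret**" wording, and only PATCH 11/11 brings them back in line. Squashing the suggestion commits into one change that touches docs/, version-2.8 and version-2.9 together would keep the three copies identical at every commit and would have made the oversized 2.9 hunk easier to spot.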