📚 Sync docs from alaudadevops/connectors-operator on 68a82bc175e642ec1895c9ca50f0c1c6915831db

Source: add release notes for release-1.1 (#109)
Author: kycheng
Ref: refs/heads/main
Commit: 68a82bc175e642ec1895c9ca50f0c1c6915831db

This commit automatically syncs documentation changes from the source-docs repository.

🔗 View source commit: AlaudaDevops/connectors-operator@68a82bc
🤖 Synced on 2025-07-11 10:23:44 UTC

Author: kycheng

.github/SYNC_INFO.md

@@ -1,15 +1,14 @@
 # Documentation Sync Information
 
-- **Last synced**: 2025-07-08 08:36:32 UTC
+- **Last synced**: 2025-07-11 10:23:44 UTC
 - **Source repository**: alaudadevops/connectors-operator
-- **Source commit**: [610601746c23c75326edb09c81d4d6b642a39d86](https://github.com/alaudadevops/connectors-operator/commit/610601746c23c75326edb09c81d4d6b642a39d86)
+- **Source commit**: [68a82bc175e642ec1895c9ca50f0c1c6915831db](https://github.com/alaudadevops/connectors-operator/commit/68a82bc175e642ec1895c9ca50f0c1c6915831db)
 - **Triggered by**: kycheng
-- **Workflow run**: [#4](https://github.com/alaudadevops/connectors-operator/actions/runs/16138230910)
+- **Workflow run**: [#6](https://github.com/alaudadevops/connectors-operator/actions/runs/16217760440)
 
 ## Files synced:
 - docs/
 - .yarn/
-- doom.config.yml
 - yarn.lock
 - tsconfig.json
 - package.json

docs/en/connectors-oci/concepts/oci_connectorclass.mdx

@@ -149,7 +149,7 @@ status:
   # . . .
   proxy:
     httpAddress:
-      url: http://c-dockerhub-demo.default.svc.cluster.local
+      url: http://dockerhub-demo.default.svc.cluster.local/namespaces/default/connectors/dockerhub-demo
 ```
 
 ### Configuration

docs/en/connectors-oci/how_to/using_oci_connector_in_k8s_job.mdx

@@ -14,7 +14,7 @@ This article will guide you on how to use the OCI Connector to build images with
 When using the OCI Connector within a Kubernetes Job, the following key points should be noted:
 
 - Change the address of the target image being built to the connector's proxy address. [What is the Connector Proxy Address](../concepts/oci_connectorclass.mdx#proxy)
-  - For example: harbor.example.cn/test/abc:v1 -> harbor.default.cluster.local/test/abc:v1
+  - For example: `harbor.example.cn/test/abc:v1` -> `harbor.default.cluster.local/namespaces/<connector-ns>/connectors/<connector-name>/test/abc:v1`
 - Mount the configuration provided by the Connector.
 - Configure `insecure registry` for the client tools.
 
@@ -115,7 +115,7 @@ spec:
       --opt filename=Dockerfile \
       --local context=/workspace \
       --local dockerfile=/workspace \
-      --output type=image,name=c-harbor.default.svc.cluster.local/test/test-cjt:v1,push=true \
+      --output type=image,name=c-harbor.default.svc.cluster.local/namespaces/oci-connector-demo/connectors/oci-connector/test-cjt:v1,push=true \
       --export-cache type=inline
     volumeMounts:
     - name: dockerfile

docs/en/connectors-oci/how_to/using_oci_connector_in_tekton_pipeline.mdx

@@ -14,7 +14,7 @@ This article will teach you how to use the OCI Connector in the `Tekton Pipeline
 When using the OCI Connector in Tekton Pipeline, there are several key points to note:
 
 - The address of the target image to be built is changed to the connector's proxy address.
-  - For example, build-harbor.alauda.cn/test/abc:v1 -> harbor.default.cluster.local/test/abc:v1
+  - For example: `harbor.example.cn/test/abc:v1` -> `harbor.default.cluster.local/namespaces/<connector-ns>/connectors/<connector-name>/test/abc:v1`
 - Mount the configuration provided by the Connector.
 - Configure `insecure registry` for the client tools.
 
@@ -151,7 +151,7 @@ spec:
           configuration.names: "buildkitd"
   params:
     - name: repository
-      value: "c-harbor.default.svc.cluster.local/test/demo:v1" # Push to proxy address
+      value: "c-harbor.default.svc.cluster.local/namespaces/oci-connector-demo/connectors/oci-connector/test/demo:v1" # Push to proxy address
 EOF
 ```
 

docs/en/connectors-oci/how_to/using_oci_connector_in_workload.mdx

@@ -0,0 +1,241 @@
+---
+weight: 60
+---
+
+# Using OCI Connector to Deploy Workloads in a Secretless Way
+
+In a Kubernetes cluster, pulling images from private registries typically requires distributing registry credentials to namespaces, which increases the risk of credential leakage.
+
+The OCI Connector provides a **secretless** solution by acting as a proxy for the registry. This allows users to access private registries without storing long-term passwords or robot tokens in every namespace, thereby maximizing credential security.
+
+This guide demonstrates how to use the OCI Connector to deploy workloads that need to pull images from private OCI registries. The OCI Connector functions as a reverse proxy between your Kubernetes cluster and the OCI registry, handling authentication and image retrieval.
+
+## Feature Overview
+
+When deploying workloads with the OCI Connector, keep the following key points in mind:
+
+- To enable image pulls via the OCI Connector proxy in the Kubernetes runtime, you must configure the ConnectorOCI to expose its service using either NodePort or Ingress. Refer to the [Installation Guide](../../../install) for detailed setup instructions.
+- The image address specified in your workload will be automatically rewritten to point to the OCI Connector proxy. Since the proxy uses HTTP, you must configure the runtime to allow insecure registries.
+- The OCI Connector acts as a reverse proxy for the OCI registry, handling authentication and image pulls on behalf of your workloads.
+- The OCI Connector proxy authenticates clients using their service account tokens, ensuring that only authorized workloads can access the specified connector.
+
+## Prerequisites
+
+- **ConnectorsCore is installed and running in the cluster:** Ensure that ConnectorsCore is deployed in your cluster.
+- **ConnectorOCI is installed and exposed externally (NodePort or Ingress):** Deploy ConnectorOCI and expose it outside the cluster. See the [Installation Guide](../../../install) for details.
+- **Access to a private OCI registry:** You must have valid credentials and access to the target registry.
+- **kubectl configured:** Ensure `kubectl` is installed and configured to access your cluster.
+
+With the OCI Connector, you can securely pull images from private registries in your Kubernetes cluster without storing credentials on the client side. This approach ensures that sensitive credentials are managed centrally and never exposed to individual workloads or users.
+
+The OCI Connector enables seamless, credential-free image pulls for pods by proxying authentication and image requests through a secure, centralized service.
+
+## Overview
+
+The process involves several key steps:
+1. Creating a Connector resource that defines the connection to your OCI registry.
+2. Setting up authentication secrets.
+3. Creating a ServiceAccount token for internal authentication.
+4. Configuring image pull secrets.
+5. Deploying the workload with the appropriate annotations.
+
+## Operational Steps
+
+### Step 1: Create Connector
+
+First, create a namespace for the demo:
+
+```bash
+kubectl create namespace oci-connector-demo
+```
+
+Next, create a Connector resource that defines the connection to your OCI registry. This resource will manage authentication and proxy operations.
+
+```bash
+kubectl apply -n oci-connector-demo -f - <<'EOF'
+apiVersion: connectors.alauda.io/v1alpha1
+kind: Connector
+metadata:
+  name: harbor
+spec:
+  address: https://harbor.example.com # Replace with your OCI registry address
+  auth:
+    name: tokenAuth
+    secretRef:
+      name: harbor-secret
+  connectorClassName: oci
+---
+apiVersion: v1
+stringData: # Replace with actual authentication information
+  password: robotsecret
+  username: robot$demo
+kind: Secret
+metadata:
+  name: harbor-secret
+type: cpaas.io/distribution-registry-token
+EOF
+```
+
+> **Recommendation:** Use a `robot account` for registry access instead of an `admin` account if your OCI registry supports it.
+
+**Explanation:**
+
+- The `Connector` resource defines the connection parameters including the registry address and authentication method
+- The `Secret` resource stores the registry credentials securely
+- The `connectorClassName: oci` specifies that this is an OCI-type connector
+- The `tokenAuth` authentication method is used for token-based authentication
+
+Now, we have created a connector in the namespace `oci-connector-demo`, and the connector status is `Ready`.
+
+```bash
+$ kubectl get connector.connectors -n oci-connector-demo
+NAME     CLASS   ADDRESS                      READY   REASON   AGE
+harbor   oci     https://harbor.example.com   True             30s
+```
+
+### Step 2: Create a ServiceAccount Token
+
+Generate a token for the default ServiceAccount in your namespace:
+
+```bash
+$ kubectl create token default -n oci-connector-demo
+eyJhbGciOiJSUzI1NiIsImtpZCI6xxxximJ0VNVV_GblYvYy3dg...
+```
+
+This token will be used for pulling images through the connector proxy. Any ServiceAccount with permission to access the connector can be used as a pull secret for the pod.
+For more information on Connector resource permissions, see [Connector Scope Permissions](../../connectors/concepts/connector_scope_permissions.html).
+
+**Explanation:**
+- This token will be used to authenticate requests to the connector proxy
+- The token is scoped to the specific namespace (`oci-connector-demo`)
+- Store this token securely as it will be used in the next step
+
+> **Note:** ServiceAccount tokens have an expiration time (default: 1 hour). You can use the `--duration` flag to extend the expiration. For more details, see the [Kubernetes documentation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens).
+
+### Step 3: Create an Image Pull Secret
+
+Create a Docker registry secret using the ServiceAccount token:
+
+```bash
+kubectl create secret docker-registry oci-connector-secret \
+  --docker-server="192.168.x.x:31567" \
+  --docker-username="u" \
+  --docker-password="eyJhbGciOiJSUzI1NiIsImtpZCI6xxxximJ0VNVV_GblYvYy3dg" \
+  --docker-email=xxx@xxxx \
+  --namespace=oci-connector-demo
+```
+
+**Explanation:**
+
+- The `docker-server` points to the connector proxy service address in the cluster, you can get the address from the connector status
+
+```bash
+$ kubectl get connectors.connector harbor -n oci-connector-demo -o jsonpath='{.status.proxy.httpAddress.url}'
+http://192.168.x.x:31567/namespaces/oci-connector-demo/connectors/harbor
+```
+- The `docker-username` is set to "u" (a placeholder username)
+- The `docker-password` uses the Service Account token from the previous step
+- The `docker-email` can be any valid email address (used for Docker registry compatibility)
+
+### Step 4: Patch ServiceAccount with Image Pull Secret
+
+Attach the image pull secret to the ServiceAccount so that pods using this ServiceAccount can automatically use the secret for image pulling.
+
+```bash
+kubectl patch serviceaccount default -n oci-connector-demo -p "{\"imagePullSecrets\": [{\"name\": \"oci-connector-secret\"}]}"
+```
+
+**Explanation:**
+- This command adds the `oci-connector-secret` to the `imagePullSecrets` list of the default ServiceAccount
+- Any pod using this ServiceAccount will automatically use this secret for image pulling
+- This eliminates the need to specify the secret in each pod definition
+
+This ensures that any pod using this ServiceAccount will automatically use the secret for image pulls.
+
+### Step 5: Deploy the Workload
+
+Create a workload (Pod in this example) with the necessary annotations to use the OCI connector.
+
+```bash
+kubectl apply -n oci-connector-demo -f - <<EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  name: oci-connector-pod
+  annotations:
+    connectors.cpaas.io/connector: oci-connector-demo/harbor
+  labels:
+    connectors.cpaas.io/proxy-inject: "true"
+spec:
+  containers:
+    - name: oci-connector-container
+      image: harbor.example.com/oci-connector-demo:v1
+  serviceAccountName: default
+EOF
+```
+
+- The `connectors.cpaas.io/connector` annotation specifies which connector to use (`namespace/connector-name`).
+- The `connectors.cpaas.io/proxy-inject: "true"` label enables proxy injection for this pod.
+- The `image` field should specify your original image address.
+- The `serviceAccountName: default` ensures the pod uses the ServiceAccount with the image pull secret.
+
+### Step 6: Verify Pod Status
+
+After the pod is created, you can see the image address in the pod is rewritten to the connector proxy address.
+
+```bash
+$ kubectl get pod oci-connector-pod -n oci-connector-demo -o jsonpath='{.spec.containers[0].image}'
+# Example output:
+# 192.168.x.x:31567/namespaces/oci-connector-demo/connectors/harbor/oci-connector-demo:v1
+```
+
+Then, check that the pod is running and has successfully pulled the image through the connector proxy:
+
+```bash
+kubectl get pod oci-connector-pod -n oci-connector-demo
+```
+
+**Expected Output:**
+```
+NAME                  READY   STATUS    RESTARTS   AGE
+oci-connector-pod     1/1     Running   0          2m
+```
+
+## Troubleshooting
+
+### Common Issues
+
+1. **Pod stuck in ImagePullBackOff:**
+   - Ensure the connector is properly configured and running.
+   - Verify the ServiceAccount token is valid and not expired.
+   - Confirm the image pull secret is correctly attached to the ServiceAccount.
+
+2. **Authentication failures:**
+   - Check the registry credentials in the `harbor-secret`.
+   - Ensure the connector address is accessible.
+   - Verify the repository parameter matches your actual repository.
+
+3. **Proxy injection not working:**
+   - Confirm the `connectors.cpaas.io/proxy-inject: "true"` label is present.
+   - Check that the connector annotation is correctly formatted.
+   - Ensure the connector exists in the specified namespace.
+
+### Verification Commands
+
+```bash
+# Check connector status
+kubectl get connector.connectors harbor -n oci-connector-demo
+
+# Verify secret exists
+kubectl get secret oci-connector-secret -n oci-connector-demo
+
+# Check ServiceAccount configuration
+kubectl get serviceaccount default -n oci-connector-demo -o yaml
+
+# View pod events for troubleshooting
+kubectl describe pod oci-connector-pod -n oci-connector-demo
+```
+
+## Conclusion
+
+You have now completed the process of using the OCI Connector to deploy workloads in a secretless way. This approach enhances security by centralizing credential management and eliminating the need to distribute sensitive information to individual workloads.

docs/en/connectors-oci/quick_start.mdx

@@ -155,7 +155,7 @@ spec:
           --frontend=dockerfile.v0 \
           --local context=/workspace \
           --local dockerfile=/workspace \
-          --output type=image,name=c-oci-connector.oci-connector-demo.svc.cluster.local/your-username/test-image:v1,push=true
+          --output type=image,name=c-oci-connector.oci-connector-demo.svc.cluster.local/namespaces/oci-connector-demo/connectors/oci-connector/your-username/test-image:v1,push=true
         volumeMounts:
         - name: dockerfile
           mountPath: /workspace
@@ -246,7 +246,7 @@ The connector generates three types of configuration files that serve different
    This configuration is essential for authentication and is required for all container operations.
 
 2. **buildkitd**: Creates a `buildkitd.toml` file that configures BuildKit to trust the insecure registry proxy
-   ```toml
+   ```
    insecure-entitlements = [ "network.host", "security.insecure" ]
    [registry."<proxy-address>"]
      http = true
@@ -311,4 +311,4 @@ After successfully pushing your first image using the OCI Connector, you can:
 - Use the connector in Kubernetes workloads to pull private images
 - Integrate with CI/CD pipelines to build and push images
 - Configure different container tools to work with the connector
-- Use the connector with different registry services
+- Use the connector with different registry services

docs/en/connectors-oci/trouble_shooting/csi_driver_issues.mdx

@@ -178,7 +178,7 @@ kubectl exec <pod-name> -n <namespace> -- cat /etc/buildkit/buildkitd.toml
 
 **Expected configuration elements**:
 
-```toml
+```
 insecure-entitlements = [ "network.host", "security.insecure" ]
 [registry."c-<connector-name>.<namespace>.svc.cluster.local"]
   http = true
@@ -259,4 +259,4 @@ spec:
 - [OCI Connector Quick Start](../quick_start.mdx)
 - [Connector Status Troubleshooting](../../connectors/trouble_shooting/connectors_issues.mdx)
 - [Using OCI Connector in Kubernetes Workloads](../how_to/using_oci_connector_in_k8s.mdx)
-- [Using OCI Connector in Tekton Pipeline](../how_to/using_oci_connector_in_tekton_pipeline.mdx) 
+- [Using OCI Connector in Tekton Pipeline](../how_to/using_oci_connector_in_tekton_pipeline.mdx) 

docs/en/connectors/concepts/connector.mdx

@@ -142,6 +142,26 @@ status:
       url: http://c-harbor.default.svc.cluster.local
 ```
 
+When the ConnectorClass has configured proxy resolver type is `path`, the format of the proxy address is `http://c-{connector-name}.{namespace}.svc.cluster.local/namespaces/{namespace}/connectors/{connector-name}`, where `{path}` is the path of the Connector.
+
+For example, the following example describes a connector with a proxy address:
+
+```yaml
+apiVersion: connectors.alauda.io/v1alpha1
+kind: Connector
+metadata:
+  name: harbor
+  namespace: default
+spec:
+  address: https://example.com
+status:
+ proxy:
+    httpAddress:
+      url: http://c-harbor.default.svc.cluster.local/namespaces/default/connectors/harbor
+```
+
+
+
 ## Status Information
 
 The status information of the Connector is recorded in the `status` field, containing the following content: