fix: fall back to canonical backup auth secret name on restore

[akurinnoy]

What does this PR do?

When a workspace is backed up to a private registry, CopySecret copies the registry auth secret into the workspace namespace using a hardcoded name (devworkspace-backup-registry-auth), regardless of the name configured in the DWOC. During restore, GetNamespaceRegistryAuthSecret looks for the configured name, doesn't find it, and returns nil - so the workspace-restore init container has no credentials and crashes with CrashLoopBackOff.

This PR adds a fallback lookup in HandleRegistryAuthSecret: when called from the restore path (operatorConfigNamespace == ""), if the configured secret name is not found in the workspace namespace, it also
checks for the canonical devworkspace-backup-registry-auth name that CopySecret always uses.

Note: This is a surgical workaround. See #1615 for a root-cause fix that changes the secret naming in CopySecret instead.

What issues does this PR fix or reference?

CRW-10591

Is it tested? How?

New unit tests added.

PR Checklist

• E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
  • v8-devworkspace-operator-e2e: DevWorkspace e2e test
  • v8-che-happy-path: Happy path for verification integration with Che

Summary by CodeRabbit

• Bug Fixes

  • Improved registry authentication secret fallback logic to enhance reliability when the configured secret is unavailable.

• Tests

  • Added comprehensive test coverage for registry authentication secret handling and fallback behavior.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: akurinnoy
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

📝 Walkthrough

Walkthrough

The HandleRegistryAuthSecret function in backup.go is enhanced with a fallback lookup mechanism. When no operator config namespace is provided and the configured secret name differs from the canonical name, the function attempts to retrieve the secret using the canonical name from the workspace namespace. Corresponding test coverage validates this new behavior.

Changes

Cohort / File(s)	Summary
Secret Fallback Lookup Implementation pkg/secrets/backup.go	Added conditional fallback logic to HandleRegistryAuthSecret: when configured secret is not found in workspace namespace and its name differs from the canonical constant, the function attempts to retrieve the secret using the canonical name. Returns nil, nil immediately if configured name already equals canonical name.
Fallback Lookup Test Suite pkg/secrets/backup_test.go	New comprehensive test file with five test cases validating: configured secret retrieval, fallback to canonical secret name, handling missing secrets, avoiding duplicate lookups when names match, and error propagation from failed fallback attempts. Includes test helpers for DevWorkspace, OperatorConfiguration, and Secret objects.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A secret once lost finds a second chance,
With fallback names in a nimble dance,
When configs don't guide the way,
Canonical paths save the day,
And tests ensure none take a wrong advance! 🔐

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding a fallback to the canonical backup auth secret name during the restore operation.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

pkg/secrets/backup_test.go (1)

146-159: “No duplicate query” is not actually asserted.

The test name claims query deduplication, but current assertions only check returned secret correctness. Consider either renaming the test or instrumenting Get call counting to assert the single-lookup behavior explicitly.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/secrets/backup_test.go` around lines 146 - 159, The test claims "no
duplicate query" but never asserts Get call count; update the test to assert a
single Get by replacing or wrapping the fakeClient with a small counting
decorator that implements client.Client and increments a counter inside its Get
method, then call secrets.HandleRegistryAuthSecret and
Expect(counter).To(Equal(1)); reference the used symbols: fakeClient (or the
decorated client), secrets.HandleRegistryAuthSecret, and
constants.DevWorkspaceBackupAuthSecretName so the instrumentation targets the
same fake client used in the test. Ensure all other client methods delegate to
the underlying fake.NewClientBuilder().WithScheme(...).WithObjects(...).Build()
instance.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/secrets/backup_test.go`:
- Around line 146-159: The test claims "no duplicate query" but never asserts
Get call count; update the test to assert a single Get by replacing or wrapping
the fakeClient with a small counting decorator that implements client.Client and
increments a counter inside its Get method, then call
secrets.HandleRegistryAuthSecret and Expect(counter).To(Equal(1)); reference the
used symbols: fakeClient (or the decorated client),
secrets.HandleRegistryAuthSecret, and constants.DevWorkspaceBackupAuthSecretName
so the instrumentation targets the same fake client used in the test. Ensure all
other client methods delegate to the underlying
fake.NewClientBuilder().WithScheme(...).WithObjects(...).Build() instance.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e89b05c2-703d-43b0-80d8-9c0b7f09c772

📥 Commits

Reviewing files that changed from the base of the PR and between fcee0cd and c9f7339.

📒 Files selected for processing (2)

• pkg/secrets/backup.go
• pkg/secrets/backup_test.go

[dkwon17]

Since workspace namespace's secret name is always constants.DevWorkspaceBackupAuthSecretName, should we do the following? :

Suggested change

	Name: constants.DevWorkspaceBackupAuthSecretName ,