fix: restore init container uses configured registry auth secret name

[akurinnoy]

What does this PR do?

When a workspace is backed up to a private registry, CopySecret hardcodes the name of the copied auth secret as devworkspace-backup-registry-auth, regardless of the name configured in the DWOC. During restore, GetNamespaceRegistryAuthSecret looks only in the workspace namespace for the configured name and passes an empty operator namespace - so it never finds anything, mounts no credentials, and the workspace-restore init container crashes with CrashLoopBackOff.

This PR fixes the root cause:

• CopySecret now takes a secretName parameter and uses it instead of the hardcoded constant, so the copy in the
  workspace namespace gets the correct name
• HandleRegistryAuthSecret passes the configured name through to CopySecret
• GetNamespaceRegistryAuthSecret gains an operatorConfigNamespace parameter so the restore path can look up the operator namespace and copy the secret with the right name

Old copies named devworkspace-backup-registry-auth created by previous backups become orphaned but are owned by the workspace and will be garbage-collected when the workspace is deleted.

Note: This is the root-cause fix. See #1614 for a more conservative fallback-only approach that avoids changing the CopySecret signature.

What issues does this PR fix or reference?

CRW-10591

Is it tested? How?

New unit tests added.

PR Checklist

• E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
  • v8-devworkspace-operator-e2e: DevWorkspace e2e test
  • v8-che-happy-path: Happy path for verification integration with Che

Summary by CodeRabbit

• Refactor

  • Improved namespace handling for workspace restore and backup flows to reliably locate registry auth secrets.
  • Backup now uses the configured auth secret name instead of a legacy hardcoded name.

• Tests

  • Added comprehensive tests covering secret lookup, fallback behavior, and copy semantics.

• Bug Fixes

  • Fixed error handling when operator namespace lookup fails.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: akurinnoy
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: be9f5b8f-8d9c-4741-b698-81472f457d93

📥 Commits

Reviewing files that changed from the base of the PR and between 4e0f7e2 and 7c3743c.

📒 Files selected for processing (1)

• pkg/constants/metadata.go

💤 Files with no reviewable changes (1)

• pkg/constants/metadata.go

---

📝 Walkthrough

Walkthrough

GetWorkspaceRestoreInitContainer now resolves the operator namespace via infrastructure.GetNamespace() and passes it into secrets.GetNamespaceRegistryAuthSecret; secrets functions were updated to accept an operator-config namespace and a configurable secret name, and tests were added to validate the new flows and naming.

Changes

Cohort / File(s)	Summary
Restore Logic pkg/library/restore/restore.go	Resolve operator namespace with infrastructure.GetNamespace() and pass it to secrets.GetNamespaceRegistryAuthSecret(...); add error return when namespace lookup fails.
Secrets Backup Logic pkg/secrets/backup.go	GetNamespaceRegistryAuthSecret gains operatorConfigNamespace string parameter; CopySecret gains secretName string parameter and uses it when creating the namespace secret instead of the removed hardcoded constant. Fallback lookup in operator namespace remains conditional on non-empty operator namespace.
Secrets Backup Tests pkg/secrets/backup_test.go	New Ginkgo/Gomega tests covering CopySecret, HandleRegistryAuthSecret, and GetNamespaceRegistryAuthSecret, validating configured secret naming, operator-namespace fallback, and end-to-end copy behavior.
Constants pkg/constants/metadata.go	Removed exported constant DevWorkspaceBackupAuthSecretName (previous hardcoded backup registry auth secret name).

Sequence Diagram(s)

sequenceDiagram
    participant Restore as Restore Module
    participant Infra as infrastructure.GetNamespace
    participant Secrets as secrets.GetNamespaceRegistryAuthSecret
    participant Handler as secrets.HandleRegistryAuthSecret
    participant K8s as Kubernetes API (client)

    Restore->>Infra: resolve operator namespace
    Infra-->>Restore: operator namespace (or error)
    Restore->>Secrets: GetNamespaceRegistryAuthSecret(workspace, operatorConfigNamespace)
    Secrets->>Handler: HandleRegistryAuthSecret(workspace, operatorConfigNamespace, secretName)
    Handler->>K8s: Get secret in workspace namespace
    alt secret found in workspace
        K8s-->>Handler: secret
        Handler-->>Secrets: return secret
    else secret missing in workspace
        Handler->>K8s: Get secret in operatorConfigNamespace (if non-empty)
        alt found in operator namespace
            K8s-->>Handler: operator secret
            Handler->>K8s: Create copy in workspace namespace with configured secretName
            K8s-->>Handler: created secret
            Handler-->>Secrets: return copied secret
        else not found
            K8s-->>Handler: not found
            Handler-->>Secrets: return error
        end
    end
    Secrets-->>Restore: secret or error

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• Restoring workspaces does not use pull secret #1607 — The change passes resolved operator namespace into GetNamespaceRegistryAuthSecret and makes secret naming configurable, addressing the failure to mount non-legacy-named pull secrets for the workspace-restore init container.

Poem

🐰 I hopped through namespaces, snuck secrets in tow,
I swapped out hardcodes for names that can grow,
From infra to restore, the path is now clear,
Copies and tests make the flow reappear,
A little rabbit cheers: "Config, forward—let's go!" 🎉

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main change: the restore init container now uses a configured registry auth secret name instead of a hardcoded value.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

pkg/library/restore/restore.go (1)

118-123: Avoid failing restore when operator namespace lookup is unavailable

If infrastructure.GetNamespace() fails, restore now exits early even when the registry auth secret may already exist in the workspace namespace. Consider degrading gracefully (pass empty operator namespace and continue) so lookup still works in the workspace namespace path.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/library/restore/restore.go` around lines 118 - 123, The code currently
returns an error when infrastructure.GetNamespace() fails, causing the restore
to abort instead of attempting to find the registry auth secret in the workspace
namespace; change the error path to degrade gracefully by setting
operatorNamespace to an empty string and continuing (optionally log a warning)
before calling secrets.GetNamespaceRegistryAuthSecret(ctx, k8sClient,
workspace.DevWorkspace, workspace.Config, operatorNamespace, scheme, log) so
that the secret lookup still proceeds using the workspace namespace path.

pkg/secrets/backup_test.go (1)

197-207: Align test name with actual expectation

The test title says “returns nil, nil” but the assertion expects an error. Renaming the test to reflect nil, error will avoid confusion during failure triage.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/secrets/backup_test.go` around lines 197 - 207, Rename the test
description for the It block that calls secrets.HandleRegistryAuthSecret so it
accurately reflects the assertions: change the title from "returns nil, nil when
operator namespace is given but secret is in neither namespace" to something
like "returns nil and an error when operator namespace is given but secret is in
neither namespace" so the test name matches the expectation that result is nil
and err is non-nil; update only the string passed to It(...) in the test
containing the HandleRegistryAuthSecret invocation and its
Expect(err).To(HaveOccurred()) / Expect(result).To(BeNil()) assertions.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/library/restore/restore.go`:
- Around line 118-123: The code currently returns an error when
infrastructure.GetNamespace() fails, causing the restore to abort instead of
attempting to find the registry auth secret in the workspace namespace; change
the error path to degrade gracefully by setting operatorNamespace to an empty
string and continuing (optionally log a warning) before calling
secrets.GetNamespaceRegistryAuthSecret(ctx, k8sClient, workspace.DevWorkspace,
workspace.Config, operatorNamespace, scheme, log) so that the secret lookup
still proceeds using the workspace namespace path.

In `@pkg/secrets/backup_test.go`:
- Around line 197-207: Rename the test description for the It block that calls
secrets.HandleRegistryAuthSecret so it accurately reflects the assertions:
change the title from "returns nil, nil when operator namespace is given but
secret is in neither namespace" to something like "returns nil and an error when
operator namespace is given but secret is in neither namespace" so the test name
matches the expectation that result is nil and err is non-nil; update only the
string passed to It(...) in the test containing the HandleRegistryAuthSecret
invocation and its Expect(err).To(HaveOccurred()) / Expect(result).To(BeNil())
assertions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 01d1190b-a173-4528-b151-cec9f07bfa0f

📥 Commits

Reviewing files that changed from the base of the PR and between fcee0cd and 4e0f7e2.

📒 Files selected for processing (3)

• pkg/library/restore/restore.go
• pkg/secrets/backup.go
• pkg/secrets/backup_test.go