Backup registry auth secret must not be owned by any workspace

[akurinnoy]

What does this PR do?

This PR removes the controller ownerReference from the backup registry auth secret so it is not garbage-collected when a workspace is deleted. Also makes the restore path fall back to copying the secret from the operator namespace when it is missing in the workspace namespace.
The PR includes an ADR documenting why the auth secret must not be owned by any workspace.

What issues does this PR fix or reference?

Fixes https://redhat.atlassian.net/browse/CRW-10760

Is it tested? How?

New unit tests added. Validated manually on CRC cluster (DWO 0.40.1, quay.io private registry):

• Backup job creates auth secret without ownerReferences
• Deleting a workspace does not garbage-collect the auth secret
• Restore path copies the secret from operator namespace when missing

PR Checklist

• E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
  • v8-devworkspace-operator-e2e: DevWorkspace e2e test
  • v8-che-happy-path: Happy path for verification integration with Che

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Fixed backup restoration to properly handle registry authentication secrets, ensuring backups remain accessible even after workspaces are deleted.

• Documentation

  • Added architecture decision record documenting registry authentication secret lifecycle and restoration behavior.

[coderabbitai]

Warning

Rate limit exceeded

@akurinnoy has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 26 minutes and 44 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 57d7efe0-c8a8-485c-83e6-e657724a329e

📥 Commits

Reviewing files that changed from the base of the PR and between b41cdaf and a21d903.

📒 Files selected for processing (2)

• pkg/secrets/backup.go
• pkg/secrets/backup_test.go

📝 Walkthrough

Walkthrough

The PR fixes backup registry auth secret lifecycle management by removing workspace-level ownership references, adding operator-namespace fallback resolution during restore, and validating the changes through updated and new test suites. An ADR documents the architectural decision and problem statement.

Changes

Backup Auth Secret Lifecycle

Layer / File(s)	Summary
Architectural Decision & Problem Statement adr/adr-backup-auth-secret-lifecycle.md	New ADR documents that the backup registry auth secret (devworkspace-backup-registry-auth) is a namespace singleton required for restore after workspace deletion, and should not use workspace-tied ownerReferences. Records the bug (secret garbage-collected when last workspace deleted), the accepted decision (remove SetControllerReference from CopySecret), and alternatives considered.
Secret Lifecycle Implementation Fix pkg/secrets/backup.go	Updated imports: added infrastructure, removed controllerutil. HandleRegistryAuthSecret now resolves operatorConfigNamespace via infrastructure.GetNamespace() when empty; returns error on resolution failure instead of nil, nil. CopySecret removes controllerutil.SetControllerReference() call so the secret is created without ownerReferences while retaining existing create/AlreadyExists race-handling.
Test Coverage for Lifecycle Changes pkg/secrets/backup_test.go	Updated imports to include os and infrastructure for environment variable manipulation. Updated existing suite assertions to expect no OwnerReferences on copied secrets and to expect errors when operator namespace cannot be resolved. New "restore path: fallback to operator namespace" suite verifies HandleRegistryAuthSecret copies the auth secret from operator namespace to workspace namespace when missing. New "CopySecret" suite validates that the function creates secrets without ownerReferences and preserves source secret data and type.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• devfile/devworkspace-operator#1618: Both PRs modify pkg/secrets/backup.go's HandleRegistryAuthSecret/CopySecret logic for copying the registry auth secret between the operator namespace and the workspace namespace, with overlap on the same code paths.
• devfile/devworkspace-operator#1614: Both PRs modify pkg/secrets/backup.go's HandleRegistryAuthSecret restore-path behavior around namespace resolution and error handling.

Suggested labels

lgtm, approved

Suggested reviewers

• rohanKanojia
• dkwon17
• ibuziuk

Poem

🐰 A secret that endured every deed,
No owners tied when spaces recede,
From operator's vault it falls back with grace,
Restoring backups in a namespace's embrace,
No garbage collection shall steal what we need! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and concisely describes the main change: removing the controller owner reference from the backup registry auth secret to prevent garbage collection when workspaces are deleted.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/secrets/backup_test.go`:
- Around line 279-287: BeforeEach currently calls
os.Setenv(infrastructure.WatchNamespaceEnvVar, operatorNS) without checking the
error and AfterEach unconditionally calls os.Unsetenv; instead, in BeforeEach
capture the prior value with os.LookupEnv, set the env using os.Setenv and
handle any error (fail the test via the test framework), and in AfterEach
restore the original state: if the prior value existed, call
os.Setenv(originalKey, originalVal) and check the error, otherwise call
os.Unsetenv and check the error; reference the BeforeEach/AfterEach blocks and
the use of infrastructure.WatchNamespaceEnvVar and operatorNS to locate where to
add the lookup, error checks, and restoration logic.

In `@pkg/secrets/backup.go`:
- Around line 64-69: The code currently swallows namespace resolution failures
by returning nil, nil when infrastructure.GetNamespace() returns an error;
update the error path in pkg/secrets/backup.go so that when nsErr != nil you
return the error (or a wrapped error) instead of nil, nil, and ensure
operatorConfigNamespace is only set after a successful GetNamespace() call;
reference GetNamespace(), nsErr, and operatorConfigNamespace to locate and fix
the failing branch so restore fails fast with a clear cause.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a4ce1a03-5397-4980-a568-430bf14ef1e2

📥 Commits

Reviewing files that changed from the base of the PR and between 1e949fc and 925f3bb.

📒 Files selected for processing (3)

• docs/adr-backup-auth-secret-lifecycle.md
• pkg/secrets/backup.go
• pkg/secrets/backup_test.go

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

pkg/secrets/backup_test.go (1)

286-287: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Handle and assert errors from env mutation calls.

os.Setenv / os.Unsetenv errors are still ignored in setup/teardown, which breaks errcheck and weakens test isolation guarantees.

#!/bin/bash
# Verify unchecked env mutation calls in this test file
rg -n -C2 'os\.(Setenv|Unsetenv)\(' pkg/secrets/backup_test.go

As per coding guidelines, "Don't ignore errors. Always handle or propagate errors explicitly."

Also applies to: 290-294

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/secrets/backup_test.go` around lines 286 - 287, The test currently
ignores errors from os.Setenv/os.Unsetenv (e.g., the call setting
infrastructure.WatchNamespaceEnvVar to operatorNS), which fails errcheck; update
the test to either use t.Setenv(...) (preferred) or check the returned error and
call t.Fatalf/require.NoError to fail the test on failure, and do the same for
the corresponding Unsetenv calls (and other occurrences around the same block at
the 290-294 region). Ensure you reference the environment variable symbol
infrastructure.WatchNamespaceEnvVar and the operatorNS value when updating the
setup/teardown so errors are handled/asserted.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/secrets/backup_test.go`:
- Around line 120-129: The test is flaky because it assumes WATCH_NAMESPACE is
unset and real infrastructure detection; make it deterministic by explicitly
setting the env var to an empty string (or saving and restoring it) within the
test and by initializing test infrastructure via
infrastructure.InitializeForTesting() so the test does not consult real
environment/infrastructure; update the spec around the call to
secrets.HandleRegistryAuthSecret (and helper calls makeWorkspace/makeConfig if
needed) to call infrastructure.InitializeForTesting() at start and ensure
WATCH_NAMESPACE is explicitly cleared/controlled for the duration of the test,
restoring prior state afterwards.

In `@pkg/secrets/backup.go`:
- Around line 63-69: The code resolves operatorConfigNamespace unconditionally
which causes failures even when no auth is needed; change the logic so
infrastructure.GetNamespace() is only called when AuthSecret is non-empty: wrap
the operatorConfigNamespace resolution inside the branch that checks
cfg.AuthSecret (or AuthSecret variable) and only attempt to resolve/set
operatorConfigNamespace when AuthSecret != ""; apply the same change for the
later block that currently resolves namespace (the code around
operatorConfigNamespace and infrastructure.GetNamespace) so anonymous (no-auth)
flows skip namespace resolution entirely.

---

Duplicate comments:
In `@pkg/secrets/backup_test.go`:
- Around line 286-287: The test currently ignores errors from
os.Setenv/os.Unsetenv (e.g., the call setting
infrastructure.WatchNamespaceEnvVar to operatorNS), which fails errcheck; update
the test to either use t.Setenv(...) (preferred) or check the returned error and
call t.Fatalf/require.NoError to fail the test on failure, and do the same for
the corresponding Unsetenv calls (and other occurrences around the same block at
the 290-294 region). Ensure you reference the environment variable symbol
infrastructure.WatchNamespaceEnvVar and the operatorNS value when updating the
setup/teardown so errors are handled/asserted.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d993c0c2-89ec-4642-997c-d9ed96e27aa5

📥 Commits

Reviewing files that changed from the base of the PR and between 925f3bb and 7189cc3.

📒 Files selected for processing (3)

• docs/adr-backup-auth-secret-lifecycle.md
• pkg/secrets/backup.go
• pkg/secrets/backup_test.go

✅ Files skipped from review due to trivial changes (1)

• docs/adr-backup-auth-secret-lifecycle.md

[rohanKanojia]

This seems like an implementation proposal document. Is it meant to be committed?

[akurinnoy]

Yes, it's intentional. I want to start filing ADRs (Architecture Decision Record) for non-trivial changes so both humans and AI agents can find the motivation behind decisions without digging through PR history.

Do you think ADRs like this are useful to keep in repo?

cc @dkwon17 @btjd

[rohanKanojia]

Umm, I think it's okay to keep it, but not in docs/ directory. I think docs/ should only contain user-facing documentation.

[akurinnoy]

Right, but what about docs/adr/? Or, you prefer adr/ in the project root?

[rohanKanojia]

I'm okay with adr/ in project root, but let's wait for others to comment too.

[akurinnoy]

ADR moved to a separate PR: #1633. The discussion about ADR directory placement continues there.

[rohanKanojia]

I tested it and it works as expected:

Secret doesn't get cleaned up after DevWorkspace deletion:

NAME                              READY   STATUS    RESTARTS   AGE
devworkspace-backup-v6dkf-c9cds   0/1     Pending   0          0s
devworkspace-backup-v6dkf-c9cds   0/1     Pending   0          0s
devworkspace-backup-v6dkf-c9cds   0/1     Pending   0          0s
devworkspace-backup-v6dkf-c9cds   0/1     ContainerCreating   0          0s
devworkspace-backup-v6dkf-c9cds   0/1     ContainerCreating   0          1s
devworkspace-backup-v6dkf-c9cds   1/1     Running             0          36s
devworkspace-backup-v6dkf-c9cds   0/1     Completed           0          40s
devworkspace-backup-v6dkf-c9cds   0/1     Completed           0          41s
devworkspace-backup-v6dkf-c9cds   0/1     Completed           0          42s
^C%                                                                                                                                                        ╭─      ~/go/src/github.com/devfile/devworkspace-operator   pullRequest1631 ≢  ?12  39          1.25.9   1m 30.239s   ERROR  09:23:45  ─╮
╰─ oc get secret                                                                                                                                         ─╯
NAME                                                              TYPE                             DATA   AGE
builder-dockercfg-zs945                                           kubernetes.io/dockercfg          1      2d20h
default-dockercfg-tkszl                                           kubernetes.io/dockercfg          1      2d20h
deployer-dockercfg-5r658                                          kubernetes.io/dockercfg          1      2d20h
devworkspace-backup-registry-auth                                 kubernetes.io/dockerconfigjson   1      7m47s
devworkspace-job-runner-workspace92915-96bf4d15-dockercfg-9wdp8   kubernetes.io/dockercfg          1      47s
workspace92915cbcc2ff44c7-sa-dockercfg-xszsb                      kubernetes.io/dockercfg          1      101s
╭─      ~/go/src/github.com/devfile/devworkspace-operator   pullRequest1631 ≢  ?12  39                             1.25.9     09:23:47  ─╮
╰─ oc get dw                                                                                                                                             ─╯
NAME                       DEVWORKSPACE ID             PHASE     INFO
test-workspace-with-copy   workspace92915cbcc2ff44c7   Stopped   Stopped
╭─      ~/go/src/github.com/devfile/devworkspace-operator   pullRequest1631 ≢  ?12  39                             1.25.9     09:23:51  ─╮
╰─ oc delete dw test-workspace-with-copy                                                                                                                 ─╯
devworkspace.workspace.devfile.io "test-workspace-with-copy" deleted
╭─      ~/go/src/github.com/devfile/devworkspace-operator   pullRequest1631 ≢  ?12  39                             1.25.9     09:23:56  ─╮
╰─ oc get secret devworkspace-backup-registry-auth                                                                                                       ─╯
NAME                                TYPE                             DATA   AGE
devworkspace-backup-registry-auth   kubernetes.io/dockerconfigjson   1      8m1s
╭─      ~/go/src/github.com/devfile/devworkspace-operator   pullRequest1631 ≢  ?12  39                             1.25.9     09:24:01  ─╮
╰─ oc get secret devworkspace-backup-registry-auth -o yaml                                                                                               ─╯
apiVersion: v1
data:
  .dockerconfigjson: REDACTED
kind: Secret
metadata:
  creationTimestamp: "2026-05-14T03:46:00Z"
  labels:
    controller.devfile.io/watch-secret: "true"
  name: devworkspace-backup-registry-auth
  namespace: test-workspace-copy
  resourceVersion: "253651"
  uid: d8c8c273-b348-4b2c-a234-75fa6b64c3ba
type: kubernetes.io/dockerconfigjson

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: akurinnoy, rohanKanojia
Once this PR has been reviewed and has the lgtm label, please assign dkwon17 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

New changes are detected. LGTM label has been removed.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@adr/adr-backup-auth-secret-lifecycle.md`:
- Around line 89-91: Update the Neutral section to remove the incorrect claim
that CopySecret (and SyncObjectWithCluster) will overwrite existing secrets;
instead state that CopySecret explicitly avoids modifying existing secrets and
will fetch and return them as-is, so secrets created by older DWO versions will
keep their stale ownerReference until explicitly replaced or deleted by other
logic. Mention the CopySecret function name and that there is no
SyncObjectWithCluster call modifying existing secrets to make the correction
precise.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 62ea655f-5662-4e9d-bdb0-9cac39ce3a6a

📥 Commits

Reviewing files that changed from the base of the PR and between 7189cc3 and b41cdaf.

📒 Files selected for processing (1)

• adr/adr-backup-auth-secret-lifecycle.md

[tolusha]

Hi! I'm che-ai-assistant — I help with your pull requests.

Available commands:

• /che-ai-assistant generate-che-doc — Generate a documentation PR based on this PR's changes
• /che-ai-assistant ok-pr-review — Run a comprehensive PR review (summary, code review, deep review, impact analysis)
• /che-ai-assistant help — Show this help message

[akurinnoy]

The ADR discussion from this PR continues in #1633, which introduces the ADR framework to the project.

[akurinnoy]

/che-ai-assistant ok-pr-review