fix: fall back to canonical backup auth secret name on restore (#1614)

* fix: fall back to canonical backup auth secret name on restore

When CopySecret writes an auth secret into the workspace namespace, it
always uses DevWorkspaceBackupAuthSecretName ("devworkspace-backup-registry-auth")
regardless of what name the admin configured (e.g. "quay-backup-auth").

GetNamespaceRegistryAuthSecret (the restore path) calls HandleRegistryAuthSecret
with operatorConfigNamespace="" and looked only for the configured name, found
nothing, and returned nil — leaving the workspace-restore init container without
credentials and causing CrashLoopBackOff on private registries.

Fix: when operatorConfigNamespace is empty and the configured name is not found,
attempt a second Get using the canonical DevWorkspaceBackupAuthSecretName. Skip
the extra lookup when the configured name already equals the canonical name to
avoid a redundant API call. Propagate any non-NotFound error from the fallback.

Assisted-by: Claude Sonnet 4.6 (1M context)
Signed-off-by: Oleksii Kurinnyi <okurinny@redhat.com>

* fixup! fix: fall back to canonical backup auth secret name on restore

fixup\! fix: fall back to canonical backup auth secret name on restore

Address review feedback:
- Use canonical DevWorkspaceBackupAuthSecretName for workspace NS lookup
  directly instead of falling back (dkwon17)
- Remove unused secretGR variable and schema import (rohanKanojia)

Assisted-by: Claude Opus 4.6 (1M context)
Signed-off-by: Oleksii Kurinnyi <okurinny@redhat.com>

* fixup! fixup! fix: fall back to canonical backup auth secret name on restore

fixup\! fixup\! fix: fall back to canonical backup auth secret name on restore

Use canonical name only on restore path, keep configured name on backup path

Assisted-by: Claude Opus 4.6 (1M context)
Signed-off-by: Oleksii Kurinnyi <okurinny@redhat.com>

* fixup! fixup! fixup! fix: fall back to canonical backup auth secret name on restore

fixup\! fixup\! fixup\! fix: fall back to canonical backup auth secret name on restore

Replace "canonical" with "predefined" throughout

Assisted-by: Claude Opus 4.6 (1M context)
Signed-off-by: Oleksii Kurinnyi <okurinny@redhat.com>

---------

Signed-off-by: Oleksii Kurinnyi <okurinny@redhat.com>

Author: akurinnoy

pkg/secrets/backup.go

@@ -54,19 +54,27 @@ func HandleRegistryAuthSecret(ctx context.Context, c client.Client, workspace *d
 		return nil, nil
 	}
 
-	// First check the workspace namespace for the secret
+	// On the restore path (operatorConfigNamespace == ""), look for the predefined name
+	// that CopySecret always uses. On the backup path, look for the configured name
+	// because the secret may exist directly in the workspace namespace under that name.
+	lookupName := secretName
+	if operatorConfigNamespace == "" {
+		lookupName = constants.DevWorkspaceBackupAuthSecretName
+	}
+
 	registryAuthSecret := &corev1.Secret{}
 	err := c.Get(ctx, client.ObjectKey{
-		Name:      secretName,
+		Name:      lookupName,
 		Namespace: workspace.Namespace}, registryAuthSecret)
 	if err == nil {
-		log.Info("Successfully retrieved registry auth secret for backup from workspace namespace", "secretName", secretName)
+		log.Info("Successfully retrieved registry auth secret for backup from workspace namespace",
+			"secretName", lookupName)
 		return registryAuthSecret, nil
 	}
 	if client.IgnoreNotFound(err) != nil {
 		return nil, err
 	}
-	// If we don't provide an operator namespace, don't attempt to look there
+	// If we don't provide an operator namespace, don't attempt to look there.
 	if operatorConfigNamespace == "" {
 		return nil, nil
 	}

pkg/secrets/backup_test.go

@@ -0,0 +1,164 @@
+//
+// Copyright (c) 2019-2026 Red Hat, Inc.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package secrets_test
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	dwv2 "github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha2"
+	controllerv1alpha1 "github.com/devfile/devworkspace-operator/apis/controller/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+
+	"github.com/devfile/devworkspace-operator/pkg/constants"
+	"github.com/devfile/devworkspace-operator/pkg/secrets"
+)
+
+func TestSecrets(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Secrets Suite")
+}
+
+// buildScheme returns a minimal runtime.Scheme for tests: core v1 and the DWO API types.
+func buildScheme() *runtime.Scheme {
+	scheme := runtime.NewScheme()
+	Expect(corev1.AddToScheme(scheme)).To(Succeed())
+	Expect(dwv2.AddToScheme(scheme)).To(Succeed())
+	Expect(controllerv1alpha1.AddToScheme(scheme)).To(Succeed())
+	return scheme
+}
+
+// makeWorkspace returns a minimal DevWorkspace in the given namespace.
+func makeWorkspace(namespace string) *dwv2.DevWorkspace {
+	return &dwv2.DevWorkspace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-workspace",
+			Namespace: namespace,
+		},
+	}
+}
+
+// makeConfig returns an OperatorConfiguration with BackupCronJob configured to use the given auth secret name.
+func makeConfig(authSecretName string) *controllerv1alpha1.OperatorConfiguration {
+	return &controllerv1alpha1.OperatorConfiguration{
+		Workspace: &controllerv1alpha1.WorkspaceConfig{
+			BackupCronJob: &controllerv1alpha1.BackupCronJobConfig{
+				Registry: &controllerv1alpha1.RegistryConfig{
+					Path:       "example.registry.io/org",
+					AuthSecret: authSecretName,
+				},
+			},
+		},
+	}
+}
+
+// makeSecret returns a corev1.Secret with the given name and namespace.
+func makeSecret(name, namespace string) *corev1.Secret {
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+		},
+		Data: map[string][]byte{"auth": []byte("dXNlcjpwYXNz")},
+		Type: corev1.SecretTypeDockerConfigJson,
+	}
+}
+
+var _ = Describe("HandleRegistryAuthSecret (restore path: operatorConfigNamespace='')", func() {
+	const workspaceNS = "user-namespace"
+
+	var (
+		ctx    context.Context
+		scheme *runtime.Scheme
+		log    = zap.New(zap.UseDevMode(true)).WithName("SecretsTest")
+	)
+
+	BeforeEach(func() {
+		ctx = context.Background()
+		scheme = buildScheme()
+	})
+
+	It("returns the predefined secret when it exists in the workspace namespace", func() {
+		By("creating the predefined DevWorkspaceBackupAuthSecretName secret in the workspace namespace")
+		predefinedSecret := makeSecret(constants.DevWorkspaceBackupAuthSecretName, workspaceNS)
+
+		fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(predefinedSecret).Build()
+		workspace := makeWorkspace(workspaceNS)
+		config := makeConfig("quay-backup-auth")
+
+		result, err := secrets.HandleRegistryAuthSecret(ctx, fakeClient, workspace, config, "", scheme, log)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(result).NotTo(BeNil())
+		Expect(result.Name).To(Equal(constants.DevWorkspaceBackupAuthSecretName))
+	})
+
+	It("returns nil when the predefined secret does not exist in the workspace namespace", func() {
+		By("using a fake client with no secrets")
+		fakeClient := fake.NewClientBuilder().WithScheme(scheme).Build()
+		workspace := makeWorkspace(workspaceNS)
+		config := makeConfig("quay-backup-auth")
+
+		result, err := secrets.HandleRegistryAuthSecret(ctx, fakeClient, workspace, config, "", scheme, log)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(result).To(BeNil())
+	})
+
+	It("propagates a non-NotFound error from the workspace namespace lookup", func() {
+		By("wrapping a fake client so that the predefined name lookup returns a server error")
+		errClient := &errorOnNameClient{
+			Client:   fake.NewClientBuilder().WithScheme(scheme).Build(),
+			failName: constants.DevWorkspaceBackupAuthSecretName,
+			failErr:  k8sErrors.NewInternalError(errors.New("simulated etcd timeout")),
+		}
+		workspace := makeWorkspace(workspaceNS)
+		config := makeConfig("quay-backup-auth")
+
+		result, err := secrets.HandleRegistryAuthSecret(ctx, errClient, workspace, config, "", scheme, log)
+		Expect(err).To(HaveOccurred())
+		Expect(result).To(BeNil())
+		Expect(err.Error()).To(ContainSubstring("simulated etcd timeout"))
+	})
+})
+
+// errorOnNameClient is a thin client wrapper that injects an error for a specific secret name.
+type errorOnNameClient struct {
+	client.Client
+	failName string
+	failErr  error
+}
+
+func (e *errorOnNameClient) Get(ctx context.Context, key client.ObjectKey, obj client.Object, opts ...client.GetOption) error {
+	if secret, ok := obj.(*corev1.Secret); ok {
+		_ = secret
+		if key.Name == e.failName {
+			return e.failErr
+		}
+	}
+	return e.Client.Get(ctx, key, obj, opts...)
+}
+
+// Ensure errorOnNameClient satisfies client.Client at compile time.
+var _ client.Client = &errorOnNameClient{}