feat (backup) : Implement copyOperatorAuthSecret flag with tests

Refactor CopySecret to respect copyOperatorAuthSecret flag and never
overwrite existing user secrets. When flag is false, return error
requiring users to provide their own credentials.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Rohan Kumar <rohaan@redhat.com>

Author: rohanKanojia

controllers/backupcronjob/backupcronjob_controller_test.go

@@ -121,7 +121,8 @@ var _ = Describe("BackupCronJobReconciler", func() {
 							Enable:   pointer.Bool(true),
 							Schedule: "* * * * *",
 							Registry: &controllerv1alpha1.RegistryConfig{
-								Path: "fake-registry",
+								Path:                   "fake-registry",
+								CopyOperatorAuthSecret: pointer.Bool(true),
 							},
 						},
 					},
@@ -148,7 +149,8 @@ var _ = Describe("BackupCronJobReconciler", func() {
 							Enable:   &enabled,
 							Schedule: schedule,
 							Registry: &controllerv1alpha1.RegistryConfig{
-								Path: "fake-registry",
+								Path:                   "fake-registry",
+								CopyOperatorAuthSecret: pointer.Bool(true),
 							},
 						},
 					},
@@ -173,7 +175,8 @@ var _ = Describe("BackupCronJobReconciler", func() {
 							Enable:   &enabled,
 							Schedule: schedule,
 							Registry: &controllerv1alpha1.RegistryConfig{
-								Path: "fake-registry",
+								Path:                   "fake-registry",
+								CopyOperatorAuthSecret: pointer.Bool(true),
 							},
 						},
 					},
@@ -206,7 +209,8 @@ var _ = Describe("BackupCronJobReconciler", func() {
 							Enable:   &enabled,
 							Schedule: schedule1,
 							Registry: &controllerv1alpha1.RegistryConfig{
-								Path: "fake-registry",
+								Path:                   "fake-registry",
+								CopyOperatorAuthSecret: pointer.Bool(true),
 							},
 						},
 					},
@@ -242,7 +246,8 @@ var _ = Describe("BackupCronJobReconciler", func() {
 							Enable:   &enabled,
 							Schedule: schedule1,
 							Registry: &controllerv1alpha1.RegistryConfig{
-								Path: "fake-registry",
+								Path:                   "fake-registry",
+								CopyOperatorAuthSecret: pointer.Bool(true),
 							},
 						},
 					},
@@ -268,7 +273,8 @@ var _ = Describe("BackupCronJobReconciler", func() {
 							Enable:   &enabled,
 							Schedule: schedule,
 							Registry: &controllerv1alpha1.RegistryConfig{
-								Path: "fake-registry",
+								Path:                   "fake-registry",
+								CopyOperatorAuthSecret: pointer.Bool(true),
 							},
 						},
 					},
@@ -303,8 +309,9 @@ var _ = Describe("BackupCronJobReconciler", func() {
 							Enable:   &enabled,
 							Schedule: schedule,
 							Registry: &controllerv1alpha1.RegistryConfig{
-								Path:       "fake-registry",
-								AuthSecret: "non-existent",
+								Path:                   "fake-registry",
+								AuthSecret:             "non-existent",
+								CopyOperatorAuthSecret: pointer.Bool(true),
 							},
 						},
 					},
@@ -335,7 +342,8 @@ var _ = Describe("BackupCronJobReconciler", func() {
 							Enable:   &enabled,
 							Schedule: schedule,
 							Registry: &controllerv1alpha1.RegistryConfig{
-								Path: "fake-registry",
+								Path:                   "fake-registry",
+								CopyOperatorAuthSecret: pointer.Bool(true),
 							},
 							OrasConfig: &controllerv1alpha1.OrasConfig{
 								ExtraArgs: "--extra-arg1",
@@ -392,7 +400,8 @@ var _ = Describe("BackupCronJobReconciler", func() {
 							Schedule:     schedule,
 							BackoffLimit: &backoffLimit,
 							Registry: &controllerv1alpha1.RegistryConfig{
-								Path: "fake-registry",
+								Path:                   "fake-registry",
+								CopyOperatorAuthSecret: pointer.Bool(true),
 							},
 						},
 					},
@@ -428,7 +437,8 @@ var _ = Describe("BackupCronJobReconciler", func() {
 							Enable:   &enabled,
 							Schedule: schedule,
 							Registry: &controllerv1alpha1.RegistryConfig{
-								Path: "fake-registry",
+								Path:                   "fake-registry",
+								CopyOperatorAuthSecret: pointer.Bool(true),
 							},
 						},
 					},
@@ -469,7 +479,8 @@ var _ = Describe("BackupCronJobReconciler", func() {
 							Enable:   &enabled,
 							Schedule: schedule,
 							Registry: &controllerv1alpha1.RegistryConfig{
-								Path: "fake-registry",
+								Path:                   "fake-registry",
+								CopyOperatorAuthSecret: pointer.Bool(true),
 							},
 						},
 					},
@@ -500,8 +511,9 @@ var _ = Describe("BackupCronJobReconciler", func() {
 							Enable:   &enabled,
 							Schedule: schedule,
 							Registry: &controllerv1alpha1.RegistryConfig{
-								Path:       "my-registry:5000",
-								AuthSecret: "my-secret",
+								Path:                   "my-registry:5000",
+								AuthSecret:             "my-secret",
+								CopyOperatorAuthSecret: pointer.Bool(true),
 							},
 						},
 					},
@@ -536,8 +548,9 @@ var _ = Describe("BackupCronJobReconciler", func() {
 							Enable:   &enabled,
 							Schedule: schedule,
 							Registry: &controllerv1alpha1.RegistryConfig{
-								Path:       "my-registry:5000",
-								AuthSecret: "my-secret",
+								Path:                   "my-registry:5000",
+								AuthSecret:             "my-secret",
+								CopyOperatorAuthSecret: pointer.Bool(true),
 							},
 						},
 					},
@@ -572,7 +585,8 @@ var _ = Describe("BackupCronJobReconciler", func() {
 							Enable:   &enabled,
 							Schedule: schedule,
 							Registry: &controllerv1alpha1.RegistryConfig{
-								Path: "fake-registry",
+								Path:                   "fake-registry",
+								CopyOperatorAuthSecret: pointer.Bool(true),
 							},
 							OrasConfig: &controllerv1alpha1.OrasConfig{
 								ExtraArgs: "--extra-arg1",

pkg/secrets/backup.go

@@ -24,12 +24,12 @@ import (
 	"github.com/devfile/devworkspace-operator/pkg/constants"
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/pointer"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-
-	"github.com/devfile/devworkspace-operator/pkg/provision/sync"
 )
 
 // GetRegistryAuthSecret retrieves the registry authentication secret for accessing backup images
@@ -54,8 +54,14 @@ func HandleRegistryAuthSecret(ctx context.Context, c client.Client, workspace *d
 		return nil, nil
 	}
 
+	// Extract flag value (default: false, users must provide their own secret)
+	copyOperatorAuthSecret := pointer.BoolDeref(
+		dwOperatorConfig.Workspace.BackupCronJob.Registry.CopyOperatorAuthSecret,
+		false,
+	)
+
 	// On the restore path (operatorConfigNamespace == ""), look for the predefined name
-	// that CopySecret always uses. On the backup path, look for the configured name
+	// that EnsureRegistryAuthSecret always uses. On the backup path, look for the configured name
 	// because the secret may exist directly in the workspace namespace under that name.
 	lookupName := secretName
 	if operatorConfigNamespace == "" {
@@ -88,13 +94,46 @@ func HandleRegistryAuthSecret(ctx context.Context, c client.Client, workspace *d
 		log.Error(err, "Failed to get registry auth secret for backup job", "secretName", secretName)
 		return nil, err
 	}
-	log.Info("Successfully retrieved registry auth secret for backup job", "secretName", secretName)
-	return CopySecret(ctx, c, workspace, registryAuthSecret, scheme, log)
+	log.Info("Successfully retrieved registry auth secret from operator namespace", "secretName", secretName)
+	return EnsureRegistryAuthSecret(ctx, c, workspace, registryAuthSecret, scheme, log, copyOperatorAuthSecret)
 }
 
-// CopySecret copies the given secret from the operator namespace to the workspace namespace.
-func CopySecret(ctx context.Context, c client.Client, workspace *dw.DevWorkspace, sourceSecret *corev1.Secret, scheme *runtime.Scheme, log logr.Logger) (namespaceSecret *corev1.Secret, err error) {
-	// Construct the desired secret state
+// EnsureRegistryAuthSecret copies the given secret from the operator namespace to the workspace namespace.
+// If copyOperatorAuthSecret is false and the secret doesn't exist, it returns an error.
+// If a secret already exists in the workspace namespace, it is never overwritten.
+func EnsureRegistryAuthSecret(ctx context.Context, c client.Client, workspace *dw.DevWorkspace, sourceSecret *corev1.Secret, scheme *runtime.Scheme, log logr.Logger, copyOperatorAuthSecret bool) (namespaceSecret *corev1.Secret, err error) {
+	// Check if secret already exists (user-provided)
+	existingSecret := &corev1.Secret{}
+	err = c.Get(ctx, client.ObjectKey{
+		Name:      constants.DevWorkspaceBackupAuthSecretName,
+		Namespace: workspace.Namespace,
+	}, existingSecret)
+
+	if err == nil {
+		// User provided their own secret - always respect it, never overwrite
+		log.Info("Using existing registry auth secret from workspace namespace",
+			"secretName", constants.DevWorkspaceBackupAuthSecretName)
+		return existingSecret, nil
+	}
+
+	if client.IgnoreNotFound(err) != nil {
+		return nil, err
+	}
+
+	// Secret doesn't exist - check if we should copy
+	if !copyOperatorAuthSecret {
+		return nil, fmt.Errorf(
+			"registry auth secret %q not found in workspace namespace %q. "+
+				"copyOperatorAuthSecret is set to false, so the operator will not copy the secret. "+
+				"Please manually create a secret of type kubernetes.io/dockerconfigjson with the name %q "+
+				"in the workspace namespace",
+			constants.DevWorkspaceBackupAuthSecretName,
+			workspace.Namespace,
+			constants.DevWorkspaceBackupAuthSecretName,
+		)
+	}
+
+	// copyOperatorAuthSecret is true - create it from operator's secret
 	desiredSecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      constants.DevWorkspaceBackupAuthSecretName,
@@ -111,27 +150,27 @@ func CopySecret(ctx context.Context, c client.Client, workspace *dw.DevWorkspace
 		return nil, err
 	}
 
-	// Use the sync mechanism
-	clusterAPI := sync.ClusterAPI{
-		Client: c,
-		Scheme: scheme,
-		Logger: log,
-		Ctx:    ctx,
-	}
-
-	syncedObj, err := sync.SyncObjectWithCluster(desiredSecret, clusterAPI)
+	// Use direct Create instead of SyncObjectWithCluster to avoid overwrites
+	err = c.Create(ctx, desiredSecret)
 	if err != nil {
-		if _, ok := err.(*sync.NotInSyncError); !ok {
-			return nil, err
+		if k8sErrors.IsAlreadyExists(err) {
+			// Race condition - secret was created between Get and Create
+			// Fetch and return it (respect what's there)
+			if err := c.Get(ctx, client.ObjectKey{
+				Name:      constants.DevWorkspaceBackupAuthSecretName,
+				Namespace: workspace.Namespace,
+			}, existingSecret); err != nil {
+				return nil, err
+			}
+			log.Info("Registry auth secret was created concurrently, using existing secret",
+				"secretName", constants.DevWorkspaceBackupAuthSecretName)
+			return existingSecret, nil
 		}
-		// NotInSyncError means the sync operation was successful but triggered a change
-		log.Info("Successfully synced secret", "name", desiredSecret.Name, "namespace", workspace.Namespace)
-	}
-
-	// If syncedObj is nil (due to NotInSyncError), return the desired object
-	if syncedObj == nil {
-		return desiredSecret, nil
+		return nil, err
 	}
 
-	return syncedObj.(*corev1.Secret), nil
+	log.Info("Created registry auth secret from operator credentials",
+		"secretName", constants.DevWorkspaceBackupAuthSecretName,
+		"namespace", workspace.Namespace)
+	return desiredSecret, nil
 }