HELM-728: Persist secrets for Helm upgrade

[sowmya-sl]

Analysis / Root cause:
Helm releases are installed via URL charts which use authentication. This authentication is stored as a generic secret. But this is not persisted during upgrade, which leads to upgrade failing.
Solution description:

The secret for authentication is added as a metadata for the Helm release. So while upgrade, it is fetched and used for authentication.

Summary by Coderabbit

• New Features

  • Chart installations now record a reference to stored basic-auth credentials

• Bug Fixes

  • Improved basic-auth handling for installing and upgrading charts from URLs
  • Persisted user credentials are automatically reapplied during upgrades, avoiding manual re-entry

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Walkthrough

This PR refactors basic-auth credential handling in Helm chart operations across install, get, and upgrade flows. A new RegistryClientSetter interface and refactored auth helpers establish a consistent credential-application contract. The install and get operations apply these helpers with chart metadata annotation support. The upgrade operation extends this pattern to detect and re-apply persisted credentials when present.

Changes

Helm basic-auth credential lifecycle

Layer / File(s)	Summary
RegistryClientSetter interface and imports pkg/helm/actions/install_chart.go	Adds Helm registry import, the helmAuthSecretAnnotation constant, and RegistryClientSetter interface to allow injecting an OCI registry client.
Auth helper refactor, install/get usage, and chart annotation pkg/helm/actions/install_chart.go, pkg/helm/actions/get_chart.go	Refactors applyBasicAuthFromUserCredentials to accept *action.ChartPathOptions and a RegistryClientSetter, sets ChartPathOptions auth fields, builds an OCI registry client via GetOCIRegistry, calls the setter, updates InstallChartFromURL and GetChartFromURL to use the new signature, and records the basic-auth secret name into chart metadata via addAuthSecretAnnotation.
Upgrade: re-apply persisted credentials pkg/helm/actions/upgrade_release.go	UpgradeReleaseAsync reads helmAuthSecretAnnotation from the release chart, fetches stored credentials via GetUserCredentials when present, and attempts to apply them to the upgrade's ChartPathOptions using the refactored helper; credential retrieval/application failures are logged with klog and do not abort the upgrade.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant InstallChartFromURL
  participant applyBasicAuthFromUserCredentials
  participant GetOCIRegistry
  participant cmd_SetRegistryClient
  Client->>InstallChartFromURL: request install from URL
  InstallChartFromURL->>applyBasicAuthFromUserCredentials: pass &ChartPathOptions, cmd (setter), credentials
  applyBasicAuthFromUserCredentials->>GetOCIRegistry: GetOCIRegistry(auth)
  GetOCIRegistry-->>applyBasicAuthFromUserCredentials: registry.Client
  applyBasicAuthFromUserCredentials->>cmd_SetRegistryClient: SetRegistryClient(registry.Client)

  participant UpgradeReleaseAsync
  participant GetUserCredentials
  Client->>UpgradeReleaseAsync: request upgrade
  UpgradeReleaseAsync->>UpgradeReleaseAsync: read helmAuthSecretAnnotation
  UpgradeReleaseAsync->>GetUserCredentials: fetch credentials
  GetUserCredentials-->>UpgradeReleaseAsync: credentials
  UpgradeReleaseAsync->>applyBasicAuthFromUserCredentials: apply to ChartPathOptions

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• openshift/console#16360: Implements the same Helm chart URL basic-auth feature by plumbing Kubernetes basic_auth_secret_name through the helm/URL install/get/upgrade flow and applying secret-provided username/password to Helm/OCI chart retrieval.

Suggested reviewers

• martinszuc
• sg00dwin
• jseseCCS

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR modifies helm/actions files but uses standard Go testing, not Ginkgo framework. No Ginkgo tests (It/Describe/Context/When) exist in the codebase.
Test Structure And Quality	✅ Passed	PR contains no Ginkgo tests; all tests use standard Go testing package. Check requires Ginkgo test review, which is not applicable here.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR; changes are limited to backend Helm action source files and existing unit tests using Go's testing package.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR modifies only backend Helm code. No new Ginkgo e2e tests added; package uses standard Go unit testing.
Topology-Aware Scheduling Compatibility	✅ Passed	PR is not applicable to topology-aware scheduling check: changes are pure Go utility functions for Helm authentication/OCI registry handling with no deployment manifests or scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	klog calls added are inside regular functions called from HTTP handlers, not process-level code. klog defaults to stderr output, not stdout.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. Changes are only to backend implementation files for Helm chart operations. Check not applicable.
Title check	✅ Passed	The title 'HELM-728: Persist secrets for Helm upgrade' directly corresponds to the main objective of persisting authentication secrets during Helm upgrades, which is the primary change across all three modified files.
Description check	✅ Passed	The description provides analysis of the root cause (secrets not persisted during upgrade) and solution description (adding secret reference as metadata). However, it omits required template sections including test setup, test cases, browser conformance, and reviewers/assignees.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sowmya-sl

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/helm/OWNERS [sowmya-sl]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/helm/actions/upgrade_release.go (1)

225-245: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Re-add the auth-secret annotation to the upgraded chart.

When chartUrl is set, loader.Load gives you a fresh chart object. This code restores chart_url but never writes back helm.openshift.io/auth-secret, so the upgraded release drops the secret reference and the next upgrade can no longer rehydrate credentials.

Suggested fix

 	// Ensure chart URL is properly set in the upgrade chart
+	if ch.Metadata == nil {
+		ch.Metadata = &chart.Metadata{}
+	}
+	if ch.Metadata.Annotations == nil {
+		ch.Metadata.Annotations = make(map[string]string)
+	}
 	if chartUrl != "" {
-		if ch.Metadata.Annotations == nil {
-			ch.Metadata.Annotations = make(map[string]string)
-		}
 		ch.Metadata.Annotations["chart_url"] = chartUrl
 	}
+	addAuthSecretAnnotation(ch, auth_secret)
 	if auth_secret != "" {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/helm/actions/upgrade_release.go` around lines 225 - 245, The upgrade
logic restores the chart_url annotation on the freshly loaded chart (chartUrl ->
ch.Metadata.Annotations["chart_url"]) but never re-adds the persisted
auth-secret annotation, so upgraded releases lose the
"helm.openshift.io/auth-secret" reference; fix by, when auth_secret != "" and
after ensuring ch.Metadata.Annotations is non-nil, set
ch.Metadata.Annotations["helm.openshift.io/auth-secret"] = auth_secret (the same
place where you already set "chart_url" and where you call
GetUserCredentials/applyBasicAuthFromUserCredentials) so the secret reference is
preserved across upgrades.

🧹 Nitpick comments (1)

pkg/helm/actions/upgrade_release.go (1)

233-240: ⚡ Quick win

Use repo-standard klog levels here.

The "found persisted auth secret" message is debug-level, while credential lookup failures should be logged as errors instead of Infof.

Suggested fix

-		klog.Infof("Found persisted auth secret %s for release %s/%s, applying credentials for upgrade", auth_secret, releaseNamespace, releaseName)
+		klog.V(4).Infof("Found persisted auth secret for release %s/%s, applying credentials for upgrade", releaseNamespace, releaseName)
 		userCredentials, err := GetUserCredentials(coreClient, releaseNamespace, auth_secret)
 		if err != nil {
-			klog.Infof("Failed to get user credentials for release upgrade %s/%s: %v", releaseNamespace, releaseName, err)
+			klog.Errorf("Failed to get user credentials for release upgrade %s/%s: %v", releaseNamespace, releaseName, err)

As per coding guidelines, "Use klog with appropriate levels (V(4) for debug, Error, Fatal) for Go logging".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/helm/actions/upgrade_release.go` around lines 233 - 240, The log level
usage is inconsistent: change the "Found persisted auth secret ..." Infof to a
debug-level call using klog.V(4).Infof, and change the GetUserCredentials
failure log from klog.Infof to klog.Errorf so credential lookup failures are
logged as errors; keep the existing klog.Errorf for
applyBasicAuthFromUserCredentials as-is. Update the logging calls near
GetUserCredentials, auth_secret, releaseNamespace, releaseName, and
applyBasicAuthFromUserCredentials accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/helm/actions/upgrade_release.go`:
- Around line 232-245: UpgradeReleaseAsync currently calls
client.ChartPathOptions.LocateChart before applying persisted auth, so private
OCI/direct chart fetch can’t use the credentials; move the block that checks
auth_secret and calls GetUserCredentials + applyBasicAuthFromUserCredentials to
run before the call to client.ChartPathOptions.LocateChart. Keep the same error
handling/logging (klog.Infof on GetUserCredentials failure, klog.Errorf on apply
failure) and ensure you reference the same variables (auth_secret,
releaseNamespace, releaseName, client.ChartPathOptions) so LocateChart runs with
the applied credentials.

---

Outside diff comments:
In `@pkg/helm/actions/upgrade_release.go`:
- Around line 225-245: The upgrade logic restores the chart_url annotation on
the freshly loaded chart (chartUrl -> ch.Metadata.Annotations["chart_url"]) but
never re-adds the persisted auth-secret annotation, so upgraded releases lose
the "helm.openshift.io/auth-secret" reference; fix by, when auth_secret != ""
and after ensuring ch.Metadata.Annotations is non-nil, set
ch.Metadata.Annotations["helm.openshift.io/auth-secret"] = auth_secret (the same
place where you already set "chart_url" and where you call
GetUserCredentials/applyBasicAuthFromUserCredentials) so the secret reference is
preserved across upgrades.

---

Nitpick comments:
In `@pkg/helm/actions/upgrade_release.go`:
- Around line 233-240: The log level usage is inconsistent: change the "Found
persisted auth secret ..." Infof to a debug-level call using klog.V(4).Infof,
and change the GetUserCredentials failure log from klog.Infof to klog.Errorf so
credential lookup failures are logged as errors; keep the existing klog.Errorf
for applyBasicAuthFromUserCredentials as-is. Update the logging calls near
GetUserCredentials, auth_secret, releaseNamespace, releaseName, and
applyBasicAuthFromUserCredentials accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 0e4c0f55-cdf2-4023-8777-ae5444398f6a

📥 Commits

Reviewing files that changed from the base of the PR and between e466d37 and 19338e5.

📒 Files selected for processing (3)

• pkg/helm/actions/get_chart.go
• pkg/helm/actions/install_chart.go
• pkg/helm/actions/upgrade_release.go

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/helm/actions/upgrade_release.go (1)

225-245: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Re-add the auth-secret annotation to the upgraded chart.

auth_secret is read from the previous release, but the new chart metadata only writes chart_url. After this upgrade, the next revision loses helm.openshift.io/auth-secret, so a subsequent private upgrade can no longer recover the persisted credentials.

💡 Minimal fix

 	// Ensure chart URL is properly set in the upgrade chart
-	if chartUrl != "" {
-		if ch.Metadata.Annotations == nil {
-			ch.Metadata.Annotations = make(map[string]string)
-		}
+	if ch.Metadata == nil {
+		ch.Metadata = &chart.Metadata{}
+	}
+	if ch.Metadata.Annotations == nil {
+		ch.Metadata.Annotations = make(map[string]string)
+	}
+	if chartUrl != "" {
 		ch.Metadata.Annotations["chart_url"] = chartUrl
 	}
+	addAuthSecretAnnotation(ch, auth_secret)
 	if auth_secret != "" {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/helm/actions/upgrade_release.go` around lines 225 - 245, The upgraded
chart currently only writes chart_url and omits persisting auth_secret, causing
future revisions to lose helm.openshift.io/auth-secret; modify the upgrade logic
(around chartUrl, ch.Metadata.Annotations, auth_secret handling) to ensure
ch.Metadata.Annotations is initialized whenever either chartUrl or auth_secret
is non-empty and set both ch.Metadata.Annotations["chart_url"] = chartUrl (if
present) and ch.Metadata.Annotations["helm.openshift.io/auth-secret"] =
auth_secret (if present); keep the existing
GetUserCredentials/applyBasicAuthFromUserCredentials flow unchanged.

🧹 Nitpick comments (1)

pkg/helm/actions/upgrade_release.go (1)

232-240: ⚡ Quick win

Use V(4)/Errorf for these klog calls.

The “found persisted auth secret” message is debug-level noise, while the credential lookup failure is an error path. Infof for both does not match the repo’s logging rule.

💡 Suggested change

-		klog.Infof("Found persisted auth secret %s for release %s/%s, applying credentials for upgrade", auth_secret, releaseNamespace, releaseName)
+		klog.V(4).Infof("Found persisted auth secret %s for release %s/%s, applying credentials for upgrade", auth_secret, releaseNamespace, releaseName)
 		userCredentials, err := GetUserCredentials(coreClient, releaseNamespace, auth_secret)
 		if err != nil {
-			klog.Infof("Failed to get user credentials for release upgrade %s/%s: %v", releaseNamespace, releaseName, err)
+			klog.Errorf("Failed to get user credentials for release upgrade %s/%s: %v", releaseNamespace, releaseName, err)

As per coding guidelines, `Use klog with appropriate levels (V(4) for debug, Error, Fatal) for Go logging`.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/helm/actions/upgrade_release.go` around lines 232 - 240, Replace the
inappropriate Info-level logs around auth secret handling: change the "Found
persisted auth secret ..." klog.Infof to debug-level klog.V(4).Infof, and change
the credential lookup failure log inside the GetUserCredentials error branch
from klog.Infof to klog.Errorf; the functions/vars to edit are auth_secret,
GetUserCredentials, applyBasicAuthFromUserCredentials, and the klog calls shown
in the snippet so the debug message is V(4) and lookup failures are logged as
errors.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@pkg/helm/actions/upgrade_release.go`:
- Around line 225-245: The upgraded chart currently only writes chart_url and
omits persisting auth_secret, causing future revisions to lose
helm.openshift.io/auth-secret; modify the upgrade logic (around chartUrl,
ch.Metadata.Annotations, auth_secret handling) to ensure ch.Metadata.Annotations
is initialized whenever either chartUrl or auth_secret is non-empty and set both
ch.Metadata.Annotations["chart_url"] = chartUrl (if present) and
ch.Metadata.Annotations["helm.openshift.io/auth-secret"] = auth_secret (if
present); keep the existing GetUserCredentials/applyBasicAuthFromUserCredentials
flow unchanged.

---

Nitpick comments:
In `@pkg/helm/actions/upgrade_release.go`:
- Around line 232-240: Replace the inappropriate Info-level logs around auth
secret handling: change the "Found persisted auth secret ..." klog.Infof to
debug-level klog.V(4).Infof, and change the credential lookup failure log inside
the GetUserCredentials error branch from klog.Infof to klog.Errorf; the
functions/vars to edit are auth_secret, GetUserCredentials,
applyBasicAuthFromUserCredentials, and the klog calls shown in the snippet so
the debug message is V(4) and lookup failures are logged as errors.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 3467ec1d-cfbb-47ad-a798-2dc23b6c5a34

📥 Commits

Reviewing files that changed from the base of the PR and between 19338e5 and f08c6e8.

📒 Files selected for processing (3)

• pkg/helm/actions/get_chart.go
• pkg/helm/actions/install_chart.go
• pkg/helm/actions/upgrade_release.go

[openshift-ci-robot]

@sowmya-sl: This pull request references HELM-728 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Analysis / Root cause:
Helm releases are installed via URL charts which use authentication. This authentication is stored as a generic secret. But this is not persisted during upgrade, which leads to upgrade failing.
Solution description:

The secret for authentication is added as a metadata for the Helm release. So while upgrade, it is fetched and used for authentication.

Summary by Coderabbit

• New Features

• Chart installations now record a reference to stored basic-auth credentials

• Bug Fixes

• Improved basic-auth handling for installing and upgrading charts from URLs

• Persisted user credentials are automatically reapplied during upgrades, avoiding manual re-entry

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@sowmya-sl: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-console	f08c6e8	link	true	/test e2e-gcp-console

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[martinszuc]

Should the sync UpgradeRelease path also read helmAuthSecretAnnotation here?

[martinszuc]

Should helmAuthSecretAnnotation also be written here alongside chart_url? My thinking is that on a second upgrade, the annotation would already be gone from the stored release, so the secret lookup would fail. Could be wrong though, curious what you think. I have not tested out the changes myself.