FIX - Server passes secret prefixes to ingestion

[pmbrull]

Describe your changes:

Reverting #25236

Type of change:

• Bug fix
• Improvement
• New feature
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation

Checklist:

• I have read the CONTRIBUTING document.
• My PR title is Fixes <issue-number>: <short explanation>
• I have commented on my code, particularly in hard-to-understand areas.
• For JSON Schema changes: I updated the migration scripts or explained why it is not needed.

---

Summary by Gitar

• Secrets manager fix:
  • decryptPasswordFields() only Fernet-decrypts, returns secret:/ references unchanged
• Hybrid SaaS support:
  • Server skips fetching customer secrets; ingestion resolves in customer environment
• Regression test:
  • Added test verifying external secret references aren't fetched server-side

_{This will update automatically on new commits.}

---

[gitar-bot]

🔍 CI failure analysis for 4dc6570: CI failures include: (1) CRITICAL - Collate compilation error from removed API method, (2) Python test failures (3.10 & 3.11) - identical failures unrelated to PR, (3) Java integration test failures unrelated to PR, and (4) Multiple Playwright UI test failures/flaky tests unrelated to PR.

Issue

Multiple CI failures detected across different test suites:

1. Collate Repository Compilation Failure (maven-collate-ci) - CRITICAL ⚠️

The openmetadata-collate repository continues to fail compilation. This is the ONLY blocking issue directly caused by this PR.

Compilation errors:

[ERROR] QueryRunnerTokenManager.java:[453,63] cannot find symbol
  symbol:   method decryptSecretIfNeeded(java.lang.String)
  location: class org.openmetadata.service.secrets.SecretsManager

[ERROR] QueryRunnerOAuthServlet.java:[701,55] cannot find symbol
  symbol:   method decryptSecretIfNeeded(java.lang.String)
  location: class org.openmetadata.service.secrets.SecretsManager

2. Python Ingestion Test Failures - Unrelated to PR

Consistent across Python 3.10 and 3.11 (identical failures):

py-run-tests (3.10) - Job 61476947497:

• Unit tests: 3683 passed, 0 failed (100% pass rate)
• Integration tests: 2 failed, 531 passed, 21 skipped (99.6% pass rate)

py-run-tests (3.11) - Job 61478274144:

• Unit tests: 3683 passed, 0 failed (100% pass rate)
• Integration tests: 2 failed, 531 passed, 21 skipped (99.6% pass rate)

Same 2 failed tests in both Python versions:

• ingestion/tests/integration/auto_classification/test_tag_processor.py::test_it_returns_the_expected_classifications
• ingestion/tests/integration/s3/test_s3_storage.py::test_s3_ingestion

Also noted: PostgreSQL pg_stat_statements errors, AWS STS API version mismatches

3. Java Integration Test Failures - Unrelated to PR

integration-tests-mysql-elasticsearch:

• 8458 tests: 1 failure, 1 error, 433 skipped (99.98% pass rate)
• UserResourceIT.test_listUsersWithAdminFilter:629
• DashboardResourceIT.checkIndexCreated:3726

integration-tests-postgres-opensearch:

• 8458 tests: 1 failure, 0 errors, 433 skipped (99.99% pass rate)
• UserResourceIT.test_listUsersWithAdminFilter:629

4. Playwright UI Test Failures - Unrelated to PR

playwright-ci-postgresql (2, 6):

• 554 passed, 1 failed, 6 flaky, 3 skipped (98.9% pass rate)

playwright-ci-postgresql (3, 6):

• 587 passed, 2 failed, 6 flaky, 1 skipped (98.5% pass rate)

Total: 12 flaky tests explicitly marked by test runner

Root Cause Analysis

Collate Compilation Failure (Critical - ONLY PR-Related Failure)

This PR removes the decryptSecretIfNeeded() method from SecretsManager.java as part of reverting PR #25236. The Collate repository depends on this public API method, creating a breaking change.

All Other Test Failures (NOT Related to PR)

These failures are NOT caused by this PR because:

1. This PR ONLY modifies:

   • SecretsManager.java (Java backend secrets management)
   • AWSSecretsManagerTest.java (Java secrets manager tests)
   • values-k8s-test.yaml (minor helm port change)
   • ZERO Python files modified
   • ZERO UI files modified
   • ZERO user/search/classification code modified

2. Python test failures are consistent:

   • Exact same 2 tests fail in both Python 3.10 and Python 3.11
   • Not version-specific bugs, suggests pre-existing issues
   • Auto-classification and S3 storage tests completely unrelated to Java secrets manager

3. Very high pass rates indicate isolated issues:

   • Python integration: 99.6% pass rate (531/533 across both versions)
   • Java integration: 99.98-99.99% pass rate
   • Playwright: 98.5-98.9% pass rate

4. Unrelated functional areas: All failing tests are in areas NOT touched by this PR's Java backend secrets manager changes

Summary Statistics

Total CI failures: 22 across all jobs

• PR-related: 1 (Collate compilation - 4.5% of all failures)
• Unrelated: 21 test failures (95.5% of all failures)
  • 4 Python test failures (2 tests × 2 Python versions)
  • 2 Java integration test failures
  • 3 Playwright test failures
  • 12 Playwright flaky tests

Key insight: This PR only changes Java secrets manager backend code, yet 95.5% of failures are in completely different areas (Python ingestion, UI, user management, search, classification).

Code Review ✅ Approved

Clean revert that correctly restores the behavior where the server only performs Fernet decryption and leaves external secret references for the ingestion client to resolve. The added test properly validates this behavior.

Rules ✅ All requirements met

Gitar Rules

✅ Summary Enhancement: Technical summary present and accurate for current changes

_{2 rules not applicable. Show all rules by commenting gitar display:verbose.}

Tip

Comment Gitar fix CI or enable auto-apply: gitar auto-apply:on

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change:

Auto-apply	Compact
gitar auto-apply:on	gitar display:verbose

_{Was this helpful? React with 👍 / 👎 | Gitar}