fix: add auth self-healing after repeated unlock failures

[pwojciechowski]

Summary

This PR adds bounded auth self-healing to the Bitwarden CRD operator and documents the new tuning option in Helm/root docs.

Problem

In some environments, the operator can enter a persistent auth failure loop:

• You are not logged in.
• Failed to unlock vault
• repeated update_managed_secret failures
  When this happens, periodic retries continue but may not recover without a manual pod restart.

What changed

Auth recovery logic

• Added consecutive auth failure tracking in bitwarden_signin.
• Added configurable threshold via env var:
  • BW_AUTH_FAILURE_THRESHOLD (default: 3)
• When threshold is reached, operator now performs recovery:
  1. clears BW_SESSION
  2. runs bw logout (best effort)
  3. removes local Bitwarden CLI cache file ~/.config/Bitwarden CLI/data.json
  4. retries login + unlock
• Counter resets after successful authentication.

Documentation and chart values

• Added BW_AUTH_FAILURE_THRESHOLD to:
  • root README environment variable table + example
  • chart README example
  • chart values.yaml env snippet comments

Why this approach

• Avoids brittle stderr-string matching for one specific error message.
• Uses deterministic recovery based on repeated auth/unlock failures.
• Improves resilience across multiple poisoned-state scenarios (stale session, broken local CLI state, etc.).

Files changed

• src/bitwardenCrdOperator.py
• tests/test_bitwarden_signin_recovery.py
• README.md
• charts/bitwarden-crd-operator/values.yaml
• charts/bitwarden-crd-operator/README.md

Tests

Added unit tests for:

• success resets failure counter
• below-threshold failures do not trigger recovery
• threshold-triggered recovery path
• recovery clears session + cache file
• unlock failures count toward auth failures
  Local verification run:

ruff check src/bitwardenCrdOperator.py tests/test_bitwarden_signin_recovery.py
python -m unittest discover -s tests
python -m compileall src

[Lerentis]

Hi @pwojciechowski ,
thanks for the PR. i have some minor concerns and then it can get merged.
EDIT: Please make sure to write a changelog in the Chart.yaml and bump the versions there

[Lerentis]

please add back this decorator. we should contain this thread to its own object

[pwojciechowski]

Good catch — I restored @classmethod on ScheduleThread.run

[Lerentis]

this try expect block seems to be used to manage program flow. please refactor it to an if else statement and do not use try expect for that.

[pwojciechowski]

Agreed. I refactored the auth threshold/signin path to explicit return-value and if/else logic. Rookie mistake ;)

[Lerentis]

shouldn't we exit in this case to let kubernetes retry a fresh run?

[pwojciechowski]

Yes, implemented: if auth recovery still fails after threshold + recovery attempt, the operator now logs the failure and exits with sys.exit(1) so Kubernetes restarts it cleanly.

[Lerentis]

@pwojciechowski Please make sure to write a changelog in the Chart.yaml and bump the versions there

[pwojciechowski]

@pwojciechowski Please make sure to write a changelog in the Chart.yaml and bump the versions there

Done. Chart.yaml updated.

[Lerentis]

LGTM

Thanks again for sending this PR