[Feature] make OCIR secret namespace configurable (#323)

* making secret namespace configurable

* changes with respect to review comments

Author: denismakogon

docs/configuration.adoc

@@ -205,10 +205,10 @@ Refer to {uri-topology}[topology] for more thorough examples.
 
 The {uri-oci-authtoken}#[Auth Token] must first be manually created and stored in {uri-oci-secret}#[OCI Secret in Vault]. It will subsequently be used to create a Kubernetes secret, which can then be used as an imagePullSecrets in a deployment. If you do not need to use private OCIR repositories, then leave the *secret_id* parameter empty. Refer to the {uri-instructions}#creating-a-secret-for-ocir[instructions] for how to create the Auth Token and the Secret in Vault.
 
-The secret is created in the kube-system namespace. To copy it to your namespace, use the following command:
+The secret is created in the "default" namespace. To copy it to your namespace, use the following command:
 
 ----
-kubectl --namespace=kube-system get secret ocirsecret --export -o yaml | kubectl apply --namespace=<newnamespace> -f -
+kubectl --namespace=default get secret ocirsecret --export -o yaml | kubectl apply --namespace=<newnamespace> -f -
 ----
 
 {uri-terraform-options}#ocir[Reference]

locals.tf

@@ -141,6 +141,7 @@ locals {
     secret_id     = var.secret_id
     secret_name   = var.secret_name
     username      = var.username
+    secret_ns     = var.secret_ns
   }
 
   calico = {

modules/oke/scripts/secret.py

@@ -15,6 +15,7 @@
 secret_name     = '${secret_name}'
 tenancy_namespace    = '${tenancy_namespace}'
 username        = '${username}'
+namespace       = '${secret_ns}'
 
 signer = oci.auth.signers.InstancePrincipalsSecurityTokenSigner()
 
@@ -35,11 +36,21 @@ def read_secret_value(secret_client, secret_id):
 try:
     secret_content = read_secret_value(secret_client, secret_id=secret_id)
     secret_content = re.escape(secret_content)
-    delsecret = "kubectl -n default delete secret ${secret_name}"
+    delsecret = "kubectl -n ${secret_ns} delete secret ${secret_name}"
     os.system(delsecret)
 
-    crtsecret = ("kubectl create secret docker-registry ${secret_name} -n default --docker-server=${region_registry} --docker-username=${tenancy_namespace}/${username} --docker-email=${email_address} --docker-password=%s" % secret_content)
-
+    # TODO: keep an eye on the k8s API changes, make sure
+    #  that a new k8s version has this version, if not - update this template.
+    create_namespace = f"""
+    cat <<EOF | kubectl apply -f -
+    apiVersion: v1
+    kind: Namespace
+    metadata:
+      name: {namespace}
+    """
+    subprocess.call(["/bin/bash" , "-c" , create_namespace])
+
+    crtsecret = ("kubectl create secret docker-registry ${secret_name} --namespace ${secret_ns} --docker-server=${region_registry} --docker-username=${tenancy_namespace}/${username} --docker-email=${email_address} --docker-password=%s" % secret_content)
     subprocess.call(["/bin/bash" , "-c" , crtsecret])
 
 except Exception as e:

modules/oke/secrets.tf

@@ -14,7 +14,7 @@ data "template_file" "secret" {
     secret_name       = var.oke_ocir.secret_name
     tenancy_namespace = data.oci_objectstorage_namespace.object_storage_namespace.namespace
     username          = var.oke_ocir.username
-
+    secret_ns         = var.oke_ocir.secret_ns
   }
   count = local.post_provisioning_ops == true && var.oke_ocir.secret_id != "none" ? 1 : 0
 }

modules/oke/variables.tf

@@ -85,6 +85,7 @@ variable "oke_ocir" {
     secret_id     = string
     secret_name   = string
     username      = string
+    secret_ns     = string
   })
 }
 

terraform.tfvars.example

@@ -258,6 +258,8 @@ secret_name = "ocirsecret"
 
 username = ""
 
+secret_ns = "default"
+
 # calico
 calico_enabled = false
 calico_version = "3.19"

variables.tf

@@ -531,6 +531,12 @@ variable "username" {
   type        = string
 }
 
+variable "secret_ns" {
+  default     = "default"
+  description = "the k8s namespace for a secret."
+  type        = string
+}
+
 # calico
 variable "calico_enabled" {
   description = "whether to install calico for network pod security policy"