Fixes incorrect namespace issue when creating secret for OCIR (#272)

hyder · web-flow · commit bf9a49282ad8 · 2021-04-07T09:13:38.000+10:00
* updated default kubernetes version to v1.18.10, fixed deprecated interpolation-only expressions

* now looking object storage namespace for ocirsecret instead of having to pass as variable

* updated description for tenancy id
diff --git a/docs/terraformoptions.adoc b/docs/terraformoptions.adoc
@@ -613,11 +613,6 @@ Refer to {uri-topology}[topology] for more thorough examples.
 |
 |none
 
-|`tenancy_name`
-|The *_name_* of the tenancy to be used when creating the Docker secret.  This is different from tenancy_id. *Required* if secret_id is set.
-|
-|none
-
 |`username`
 |The username that can login to the selected tenancy. This is different from tenancy_id. *Required* if secret_id is set.
 |
diff --git a/locals.tf b/locals.tf
@@ -121,12 +121,11 @@ locals {
   }
 
   oke_ocir = {
-    email_address = var.email_address
-    ocir_urls     = var.ocir_urls
-    secret_id     = var.secret_id
-    secret_name   = var.secret_name
-    tenancy_name  = var.tenancy_name
-    username      = var.username
+    email_address     = var.email_address
+    ocir_urls         = var.ocir_urls
+    secret_id         = var.secret_id
+    secret_name       = var.secret_name
+    username          = var.username
   }
 
   oke_kms = {
diff --git a/modules/oke/datasources.tf b/modules/oke/datasources.tf
@@ -10,3 +10,7 @@ data "oci_containerengine_node_pools" "all_node_pools" {
 data "oci_containerengine_node_pool_option" "node_pool_options" {
   node_pool_option_id = oci_containerengine_cluster.k8s_cluster.id
 }
+
+# retrieve for creating ocir secret
+data "oci_objectstorage_namespace" "object_storage_namespace" {
+}
diff --git a/modules/oke/scripts/secret.py b/modules/oke/scripts/secret.py
@@ -13,7 +13,7 @@
 region_registry = '${region_registry}'
 secret_id       = '${secret_id}'
 secret_name     = '${secret_name}'
-tenancy_name    = '${tenancy_name}'
+tenancy_namespace    = '${tenancy_namespace}'
 username        = '${username}'
 
 signer = oci.auth.signers.InstancePrincipalsSecurityTokenSigner()
@@ -38,7 +38,7 @@ def read_secret_value(secret_client, secret_id):
     delsecret = "kubectl -n default delete secret ${secret_name}"
     os.system(delsecret)
 
-    crtsecret = ("kubectl create secret docker-registry ${secret_name} -n default --docker-server=${region_registry} --docker-username=${tenancy_name}/${username} --docker-email=${email_address} --docker-password=%s" % secret_content)
+    crtsecret = ("kubectl create secret docker-registry ${secret_name} -n default --docker-server=${region_registry} --docker-username=${tenancy_namespace}/${username} --docker-email=${email_address} --docker-password=%s" % secret_content)
 
     subprocess.call(["/bin/bash" , "-c" , crtsecret])
  
diff --git a/modules/oke/secrets.tf b/modules/oke/secrets.tf
@@ -1,55 +1,55 @@
 # # Copyright 2017, 2019, Oracle Corporation and/or affiliates.  All rights reserved.
 # # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
- data "template_file" "secret" {
-   template = file("${path.module}/scripts/secret.py")
-
-   vars = {
-     compartment_id  = var.compartment_id
-     region          = var.region
-
-     email_address   = var.oke_ocir.email_address
-     region_registry = var.oke_ocir.ocir_urls[var.region]
-     secret_id       = var.oke_ocir.secret_id
-     secret_name     = var.oke_ocir.secret_name
-     tenancy_name    = var.oke_ocir.tenancy_name
-     username        = var.oke_ocir.username
-
-   }
-   count = var.oke_operator.operator_enabled == true && var.oke_operator.operator_instance_principal == true && var.oke_ocir.secret_id != "none" ? 1 : 0
- }
-
- resource null_resource "secret" {
-   triggers = {
+data "template_file" "secret" {
+  template = file("${path.module}/scripts/secret.py")
+
+  vars = {
+    compartment_id = var.compartment_id
+    region         = var.region
+
+    email_address     = var.oke_ocir.email_address
+    region_registry   = var.oke_ocir.ocir_urls[var.region]
+    secret_id         = var.oke_ocir.secret_id
+    secret_name       = var.oke_ocir.secret_name
+    tenancy_namespace = data.oci_objectstorage_namespace.object_storage_namespace.namespace
+    username          = var.oke_ocir.username
+
+  }
+  count = var.oke_operator.operator_enabled == true && var.oke_operator.operator_instance_principal == true && var.oke_ocir.secret_id != "none" ? 1 : 0
+}
+
+resource null_resource "secret" {
+  triggers = {
     secret_id = var.oke_ocir.secret_id
   }
-   connection {
-     host        = var.oke_operator.operator_private_ip
-     private_key = file(var.oke_ssh_keys.ssh_private_key_path)
-     timeout     = "40m"
-     type        = "ssh"
-     user        = "opc"
-
-     bastion_host        = var.oke_operator.bastion_public_ip
-     bastion_user        = "opc"
-     bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path)
-   }
-
-   depends_on = [null_resource.write_kubeconfig_on_operator]
-
-   provisioner "file" {
-     content     = data.template_file.secret[0].rendered
-     destination = "~/secret.py"
-   }
-
-   provisioner "remote-exec" {
-     inline = [
-       "chmod +x $HOME/secret.py",
-       "$HOME/secret.py",
-       "sleep 10",
-       "rm -f $HOME/secret.py"
-     ]
-   }
-
-   count = var.oke_operator.operator_enabled == true && var.oke_operator.operator_instance_principal == true && var.oke_ocir.secret_id != "none" ? 1 : 0
- }
+  connection {
+    host        = var.oke_operator.operator_private_ip
+    private_key = file(var.oke_ssh_keys.ssh_private_key_path)
+    timeout     = "40m"
+    type        = "ssh"
+    user        = "opc"
+
+    bastion_host        = var.oke_operator.bastion_public_ip
+    bastion_user        = "opc"
+    bastion_private_key = file(var.oke_ssh_keys.ssh_private_key_path)
+  }
+
+  depends_on = [null_resource.write_kubeconfig_on_operator]
+
+  provisioner "file" {
+    content     = data.template_file.secret[0].rendered
+    destination = "~/secret.py"
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      "chmod +x $HOME/secret.py",
+      "$HOME/secret.py",
+      "sleep 10",
+      "rm -f $HOME/secret.py"
+    ]
+  }
+
+  count = var.oke_operator.operator_enabled == true && var.oke_operator.operator_instance_principal == true && var.oke_ocir.secret_id != "none" ? 1 : 0
+}
diff --git a/modules/oke/variables.tf b/modules/oke/variables.tf
@@ -73,12 +73,11 @@ variable "lbs" {
 # ocir
 variable "oke_ocir" {
   type = object({
-    email_address = string
-    ocir_urls     = map(string)
-    secret_id     = string
-    secret_name   = string
-    tenancy_name  = string
-    username      = string
+    email_address     = string
+    ocir_urls         = map(string)
+    secret_id         = string
+    secret_name       = string
+    username          = string
   })
 }
 
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
@@ -186,8 +186,6 @@ secret_id = "none"
 
 secret_name = "ocirsecret"
 
-tenancy_name = ""
-
 username = ""
 
 # calico
diff --git a/variables.tf b/variables.tf
@@ -19,7 +19,7 @@ variable "region" {
 }
 
 variable "tenancy_id" {
-  description = "The tenancy id in which to create the sources."
+  description = "The tenancy id in which to create the resources."
   type        = string
 }
 
@@ -435,12 +435,6 @@ variable "secret_name" {
   default     = "ocirsecret"
 }
 
-variable "tenancy_name" {
-  default     = "none"
-  description = "The tenancy name to use when creating the ocir secret."
-  type        = string
-}
-
 variable "username" {
   default     = "none"
   description = "The username to access OCIR."

Original file line number	Diff line number	Diff line change
`@@ -613,11 +613,6 @@ Refer to {uri-topology}[topology] for more thorough examples.`
`613`	`613`	`\|`
`614`	`614`	`\|none`
`615`	`615`
`616`		-\|`tenancy_name`
`617`		`-\|The _name_ of the tenancy to be used when creating the Docker secret. This is different from tenancy_id. Required if secret_id is set.`
`618`		`-\|`
`619`		`-\|none`
`620`		`-`
`621`	`616`	\|`username`
`622`	`617`	`\|The username that can login to the selected tenancy. This is different from tenancy_id. Required if secret_id is set.`
`623`	`618`	`\|`
Original file line number	Diff line number	Diff line change
`@@ -10,3 +10,7 @@ data "oci_containerengine_node_pools" "all_node_pools" {`
`10`	`10`	`data "oci_containerengine_node_pool_option" "node_pool_options" {`
`11`	`11`	`node_pool_option_id = oci_containerengine_cluster.k8s_cluster.id`
`12`	`12`	`}`
	`13`	`+`
	`14`	`+# retrieve for creating ocir secret`
	`15`	`+data "oci_objectstorage_namespace" "object_storage_namespace" {`
	`16`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ variable "region" {`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`variable "tenancy_id" {`
`22`		`- description = "The tenancy id in which to create the sources."`
	`22`	`+ description = "The tenancy id in which to create the resources."`
`23`	`23`	`type = string`
`24`	`24`	`}`
`25`	`25`
`@@ -435,12 +435,6 @@ variable "secret_name" {`
`435`	`435`	`default = "ocirsecret"`
`436`	`436`	`}`
`437`	`437`
`438`		`-variable "tenancy_name" {`
`439`		`- default = "none"`
`440`		`- description = "The tenancy name to use when creating the ocir secret."`
`441`		`- type = string`
`442`		`-}`
`443`		`-`
`444`	`438`	`variable "username" {`
`445`	`439`	`default = "none"`
`446`	`440`	`description = "The username to access OCIR."`