237: Fixing review comment

Signed-off-by: Abhishek Sharma <abhishek44sharma@gmail.com>

app/safe/internal/bootstrap/k8s.go

@@ -12,7 +12,6 @@ package bootstrap
 
 import (
 	"context"
-	"os"
 	"github.com/pkg/errors"
 	"github.com/vmware-tanzu/secrets-manager/core/log"
 	"github.com/vmware-tanzu/secrets-manager/app/safe/internal/state"
@@ -23,13 +22,16 @@ import (
 	"k8s.io/client-go/rest"
 )
 
-var podNamespace string
-var id string = "VSECMSAFE"
+var (
+	vsecmSystemNamespace string
+	id string = "VSECMSAFE"
+)
+
 func init() {
-	podNamespace = os.Getenv("POD_NAMESPACE")
-	if len(podNamespace) == 0 {
+	// getting metadata.namespace, passed through environment variable VSECM_SYSTEM_NAMESPACE
+	if vsecmSystemNamespace = env.InitVsecmSystemNamespace(); len(vsecmSystemNamespace) == 0 {
 		log.FatalLn(&id, "Failed to get pod namespace",
-			"Pod namespace should be exported into environment as POD_NAMESPACE")
+			"Pod namespace should be exported into environment as VSECM_SYSTEM_NAMESPACE")
 	}
 }
 
@@ -49,7 +51,7 @@ func persistKeys(privateKey, publicKey, aesSeed string) error {
 	data["KEY_TXT"] = ([]byte)(keysCombined)
 
 	// Update the Secret in the cluster
-	_, err = k8sApi.CoreV1().Secrets(podNamespace).Update(
+	_, err = k8sApi.CoreV1().Secrets(vsecmSystemNamespace).Update(
 		context.Background(),
 		&v1.Secret{
 			TypeMeta: metaV1.TypeMeta{
@@ -58,7 +60,7 @@ func persistKeys(privateKey, publicKey, aesSeed string) error {
 			},
 			ObjectMeta: metaV1.ObjectMeta{
 				Name:      env.SafeAgeKeySecretName(),
-				Namespace: podNamespace,
+				Namespace: vsecmSystemNamespace,
 			},
 			Data: data,
 		},

core/env/init.go

@@ -32,3 +32,10 @@ func InitContainerPollInterval() time.Duration {
 	}
 	return time.Duration(i) * time.Millisecond
 }
+
+// InitVsecmSystemNamespace returns namespace from metadata,
+// metadata.namespace should be passed as environment variable
+// as VSECM_SYSTEM_NAMESPACE to the container.
+func InitVsecmSystemNamespace() string {
+	return os.Getenv("VSECM_SYSTEM_NAMESPACE")
+}

docs/_pages/0110-configuration.md

@@ -382,3 +382,14 @@ increasing the poll interval. Defaults to `2`.
 
 The next interval is calculated by multiplying the current interval with
 `VSECM_SIDECAR_EXPONENTIAL_BACKOFF_MULTIPLIER`.
+
+### VSECM_SYSTEM_NAMESPACE
+
+`VSECM_SYSTEM_NAMESPACE` environment variable specifies the namespace in
+which a VSecM instance is deployed.
+
+Ensure this is set as an environment variable for your containers; it's a
+critical piece. VSecM Safe and Sentinel rely on it to precisely locate the
+deployment's namespace. For instance, Safe leverages this information to securely
+store age keys within a designated secret, as specified by the `VSECM_CRYPTO_KEY_NAME`
+configuration.

helm-charts/0.22.0/charts/safe/templates/deployment.yaml

@@ -75,7 +75,7 @@ spec:
               value: ":{{ .Values.livenessPort }}"
             - name: VSECM_PROBE_READINESS_PORT
               value: ":{{ .Values.readynessPort }}"
-            - name: POD_NAMESPACE
+            - name: VSECM_SYSTEM_NAMESPACE
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace

k8s/safe/kustomizations/local/istanbul-fips/Deployment.yaml

@@ -93,7 +93,7 @@ spec:
               value: "30000"
             - name: VSECM_SAFE_FIPS_COMPLIANT
               value: "true"
-            - name: POD_NAMESPACE
+            - name: VSECM_SYSTEM_NAMESPACE
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace

k8s/safe/kustomizations/local/istanbul/Deployment.yaml

@@ -94,7 +94,7 @@ spec:
               value: "30000"
             - name: VSECM_SAFE_FIPS_COMPLIANT
               value: "false"
-            - name: POD_NAMESPACE
+            - name: VSECM_SYSTEM_NAMESPACE
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace

k8s/safe/kustomizations/local/photon-fips/Deployment.yaml

@@ -93,7 +93,7 @@ spec:
               value: "30000"
             - name: VSECM_SAFE_FIPS_COMPLIANT
               value: "true"
-            - name: POD_NAMESPACE
+            - name: VSECM_SYSTEM_NAMESPACE
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace

k8s/safe/kustomizations/local/photon/Deployment.yaml

@@ -93,7 +93,7 @@ spec:
               value: "30000"
             - name: VSECM_SAFE_FIPS_COMPLIANT
               value: "false"
-            - name: POD_NAMESPACE
+            - name: VSECM_SYSTEM_NAMESPACE
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace

k8s/safe/kustomizations/remote/istanbul-fips/Deployment.yaml

@@ -93,7 +93,7 @@ spec:
               value: "30000"
             - name: VSECM_SAFE_FIPS_COMPLIANT
               value: "true"
-            - name: POD_NAMESPACE
+            - name: VSECM_SYSTEM_NAMESPACE
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace

k8s/safe/kustomizations/remote/istanbul/Deployment.yaml

@@ -94,7 +94,7 @@ spec:
               value: "30000"
             - name: VSECM_SAFE_FIPS_COMPLIANT
               value: "false"
-            - name: POD_NAMESPACE
+            - name: VSECM_SYSTEM_NAMESPACE
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace

k8s/safe/kustomizations/remote/photon-fips/Deployment.yaml

@@ -93,7 +93,7 @@ spec:
               value: "30000"
             - name: VSECM_SAFE_FIPS_COMPLIANT
               value: "true"
-            - name: POD_NAMESPACE
+            - name: VSECM_SYSTEM_NAMESPACE
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace

k8s/safe/kustomizations/remote/photon/Deployment.yaml

@@ -94,7 +94,7 @@ spec:
               value: "30000"
             - name: VSECM_SAFE_FIPS_COMPLIANT
               value: "false"
-            - name: POD_NAMESPACE
+            - name: VSECM_SYSTEM_NAMESPACE
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace