feat: add setting remote namespace to metadata for kubernetes provider (#5224)

* feat: add setting remote namespace to metadata for kubernetes provider

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

On-behalf-of: gergely.brautigam@sap.com

* update the documentation with the new metadata configuration value

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

---------

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

docs/provider/kubernetes.md

@@ -377,7 +377,7 @@ spec:
           property: best-pokemon
 ```
 
-To utilize the PushSecret feature effectively, the referenced `SecretStore` requires specific permissions on the target cluster. In particular it requires `create`, `read`, `update` and `delete` permissions on the Secret resource:
+To use the PushSecret feature effectively, the referenced `SecretStore` requires specific permissions on the target cluster. In particular, it requires `create`, `read`, `update` and `delete` permissions on the Secret resource:
 
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -434,7 +434,7 @@ spec:
 
 The Kubernetes provider is able to manage both `metadata.labels` and `metadata.annotations` of the secret on the target cluster.
 
-Users have different preferences on what metadata should be pushed. ESO by default pushes both labels and annotations to the target secret and merges them with the existing metadata.
+Users have different preferences on what metadata should be pushed. ESO, by default, pushes both labels and annotations to the target secret and merges them with the existing metadata.
 
 You can specify the metadata in the `spec.template.metadata` section if you want to decouple it from the existing secret.
 
@@ -461,7 +461,7 @@ spec:
 {% endraw %}
 ```
 
-Further, you can leverage the `.data[].metadata` section to fine-tine the behaviour of the metadata merge strategy. The metadata section is a versioned custom-resource _alike_ structure, the behaviour is detailed below.
+Further, you can leverage the `.data[].metadata` section to fine-tine the behavior of the metadata merge strategy. The metadata section is a versioned custom-resource _similar_ structure, the behavior is detailed below.
 
 ```yaml
 apiVersion: external-secrets.io/v1alpha1
@@ -490,18 +490,17 @@ spec:
 
 ```
 
-
 | Field             | Type                                 | Description                                                                                                                                                                                                                                                                                                                                       |
-| ----------------- | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+|-------------------|--------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | sourceMergePolicy | string: `Merge`, `Replace`           | The sourceMergePolicy defines how the metadata of the source secret is merged. `Merge` will merge the metadata of the source secret with the  metadata defined in `.data[].metadata`. With `Replace`, the metadata in `.data[].metadata` replaces the source metadata.                                                                            |
 | targetMergePolicy | string: `Merge`, `Replace`, `Ignore` | The targetMergePolicy defines how ESO merges the metadata produced by the sourceMergePolicy with the target secret. With `Merge`, the source metadata is merged with the existing metadata from the target secret. `Replace` will replace the target metadata with the metadata defined in the source. `Ignore` leaves the target metadata as is. |
 | labels            | `map[string]string`                  | The labels.                                                                                                                                                                                                                                                                                                                                       |
 | annotations       | `map[string]string`                  | The annotations.                                                                                                                                                                                                                                                                                                                                  |
+| remoteNamespace   | string                               | The Namespace in which the remote Secret will created in if defined.                                                                                                                                                                                                                                                                              |
 
 #### Implementation Considerations
 
-When utilizing the PushSecret feature and configuring the permissions for the SecretStore, consider the following:
-
+When using the PushSecret feature and configuring the permissions for the SecretStore, consider the following:
 
 * **RBAC Configuration**: Ensure that the Role-Based Access Control (RBAC) configuration for the SecretStore grants the appropriate permissions for creating, reading, and updating resources in the target cluster.
 

pkg/provider/kubernetes/client.go

@@ -151,6 +151,9 @@ func (c *Client) mergePushSecretData(remoteRef esv1.PushSecretData, remoteSecret
 	}
 	remoteSecret.ObjectMeta.Labels = targetLabels
 	remoteSecret.ObjectMeta.Annotations = targetAnnotations
+	if pushMeta != nil && pushMeta.Spec.RemoteNamespace != "" {
+		remoteSecret.ObjectMeta.Namespace = pushMeta.Spec.RemoteNamespace
+	}
 
 	// case 1: push the whole secret
 	if remoteRef.GetProperty() == "" {

pkg/provider/kubernetes/client_test.go

@@ -1353,6 +1353,45 @@ func TestPushSecret(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "create new secret with remote namespace",
+			fields: fields{
+				Client: &fakeClient{
+					t:         t,
+					secretMap: map[string]*v1.Secret{},
+				},
+			},
+			secret: &v1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "mysec",
+					Namespace: "source-namespace",
+				},
+				Data: map[string][]byte{secretKey: []byte("bar")},
+			},
+			data: testingfake.PushSecretData{
+				SecretKey: secretKey,
+				RemoteKey: "mysec",
+				Property:  "secret",
+				Metadata: &apiextensionsv1.JSON{
+					Raw: []byte(`{"apiVersion":"kubernetes.external-secrets.io/v1alpha1", "kind": "PushSecretMetadata", "spec": {"remoteNamespace": "target-namespace"}}`),
+				},
+			},
+			wantErr: false,
+			wantSecretMap: map[string]*v1.Secret{
+				"mysec": {
+					ObjectMeta: metav1.ObjectMeta{
+						Name:        "mysec",
+						Namespace:   "target-namespace",
+						Labels:      map[string]string{},
+						Annotations: map[string]string{},
+					},
+					Data: map[string][]byte{
+						"secret": []byte(`bar`),
+					},
+					Type: v1.SecretTypeOpaque,
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/provider/kubernetes/metadata.go

@@ -26,8 +26,9 @@ type PushSecretMetadataSpec struct {
 	TargetMergePolicy targetMergePolicy `json:"targetMergePolicy,omitempty"`
 	SourceMergePolicy sourceMergePolicy `json:"sourceMergePolicy,omitempty"`
 
-	Labels      map[string]string `json:"labels,omitempty"`
-	Annotations map[string]string `json:"annotations,omitempty"`
+	Labels          map[string]string `json:"labels,omitempty"`
+	Annotations     map[string]string `json:"annotations,omitempty"`
+	RemoteNamespace string            `json:"remoteNamespace,omitempty"`
 }
 
 type targetMergePolicy string