Bound finalizer from Secret Stores to PushSecrets if DeletionPolicy == Delete

[ma-ble]

Is your feature request related to a problem? Please describe.
When deleting resources, it is currently not guaranteed that the PushSecrets will be deleted before the associated SecretStores.

This problem can occur if, for example, you want to delete the namespace and thereby delete all the resources (PushSecrets and SecretStores) in it. It is a coincidence which resources are deleted first. If the SecretStore is deleted first, deleting the PushSecrets fails and cannot be done by Kubernetes. You have to delete it manually by hand.

This is a problem, especially if the deletion and creation of resources is to be done automatically - for example using frameworks such as Crossplane or Helm.

Describe the solution you'd like
Using a finalizer when the DeletionPolicy is Delete enables a controlled, successful removal of SecretStores and PushSecrets.
Such a solution would also help very well with the automated deletion of resources.

[gusfcarvalho]

That is a very nice feature to have!! 😄

[mohitsethia]

Hi @gusfcarvalho , I want to contribute. I am a first time contributor, can you please help a bit?

[RafaelN0bre]

Hey everyone. I'm working on this issue. Hope to contribute with the project

[s3than]

@RafaelN0bre Any update on how your going?

[brenob6]

Hi everyone, I’m taking a look at this issue, as it’s marked as a good first issue.

So the task is create a graceful deletion process when a PushSecret associated with a SecretStore is deleted simultaneously?
(There’s also the case where the Secret associated with the SecretStore is being deleted at the same time.)

Or, it's a deletion policy attached to the SecretStore, so that when the SecretStore is deleted, all SecretRefs from this SecretStore are removed from the PushSecrets? Then If no references remain, the PushSecret would then be deleted.

I don't know if I misunderstand the problem.

[Rand0mF]

I think it would be great that the SecretStore stays until there are no more PushSecrets referencing this SecretStore.
So the PushSecret can successfully be removed in case both objects are deleted at the same time.

[thesuperzapper]

Here is my comment from #4338 (comment) on the first PR that attempted this.

I think someone experienced in Go/Controllers could implement this feature based on the following design.

---

This feature is a LOT more complex than it first might seem, I have implemented similar features before.

Here are the steps I think will be required, but there might be other edge cases:

1. Create 2 new controller-runtime index on PS which can be used to quickly find PS that have pushed to a specific SS or CSS:

   • The index will have to be a list, based on status.syncedPushSecrets of the PS, as this includes information about all pushed secrets. (NOTE: indexes can have multiple values, and a list-option equals selector effectively becomes as "in list" selector)
   • The indexes can be an array of {store_name} strings, with an element for each store we have pushed to. (NOTE: we don't need to include the namespace in the index, because we will already only be looking for PS in a specific namespace for SS, and for CSS there is obviously no namespace)
   • We can debate if it makes sense to only add the index to PS that have deletionPolicy=Delete, as this is more efficient than filtering PS by deletionPolicy in each SS/CSS reconcile.

2. We will need to then trigger SS/CSS reconciliation on PushSecret creates/updates (based on that index) to guarantee that we add/remove the finalizer when a PS changes deletionPolicy or pushes a new secret.

3. We should then update the PS/CSS reconciliation to use that index each loop to determine if we need to add/remove the finalizer:

   • TIP: remember you can only add finalizers to resources that are not being deleted, so its too late to add it if the SS/CSS is being deleted, this means we should probably have a protection mechanism in the PS loop to not use a SS/CSS that is being deleted.

[matheusmazzoni]

Hey Guys, I'll try this one :)