Allow adding arbitrary finalizers to generated Secret

[artem-nefedov]

Is your feature request related to a problem? Please describe.

While running self-hosted GitHub runners managed by github actions-runner-controller (ARC), I'm using ExternalSecret to generate a Secret that is then consumed by AutoscalingRunnerSet. Both ExternalSecret and AutoscalingRunnerSet are installed within the same helm chart. ARC has a custom cleanup functionality where you're expected to put actions.github.com/cleanup-protection finalizer on a Secret to prevent it from being deleted too early. When AutoscalingRunnerSet is deleted, ARC will also delete the finalizer on the Secret at the appropriate moment. If this procedure is not followed and the Secret is deleted too early, everything breaks during the chart uninstall. Note that ARC only removes the finalizer, it can't delete the Secret by itself, which is why just specifying creationPolicy: Orphan won't fully solve the problem.

ARC cleanup is described here. Example of a Secret with finalizer when it's created by an official chart rather than ExternalSecret: https://github.com/actions/actions-runner-controller/blob/v0.27.6/charts/gha-runner-scale-set/templates/githubsecret.yaml#L10

Describe the solution you'd like

Ability to specify finalizers in spec.target.template.metadata. Currently, it only supports labels and annotations.

Describe alternatives you've considered

• creationPolicy: Orphan to never delete a Secret - not ideal to leave the garbage around + potential security concern.
• Mutating webhook with a thirdparty controller (e.g. kyverno) - this is what I ended up doing, but still would be nice to use native support instead.

[suvaidkhan]

I'd like to take a stab at this!

[suvaidkhan]

Hey @gusfcarvalho quick question the changes for this would go in the v1beta1 package right?

[gusfcarvalho]

No, they’d need to go to v1. v1beta1 is Jo longer served to users

[suvaidkhan]

Hey @gusfcarvalho not too familiar with the codebase hence wanted to run the changes by you before raising a PR

This change would involve adding the finalizer field in the ExternalSecretTemplateMetadata struct and then if a finalizer exists adding it to the secret in externalsecret_controller_template.go package.

Am I on the right track?

[gusfcarvalho]

Yeah, that should do it!

[matheusmazzoni]

Hey team, @gusfcarvalho and @suvaidkhan
I'd like to know if you're already working on this feature. If not, I'd like to sign it for myself and make my first contribution :)

[gusfcarvalho]

Thanks a lot for your contribution @matheusmazzoni ! I'm assigning you to the issue, as AFAIK no one started doing it 🥳

[suvaidkhan]

Hey team, @gusfcarvalho and @suvaidkhan I'd like to know if you're already working on this feature. If not, I'd like to sign it for myself and make my first contribution :)

Hey, I've been slammed right now and unfortunately not a lot of progress on this issue, feel free to take this up!

[malovme]

@gusfcarvalho @matheusmazzoni I've been working on this quietly (my fault, should have assigned the issue to myself) yesterday, and I opened a PR with what I have, so it would be great if you let me continue on it. I am going to add tests

[matheusmazzoni]

@gusfcarvalho @matheusmazzoni I've been working on this quietly (my fault, should have assigned the issue to myself) yesterday, and I opened a PR with what I have, so it would be great if you let me continue on it. I am going to add tests

NP, I've already started, but your draft PR LGTM :)