Support labels and annotations on connection secrets created via writeConnectionSecretToRef #1008

Description

@derbauer97

What problem are you facing?

We rely on labels on connection Secrets for backup selection and policy integration. In Crossplane v2.x writeConnectionSecretToRef is the supported path for publishing connection secrets, but it does not allow declaring labels or annotations on the generated Secret.

The current workaround is post-processing the Secret with another controller or patch object, which is awkward for something that should be part of the secret publishing behavior.

How could Crossplane help solve your problem?

Support optional metadata on writeConnectionSecretToRef, for both local and non-local secret references, for example:

spec:
  writeConnectionSecretToRef:
    name: my-secret
    metadata:
      labels:
        foo: bar
      annotations:
        foo: bar

Please reconcile that metadata declaratively:

  • metadata-only changes should trigger updates
  • removing declared labels or annotations should remove them from the generated Secret
  • behavior should remain unchanged when metadata is omitted

It would be nearly the same implementation as in https://docs.crossplane.io/v1.20/concepts/managed-resources/#publish-secrets-to-kubernetes, which got dropped in 2.x.

I am open to implementing this if this is a wanted feature.
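
The three reconciliation rules requested in the issue, sketched as an added example; this is not Crossplane's code and not part of the original issue. It assumes the set of previously declared label keys is recorded in a hypothetical annotation (`example.org/declared-labels`), so that labels set by other actors, such as a backup or policy controller, are never pruned.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// trackKey is a hypothetical annotation recording which label keys were
// declared on the previous reconcile. Label keys cannot contain commas.
const trackKey = "example.org/declared-labels"

// ReconcileLabels applies declared labels to a Secret's metadata in place and
// reports whether the Secret needs an update. labels and annos must be non-nil.
// Labels that were never declared here are left alone.
func ReconcileLabels(labels, annos, declared map[string]string) bool {
	changed := false
	// Prune keys declared earlier but absent from the current declaration.
	for _, k := range strings.Split(annos[trackKey], ",") {
		if _, still := declared[k]; k != "" && !still {
			if _, ok := labels[k]; ok {
				delete(labels, k)
				changed = true
			}
		}
	}
	// Set or correct every declared label; a metadata-only edit lands here.
	keys := make([]string, 0, len(declared))
	for k, v := range declared {
		keys = append(keys, k)
		if cur, ok := labels[k]; !ok || cur != v {
			labels[k] = v
			changed = true
		}
	}
	sort.Strings(keys)
	// Record the declared key set; with metadata omitted nothing is written.
	if want := strings.Join(keys, ","); want != annos[trackKey] {
		if want == "" {
			delete(annos, trackKey)
		} else {
			annos[trackKey] = want
		}
		changed = true
	}
	return changed
}

func main() {
	labels, annos := map[string]string{"backup": "daily"}, map[string]string{} // constructed sample
	fmt.Println(ReconcileLabels(labels, annos, map[string]string{"foo": "bar"}), labels)
}
```

Annotations would be handled the same way with a second tracking key.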
