Support labels and annotations on connection secrets created via writeConnectionSecretToRef

[derbauer97]

What problem are you facing?

We rely on labels on connection Secrets for backup selection and policy integration. In Crossplane v2.x writeConnectionSecretToRef is the supported path for publishing connection secrets, but it does not allow declaring labels or annotations on the generated Secret.

The current workaround is post-processing the Secret with another controller or patch object, which is awkward for something that should be part of the secret publishing behavior.

How could Crossplane help solve your problem?

Support optional metadata on writeConnectionSecretToRef, for both local and non-local secret references, for example:

spec:
  writeConnectionSecretToRef:
    name: my-secret
    metadata:
      labels:
        foo: bar
      annotations:
        foo: bar

Please reconcile that metadata declaratively:

• metadata-only changes should trigger updates
• removing declared labels or annotations should remove them from the generated Secret
• behavior should remain unchanged when metadata is omitted

It would be nearly the same implementation as in https://docs.crossplane.io/v1.20/concepts/managed-resources/#publish-secrets-to-kubernetes which got dropped in 2.x

I am open to implement this if this is a wanted feature