Annotate push-replicated copies to clearly identify the origin resource

[ringerc]

The annotations added by kubernetes-replicator to copied secrets are insufficient to reliably identify the origin they were copied from.

e.g.

annotations:
  replicator.v1.mittwald.de/replicated-at: "2025-05-06T01:24:17Z"
  replicator.v1.mittwald.de/replicated-from-version: "677124"
  replicator.v1.mittwald.de/replicated-keys: queries

Describe the solution you'd like

It would be very helpful if kubernetes-replicator could annotate the copied secrets with the origin resource's:

• namespace
• name
• uid (the resourceVersion is already there as replicator.v1.mittwald.de/replicated-from-version)

It might look like this:

annotations:
  replicator.v1.mittwald.de/replicated-at: "2025-05-06T01:24:17Z"
  replicator.v1.mittwald.de/replicated-from-name: "my-secret"
  replicator.v1.mittwald.de/replicated-from-namespace: "some-namespace"
  replicator.v1.mittwald.de/replicated-from-uid: "5200dabf-3945-4917-8edc-42b5d8593567"
  replicator.v1.mittwald.de/replicated-from-version: "677124"
  replicator.v1.mittwald.de/replicated-keys: queries

This would make understanding systems that use the replicator significantly easier, as there would be breadcrumbs from the destination copies back to the source resource.

Describe alternatives you've considered

Pull-based replication inherently provides this, and solves other issues like the inability to change the name on the destination.

But pull secrets interact poorly with gitops-style continuous deployment tools like fluxcd because flux tends to fight for control over the secret. Telling the tool to only create the pull secret once then ignore it means that it tends to be orphaned when deleted, and updates to its annotations etc get ignored. It's also not always very practical in cases where a secret must be replicated to a lot of namespaces owned and managed by different components (e.g. TLS resources or image registry credentials), since each one must contain the pull secret stub.

Proposed implementation

Something like:

• Add a config.go option for addSourceAnnotations
• Add a flag in main.go to set the option on the CLI
• add constants in replicate/common/consts.go for the annotation names
• Move the maintenance of replicated-from annotations etc from individual replicators into the common helper base
• inject the new annotations in the common helper when the feature is enabled

[whg517]

I think this is a very valuable feature. Currently, only a small amount of information is recorded in the annotations of the mirror resources, making it impossible to determine the source from the annotations.

I would like to inquire if there is a plan for developing this function?

[siegenthalerroger]

I'd argue this is needed in order to provide a possibility to at least manually cleanup orphaned secrets (#241).