Support keeping existing annotations when mirroring

[flo-02-mu]

Currently when mirroring a secret, all existing annotations are stripped in the target location.

Example:

# Create secret in source and annotate it
kubectl -n ns-origin create secret generic dummy-reflector-secret
kubectl -n ns-origin annotate secret dummy-reflector-secret annotation-key=annotation-value    # <-- This annotation is not mirrored
kubectl -n ns-origin annotate secret dummy-reflector-secret reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
kubectl -n ns-origin annotate secret dummy-reflector-secret reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces=ns-target
kubectl -n ns-origin annotate secret dummy-reflector-secret reflector.v1.k8s.emberstack.com/reflection-auto-enabled="true" 

# Check secret in the target namespace
kubectl -n ns-target get secret dummy-reflector-secret -o yaml

metadata:
  annotations:
    reflector.v1.k8s.emberstack.com/auto-reflects: "True"
    reflector.v1.k8s.emberstack.com/reflected-at: '"2023-06-27T08:53:41.0909994+00:00"'
    reflector.v1.k8s.emberstack.com/reflected-version: "1137728225"
    reflector.v1.k8s.emberstack.com/reflects: ns-origin/dummy-reflector-secret

Our use case would be to use the reflected secret in combination with the reloader-operator to automatically restart pods once a secret changes. Due to the lost annotation, this does not work.

Any chance to keep the existing annotations?

[szechp]

what you can do is disable auto reflect and then create a separate secret in the namespace you want. add the annotation reflector.v1.k8s.emberstack.com/reflects: "namespace/your-secret" there. you can now add annotation or anything else to the mirrored secrets, like you would in any other secret. (This is useful for labels you want in the argocd namespace for instance)

this is documented here: https://github.com/emberstack/kubernetes-reflector#2-annotate-the-mirror-secret-or-configmap