Secrets manager deleted before SecretInjector processed.

[GrahamDumpleton]

Describe the bug

Educates training platform package creates educates-registry-credentials SecretInjector resource. The SecretInjector resource has a finalizer added by the secrets-manager operator. When deleting Educates, if the operator is deleted before the instance of SecretInjector, then deletion of the package will get stuck as finalizer can't be removed.

To avoid problems kapp delete ordering rules should be set up using annotations to ensure that any SecretInjector instances created with the training platform package are deleted before secrets-manager operator is deleted.

Related issue: https://github.com/vmware-tanzu-labs/educates-training-platform/issues/208

Additional information

No response

[GrahamDumpleton]

kapp docs state:

kapp includes builtin rules to make sure certain changes are applied in particular order:

Creates/updates CRDs are created/updated before custom resources Namespaces are created/updated before namespaced resources Pod related resources (ServiceAccount, ConfigMap, Secret, etc.) are created/updated before other resources (v0.25.0+) RBAC related resources (Role, RoleBinding, etc.) are created/updated before other resources (v0.25.0+)

Deletions (below is order as of v0.29.0+) Custom resources are deleted first CRDs are deleted next Rest of resoures are deleted

So technically the default order should result in custom resources being deleted first and before the operator would be deleted. So adding an explicit rule should not actually be required.

[GrahamDumpleton]

Note that there will be an issue with stuck resources when deleting Educates package if issue described in https://github.com/vmware-tanzu-labs/educates-training-platform/issues/202 occurs as the operator will not be running properly to clean up instances of secrets-manager resources. Thus deletion of Educates package will hang.