hydra-maester
Ability to set template/metadata on generated secrets
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] This issue affects my Ory Network project.
- [X] I have joined the Ory Community Slack.
- [X] I am signed up to the Ory Security Patch Newsletter.
Describe your problem
We have tooling that performs actions when a configmap/secret changes based on annotations.
It would be nice to be able to include metadata (especially annotations) within the secret that hydra-maester creates.
Describe your ideal solution
Within the Custom Resource, I'd like to define a spec template from which to create the secret, in a format similar to the one below:
```yaml
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
  name: my-client
spec:
  grantTypes:
    - client_credentials
  scope: my-scope
  secret:
    name: my-test-secret
    template:
      metadata:
        annotations:
          hello/world: foo
  clientName: foobar
```
The generated secret would then look like:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-test-secret
  namespace: test
  annotations:
    hello/world: foo
  ownerReferences:
    - apiVersion: hydra.ory.sh/v1alpha1
      kind: OAuth2Client
      name: my-client
      uid: 1234-1234
data:
  client_id: aGVsbG8tZGlkLXlvdS1yZWFsbHktY2hlY2stdGhpcw==
  client_secret: aS13b3VsZC1saWtlLXNvbWUtcGllLXBsZWFzZQ==
type: Opaque
```
For backwards compatibility, we could support both secretName and secret.name with the intention of deprecating secretName in a future version.
Workarounds or alternatives
N/A
Version
N/A
Additional Context
Happy to PR if we feel this is a welcome addition.