Removing finalizers from generated resources

[bigkevmcd]

Expected Behavior

Externally added finalizers should be retained across reconciliations by the tigera-controller.

Current Behavior

Currently, if another controller adds a finalizer to an Operator-created resource, it will get removed on re-reconcile.

This commit beeba82cb fixed this for Kibana resources.

beeba82cb#diff-8a70460893d606f15b2f0b6b4292348d55975719fa6d0a50b32a8e4c148ddf6eR218

We are seeing the same problem, update-battles for some resources that Rancher is adding finalizers to (specifically at least ClusterRoleBindings).

Possible Solution

Retain the existing finalizers on the resource (by merging with the existing finalizers).

Steps to Reproduce (for bugs)

1. Add a finalizer to an operator-created resource e.g. the calico-node ClusterRoleBinding
2. The added finalizer will be removed and the tigera.io/cni-protector will be the only finalizer,

Context

We are seeing elevated levels of updates being applied to CRBs that are watched by Rancher.

Your Environment

• Operating System and version:
• Link to your project (optional):

[tmjd]

I think this could be done but the changes would have to make sure the operator can still remove its finializers. (If we just copy all the finalizers from the existing object then we couldn't remove finalizers, at least not using the normal CreateOrUpdateOrDelete function.)