roboll/kube-vault-controller

SecretClaim annotations are ignored when the secret is created

mgreau opened this issue · 1 comment

Expected behavior

When annotations exist in the SecretClaim definition, they should be added to the created secret.

Current behavior

The existing annotations are not added to the secret, which contains only the 3 vaultproject.io/xxx annotations.

Additional info

While using Tekton Pipeline, I need to create a Secret like this one for example.

In order to have this Secret in my cluster, I'm using a SecretClaim like the one below:

----
apiVersion: vaultproject.io/v1
kind: SecretClaim
metadata:
  name: git-ssh
  annotations:
    tekton.dev/git-0: github.com
spec:
  type: kubernetes.io/ssh-auth
  path: secret/example
----

Then the secret created is the following:

----
$ kubectl describe secret git-ssh -n default

Name:         git-ssh
Namespace:    default
Labels:       <none>
Annotations:  vaultproject.io/lease-expiration: 1576451579
              vaultproject.io/lease-id:
              vaultproject.io/renewable: false

Type:  kubernetes.io/ssh-auth

Data
====
known_hosts:     524 bytes
ssh-privatekey:  4324 bytes
----

instead of having something like:

----
Name:         git-ssh
Namespace:    default
Labels:       <none>
Annotations:  tekton.dev/git-0: github.com
              vaultproject.io/lease-expiration: 1576451579
              vaultproject.io/lease-id:
              vaultproject.io/renewable: false

Type:  kubernetes.io/ssh-auth

Data
====
known_hosts:     524 bytes
ssh-privatekey:  4324 bytes
----

In my case, this annotation tekton.dev/git-0: github.com is required by the Tekton Controller when using a secret for cloning a private git repository.

Expected behavior

When annotations exist in the SecretClaim definition, they should be added to the created secret.

When I write that, I mean this is the behavior I was expecting to see. But I did not find anything in the doc that assumes it should work like this. This is more a feature request than a bug :)
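
One way the requested propagation could be done, as an added example that is not code from kube-vault-controller or from this issue: the hypothetical helper `mergeAnnotations` copies a SecretClaim's annotations onto the Secret while keeping the controller's own `vaultproject.io/` lease annotations authoritative, so a claim cannot overwrite lease metadata. Skipping kubectl's last-applied annotation is an assumption, and the sample maps are constructed from the output shown in the issue.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Prefix of the annotations the controller writes itself (as seen in the kubectl output).
const controllerPrefix = "vaultproject.io/"

// Assumption: kubectl's client-side apply bookkeeping is not copied, because it
// would embed the whole SecretClaim manifest in the Secret's metadata.
const lastApplied = "kubectl.kubernetes.io/last-applied-configuration"

// mergeAnnotations (hypothetical helper) returns the annotations for the created
// Secret plus the sorted list of claim keys that were deliberately not copied.
func mergeAnnotations(claim, lease map[string]string) (map[string]string, []string) {
	merged := make(map[string]string, len(claim)+len(lease))
	var skipped []string
	for k, v := range claim {
		// A claim must not be able to set or spoof controller-owned lease metadata.
		if strings.HasPrefix(k, controllerPrefix) || k == lastApplied {
			skipped = append(skipped, k)
			continue
		}
		merged[k] = v
	}
	// Controller-owned values are written last, so they always win.
	for k, v := range lease {
		merged[k] = v
	}
	sort.Strings(skipped)
	return merged, skipped
}

func main() {
	// Constructed sample input: the claim from the issue plus one override attempt.
	claim := map[string]string{
		"tekton.dev/git-0":          "github.com",
		"vaultproject.io/renewable": "true",
	}
	lease := map[string]string{
		"vaultproject.io/lease-expiration": "1576451579",
		"vaultproject.io/lease-id":         "",
		"vaultproject.io/renewable":        "false",
	}
	merged, skipped := mergeAnnotations(claim, lease)
	fmt.Println("secret annotations:", merged)
	fmt.Println("not copied from claim:", skipped)
}
```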