Finalizer Naming Inconsistencies

[xWink]

Per Kubebuilder documentation, finalizers are typically named in the format of my.domain.com/finalizer. In our case, that would be application-networking.k8s.aws/finalizer.

The purpose of using our domain as part of the finalizer is to avoid conflicts with other controllers which may add/remove finalizers for the same resources. Currently, we use finalizers that do not include our domain, and if another controller uses the same finalizer, then we are at risk of collision (a risk which is greatly mitigated if we include our domain in the finalizer). We also use different finalizers for every resource, which adds unnecessary code to controllers. Lastly, it's an inconsistency with the broader Kubernetes community.

Changing finalizers would be a backwards incompatible change.

[mikhail-aws]

We need to include domain by recommendation. For key I think each reconlicer/controller need to have a unique one, otherwise you restricted to having single finalizer per entire manager. Also word" finalizer" is an example, not a guidance.

Identifiers of custom finalizers consist of a domain name, a forward slash and the name of the finalizer. Any controller can add a finalizer to any object's list of finalizers.

https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#finalizers

[xWink]

Per discussion, the finalizers we'd like to go with are <domain>/<controller's resource name>. For example, application-networking.k8s.aws/accesslogpolicy or application-networking.k8s.aws/service. This will prevent different controllers under the same domain from interfering with each other.

We will need to continue supporting deletion of the BOTH the old and new finalizers for now, but only add the new finalizer on creation. In the future, we may remove deletion of the old finalizer to fully drop support of it.

[xWink]

We should put finalizer tools in utility functions/global constants instead of re-implementing them in each reconciler.