This repository has been archived by the owner on Jul 5, 2021. It is now read-only.

Introduce namespace restriction #10

Closed
riccardomc opened this issue May 7, 2019 · 5 comments
@riccardomc
Contributor

riccardomc commented May 7, 2019

It would be useful to restrict secrets injections to specific namespaces. Possibilities are:

  1. allow/deny regex in ExternalSecretBackend CR definition (depends on the ExternalSecretBackend implementation, see "Introduce Secret Backends implementation and CRDs" #6) in metadata or parameters
  2. allow/deny regex in ExternalSecret CR definition
  3. Annotation in namespaces

1 should give more flexibility.

@iakat
Contributor

iakat commented May 20, 2019

This is useful to @frankscholten when implementing 1Password, although it might be a bit more dynamic (#11, #12).

@riccardomc
Contributor Author

I'd like to have a discussion about this. Simplifying the architecture of the operator would also have a simpler security model and we could rely on RBAC to limit access.

We could drop the CRD introduced by #15, limit an operator instance to one backend, and let it watch only one namespace.

In this way we scope the operator per namespace, by RBAC and by the Watch operation, and avoid the risk of injecting, for example, prod secrets into dev. If you want an additional backend, just run another operator with a different backend type. I believe this is easier to reason about, but might be more resource intensive.

Notice that only the operator with the right backend type will actually create the Secret; all the others will gracefully fail with "backend not found".

@frankscholten
Collaborator

I like this approach as it would simplify things a lot.

@riccardomc
Contributor Author

I will try to implement this in #4 .

@riccardomc
Contributor Author

This needs to be documented, but it is implemented in #4 as RBAC roles.
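The scoping described in the thread (one operator instance per backend, confined to a single namespace by RBAC and by what it watches) looks roughly like the manifests below. This is an added illustration, not the project's own manifests from #4: it assumes the operator runs in namespace `dev` under a ServiceAccount named `externalsecret-operator`, reads the namespace to watch from a `WATCH_NAMESPACE` environment variable, selects its backend through an assumed `BACKEND_TYPE` variable, and that its CRD lives in a placeholder API group that must be replaced with the real one.

```yaml
# Added example (not from the project): one operator instance, one namespace.
# Assumptions: namespace "dev", ServiceAccount "externalsecret-operator",
# WATCH_NAMESPACE and BACKEND_TYPE environment variables, and the placeholder
# API group "externalsecret-operator.example.org" for the ExternalSecret CRD.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: externalsecret-operator
  namespace: dev
---
# A namespaced Role, not a ClusterRole: the operator's permissions stop at
# the namespace boundary, so it cannot read or write Secrets in "prod".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: externalsecret-operator
  namespace: dev
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: ["externalsecret-operator.example.org"]   # placeholder group
    resources: ["externalsecrets", "externalsecrets/status"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: externalsecret-operator
  namespace: dev
subjects:
  - kind: ServiceAccount
    name: externalsecret-operator
    namespace: dev
roleRef:
  kind: Role
  name: externalsecret-operator
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: externalsecret-operator
  namespace: dev
spec:
  replicas: 1
  selector:
    matchLabels: {app: externalsecret-operator}
  template:
    metadata:
      labels: {app: externalsecret-operator}
    spec:
      serviceAccountName: externalsecret-operator
      containers:
        - name: operator
          image: OPERATOR_IMAGE_PLACEHOLDER   # replace with the real image
          env:
            # Watch only the namespace the Role covers. A second backend type
            # gets its own Deployment, ServiceAccount and Role in its own
            # namespace instead of a cluster-wide instance.
            - name: WATCH_NAMESPACE
              valueFrom:
                fieldRef: {fieldPath: metadata.namespace}
            - name: BACKEND_TYPE   # assumed variable name
              value: dummy
```

The useful check after applying this is that the API server, not just the operator's own watch filter, denies cross-namespace access: `kubectl auth can-i get secrets -n prod --as=system:serviceaccount:dev:externalsecret-operator` should answer `no`, while the same query with `-n dev` answers `yes`. Because the Role rather than the watch is what enforces the boundary, a misconfigured `WATCH_NAMESPACE` degrades to a forbidden API error rather than to a prod secret landing in dev.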
