feat: Support injection into user-defined init containers

README.md

@@ -184,6 +184,15 @@ annotations:
   operator.1password.io/inject: "app-example1"
 ```
 
+To inject secrets into init containers, add the `operator.1password.io/injector-init-first: "true"` annotation. This ensures the 1Password init container runs first, making secrets available to your init containers:
+
+```yaml
+annotations:
+  # List both regular and init containers
+  operator.1password.io/inject: "app-example1,init-db-migration"
+  operator.1password.io/injector-init-first: "true"
+```
+
 ### Step 5: Configure the resource's environment
 
 Add an environment variable to the resource with a value referencing your 1Password item. Use the following secret reference syntax: `op://<vault>/<item>[/section]/<field>`.

deploy/kustomization.yaml

@@ -4,3 +4,4 @@ resources:
 - permissions.yaml
 - deployment.yaml
 - service.yaml
+namespace: default

go.mod

@@ -4,6 +4,7 @@ go 1.20
 
 require (
 	github.com/golang/glog v1.1.1
+	github.com/google/go-cmp v0.5.9
 	github.com/onsi/ginkgo/v2 v2.9.2
 	github.com/onsi/gomega v1.27.5
 	github.com/stretchr/testify v1.8.2
@@ -24,7 +25,6 @@ require (
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/gnostic v0.6.9 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20230323073829-e72429f035bd // indirect
 	github.com/google/uuid v1.3.0 // indirect

pkg/webhook/webhook.go

@@ -18,6 +18,13 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 )
 
+type ContainerType string
+
+const (
+	InitContainer ContainerType = "initContainer"
+	Container     ContainerType = "container"
+)
+
 const (
 	connectHostEnv  = "OP_CONNECT_HOST"
 	connectTokenEnv = "OP_CONNECT_TOKEN"
@@ -57,9 +64,10 @@ var (
 )
 
 const (
-	injectionStatus   = "operator.1password.io/status"
-	injectAnnotation  = "operator.1password.io/inject"
-	versionAnnotation = "operator.1password.io/version"
+	injectionStatus             = "operator.1password.io/status"
+	injectAnnotation            = "operator.1password.io/inject"
+	injectorInitFirstAnnotation = "operator.1password.io/injector-init-first"
+	versionAnnotation           = "operator.1password.io/version"
 )
 
 type SecretInjector struct {
@@ -99,24 +107,26 @@ func mutationRequired(metadata *metav1.ObjectMeta) bool {
 	return required
 }
 
-func addContainers(target, added []corev1.Container, basePath string) (patch []patchOperation) {
+func addContainers(target, containers []corev1.Container, basePath string) (patch []patchOperation) {
 	first := len(target) == 0
 	var value interface{}
-	for _, add := range added {
-		value = add
+	for _, c := range containers {
+		value = c
 		path := basePath
 		if first {
 			first = false
-			value = []corev1.Container{add}
+			value = []corev1.Container{c}
 		} else {
 			path = path + "/-"
 		}
+
 		patch = append(patch, patchOperation{
 			Op:    "add",
 			Path:  path,
 			Value: value,
 		})
 	}
+
 	return patch
 }
 
@@ -210,24 +220,40 @@ func (s *SecretInjector) mutate(ar *admissionv1.AdmissionReview) *admissionv1.Ad
 	mutated := false
 
 	var patch []patchOperation
-	for i := range pod.Spec.InitContainers {
-		c := pod.Spec.InitContainers[i]
-		_, mutate := containers[c.Name]
-		if !mutate {
-			continue
-		}
-		didMutate, initContainerPatch, err := s.mutateContainer(ctx, &c, i)
-		if err != nil {
-			return &admissionv1.AdmissionResponse{
-				Result: &metav1.Status{
-					Message: err.Error(),
-				},
+
+	mutateInitContainers := false
+	if val, ok := pod.Annotations[injectorInitFirstAnnotation]; ok && strings.ToLower(val) == "true" {
+		mutateInitContainers = true
+	}
+
+	if mutateInitContainers {
+		for i := range pod.Spec.InitContainers {
+			c := pod.Spec.InitContainers[i]
+			// do not mutate our own init container
+			if c.Name == "copy-op-bin" {
+				continue
 			}
+			_, mutate := containers[c.Name]
+			if !mutate {
+				continue
+			}
+			didMutate, initContainerPatch, err := s.mutateContainer(ctx, &c, i, InitContainer)
+			if err != nil {
+				return &admissionv1.AdmissionResponse{
+					Result: &metav1.Status{
+						Message: err.Error(),
+					},
+				}
+			}
+			if didMutate {
+				mutated = true
+			}
+
+			for i := range initContainerPatch {
+				initContainerPatch[i].Path = strings.Replace(initContainerPatch[i].Path, "/spec/containers", "/spec/initContainers", 1)
+			}
+			patch = append(patch, initContainerPatch...)
 		}
-		if didMutate {
-			mutated = true
-		}
-		patch = append(patch, initContainerPatch...)
 	}
 
 	for i := range pod.Spec.Containers {
@@ -237,7 +263,7 @@ func (s *SecretInjector) mutate(ar *admissionv1.AdmissionReview) *admissionv1.Ad
 			continue
 		}
 
-		didMutate, containerPatch, err := s.mutateContainer(ctx, &c, i)
+		didMutate, containerPatch, err := s.mutateContainer(ctx, &c, i, Container)
 		if err != nil {
 			glog.Error("Error occurred mutating container for secret injection: ", err)
 			return &admissionv1.AdmissionResponse{
@@ -297,12 +323,24 @@ func (s *SecretInjector) mutate(ar *admissionv1.AdmissionReview) *admissionv1.Ad
 
 // create mutation patch for resources
 func createOPCLIPatch(pod *corev1.Pod, containers []corev1.Container, patch []patchOperation) ([]byte, error) {
-
 	annotations := map[string]string{injectionStatus: "injected"}
 	patch = append(patch, addVolume(pod.Spec.Volumes, []corev1.Volume{binVolume}, "/spec/volumes")...)
+
+	initFirst := false
+	if val, ok := pod.Annotations[injectorInitFirstAnnotation]; ok && strings.ToLower(val) == "true" {
+		initFirst = true
+	}
+
+	if initFirst {
+		if len(pod.Spec.InitContainers) > 0 {
+			patch = append(patch, removeContainers(getContainerPath(InitContainer))...)
+		}
+
+		containers = append(containers, pod.Spec.InitContainers...)
+	}
+
 	patch = append(patch, addContainers(pod.Spec.InitContainers, containers, "/spec/initContainers")...)
 	patch = append(patch, updateAnnotation(pod.Annotations, annotations)...)
-
 	return json.Marshal(patch)
 }
 
@@ -350,7 +388,7 @@ func checkOPCLIEnvSetup(container *corev1.Container) {
 	}
 }
 
-func passUserAgentInformationToCLI(container *corev1.Container, containerIndex int) []patchOperation {
+func passUserAgentInformationToCLI(container *corev1.Container, containerIndex int, containerType ContainerType) []patchOperation {
 	userAgentEnvs := []corev1.EnvVar{
 		{
 			Name:  "OP_INTEGRATION_NAME",
@@ -366,11 +404,11 @@ func passUserAgentInformationToCLI(container *corev1.Container, containerIndex i
 		},
 	}
 
-	return setEnvironment(*container, containerIndex, userAgentEnvs, "/spec/containers")
+	return setEnvironment(*container, containerIndex, userAgentEnvs, getContainerPath(containerType))
 }
 
 // mutates the container to allow for secrets to be injected into the container via the op cli
-func (s *SecretInjector) mutateContainer(cxt context.Context, container *corev1.Container, containerIndex int) (bool, []patchOperation, error) {
+func (s *SecretInjector) mutateContainer(cxt context.Context, container *corev1.Container, containerIndex int, containerType ContainerType) (bool, []patchOperation, error) {
 	//  prepending op run command to the container command so that secrets are injected before the main process is started
 	if len(container.Command) == 0 {
 		return false, nil, fmt.Errorf("not attaching OP to the container %s: the podspec does not define a command", container.Name)
@@ -382,15 +420,15 @@ func (s *SecretInjector) mutateContainer(cxt context.Context, container *corev1.
 	var patch []patchOperation
 
 	// adding the cli to the container using a volume mount
-	path := fmt.Sprintf("%s/%d/volumeMounts", "/spec/containers", containerIndex)
+	path := fmt.Sprintf("%s/%d/volumeMounts", getContainerPath(containerType), containerIndex)
 	patch = append(patch, patchOperation{
 		Op:    "add",
 		Path:  path,
 		Value: append(container.VolumeMounts, binVolumeMount),
 	})
 
 	// replacing the container command with a command prepended with op run
-	path = fmt.Sprintf("%s/%d/command", "/spec/containers", containerIndex)
+	path = fmt.Sprintf("%s/%d/command", getContainerPath(containerType), containerIndex)
 	patch = append(patch, patchOperation{
 		Op:    "replace",
 		Path:  path,
@@ -400,7 +438,7 @@ func (s *SecretInjector) mutateContainer(cxt context.Context, container *corev1.
 	checkOPCLIEnvSetup(container)
 
 	//creating patch for passing User-Agent information to the CLI.
-	patch = append(patch, passUserAgentInformationToCLI(container, containerIndex)...)
+	patch = append(patch, passUserAgentInformationToCLI(container, containerIndex, containerType)...)
 	return true, patch, nil
 }
 
@@ -485,3 +523,20 @@ func (s *SecretInjector) Serve(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
 	}
 }
+
+func getContainerPath(containerType ContainerType) string {
+	if containerType == InitContainer {
+		return "/spec/initContainers"
+	}
+	return "/spec/containers"
+}
+
+func removeContainers(path string) []patchOperation {
+	return []patchOperation{
+		{
+			Op:    "remove",
+			Path:  path,
+			Value: nil,
+		},
+	}
+}