feat: Support injection into user-defined init containers

Author: NominalTrajectory

README.md

@@ -184,6 +184,15 @@ annotations:
   operator.1password.io/inject: "app-example1"
 ```
 
+To inject secrets into init containers, add the `operator.1password.io/injector-init-first: "true"` annotation. This ensures the 1Password init container runs first, making secrets available to your init containers:
+
+```yaml
+annotations:
+  # List both regular and init containers
+  operator.1password.io/inject: "app-example1,init-db-migration"
+  operator.1password.io/injector-init-first: "true"
+```
+
 ### Step 5: Configure the resource's environment
 
 Add an environment variable to the resource with a value referencing your 1Password item. Use the following secret reference syntax: `op://<vault>/<item>[/section]/<field>`.

deploy/kustomization.yaml

@@ -4,3 +4,4 @@ resources:
 - permissions.yaml
 - deployment.yaml
 - service.yaml
+namespace: default

go.mod

@@ -4,6 +4,7 @@ go 1.20
 
 require (
 	github.com/golang/glog v1.1.1
+	github.com/google/go-cmp v0.5.9
 	github.com/onsi/ginkgo/v2 v2.9.2
 	github.com/onsi/gomega v1.27.5
 	github.com/stretchr/testify v1.8.2
@@ -24,7 +25,6 @@ require (
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/gnostic v0.6.9 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20230323073829-e72429f035bd // indirect
 	github.com/google/uuid v1.3.0 // indirect

pkg/webhook/webhook.go

@@ -57,9 +57,10 @@ var (
 )
 
 const (
-	injectionStatus   = "operator.1password.io/status"
-	injectAnnotation  = "operator.1password.io/inject"
-	versionAnnotation = "operator.1password.io/version"
+	injectionStatus             = "operator.1password.io/status"
+	injectAnnotation            = "operator.1password.io/inject"
+	injectorInitFirstAnnotation = "operator.1password.io/injector-init-first"
+	versionAnnotation           = "operator.1password.io/version"
 )
 
 type SecretInjector struct {
@@ -100,21 +101,20 @@ func mutationRequired(metadata *metav1.ObjectMeta) bool {
 }
 
 func addContainers(target, added []corev1.Container, basePath string) (patch []patchOperation) {
-	first := len(target) == 0
-	var value interface{}
-	for _, add := range added {
-		value = add
-		path := basePath
-		if first {
-			first = false
-			value = []corev1.Container{add}
-		} else {
-			path = path + "/-"
-		}
+	if len(target) == 0 {
 		patch = append(patch, patchOperation{
 			Op:    "add",
-			Path:  path,
-			Value: value,
+			Path:  basePath,
+			Value: added,
+		})
+		return patch
+	}
+
+	for _, c := range added {
+		patch = append(patch, patchOperation{
+			Op:    "add",
+			Path:  basePath + "/-",
+			Value: c,
 		})
 	}
 	return patch
@@ -210,24 +210,40 @@ func (s *SecretInjector) mutate(ar *admissionv1.AdmissionReview) *admissionv1.Ad
 	mutated := false
 
 	var patch []patchOperation
-	for i := range pod.Spec.InitContainers {
-		c := pod.Spec.InitContainers[i]
-		_, mutate := containers[c.Name]
-		if !mutate {
-			continue
-		}
-		didMutate, initContainerPatch, err := s.mutateContainer(ctx, &c, i)
-		if err != nil {
-			return &admissionv1.AdmissionResponse{
-				Result: &metav1.Status{
-					Message: err.Error(),
-				},
+
+	mutateInitContainers := false
+	if value, exists := pod.Annotations[injectorInitFirstAnnotation]; exists && strings.ToLower(value) == "true" {
+		mutateInitContainers = true
+	}
+
+	if mutateInitContainers {
+		for i := range pod.Spec.InitContainers {
+			c := pod.Spec.InitContainers[i]
+			// do not mutate our own init container
+			if c.Name == "copy-op-bin" {
+				continue
 			}
+			_, mutate := containers[c.Name]
+			if !mutate {
+				continue
+			}
+			didMutate, initContainerPatch, err := s.mutateContainer(ctx, &c, i)
+			if err != nil {
+				return &admissionv1.AdmissionResponse{
+					Result: &metav1.Status{
+						Message: err.Error(),
+					},
+				}
+			}
+			if didMutate {
+				mutated = true
+			}
+
+			for i := range initContainerPatch {
+				initContainerPatch[i].Path = strings.Replace(initContainerPatch[i].Path, "/spec/containers", "/spec/initContainers", 1)
+			}
+			patch = append(patch, initContainerPatch...)
 		}
-		if didMutate {
-			mutated = true
-		}
-		patch = append(patch, initContainerPatch...)
 	}
 
 	for i := range pod.Spec.Containers {
@@ -297,15 +313,35 @@ func (s *SecretInjector) mutate(ar *admissionv1.AdmissionReview) *admissionv1.Ad
 
 // create mutation patch for resources
 func createOPCLIPatch(pod *corev1.Pod, containers []corev1.Container, patch []patchOperation) ([]byte, error) {
-
 	annotations := map[string]string{injectionStatus: "injected"}
 	patch = append(patch, addVolume(pod.Spec.Volumes, []corev1.Volume{binVolume}, "/spec/volumes")...)
-	patch = append(patch, addContainers(pod.Spec.InitContainers, containers, "/spec/initContainers")...)
-	patch = append(patch, updateAnnotation(pod.Annotations, annotations)...)
 
+	if value, exists := pod.Annotations[injectorInitFirstAnnotation]; exists && strings.ToLower(value) == "true" {
+		patch = append(patch, prependContainers(pod.Spec.InitContainers, containers, "/spec/initContainers")...)
+	} else {
+		patch = append(patch, addContainers(pod.Spec.InitContainers, containers, "/spec/initContainers")...)
+	}
+
+	patch = append(patch, updateAnnotation(pod.Annotations, annotations)...)
 	return json.Marshal(patch)
 }
 
+// adds containers to the beginning of the target
+func prependContainers(target, added []corev1.Container, basePath string) (patch []patchOperation) {
+	if len(target) == 0 {
+		return addContainers(target, added, basePath)
+	}
+
+	for i := len(added) - 1; i >= 0; i-- {
+		patch = append(patch, patchOperation{
+			Op:    "add",
+			Path:  basePath + "/0",
+			Value: added[i],
+		})
+	}
+	return patch
+}
+
 func isEnvVarSetup(envVarName string) func(c *corev1.Container) bool {
 	return func(container *corev1.Container) bool {
 		envVar := findContainerEnvVarByName(envVarName, container)