Allow running copy-op-bin before other init containers #49

@NominalTrajectory

Summary

Hi 1Password team,

We started using the 1Password k8s injector recently and are generally happy with it. However, we noticed one limitation. We run a lot of init containers and we want them to use secrets from 1Password. This does not seem to be possible right now because the copy-op-bin init container gets appended to the init containers array, which means it will always run last.

It would be nice if we could tell the injector to prepend the 1Password container.

Use cases

This feature will make it possible to use secrets loaded from 1Password in init containers, e.g. to run database migrations.

Proposed solution

HashiCorp Vault solved this problem by adding an annotation, vault.hashicorp.com/agent-init-first, which allows prepending the init container instead of appending it so that it runs first. Maybe something similar would work for the 1Password injector?

Is there a workaround to accomplish this today?

We had to move the init steps outside of init containers; we have to run them in CI, which is not ideal.

References & Prior Work

Many thanks!
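
The ordering behaviour described in this issue, as an added example that is not part of the original issue or the injector's own code. The `Container` type, the `inject` and `startedBefore` helpers, the annotation name `injector.example/init-first` and the sample container names other than copy-op-bin are all hypothetical.

```go
package main

import "fmt"

// Container is a minimal stand-in for a pod's init container (only the name matters here).
type Container struct{ Name string }

// initFirstAnnotation is a hypothetical annotation, modelled on Vault's agent-init-first.
const initFirstAnnotation = "injector.example/init-first"

// inject returns the init container list after a webhook adds injected.
// Default: append (runs last). Annotation set to "true": prepend (runs first).
// The caller's slice is never modified.
func inject(existing []Container, annotations map[string]string, injected Container) []Container {
	out := make([]Container, 0, len(existing)+1)
	if annotations[initFirstAnnotation] == "true" {
		out = append(out, injected)
		return append(out, existing...)
	}
	out = append(out, existing...)
	return append(out, injected)
}

// startedBefore lists the init containers that run before name. Init containers run
// sequentially in array order, so these cannot use anything that name sets up.
// The bool is false when name is not in the list.
func startedBefore(list []Container, name string) ([]string, bool) {
	before := []string{}
	for _, c := range list {
		if c.Name == name {
			return before, true
		}
		before = append(before, c.Name)
	}
	return nil, false
}

func main() {
	pod := []Container{{Name: "db-migrate"}, {Name: "warm-cache"}} // constructed sample
	op := Container{Name: "copy-op-bin"}

	appended := inject(pod, nil, op)
	b, _ := startedBefore(appended, op.Name)
	fmt.Println("append:  run without the injected binary:", b)

	prepended := inject(pod, map[string]string{initFirstAnnotation: "true"}, op)
	b, _ = startedBefore(prepended, op.Name)
	fmt.Println("prepend: run without the injected binary:", b)
}
```
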
