Skip to content

feat: Support injection into user-defined init containers #55

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat: Support injection into user-defined init containers #55

wants to merge 2 commits into from

Conversation

NominalTrajectory
Copy link

This PR addresses the issue #49 and introduces support for injecting secrets into user-defined init containers using the 1Password Kubernetes Secrets Injector.

Background

The 1Password Kubernetes Secrets Injector does not currently support injecting secrets into user-defined init containers, as its init container is appended to the pod specification and runs after all user-defined init containers. This causes the 1Password CLI binary and command modifications to be unavailable during the execution of user-defined init containers.

Key Changes

  • Added a new annotation: operator.1password.io/injector-init-first: "true" (defaults to false)
    • When set to true, the injector prepends its init container as the first init container.
    • User-defined init containers listed in the operator.1password.io/inject annotation are also mutated to enable secret injection.
  • Updates the webhook.go to handle the new annotation logic.
  • Added tests and updated docs.

Marton6
Marton6 requested changes Jan 9, 2025
View reviewed changes
pkg/webhook/webhook.go Outdated
Comment on lines 319 to 323
if value, exists := pod.Annotations[injectorInitFirstAnnotation]; exists && strings.ToLower(value) == "true" {
patch = append(patch, prependContainers(pod.Spec.InitContainers, containers, "/spec/initContainers")...)
} else {
patch = append(patch, addContainers(pod.Spec.InitContainers, containers, "/spec/initContainers")...)
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think prependContainers actually prepends the op-cli container.

Looking at the PR you linked from Hashicorp Vault, the correct approach to prepending seems to be the following:

  1. Remove all init containers
  2. Add our init container (op-cli)
  3. Add back all other init containers

Here's the source code from Hashicorp vault: https://github.com/hashicorp/vault-k8s/pull/91/files#diff-7854e12d807c917e5f3a303d9f3182cf3d95a2fbc1e2f30ec281ffabf67c95ddR329

Do you think following HashiCorp's approach makes sense here? Let me know if I missed anything!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After conducting some manual testing, I see that the reordering works because the init container is named 0 instead of -, but I still think Hashicorp's approach is more robust, and we should have the same approach.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the feedback @Marton6, I agree. I will update the PR during the weekend.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Marton6 added changes based on your feedback, could you re-review?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Marton6 Marton6 Awaiting requested review from Marton6

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@NominalTrajectory @Marton6