Allow running copy-op-bin before other init containers #49

Open
NominalTrajectory opened this issue Dec 20, 2023 · 1 comment

@NominalTrajectory

Summary

Hi 1Password team,

We started using the 1Password k8s injector recently and are generally happy with it. However, we noticed one limitation. We run a lot of init containers and we want them to use secrets from 1Password. This does not seem to be possible right now because the copy-op-bin init container gets appended to the init containers array, which means it will always run last.

It would be nice if we could tell the injector to prepend the 1Password container.

Use cases

This feature will make it possible to use secrets loaded from 1Password in init containers, e.g. to run database migrations.

Proposed solution

HashiCorp Vault solved this problem by adding an annotation, vault.hashicorp.com/agent-init-first, which allows prepending the init container instead of appending it so that it runs first. Maybe something similar would work for the 1Password injector?

Is there a workaround to accomplish this today?

We had to move the init steps outside of init containers; we have to run them in the CI which is not ideal.

References & Prior Work

Many thanks!

@NominalTrajectory

Hi,

I wanted to circle back to this issue; it remains a high priority for our platform.

Not sure if you've had the opportunity to look into this already, but I'd like to give it a try and draft a PR with something similar to how it was solved in HashiCorp Vault.

Would it be possible to assign this issue to me?
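
The append-versus-prepend behaviour requested in this issue, sketched as an added example (not code from the injector or from this thread). It assumes the webhook returns RFC 6902 JSON Patch operations, as Kubernetes mutating admission webhooks do; the annotation name, types and function are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical annotation, modeled on vault.hashicorp.com/agent-init-first;
// it is not an existing injector option.
const initFirstAnnotation = "example.com/op-init-first"

type Container struct {
	Name string `json:"name"`
}

type PatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

// InitContainerPatch returns the RFC 6902 operations that add the injected
// init container to a pod with the given annotations and init containers.
func InitContainerPatch(annotations map[string]string, existing []Container, injected Container) []PatchOp {
	for _, c := range existing {
		if c.Name == injected.Name {
			return nil // already injected, e.g. when the webhook is reinvoked
		}
	}
	if len(existing) == 0 {
		// The array is absent or empty in the pod spec, so set it whole.
		return []PatchOp{{Op: "add", Path: "/spec/initContainers", Value: []Container{injected}}}
	}
	path := "/spec/initContainers/-" // append: runs after all other init containers
	if annotations[initFirstAnnotation] == "true" {
		path = "/spec/initContainers/0" // prepend: runs before them
	}
	return []PatchOp{{Op: "add", Path: path, Value: injected}}
}

func main() {
	// Constructed sample pod: one migration init container that needs secrets.
	existing := []Container{{Name: "db-migrate"}}
	ops := InitContainerPatch(map[string]string{initFirstAnnotation: "true"}, existing, Container{Name: "copy-op-bin"})
	out, _ := json.Marshal(ops)
	fmt.Println(string(out))
}
```

Other mutating webhooks that run later can still insert their own init containers at index 0, so the final order also depends on webhook ordering in the cluster.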
