We started using the 1Password k8s injector recently and are generally happy with it. However, we noticed one limitation. We run a lot of init containers and we want them to use secrets from 1Password. This does not seem to be possible right now because the copy-op-bin init container gets appended to the init containers array, which means it will always run last.
It would be nice if we could tell the injector to prepend the 1Password container.
Use cases
This feature will make it possible to use secrets loaded from 1Password in init containers, e.g. to run database migrations.
Proposed solution
HashiCorp Vault solved this problem by adding an annotation, vault.hashicorp.com/agent-init-first, which allows prepending the init container instead of appending it so that it runs first. Maybe something similar would work for the 1Password injector?
Is there a workaround to accomplish this today?
We had to move the init steps outside of init containers; we have to run them in CI, which is not ideal.
I wanted to circle back to this issue; it remains a high priority for our platform.
Not sure if you've had the opportunity to look into this already, but I'd like to give it a try and draft a PR with something similar to how it was solved in HashiCorp Vault.
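A sketch of the ordering change requested in this thread, added here as an illustration and not taken from the injector's code base or from any participant. The annotation name `operator.1password.io/init-first`, the `Container` stand-in type and the function `placeInjected` are hypothetical; only `copy-op-bin` and the Vault annotation it is modelled on come from the issue.

```go
package main

import (
	"fmt"
	"strconv"
)

// Container stands in for corev1.Container, reduced to what ordering needs.
type Container struct{ Name string }

const (
	// Hypothetical annotation, modelled on vault.hashicorp.com/agent-init-first.
	initFirstAnnotation = "operator.1password.io/init-first"
	injectedName        = "copy-op-bin"
)

// placeInjected returns the init container list with copy-op-bin first when
// the annotation parses as true, and last (the behaviour the issue describes)
// otherwise. An existing copy-op-bin entry is dropped before placement, so a
// pod that is admitted twice does not end up with two copies. An unparsable
// value is rejected instead of silently falling back to "last", because the
// fallback would start the user's init containers without the injected one.
func placeInjected(initContainers []Container, annotations map[string]string) ([]Container, error) {
	first := false
	if raw, ok := annotations[initFirstAnnotation]; ok {
		v, err := strconv.ParseBool(raw)
		if err != nil {
			return nil, fmt.Errorf("annotation %s: invalid value %q", initFirstAnnotation, raw)
		}
		first = v
	}
	out := make([]Container, 0, len(initContainers)+1)
	if first {
		out = append(out, Container{Name: injectedName})
	}
	for _, c := range initContainers {
		if c.Name != injectedName {
			out = append(out, c)
		}
	}
	if !first {
		out = append(out, Container{Name: injectedName})
	}
	return out, nil
}

func main() {
	// Constructed sample: a pod with two user-defined init containers.
	pod := []Container{{Name: "db-migrate"}, {Name: "wait-for-db"}}
	out, err := placeInjected(pod, map[string]string{initFirstAnnotation: "true"})
	fmt.Println(out, err)
}
```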