addressing pr comments

This reverts commit a5f4a7a0c1.

.VERSION

@@ -1 +1 @@
-1.0.2
+1.1.0

CHANGELOG.md

@@ -12,6 +12,14 @@
 
 ---
 
+[//]: # (START/v1.1.0)
+# v1.1.0
+
+## Fixes
+ * Fix normalization for keys in a Secret's `data` section to allow upper- and lower-case alphanumeric characters. {#66}
+
+---
+
 [//]: # (START/v1.0.2)
 # v1.0.2
 

Makefile

@@ -11,7 +11,9 @@ versionFile = $(CURDIR)/.VERSION
 curVersion := $(shell cat $(versionFile) | sed 's/^v//')
 
 OPERATOR_NAME := onepassword-connect-operator
-DOCKER_IMG_TAG ?= $(OPERATOR_NAME):v$(curVersion)
+INJECTOR_NAME := onepassword-secrets-injector
+OPERATOR_DOCKER_IMG_TAG ?= $(OPERATOR_NAME):v$(curVersion)
+INJECTOR_DOCKER_IMG_TAG ?= $(INJECTOR_NAME):v$(curVersion)
 
 test:	## Run test suite
 	go test ./...
@@ -19,17 +21,30 @@ test:	## Run test suite
 test/coverage:	## Run test suite with coverage report
 	go test -v ./... -cover
 
-build:	## Build operator Docker image
-	@docker build -f Dockerfile --build-arg operator_version=$(curVersion) -t $(DOCKER_IMG_TAG) .
+build/operator:	## Build operator Docker image
+	@docker build -f operator/Dockerfile --build-arg operator_version=$(curVersion) -t $(OPERATOR_DOCKER_IMG_TAG) .
 	@echo "Successfully built and tagged image."
-	@echo "Tag: $(DOCKER_IMG_TAG)"
+	@echo "Tag: $(OPERATOR_DOCKER_IMG_TAG)"
 
-build/local:	## Build local version of the operator Docker image
-	@docker build -f Dockerfile -t local/$(DOCKER_IMG_TAG) .
+build/operator/local:	## Build local version of the operator Docker image 
+	@docker build -f operator/Dockerfile -t local/$(OPERATOR_DOCKER_IMG_TAG) .
 
-build/binary: clean	## Build operator binary
+build/operator/binary: clean	## Build operator binary
 	@mkdir -p dist
-	@go build -mod vendor -a -o manager ./cmd/manager/main.go
+	@go build -mod vendor -a -o manager ./operator/cmd/manager/main.go
+	@mv manager ./dist
+
+build/secret-injector:	## Build secret-injector Docker image
+	@docker build -f secret-injector/Dockerfile --build-arg operator_version=$(curVersion) -t $(INJECTOR_DOCKER_IMG_TAG) .
+	@echo "Successfully built and tagged image."
+	@echo "Tag: $(INJECTOR_DOCKER_IMG_TAG)"
+
+build/secret-injector/local:	## Build local version of the secret-injector Docker image 
+	@docker build -f secret-injector/Dockerfile -t local/$(INJECTOR_DOCKER_IMG_TAG) .
+
+build/secret-injector/binary: clean	## Build secret-injector binary
+	@mkdir -p dist
+	@go build -mod vendor -a -o manager ./secret-injector/cmd/manager/main.go
 	@mv manager ./dist
 
 clean:

README.md

@@ -1,4 +1,8 @@
-# 1Password Connect Kubernetes Operator
+# 1Password for Kubernetes
+
+This repository includes various tooling for integrating 1Password secrets wtih Kubernetes.
+
+## 1Password Connect Kubernetes Operator
 
 The 1Password Connect Kubernetes Operator provides the ability to integrate Kubernetes with 1Password. This Operator manages `OnePasswordItem` Custom Resource Definitions (CRDs) that define the location of an Item stored in 1Password. The `OnePasswordItem` CRD, when created, will be used to compose a Kubernetes Secret containing the contents of the specified item.
 
@@ -6,227 +10,16 @@ The 1Password Connect Kubernetes Operator also allows for Kubernetes Secrets to
 
 The 1Password Connect Kubernetes Operator will continually check for updates from 1Password for any Kubernetes Secret that it has generated. If a Kubernetes Secret is updated, any Deployment using that secret can be automatically restarted.
 
-## Setup
+[Click here for more details on the 1Password Kubernetes Operator](operator/README.md)
 
-Prerequisites:
+## 1Password Secrets Injector for Kubernetes
 
-- [1Password Command Line Tool Installed](https://1password.com/downloads/command-line/)
-- [kubectl installed](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
-- [docker installed](https://docs.docker.com/get-docker/)
-- [Generated a 1password-credentials.json file and issued a 1Password Connect API Token for the K8s Operator integration](https://support.1password.com/secrets-automation/)
-- [1Password Connect deployed to Kubernetes](https://support.1password.com/connect-deploy-kubernetes/#step-2-deploy-a-1password-connect-server). **NOTE**: If customization of the 1Password Connect deployment is not required you can skip this prerequisite.
+The 1Password Secrets Injector implements a mutating webhook to inject 1Password secrets as environment variables into a pod or deployment. Unlike the 1Password Kubernetes Operator, the Secrets Injector does not create a Kubernetes Secret when assigning secrets to your resource.
 
-### Quickstart for Deploying 1Password Connect to Kubernetes
+[Click here for more details on the 1Password Secrets Injector for Kubernetes](secret-injector/README.md)
 
 
-#### Deploy with Helm
-The 1Password Connect Helm Chart helps to simplify the deployment of 1Password Connect and the 1Password Connect Kubernetes Operator to Kubernetes. 
-
-[The 1Password Connect Helm Chart can be found here.](https://github.com/1Password/connect-helm-charts)
-
-#### Deploy using the Connect Operator
-If 1Password Connect is already running, you can skip this step. This guide will provide a quickstart option for deploying a default configuration of 1Password Connect via starting the deploying the 1Password Connect Operator, however it is recommended that you instead deploy your own manifest file if customization of the 1Password Connect deployment is desired.
-
-Encode the 1password-credentials.json file you generated in the prerequisite steps and save it to a file named op-session:
-
-```bash
-$ cat 1password-credentials.json | base64 | \
-  tr '/+' '_-' | tr -d '=' | tr -d '\n' > op-session
-```
-
-Create a Kubernetes secret from the op-session file:
-```bash
-
-$  kubectl create secret generic op-credentials --from-file=1password-credentials.json
-```
-
-Add the following environment variable to the onepassword-connect-operator container in `deploy/operator.yaml`:
-```yaml
-- name: MANAGE_CONNECT
-  value: "true"
-```
-Adding this environment variable will have the operator automatically deploy a default configuration of 1Password Connect to the `default` namespace.
-### Kubernetes Operator Deployment
-
-**Create Kubernetes Secret for OP_CONNECT_TOKEN**
-
-"Create a Connect token for the operator and save it as a Kubernetes Secret: 
-
-```bash
-$ kubectl create secret generic onepassword-token --from-literal=token=<OP_CONNECT_TOKEN>"
-```
-
-If you do not have a token for the operator, you can generate a token and save it to kubernetes with the following command:
-```bash
-$ kubectl create secret generic onepassword-token --from-literal=token=$(op create connect token <server> op-k8s-operator --vault <vault>)
-```
-
-[More information on generating a token can be found here](https://support.1password.com/secrets-automation/#appendix-issue-additional-access-tokens)
-
-**Set Permissions For Operator**
-
-We must create a service account, role, and role binding and Kubernetes. Examples can be found in the `/deploy` folder.
-
-```bash
-$ kubectl apply -f deploy/permissions.yaml
-```
-
-**Create Custom One Password Secret Resource**
-
-```bash
-$ kubectl apply -f deploy/crds/onepassword.com_onepassworditems_crd.yaml
-```
-
-**Deploying the Operator**
-
-An sample Deployment yaml can be found at `/deploy/operator.yaml`.
-
-
-To further configure the 1Password Kubernetes Operator the Following Environment variables can be set in the operator yaml:
-
-- **OP_CONNECT_HOST** (required): Specifies the host name within Kubernetes in which to access the 1Password Connect.
-- **WATCH_NAMESPACE:** (default: watch all namespaces): Comma separated list of what Namespaces to watch for changes.
-- **POLLING_INTERVAL** (default: 600): The number of seconds the 1Password Kubernetes Operator will wait before checking for updates from 1Password Connect.
-- **MANAGE_CONNECT** (default: false): If set to true, on deployment of the operator, a default configuration of the OnePassword Connect Service will be deployed to the `default` namespace.
-- **AUTO_RESTART** (default: false): If set to true, the operator will restart any deployment using a secret from 1Password Connect. This can be overwritten by namespace, deployment, or individual secret. More details on AUTO_RESTART can be found in the ["Configuring Automatic Rolling Restarts of Deployments"](#configuring-automatic-rolling-restarts-of-deployments) section.
-
-Apply the deployment file:
-
-```yaml
-kubectl apply -f deploy/operator.yaml
-```
-
-## Usage
-
-To create a Kubernetes Secret from a 1Password item, create a yaml file with the following
-
-```yaml
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: <item_name> #this name will also be used for naming the generated kubernetes secret
-spec:
-  itemPath: "vaults/<vault_id_or_title>/items/<item_id_or_title>" 
-```
-
-Deploy the OnePasswordItem to Kubernetes:
-
-```bash
-$ kubectl apply -f <your_item>.yaml
-```
-
-To test that the Kubernetes Secret check that the following command returns a secret:
-
-```bash
-$ kubectl get secret <secret_name>
-```
-
-Note: Deleting the `OnePasswordItem` that you've created will automatically delete the created Kubernetes Secret.
-
-To create a single Kubernetes Secret for a deployment, add the following annotations to the deployment metadata:
-
-```yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: deployment-example
-  annotations:
-    operator.1password.io/item-path: "vaults/<vault_id_or_title>/items/<item_id_or_title>"
-    operator.1password.io/item-name: "<secret_name>"
-```
-
-Applying this yaml file will create a Kubernetes Secret with the name `<secret_name>` and contents from the location specified at the specified Item Path.
-
-Note: Deleting the Deployment that you've created will automatically delete the created Kubernetes Secret only if the deployment is still annotated with `operator.1password.io/item-path` and `operator.1password.io/item-name` and no other deployment is using the secret.
-
-If a 1Password Item that is linked to a Kubernetes Secret is updated within the POLLING_INTERVAL the associated Kubernetes Secret will be updated. However, if you do not want a specific secret to be updated you can add the tag `operator.1password.io:ignore-secret` to the item stored in 1Password. While this tag is in place, any updates made to an item will not trigger an update to the associated secret in Kubernetes.
-
----
-**NOTE**
-
-If multiple 1Password vaults/items have the same `title` when using a title in the access path, the desired action will be performed on the oldest vault/item. 
-
-Titles and field names that include white space and other characters that are not a valid [DNS subdomain name](https://kubernetes.io/docs/concepts/configuration/secret/) will create Kubernetes secrets that have titles and fields in the following format:
- - Invalid characters before the first alphanumeric character and after the last alphanumeric character will be removed
- - All whitespaces between words will be replaced by `-`
- - All the letters will be lower-cased.
-
----
-
-### Configuring Automatic Rolling Restarts of Deployments
-
-If a 1Password Item that is linked to a Kubernetes Secret is updated, any deployments configured to `auto-restart` AND are using that secret will be given a rolling restart the next time 1Password Connect is polled for updates.
-
-There are many levels of granularity on which to configure auto restarts on deployments: at the operator level, per-namespace, or per-deployment.
-
-**On the operator**: This method allows for managing auto restarts on all deployments within the namespaces watched by operator. Auto restarts can be enabled by setting the environemnt variable  `AUTO_RESTART` to true. If the value is not set, the operator will default this value to false.
-
-**Per Namespace**: This method allows for managing auto restarts on all deployments within a namespace. Auto restarts can by managed by setting the annotation `operator.1password.io/auto-restart` to either `true` or `false` on the desired namespace. An example of this is shown below:
-```yaml
-# enabled auto restarts for all deployments within a namespace unless overwritten within a deployment
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: "example-namespace"
-  annotations:
-    operator.1password.io/auto-restart: "true"
-```
-If the value is not set, the auto reset settings on the operator will be used. This value can be overwritten by deployment.
-
-**Per Deployment**
-This method allows for managing auto restarts on a given deployment. Auto restarts can by managed by setting the annotation `operator.1password.io/auto-restart` to either `true` or `false` on the desired deployment. An example of this is shown below:
-```yaml
-# enabled auto restarts for the deployment
-apiVersion: v1
-kind: Deployment
-metadata:
-  name: "example-deployment"
-  annotations:
-    operator.1password.io/auto-restart: "true"
-```
-If the value is not set, the auto reset settings on the namespace will be used.
-
-**Per OnePasswordItem Custom Resource**
-This method allows for managing auto restarts on a given OnePasswordItem custom resource. Auto restarts can by managed by setting the annotation `operator.1password.io/auto_restart` to either `true` or `false` on the desired OnePasswordItem. An example of this is shown below:
-```yaml
-# enabled auto restarts for the OnePasswordItem
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
-metadata:
-  name: example
-  annotations:
-    operator.1password.io/auto-restart: "true"
-```
-If the value is not set, the auto reset settings on the deployment will be used.
-
-## Development
-
-### Creating a Docker image
-
-To create a local version of the Docker image for testing, use the following `Makefile` target:
-```shell
-make build/local
-```
-
-### Building the Operator binary
-```shell
-make build/binary
-```
-
-The binary will be placed inside a `dist` folder within this repository.
-
-### Running Tests
-
-```shell
-make test
-```
-
-With coverage:
-```shell
-make test/coverage
-```
-
-## Security
+# Security
 
 1Password requests you practice responsible disclosure if you discover a vulnerability. 
 

build/Dockerfile

@@ -1,15 +0,0 @@
-FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
-
-ENV OPERATOR=/usr/local/bin/onepassword-connect-operator \
-    USER_UID=1001 \
-    USER_NAME=onepassword-connect-operator
-
-# install operator binary
-COPY build/_output/bin/op-kubernetes-connect-operator ${OPERATOR}
-
-COPY build/bin /usr/local/bin
-RUN  /usr/local/bin/user_setup
-
-ENTRYPOINT ["/usr/local/bin/entrypoint"]
-
-USER ${USER_UID}

build/bin/entrypoint

@@ -1,3 +0,0 @@
-#!/bin/sh -e
-
-exec ${OPERATOR} $@

build/bin/user_setup

@@ -1,11 +0,0 @@
-#!/bin/sh
-set -x
-
-# ensure $HOME exists and is accessible by group 0 (we don't know what the runtime UID will be)
-echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd
-mkdir -p "${HOME}"
-chown "${USER_UID}:0" "${HOME}"
-chmod ug+rwx "${HOME}"
-
-# no need for this script to remain in the image after running
-rm "$0"

go.mod

@@ -4,6 +4,7 @@ go 1.13
 
 require (
 	github.com/1Password/connect-sdk-go v1.0.1
+	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 	github.com/operator-framework/operator-sdk v0.19.0
 	github.com/prometheus/common v0.14.0 // indirect
 	github.com/spf13/pflag v1.0.5

go.sum

@@ -370,6 +370,7 @@ github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/golang-migrate/migrate/v4 v4.6.2/go.mod h1:JYi6reN3+Z734VZ0akNuyOJNcrg45ZL7LDBMW3WGJL0=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef h1:veQD95Isof8w9/WXiA+pa3tz3fJXkt5B7QaRBrM62gk=
@@ -1331,6 +1332,7 @@ k8s.io/apimachinery v0.18.2/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftc
 k8s.io/apiserver v0.0.0-20190918160949-bfa5e2e684ad/go.mod h1:XPCXEwhjaFN29a8NldXA901ElnKeKLrLtREO9ZhFyhg=
 k8s.io/apiserver v0.0.0-20191122221311-9d521947b1e1/go.mod h1:RbsZY5zzBIWnz4KbctZsTVjwIuOpTp4Z8oCgFHN4kZQ=
 k8s.io/apiserver v0.18.0/go.mod h1:3S2O6FeBBd6XTo0njUrLxiqk8GNy6wWOftjhJcXYnjw=
+k8s.io/apiserver v0.18.2 h1:fwKxdTWwwYhxvtjo0UUfX+/fsitsNtfErPNegH2x9ic=
 k8s.io/apiserver v0.18.2/go.mod h1:Xbh066NqrZO8cbsoenCwyDJ1OSi8Ag8I2lezeHxzwzw=
 k8s.io/autoscaler v0.0.0-20190607113959-1b4f1855cb8e/go.mod h1:QEXezc9uKPT91dwqhSJq3GNI3B1HxFRQHiku9kmrsSA=
 k8s.io/cli-runtime v0.18.0/go.mod h1:1eXfmBsIJosjn9LjEBUd2WVPoPAY9XGTqTFcPMIBsUQ=
@@ -1343,6 +1345,7 @@ k8s.io/code-generator v0.18.2/go.mod h1:+UHX5rSbxmR8kzS+FAv7um6dtYrZokQvjHpDSYRV
 k8s.io/component-base v0.0.0-20190918160511-547f6c5d7090/go.mod h1:933PBGtQFJky3TEwYx4aEPZ4IxqhWh3R6DCmzqIn1hA=
 k8s.io/component-base v0.0.0-20191122220729-2684fb322cb9/go.mod h1:NFuUusy/X4Tk21m21tcNUihnmp4OI7lXU7/xA+rYXkc=
 k8s.io/component-base v0.18.0/go.mod h1:u3BCg0z1uskkzrnAKFzulmYaEpZF7XC9Pf/uFyb1v2c=
+k8s.io/component-base v0.18.2 h1:SJweNZAGcUvsypLGNPNGeJ9UgPZQ6+bW+gEHe8uyh/Y=
 k8s.io/component-base v0.18.2/go.mod h1:kqLlMuhJNHQ9lz8Z7V5bxUUtjFZnrypArGl58gmDfUM=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
@@ -1367,6 +1370,7 @@ k8s.io/kube-state-metrics v1.7.2/go.mod h1:U2Y6DRi07sS85rmVPmBFlmv+2peBcL8IWGjM+
 k8s.io/kubectl v0.18.0/go.mod h1:LOkWx9Z5DXMEg5KtOjHhRiC1fqJPLyCr3KtQgEolCkU=
 k8s.io/kubectl v0.18.2 h1:9jnGSOC2DDVZmMUTMi0D1aed438mfQcgqa5TAzVjA1k=
 k8s.io/kubectl v0.18.2/go.mod h1:OdgFa3AlsPKRpFFYE7ICTwulXOcMGXHTc+UKhHKvrb4=
+k8s.io/kubernetes v1.13.0 h1:qTfB+u5M92k2fCCCVP2iuhgwwSOv1EkAkvQY1tQODD8=
 k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk=
 k8s.io/metrics v0.18.0/go.mod h1:8aYTW18koXqjLVKL7Ds05RPMX9ipJZI3mywYvBOxXd4=
 k8s.io/metrics v0.18.2/go.mod h1:qga8E7QfYNR9Q89cSCAjinC9pTZ7yv1XSVGUB0vJypg=

operator/Dockerfile

@@ -7,18 +7,18 @@ COPY go.mod go.mod
 COPY go.sum go.sum
 
 # Copy the go source
-COPY cmd/manager/main.go main.go
-COPY pkg/ pkg/
-COPY version/ version/
+COPY operator/cmd/manager/main.go operator/main.go
+COPY operator/pkg/ operator/pkg/
+COPY operator/version/ operator/version/
 COPY vendor/ vendor/
 # Build
 ARG operator_version=dev
 RUN CGO_ENABLED=0 \
     GO111MODULE=on \
     go build \
-    -ldflags "-X \"github.com/1Password/onepassword-operator/version.Version=$operator_version\"" \
+    -ldflags "-X \"github.com/1Password/onepassword-operator/operator/version.Version=$operator_version\"" \
     -mod vendor \
-    -a -o manager main.go
+    -a -o manager operator/main.go
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
@@ -26,6 +26,6 @@ FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/manager .
 USER nonroot:nonroot
-COPY deploy/connect/ deploy/connect/
+COPY operator/deploy/connect/ operator/deploy/connect/
 
 ENTRYPOINT ["/manager"]

operator/README.md

@@ -0,0 +1,235 @@
+# 1Password Connect Kubernetes Operator
+
+The 1Password Connect Kubernetes Operator provides the ability to integrate Kubernetes with 1Password. This Operator manages `OnePasswordItem` Custom Resource Definitions (CRDs) that define the location of an Item stored in 1Password. The `OnePasswordItem` CRD, when created, will be used to compose a Kubernetes Secret containing the contents of the specified item.
+
+The 1Password Connect Kubernetes Operator also allows for Kubernetes Secrets to be composed from a 1Password Item through annotation of an Item Path on a deployment.
+
+The 1Password Connect Kubernetes Operator will continually check for updates from 1Password for any Kubernetes Secret that it has generated. If a Kubernetes Secret is updated, any Deployment using that secret can be automatically restarted.
+
+## Setup
+
+Prerequisites:
+
+- [1Password Command Line Tool Installed](https://1password.com/downloads/command-line/)
+- [kubectl installed](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
+- [docker installed](https://docs.docker.com/get-docker/)
+- [Generated a 1password-credentials.json file and issued a 1Password Connect API Token for the K8s Operator integration](https://support.1password.com/secrets-automation/)
+- [1Password Connect deployed to Kubernetes](https://support.1password.com/connect-deploy-kubernetes/#step-2-deploy-a-1password-connect-server). **NOTE**: If customization of the 1Password Connect deployment is not required you can skip this prerequisite.
+
+### Quickstart for Deploying 1Password Connect to Kubernetes
+
+
+#### Deploy with Helm
+The 1Password Connect Helm Chart helps to simplify the deployment of 1Password Connect and the 1Password Connect Kubernetes Operator to Kubernetes. 
+
+[The 1Password Connect Helm Chart can be found here.](https://github.com/1Password/connect-helm-charts)
+
+#### Deploy using the Connect Operator
+If 1Password Connect is already running, you can skip this step. This guide will provide a quickstart option for deploying a default configuration of 1Password Connect via starting the deploying the 1Password Connect Operator, however it is recommended that you instead deploy your own manifest file if customization of the 1Password Connect deployment is desired.
+
+Encode the 1password-credentials.json file you generated in the prerequisite steps and save it to a file named op-session:
+
+```bash
+$ cat 1password-credentials.json | base64 | \
+  tr '/+' '_-' | tr -d '=' | tr -d '\n' > op-session
+```
+
+Create a Kubernetes secret from the op-session file:
+```bash
+
+$  kubectl create secret generic op-credentials --from-file=1password-credentials.json
+```
+
+Add the following environment variable to the onepassword-connect-operator container in `deploy/operator.yaml`:
+```yaml
+- name: MANAGE_CONNECT
+  value: "true"
+```
+Adding this environment variable will have the operator automatically deploy a default configuration of 1Password Connect to the `default` namespace.
+### Kubernetes Operator Deployment
+
+**Create Kubernetes Secret for OP_CONNECT_TOKEN**
+
+"Create a Connect token for the operator and save it as a Kubernetes Secret: 
+
+```bash
+$ kubectl create secret generic onepassword-token --from-literal=token=<OP_CONNECT_TOKEN>"
+```
+
+If you do not have a token for the operator, you can generate a token and save it to kubernetes with the following command:
+```bash
+$ kubectl create secret generic onepassword-token --from-literal=token=$(op create connect token <server> op-k8s-operator --vault <vault>)
+```
+
+[More information on generating a token can be found here](https://support.1password.com/secrets-automation/#appendix-issue-additional-access-tokens)
+
+**Set Permissions For Operator**
+
+We must create a service account, role, and role binding and Kubernetes. Examples can be found in the `/deploy` folder.
+
+```bash
+$ kubectl apply -f deploy/permissions.yaml
+```
+
+**Create Custom One Password Secret Resource**
+
+```bash
+$ kubectl apply -f deploy/crds/onepassword.com_onepassworditems_crd.yaml
+```
+
+**Deploying the Operator**
+
+An sample Deployment yaml can be found at `/deploy/operator.yaml`.
+
+
+To further configure the 1Password Kubernetes Operator the Following Environment variables can be set in the operator yaml:
+
+- **OP_CONNECT_HOST** (required): Specifies the host name within Kubernetes in which to access the 1Password Connect.
+- **WATCH_NAMESPACE:** (default: watch all namespaces): Comma separated list of what Namespaces to watch for changes.
+- **POLLING_INTERVAL** (default: 600): The number of seconds the 1Password Kubernetes Operator will wait before checking for updates from 1Password Connect.
+- **MANAGE_CONNECT** (default: false): If set to true, on deployment of the operator, a default configuration of the OnePassword Connect Service will be deployed to the `default` namespace.
+- **AUTO_RESTART** (default: false): If set to true, the operator will restart any deployment using a secret from 1Password Connect. This can be overwritten by namespace, deployment, or individual secret. More details on AUTO_RESTART can be found in the ["Configuring Automatic Rolling Restarts of Deployments"](#configuring-automatic-rolling-restarts-of-deployments) section.
+
+Apply the deployment file:
+
+```yaml
+kubectl apply -f deploy/operator.yaml
+```
+
+## Usage
+
+To create a Kubernetes Secret from a 1Password item, create a yaml file with the following
+
+```yaml
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: <item_name> #this name will also be used for naming the generated kubernetes secret
+spec:
+  itemPath: "vaults/<vault_id_or_title>/items/<item_id_or_title>" 
+```
+
+Deploy the OnePasswordItem to Kubernetes:
+
+```bash
+$ kubectl apply -f <your_item>.yaml
+```
+
+To test that the Kubernetes Secret check that the following command returns a secret:
+
+```bash
+$ kubectl get secret <secret_name>
+```
+
+Note: Deleting the `OnePasswordItem` that you've created will automatically delete the created Kubernetes Secret.
+
+To create a single Kubernetes Secret for a deployment, add the following annotations to the deployment metadata:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-example
+  annotations:
+    operator.1password.io/item-path: "vaults/<vault_id_or_title>/items/<item_id_or_title>"
+    operator.1password.io/item-name: "<secret_name>"
+```
+
+Applying this yaml file will create a Kubernetes Secret with the name `<secret_name>` and contents from the location specified at the specified Item Path.
+
+Note: Deleting the Deployment that you've created will automatically delete the created Kubernetes Secret only if the deployment is still annotated with `operator.1password.io/item-path` and `operator.1password.io/item-name` and no other deployment is using the secret.
+
+If a 1Password Item that is linked to a Kubernetes Secret is updated within the POLLING_INTERVAL the associated Kubernetes Secret will be updated. However, if you do not want a specific secret to be updated you can add the tag `operator.1password.io:ignore-secret` to the item stored in 1Password. While this tag is in place, any updates made to an item will not trigger an update to the associated secret in Kubernetes.
+
+---
+**NOTE**
+
+If multiple 1Password vaults/items have the same `title` when using a title in the access path, the desired action will be performed on the oldest vault/item. 
+
+Titles and field names that include white space and other characters that are not a valid [DNS subdomain name](https://kubernetes.io/docs/concepts/configuration/secret/) will create Kubernetes secrets that have titles and fields in the following format:
+ - Invalid characters before the first alphanumeric character and after the last alphanumeric character will be removed
+ - All whitespaces between words will be replaced by `-`
+ - All the letters will be lower-cased.
+
+---
+
+### Configuring Automatic Rolling Restarts of Deployments
+
+If a 1Password Item that is linked to a Kubernetes Secret is updated, any deployments configured to `auto-restart` AND are using that secret will be given a rolling restart the next time 1Password Connect is polled for updates.
+
+There are many levels of granularity on which to configure auto restarts on deployments: at the operator level, per-namespace, or per-deployment.
+
+**On the operator**: This method allows for managing auto restarts on all deployments within the namespaces watched by operator. Auto restarts can be enabled by setting the environemnt variable  `AUTO_RESTART` to true. If the value is not set, the operator will default this value to false.
+
+**Per Namespace**: This method allows for managing auto restarts on all deployments within a namespace. Auto restarts can by managed by setting the annotation `operator.1password.io/auto-restart` to either `true` or `false` on the desired namespace. An example of this is shown below:
+```yaml
+# enabled auto restarts for all deployments within a namespace unless overwritten within a deployment
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: "example-namespace"
+  annotations:
+    operator.1password.io/auto-restart: "true"
+```
+If the value is not set, the auto reset settings on the operator will be used. This value can be overwritten by deployment.
+
+**Per Deployment**
+This method allows for managing auto restarts on a given deployment. Auto restarts can by managed by setting the annotation `operator.1password.io/auto-restart` to either `true` or `false` on the desired deployment. An example of this is shown below:
+```yaml
+# enabled auto restarts for the deployment
+apiVersion: v1
+kind: Deployment
+metadata:
+  name: "example-deployment"
+  annotations:
+    operator.1password.io/auto-restart: "true"
+```
+If the value is not set, the auto reset settings on the namespace will be used.
+
+**Per OnePasswordItem Custom Resource**
+This method allows for managing auto restarts on a given OnePasswordItem custom resource. Auto restarts can by managed by setting the annotation `operator.1password.io/auto_restart` to either `true` or `false` on the desired OnePasswordItem. An example of this is shown below:
+```yaml
+# enabled auto restarts for the OnePasswordItem
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: example
+  annotations:
+    operator.1password.io/auto-restart: "true"
+```
+If the value is not set, the auto reset settings on the deployment will be used.
+
+## Development
+
+### Creating a Docker image
+
+To create a local version of the Docker image for testing, use the following `Makefile` target:
+```shell
+make build/local
+```
+
+### Building the Operator binary
+```shell
+make build/binary
+```
+
+The binary will be placed inside a `dist` folder within this repository.
+
+### Running Tests
+
+```shell
+make test
+```
+
+With coverage:
+```shell
+make test/coverage
+```
+
+## Security
+
+1Password requests you practice responsible disclosure if you discover a vulnerability. 
+
+Please file requests via [**BugCrowd**](https://bugcrowd.com/agilebits). 
+
+For information about security practices, please visit our [Security homepage](https://bugcrowd.com/agilebits).

operator/cmd/manager/main.go

@@ -11,16 +11,16 @@ import (
 	"strings"
 	"time"
 
-	"github.com/1Password/onepassword-operator/pkg/controller"
-	op "github.com/1Password/onepassword-operator/pkg/onepassword"
+	"github.com/1Password/onepassword-operator/operator/pkg/controller"
+	op "github.com/1Password/onepassword-operator/operator/pkg/onepassword"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"k8s.io/client-go/rest"
 
-	"github.com/1Password/onepassword-operator/pkg/apis"
-	"github.com/1Password/onepassword-operator/version"
+	"github.com/1Password/onepassword-operator/operator/pkg/apis"
+	"github.com/1Password/onepassword-operator/operator/version"
 
 	"github.com/1Password/connect-sdk-go/connect"
 

operator/pkg/apis/addtoscheme_onepassword_v1.go

@@ -1,7 +1,7 @@
 package apis
 
 import (
-	v1 "github.com/1Password/onepassword-operator/pkg/apis/onepassword/v1"
+	v1 "github.com/1Password/onepassword-operator/operator/pkg/apis/onepassword/v1"
 )
 
 func init() {

operator/pkg/controller/add_deployment.go

@@ -1,7 +1,7 @@
 package controller
 
 import (
-	"github.com/1Password/onepassword-operator/pkg/controller/deployment"
+	"github.com/1Password/onepassword-operator/operator/pkg/controller/deployment"
 )
 
 func init() {

operator/pkg/controller/add_onepassworditem.go

@@ -1,7 +1,7 @@
 package controller
 
 import (
-	"github.com/1Password/onepassword-operator/pkg/controller/onepassworditem"
+	"github.com/1Password/onepassword-operator/operator/pkg/controller/onepassworditem"
 )
 
 func init() {

operator/pkg/controller/deployment/deployment_controller.go

@@ -3,10 +3,12 @@ package deployment
 import (
 	"context"
 	"fmt"
+	"strings"
 
-	kubeSecrets "github.com/1Password/onepassword-operator/pkg/kubernetessecrets"
-	op "github.com/1Password/onepassword-operator/pkg/onepassword"
-	"github.com/1Password/onepassword-operator/pkg/utils"
+	kubeSecrets "github.com/1Password/onepassword-operator/operator/pkg/kubernetessecrets"
+	"github.com/1Password/onepassword-operator/operator/pkg/onepassword"
+	op "github.com/1Password/onepassword-operator/operator/pkg/onepassword"
+	"github.com/1Password/onepassword-operator/operator/pkg/utils"
 
 	"regexp"
 
@@ -114,7 +116,7 @@ func (r *ReconcileDeployment) Reconcile(request reconcile.Request) (reconcile.Re
 			}
 		}
 		// Handles creation or updating secrets for deployment if needed
-		if err := r.HandleApplyingDeployment(deployment.Namespace, annotations, request); err != nil {
+		if err := r.HandleApplyingDeployment(deployment, annotations, request); err != nil {
 			return reconcile.Result{}, err
 		}
 		return reconcile.Result{}, nil
@@ -187,10 +189,19 @@ func (r *ReconcileDeployment) removeOnePasswordFinalizerFromDeployment(deploymen
 	return r.kubeClient.Update(context.Background(), deployment)
 }
 
-func (r *ReconcileDeployment) HandleApplyingDeployment(namespace string, annotations map[string]string, request reconcile.Request) error {
+func (r *ReconcileDeployment) HandleApplyingDeployment(deployment *appsv1.Deployment, annotations map[string]string, request reconcile.Request) error {
 	reqLog := log.WithValues("Request.Namespace", request.Namespace, "Request.Name", request.Name)
+	namespace := deployment.Namespace
+
+	// check if deployment is marked to be injected with secrets via the webhook
+	injectedContainers, injected := annotations[op.ContainerInjectAnnotation]
+	if injected {
+		parsedInjectedContainers := strings.Split(injectedContainers, ",")
+		return onepassword.CreateOnePasswordItemResourceFromDeployment(r.opConnectClient, r.kubeClient, deployment, parsedInjectedContainers)
+	}
 
 	secretName := annotations[op.NameAnnotation]
+	secretLabels := map[string]string(nil)
 	if len(secretName) == 0 {
 		reqLog.Info("No 'item-name' annotation set. 'item-path' and 'item-name' must be set as annotations to add new secret.")
 		return nil
@@ -201,5 +212,5 @@ func (r *ReconcileDeployment) HandleApplyingDeployment(namespace string, annotat
 		return fmt.Errorf("Failed to retrieve item: %v", err)
 	}
 
-	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, namespace, item, annotations[op.RestartDeploymentsAnnotation])
+	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, namespace, item, annotations[op.RestartDeploymentsAnnotation], secretLabels, annotations)
 }

operator/pkg/controller/deployment/deployment_controller_test.go

@@ -6,8 +6,8 @@ import (
 	"regexp"
 	"testing"
 
-	"github.com/1Password/onepassword-operator/pkg/mocks"
-	op "github.com/1Password/onepassword-operator/pkg/onepassword"
+	"github.com/1Password/onepassword-operator/operator/pkg/mocks"
+	op "github.com/1Password/onepassword-operator/operator/pkg/onepassword"
 
 	"github.com/1Password/connect-sdk-go/onepassword"
 	"github.com/stretchr/testify/assert"
@@ -258,7 +258,7 @@ var tests = []testReconcileItem{
 		},
 	},
 	{
-		testName: "Test Do not update if OnePassword Item Version has not changed",
+		testName: "Test Do not update if Annotations have not changed",
 		deploymentResource: &appsv1.Deployment{
 			TypeMeta: metav1.TypeMeta{
 				Kind:       deploymentKind,
@@ -271,6 +271,7 @@ var tests = []testReconcileItem{
 					op.ItemPathAnnotation: itemPath,
 					op.NameAnnotation:     name,
 				},
+				Labels: map[string]string{},
 			},
 		},
 		existingSecret: &corev1.Secret{
@@ -279,6 +280,8 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
 				},
 			},
 			Data: expectedSecretData,
@@ -290,7 +293,10 @@ var tests = []testReconcileItem{
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
+					op.NameAnnotation:     name,
 				},
+				Labels: map[string]string(nil),
 			},
 			Data: expectedSecretData,
 		},

operator/pkg/controller/onepassworditem/onepassworditem_controller.go

@@ -3,11 +3,12 @@ package onepassworditem
 import (
 	"context"
 	"fmt"
-	onepasswordv1 "github.com/1Password/onepassword-operator/pkg/apis/onepassword/v1"
-	kubeSecrets "github.com/1Password/onepassword-operator/pkg/kubernetessecrets"
-	"github.com/1Password/onepassword-operator/pkg/onepassword"
-	op "github.com/1Password/onepassword-operator/pkg/onepassword"
-	"github.com/1Password/onepassword-operator/pkg/utils"
+
+	onepasswordv1 "github.com/1Password/onepassword-operator/operator/pkg/apis/onepassword/v1"
+	kubeSecrets "github.com/1Password/onepassword-operator/operator/pkg/kubernetessecrets"
+	"github.com/1Password/onepassword-operator/operator/pkg/onepassword"
+	op "github.com/1Password/onepassword-operator/operator/pkg/onepassword"
+	"github.com/1Password/onepassword-operator/operator/pkg/utils"
 
 	"github.com/1Password/connect-sdk-go/connect"
 
@@ -143,12 +144,21 @@ func (r *ReconcileOnePasswordItem) removeOnePasswordFinalizerFromOnePasswordItem
 
 func (r *ReconcileOnePasswordItem) HandleOnePasswordItem(resource *onepasswordv1.OnePasswordItem, request reconcile.Request) error {
 	secretName := resource.GetName()
-	autoRestart := resource.Annotations[op.RestartDeploymentsAnnotation]
+	labels := resource.Labels
+	annotations := resource.Annotations
+	autoRestart := annotations[op.RestartDeploymentsAnnotation]
+
+	// do not create kubernetes secret if the OnePasswordItem was generated
+	// due to secret being injected container via webhook
+	_, injectedSecret := annotations[op.InjectedAnnotation]
+	if injectedSecret {
+		return nil
+	}
 
 	item, err := onepassword.GetOnePasswordItemByPath(r.opConnectClient, resource.Spec.ItemPath)
 	if err != nil {
 		return fmt.Errorf("Failed to retrieve item: %v", err)
 	}
 
-	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, resource.Namespace, item, autoRestart)
+	return kubeSecrets.CreateKubernetesSecretFromItem(r.kubeClient, secretName, resource.Namespace, item, autoRestart, labels, annotations)
 }

operator/pkg/controller/onepassworditem/onepassworditem_test.go

@@ -5,10 +5,10 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/1Password/onepassword-operator/pkg/mocks"
-	op "github.com/1Password/onepassword-operator/pkg/onepassword"
+	"github.com/1Password/onepassword-operator/operator/pkg/mocks"
+	op "github.com/1Password/onepassword-operator/operator/pkg/onepassword"
 
-	onepasswordv1 "github.com/1Password/onepassword-operator/pkg/apis/onepassword/v1"
+	onepasswordv1 "github.com/1Password/onepassword-operator/operator/pkg/apis/onepassword/v1"
 
 	"github.com/1Password/connect-sdk-go/onepassword"
 	"github.com/stretchr/testify/assert"
@@ -119,7 +119,8 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.VersionAnnotation: fmt.Sprint(version),
+					op.VersionAnnotation:  fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
 				},
 			},
 			Data: expectedSecretData,
@@ -130,7 +131,8 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.VersionAnnotation: fmt.Sprint(version),
+					op.VersionAnnotation:  fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
 				},
 			},
 			Data: expectedSecretData,
@@ -150,6 +152,11 @@ var tests = []testReconcileItem{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
 				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation:  fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
+				},
+				Labels: map[string]string{},
 			},
 			Spec: onepasswordv1.OnePasswordItemSpec{
 				ItemPath: itemPath,
@@ -160,8 +167,10 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.VersionAnnotation: "456",
+					op.VersionAnnotation:  "456",
+					op.ItemPathAnnotation: itemPath,
 				},
+				Labels: map[string]string{},
 			},
 			Data: expectedSecretData,
 		},
@@ -171,8 +180,10 @@ var tests = []testReconcileItem{
 				Name:      name,
 				Namespace: namespace,
 				Annotations: map[string]string{
-					op.VersionAnnotation: fmt.Sprint(version),
+					op.VersionAnnotation:  fmt.Sprint(version),
+					op.ItemPathAnnotation: itemPath,
 				},
+				Labels: map[string]string{},
 			},
 			Data: expectedSecretData,
 		},
@@ -274,7 +285,7 @@ var tests = []testReconcileItem{
 				"password":       []byte(password),
 				"username":       []byte(username),
 				"first-host":     []byte(firstHost),
-				"aws-access-key": []byte(awsKey),
+				"AWS-Access-Key": []byte(awsKey),
 				"ice-cream-type": []byte(iceCream),
 			},
 		},
@@ -286,6 +297,47 @@ var tests = []testReconcileItem{
 			"😄 ice-cream type": iceCream,
 		},
 	},
+	{
+		testName: "Secret from 1Password item with `-`, `_` and `.`",
+		customResource: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       onePasswordItemKind,
+				APIVersion: onePasswordItemAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "!.my_sECReT.it3m%-_",
+				Namespace: namespace,
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+		},
+		existingSecret: nil,
+		expectedError:  nil,
+		expectedResultSecret: &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "my-secret.it3m",
+				Namespace: namespace,
+				Annotations: map[string]string{
+					op.VersionAnnotation: fmt.Sprint(version),
+				},
+			},
+			Data: map[string][]byte{
+				"password":          []byte(password),
+				"username":          []byte(username),
+				"first-host":        []byte(firstHost),
+				"AWS-Access-Key":    []byte(awsKey),
+				"-_ice_cream.type.": []byte(iceCream),
+			},
+		},
+		opItem: map[string]string{
+			userKey:               username,
+			passKey:               password,
+			"first host":          firstHost,
+			"AWS Access Key":      awsKey,
+			"😄 -_ice_cream.type.": iceCream,
+		},
+	},
 }
 
 func TestReconcileOnePasswordItem(t *testing.T) {

operator/pkg/kubernetessecrets/kubernetes_secrets_builder.go

@@ -5,10 +5,11 @@ import (
 	"fmt"
 
 	"regexp"
-	"strings"
+
+	"reflect"
 
 	"github.com/1Password/connect-sdk-go/onepassword"
-	"github.com/1Password/onepassword-operator/pkg/utils"
+	"github.com/1Password/onepassword-operator/operator/pkg/utils"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -28,22 +29,27 @@ const RestartDeploymentsAnnotation = OnepasswordPrefix + "/auto-restart"
 
 var log = logf.Log
 
-func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretName, namespace string, item *onepassword.Item, autoRestart string) error {
+func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretName, namespace string, item *onepassword.Item, autoRestart string, labels map[string]string, secretAnnotations map[string]string) error {
 
 	itemVersion := fmt.Sprint(item.Version)
-	annotations := map[string]string{
-		VersionAnnotation:  itemVersion,
-		ItemPathAnnotation: fmt.Sprintf("vaults/%v/items/%v", item.Vault.ID, item.ID),
+
+	// If secretAnnotations is nil we create an empty map so we can later assign values for the OP Annotations in the map
+	if secretAnnotations == nil {
+		secretAnnotations = map[string]string{}
 	}
+
+	secretAnnotations[VersionAnnotation] = itemVersion
+	secretAnnotations[ItemPathAnnotation] = fmt.Sprintf("vaults/%v/items/%v", item.Vault.ID, item.ID)
+
 	if autoRestart != "" {
 		_, err := utils.StringToBool(autoRestart)
 		if err != nil {
 			log.Error(err, "Error parsing %v annotation on Secret %v. Must be true or false. Defaulting to false.", RestartDeploymentsAnnotation, secretName)
 			return err
 		}
-		annotations[RestartDeploymentsAnnotation] = autoRestart
+		secretAnnotations[RestartDeploymentsAnnotation] = autoRestart
 	}
-	secret := BuildKubernetesSecretFromOnePasswordItem(secretName, namespace, annotations, *item)
+	secret := BuildKubernetesSecretFromOnePasswordItem(secretName, namespace, secretAnnotations, labels, *item)
 
 	currentSecret := &corev1.Secret{}
 	err := kubeClient.Get(context.Background(), types.NamespacedName{Name: secret.Name, Namespace: secret.Namespace}, currentSecret)
@@ -54,9 +60,10 @@ func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretNa
 		return err
 	}
 
-	if currentSecret.Annotations[VersionAnnotation] != itemVersion {
+	if !reflect.DeepEqual(currentSecret.Annotations, secretAnnotations) || !reflect.DeepEqual(currentSecret.Labels, labels) {
 		log.Info(fmt.Sprintf("Updating Secret %v at namespace '%v'", secret.Name, secret.Namespace))
-		currentSecret.ObjectMeta.Annotations = annotations
+		currentSecret.ObjectMeta.Annotations = secretAnnotations
+		currentSecret.ObjectMeta.Labels = labels
 		currentSecret.Data = secret.Data
 		return kubeClient.Update(context.Background(), currentSecret)
 	}
@@ -65,12 +72,13 @@ func CreateKubernetesSecretFromItem(kubeClient kubernetesClient.Client, secretNa
 	return nil
 }
 
-func BuildKubernetesSecretFromOnePasswordItem(name, namespace string, annotations map[string]string, item onepassword.Item) *corev1.Secret {
+func BuildKubernetesSecretFromOnePasswordItem(name, namespace string, annotations map[string]string, labels map[string]string, item onepassword.Item) *corev1.Secret {
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:        formatSecretName(name),
+			Name:        utils.FormatSecretName(name),
 			Namespace:   namespace,
 			Annotations: annotations,
+			Labels:      labels,
 		},
 		Data: BuildKubernetesSecretData(item.Fields),
 	}
@@ -80,33 +88,34 @@ func BuildKubernetesSecretData(fields []*onepassword.ItemField) map[string][]byt
 	secretData := map[string][]byte{}
 	for i := 0; i < len(fields); i++ {
 		if fields[i].Value != "" {
-			key := formatSecretName(fields[i].Label)
+			key := formatSecretDataName(fields[i].Label)
 			secretData[key] = []byte(fields[i].Value)
 		}
 	}
 	return secretData
 }
 
-// formatSecretName rewrites a value to be a valid Secret name or Secret data key.
+// formatSecretDataName rewrites a value to be a valid Secret data key.
 //
-// The Secret meta.name and data keys must be valid DNS subdomain names (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
-func formatSecretName(value string) string {
-	if errs := kubeValidate.IsDNS1123Subdomain(value); len(errs) == 0 {
+// The Secret data keys must consist of alphanumeric numbers, `-`, `_` or `.`
+// (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
+func formatSecretDataName(value string) string {
+	if errs := kubeValidate.IsConfigMapKey(value); len(errs) == 0 {
 		return value
 	}
-	return createValidSecretName(value)
+	return createValidSecretDataName(value)
 }
 
-var invalidDNS1123Chars = regexp.MustCompile("[^a-z0-9-]+")
+var invalidDataChars = regexp.MustCompile("[^a-zA-Z0-9-._]+")
+var invalidStartEndChars = regexp.MustCompile("(^[^a-zA-Z0-9-._]+|[^a-zA-Z0-9-._]+$)")
 
-func createValidSecretName(value string) string {
-	result := strings.ToLower(value)
-	result = invalidDNS1123Chars.ReplaceAllString(result, "-")
+func createValidSecretDataName(value string) string {
+	result := invalidStartEndChars.ReplaceAllString(value, "")
+	result = invalidDataChars.ReplaceAllString(result, "-")
 
 	if len(result) > kubeValidate.DNS1123SubdomainMaxLength {
 		result = result[0:kubeValidate.DNS1123SubdomainMaxLength]
 	}
 
-	// first and last character MUST be alphanumeric
-	return strings.Trim(result, "-")
+	return result
 }

operator/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go

@@ -3,13 +3,13 @@ package kubernetessecrets
 import (
 	"context"
 	"fmt"
-	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
 	"strings"
 	"testing"
 
 	"github.com/1Password/connect-sdk-go/onepassword"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
+	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
@@ -31,7 +31,11 @@ func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	item.ID = "h46bb3jddvay7nxopfhvlwg35q"
 
 	kubeClient := fake.NewFakeClient()
-	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation)
+	secretLabels := map[string]string{}
+	secretAnnotations := map[string]string{
+		"testAnnotation": "exists",
+	}
+	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretAnnotations)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
@@ -43,6 +47,10 @@ func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	}
 	compareFields(item.Fields, createdSecret.Data, t)
 	compareAnnotationsToItem(createdSecret.Annotations, item, t)
+
+	if createdSecret.Annotations["testAnnotation"] != "exists" {
+		t.Errorf("Expected testAnnotation to be merged with existing annotations, but wasn't.")
+	}
 }
 
 func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
@@ -56,7 +64,9 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	item.ID = "h46bb3jddvay7nxopfhvlwg35q"
 
 	kubeClient := fake.NewFakeClient()
-	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation)
+	secretLabels := map[string]string{}
+	secretAnnotations := map[string]string{}
+	err := CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &item, restartDeploymentAnnotation, secretLabels, secretAnnotations)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
@@ -67,7 +77,7 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	newItem.Version = 456
 	newItem.Vault.ID = "hfnjvi6aymbsnfc2xeeoheizda"
 	newItem.ID = "h46bb3jddvay7nxopfhvlwg35q"
-	err = CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation)
+	err = CreateKubernetesSecretFromItem(kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation, secretLabels, secretAnnotations)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
@@ -100,8 +110,9 @@ func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	}
 	item := onepassword.Item{}
 	item.Fields = generateFields(5)
+	labels := map[string]string{}
 
-	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, item)
+	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, labels, item)
 	if kubeSecret.Name != strings.ToLower(name) {
 		t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
 	}
@@ -121,6 +132,7 @@ func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
 	annotations := map[string]string{
 		"annotationKey": "annotationValue",
 	}
+	labels := map[string]string{}
 	item := onepassword.Item{}
 
 	item.Fields = []*onepassword.ItemField{
@@ -134,7 +146,7 @@ func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
 		},
 	}
 
-	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, item)
+	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, labels,  item)
 
 	// Assert Secret's meta.name was fixed
 	if kubeSecret.Name != expectedName {
@@ -205,7 +217,7 @@ func ParseVaultIdAndItemIdFromPath(path string) (string, string, error) {
 }
 
 func validLabel(v string) bool {
-	if err := kubeValidate.IsDNS1123Subdomain(v); len(err) > 0 {
+	if err := kubeValidate.IsConfigMapKey(v); len(err) > 0 {
 		return false
 	}
 	return true

operator/pkg/onepassword/annotations.go

@@ -14,6 +14,8 @@ const (
 	VersionAnnotation            = OnepasswordPrefix + "/item-version"
 	RestartAnnotation            = OnepasswordPrefix + "/last-restarted"
 	RestartDeploymentsAnnotation = OnepasswordPrefix + "/auto-restart"
+	ContainerInjectAnnotation    = OnepasswordPrefix + "/inject"
+	InjectedAnnotation           = OnepasswordPrefix + "/injected"
 )
 
 func GetAnnotationsForDeployment(deployment *appsv1.Deployment, regex *regexp.Regexp) (map[string]string, bool) {

operator/pkg/onepassword/containers.go

@@ -1,6 +1,10 @@
 package onepassword
 
-import corev1 "k8s.io/api/core/v1"
+import (
+	onepasswordv1 "github.com/1Password/onepassword-operator/operator/pkg/apis/onepassword/v1"
+	"github.com/1Password/onepassword-operator/operator/pkg/utils"
+	corev1 "k8s.io/api/core/v1"
+)
 
 func AreContainersUsingSecrets(containers []corev1.Container, secrets map[string]*corev1.Secret) bool {
 	for i := 0; i < len(containers); i++ {
@@ -31,3 +35,29 @@ func AppendUpdatedContainerSecrets(containers []corev1.Container, secrets map[st
 	}
 	return updatedDeploymentSecrets
 }
+
+func AreContainersUsingInjectedSecrets(containers []corev1.Container, injectedContainers []string, items map[string]*onepasswordv1.OnePasswordItem) bool {
+	for _, container := range containers {
+		envVariables := container.Env
+
+		// check if container was set to be injected with secrets
+		for _, injectedContainer := range injectedContainers {
+			if injectedContainer != container.Name {
+				continue
+			}
+		}
+
+		// check if any environment variables are using an updated injected secret
+		for _, envVariable := range envVariables {
+			referenceVault, referenceItem, err := ParseReference(envVariable.Value)
+			if err != nil {
+				continue
+			}
+			_, itemFound := items[utils.BuildInjectedOnePasswordItemName(referenceVault, referenceItem)]
+			if itemFound {
+				return true
+			}
+		}
+	}
+	return false
+}

operator/pkg/onepassword/deployments.go

@@ -1,6 +1,9 @@
 package onepassword
 
 import (
+	"strings"
+
+	onepasswordv1 "github.com/1Password/onepassword-operator/operator/pkg/apis/onepassword/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 )
@@ -24,3 +27,14 @@ func GetUpdatedSecretsForDeployment(deployment *appsv1.Deployment, secrets map[s
 
 	return updatedSecretsForDeployment
 }
+
+func IsDeploymentUsingInjectedSecrets(deployment *appsv1.Deployment, items map[string]*onepasswordv1.OnePasswordItem) bool {
+	containers := deployment.Spec.Template.Spec.Containers
+	containers = append(containers, deployment.Spec.Template.Spec.InitContainers...)
+	injectedContainers, enabled := deployment.Spec.Template.Annotations[ContainerInjectAnnotation]
+	if !enabled {
+		return false
+	}
+	parsedInjectedContainers := strings.Split(injectedContainers, ",")
+	return AreContainersUsingInjectedSecrets(containers, parsedInjectedContainers, items)
+}

operator/pkg/onepassword/items.go

@@ -11,6 +11,16 @@ import (
 
 var logger = logf.Log.WithName("retrieve_item")
 
+const secretReferencePrefix = "op://"
+
+type InvalidOPFormatError struct {
+	Reference string
+}
+
+func (e *InvalidOPFormatError) Error() string {
+	return fmt.Sprintf("Invalid secret reference : %s. Secret references should start with op://", e.Reference)
+}
+
 func GetOnePasswordItemByPath(opConnectClient connect.Client, path string) (*onepassword.Item, error) {
 	vaultValue, itemValue, err := ParseVaultAndItemFromPath(path)
 	if err != nil {
@@ -33,6 +43,30 @@ func GetOnePasswordItemByPath(opConnectClient connect.Client, path string) (*one
 	return item, nil
 }
 
+func ParseReference(reference string) (string, string, error) {
+	if !strings.HasPrefix(reference, secretReferencePrefix) {
+		return "", "", &InvalidOPFormatError{Reference: reference}
+	}
+	path := strings.TrimPrefix(reference, secretReferencePrefix)
+
+	splitPath := strings.Split(path, "/")
+	if len(splitPath) != 3 {
+		return "", "", fmt.Errorf("Invalid secret reference : %s. Secret references should match op://<vault>/<item>/<field>", reference)
+	}
+
+	vault := splitPath[0]
+	if vault == "" {
+		return "", "", fmt.Errorf("Invalid secret reference : %s. Vault can't be empty.", reference)
+	}
+
+	item := splitPath[1]
+	if item == "" {
+		return "", "", fmt.Errorf("Invalid secret reference : %s. Item can't be empty.", reference)
+	}
+
+	return vault, item, nil
+}
+
 func ParseVaultAndItemFromPath(path string) (string, string, error) {
 	splitPath := strings.Split(path, "/")
 	if len(splitPath) == 4 && splitPath[0] == "vaults" && splitPath[2] == "items" {

operator/pkg/onepassword/onepassword_item.go

@@ -0,0 +1,95 @@
+package onepassword
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/1Password/connect-sdk-go/connect"
+	onepasswordv1 "github.com/1Password/onepassword-operator/operator/pkg/apis/onepassword/v1"
+	"github.com/1Password/onepassword-operator/operator/pkg/utils"
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	kubernetesClient "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+func CreateOnePasswordItemResourceFromDeployment(opClient connect.Client, kubeClient kubernetesClient.Client, deployment *appsv1.Deployment, injectedContainers []string) error {
+	containers := deployment.Spec.Template.Spec.Containers
+	containers = append(containers, deployment.Spec.Template.Spec.InitContainers...)
+	for _, container := range containers {
+		// check if container is listed is one of the containers
+		// set to have injected secrets
+		for _, injectedContainer := range injectedContainers {
+			if injectedContainer != container.Name {
+				continue
+			}
+			// create a one password item custom resource to track updates for injected secrets
+			err := CreateOnePasswordCRSecretsFromContainer(opClient, kubeClient, container, deployment.Namespace)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func CreateOnePasswordCRSecretsFromContainer(opClient connect.Client, kubeClient kubernetesClient.Client, container corev1.Container, namespace string) error {
+	for _, env := range container.Env {
+		// if value is not of format op://<vault>/<item>/<field> then ignore
+		vault, item, err := ParseReference(env.Value)
+		if err != nil {
+			var ev *InvalidOPFormatError
+			if !errors.As(err, &ev) {
+				return err
+			}
+			continue
+		}
+		// create a one password item custom resource to track updates for injected secrets
+		err = CreateOnePasswordCRSecretFromReference(opClient, kubeClient, vault, item, namespace)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func CreateOnePasswordCRSecretFromReference(opClient connect.Client, kubeClient kubernetesClient.Client, vault, item, namespace string) error {
+
+	retrievedItem, err := GetOnePasswordItemByPath(opClient, fmt.Sprintf("vaults/%s/items/%s", vault, item))
+	if err != nil {
+		return fmt.Errorf("Failed to retrieve item: %v", err)
+	}
+
+	name := utils.BuildInjectedOnePasswordItemName(vault, item)
+	onepassworditem := BuildOnePasswordItemCRFromPath(vault, item, name, namespace, fmt.Sprint(retrievedItem.Version))
+
+	currentOnepassworditem := &onepasswordv1.OnePasswordItem{}
+	err = kubeClient.Get(context.Background(), types.NamespacedName{Name: onepassworditem.Name, Namespace: onepassworditem.Namespace}, currentOnepassworditem)
+	if k8sErrors.IsNotFound(err) {
+		log.Info(fmt.Sprintf("Creating OnePasswordItem CR %v at namespace '%v'", onepassworditem.Name, onepassworditem.Namespace))
+		return kubeClient.Create(context.Background(), onepassworditem)
+	} else if err != nil {
+		return err
+	}
+	return nil
+}
+
+func BuildOnePasswordItemCRFromPath(vault, item, name, namespace, version string) *onepasswordv1.OnePasswordItem {
+	return &onepasswordv1.OnePasswordItem{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			Annotations: map[string]string{
+				InjectedAnnotation: "true",
+				VersionAnnotation:  version,
+			},
+		},
+		Spec: onepasswordv1.OnePasswordItemSpec{
+			ItemPath: fmt.Sprintf("vaults/%s/items/%s", vault, item),
+		},
+	}
+}

operator/pkg/onepassword/onepassword_item_test.go

@@ -0,0 +1,234 @@
+package onepassword
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/1Password/onepassword-operator/operator/pkg/mocks"
+
+	"github.com/1Password/connect-sdk-go/onepassword"
+	onepasswordv1 "github.com/1Password/onepassword-operator/operator/pkg/apis/onepassword/v1"
+	"github.com/stretchr/testify/assert"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	errors2 "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/kubectl/pkg/scheme"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+type onepassworditemInjections struct {
+	testName           string
+	existingDeployment *appsv1.Deployment
+	existingNamespace  *corev1.Namespace
+	expectedError      error
+	expectedEvents     []string
+	opItem             map[string]string
+	expectedOPItem     *onepasswordv1.OnePasswordItem
+}
+
+var onepassworditemTests = []onepassworditemInjections{
+	{
+		testName:          "Try to Create OnePasswordItem with container with valid op reference",
+		existingNamespace: defaultNamespace,
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+			},
+			Spec: appsv1.DeploymentSpec{
+				Template: corev1.PodTemplateSpec{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      name,
+						Namespace: namespace,
+						Annotations: map[string]string{
+							ContainerInjectAnnotation: "test-app",
+						},
+					},
+					Spec: corev1.PodSpec{
+						Containers: []corev1.Container{
+							{
+								Name: "test-app",
+								Env: []corev1.EnvVar{
+									{
+										Name:  name,
+										Value: fmt.Sprintf("op://%s/%s/test", vaultId, itemId),
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		expectedError: nil,
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+		expectedOPItem: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "OnePasswordItem",
+				APIVersion: "onepassword.com/v1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      injectedOnePasswordItemName,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					InjectedAnnotation: "true",
+					VersionAnnotation:  "old",
+				},
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+		},
+	},
+	{
+		testName:          "Container with no op:// reference does not create OnePasswordItem",
+		existingNamespace: defaultNamespace,
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+			},
+			Spec: appsv1.DeploymentSpec{
+				Template: corev1.PodTemplateSpec{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      name,
+						Namespace: namespace,
+						Annotations: map[string]string{
+							ContainerInjectAnnotation: "test-app",
+						},
+					},
+					Spec: corev1.PodSpec{
+						Containers: []corev1.Container{
+							{
+								Name: "test-app",
+								Env: []corev1.EnvVar{
+									{
+										Name:  name,
+										Value: fmt.Sprintf("some value"),
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		expectedError: nil,
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+		expectedOPItem: nil,
+	},
+	{
+		testName:          "Container with op:// reference missing vault and item does not create OnePasswordItem and returns error",
+		existingNamespace: defaultNamespace,
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+			},
+			Spec: appsv1.DeploymentSpec{
+				Template: corev1.PodTemplateSpec{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      name,
+						Namespace: namespace,
+						Annotations: map[string]string{
+							ContainerInjectAnnotation: "test-app",
+						},
+					},
+					Spec: corev1.PodSpec{
+						Containers: []corev1.Container{
+							{
+								Name: "test-app",
+								Env: []corev1.EnvVar{
+									{
+										Name:  name,
+										Value: fmt.Sprintf("op://"),
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		expectedError: fmt.Errorf("Invalid secret reference : %s. Secret references should match op://<vault>/<item>/<field>", "op://"),
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+		expectedOPItem: nil,
+	},
+}
+
+func TestOnePasswordItemSecretInjected(t *testing.T) {
+	for _, testData := range onepassworditemTests {
+		t.Run(testData.testName, func(t *testing.T) {
+
+			// Register operator types with the runtime scheme.
+			s := scheme.Scheme
+			s.AddKnownTypes(appsv1.SchemeGroupVersion, &onepasswordv1.OnePasswordItem{}, &onepasswordv1.OnePasswordItemList{}, &appsv1.Deployment{})
+
+			// Objects to track in the fake client.
+			objs := []runtime.Object{
+				testData.existingDeployment,
+				testData.existingNamespace,
+			}
+
+			// Create a fake client to mock API calls.
+			cl := fake.NewFakeClientWithScheme(s, objs...)
+
+			opConnectClient := &mocks.TestClient{}
+			mocks.GetGetItemFunc = func(uuid string, vaultUUID string) (*onepassword.Item, error) {
+
+				item := onepassword.Item{}
+				item.Fields = generateFields(testData.opItem["username"], testData.opItem["password"])
+				item.Version = itemVersion
+				item.Vault.ID = vaultUUID
+				item.ID = uuid
+				return &item, nil
+			}
+
+			injectedContainers := testData.existingDeployment.Spec.Template.ObjectMeta.Annotations[ContainerInjectAnnotation]
+			parsedInjectedContainers := strings.Split(injectedContainers, ",")
+			err := CreateOnePasswordItemResourceFromDeployment(opConnectClient, cl, testData.existingDeployment, parsedInjectedContainers)
+
+			assert.Equal(t, testData.expectedError, err)
+
+			// Check if Secret has been created and has the correct data
+			opItemCR := &onepasswordv1.OnePasswordItem{}
+			err = cl.Get(context.TODO(), types.NamespacedName{Name: injectedOnePasswordItemName, Namespace: namespace}, opItemCR)
+
+			if testData.expectedOPItem == nil {
+				assert.Error(t, err)
+				assert.True(t, errors2.IsNotFound(err))
+			} else {
+				assert.Equal(t, testData.expectedOPItem.Spec.ItemPath, opItemCR.Spec.ItemPath)
+				assert.Equal(t, testData.expectedOPItem.Name, opItemCR.Name)
+				assert.Equal(t, testData.expectedOPItem.Annotations[InjectedAnnotation], opItemCR.Annotations[InjectedAnnotation])
+			}
+
+		})
+	}
+}

operator/pkg/onepassword/secret_update_handler.go

@@ -5,8 +5,9 @@ import (
 	"fmt"
 	"time"
 
-	kubeSecrets "github.com/1Password/onepassword-operator/pkg/kubernetessecrets"
-	"github.com/1Password/onepassword-operator/pkg/utils"
+	onepasswordv1 "github.com/1Password/onepassword-operator/operator/pkg/apis/onepassword/v1"
+	kubeSecrets "github.com/1Password/onepassword-operator/operator/pkg/kubernetessecrets"
+	"github.com/1Password/onepassword-operator/operator/pkg/utils"
 
 	"github.com/1Password/connect-sdk-go/connect"
 	"github.com/1Password/connect-sdk-go/onepassword"
@@ -41,12 +42,17 @@ func (h *SecretUpdateHandler) UpdateKubernetesSecretsTask() error {
 		return err
 	}
 
-	return h.restartDeploymentsWithUpdatedSecrets(updatedKubernetesSecrets)
+	updatedInjectedSecrets, err := h.updateInjectedSecrets()
+	if err != nil {
+		return err
+	}
+
+	return h.restartDeploymentsWithUpdatedSecrets(updatedKubernetesSecrets, updatedInjectedSecrets)
 }
 
-func (h *SecretUpdateHandler) restartDeploymentsWithUpdatedSecrets(updatedSecretsByNamespace map[string]map[string]*corev1.Secret) error {
-	// No secrets to update. Exit
-	if len(updatedSecretsByNamespace) == 0 || updatedSecretsByNamespace == nil {
+func (h *SecretUpdateHandler) restartDeploymentsWithUpdatedSecrets(updatedSecretsByNamespace map[string]map[string]*corev1.Secret, updatedInjectedSecretsByNamespace map[string]map[string]*onepasswordv1.OnePasswordItem) error {
+
+	if len(updatedSecretsByNamespace) == 0 && len(updatedInjectedSecretsByNamespace) == 0 {
 		return nil
 	}
 
@@ -63,6 +69,7 @@ func (h *SecretUpdateHandler) restartDeploymentsWithUpdatedSecrets(updatedSecret
 
 	setForAutoRestartByNamespaceMap, err := h.getIsSetForAutoRestartByNamespaceMap()
 	if err != nil {
+		log.Error(err, "Error determining which namespaces allow restarts")
 		return err
 	}
 
@@ -70,17 +77,24 @@ func (h *SecretUpdateHandler) restartDeploymentsWithUpdatedSecrets(updatedSecret
 		deployment := &deployments.Items[i]
 		updatedSecrets := updatedSecretsByNamespace[deployment.Namespace]
 
+		// check if deployment is using one of the updated secrets
 		updatedDeploymentSecrets := GetUpdatedSecretsForDeployment(deployment, updatedSecrets)
-		if len(updatedDeploymentSecrets) == 0 {
-			continue
-		}
-		for _, secret := range updatedDeploymentSecrets {
-			if isSecretSetForAutoRestart(secret, deployment, setForAutoRestartByNamespaceMap) {
-				h.restartDeployment(deployment)
-				continue
+		if len(updatedDeploymentSecrets) != 0 {
+			for _, secret := range updatedDeploymentSecrets {
+				if isSecretSetForAutoRestart(secret, deployment, setForAutoRestartByNamespaceMap) {
+					h.restartDeployment(deployment)
+					continue
+				}
 			}
 		}
 
+		// check if the deployment is using one of the updated injected secrets
+		updatedInjection := IsDeploymentUsingInjectedSecrets(deployment, updatedInjectedSecretsByNamespace[deployment.Namespace])
+		if updatedInjection && isDeploymentSetForAutoRestart(deployment, setForAutoRestartByNamespaceMap) {
+			h.restartDeployment(deployment)
+			continue
+		}
+
 		log.Info(fmt.Sprintf("Deployment %q at namespace %q is up to date", deployment.GetName(), deployment.Namespace))
 
 	}
@@ -89,9 +103,10 @@ func (h *SecretUpdateHandler) restartDeploymentsWithUpdatedSecrets(updatedSecret
 
 func (h *SecretUpdateHandler) restartDeployment(deployment *appsv1.Deployment) {
 	log.Info(fmt.Sprintf("Deployment %q at namespace %q references an updated secret. Restarting", deployment.GetName(), deployment.Namespace))
-	deployment.Spec.Template.Annotations = map[string]string{
-		RestartAnnotation: time.Now().String(),
+	if deployment.Spec.Template.Annotations == nil {
+		deployment.Spec.Template.Annotations = map[string]string{}
 	}
+	deployment.Spec.Template.Annotations[RestartAnnotation] = time.Now().String()
 	err := h.client.Update(context.Background(), deployment)
 	if err != nil {
 		log.Error(err, "Problem restarting deployment")
@@ -131,7 +146,7 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets() (map[string]map[string]*
 			}
 			log.Info(fmt.Sprintf("Updating kubernetes secret '%v'", secret.GetName()))
 			secret.Annotations[VersionAnnotation] = itemVersion
-			updatedSecret := kubeSecrets.BuildKubernetesSecretFromOnePasswordItem(secret.Name, secret.Namespace, secret.Annotations, *item)
+			updatedSecret := kubeSecrets.BuildKubernetesSecretFromOnePasswordItem(secret.Name, secret.Namespace, secret.Annotations, secret.Labels, *item)
 			h.client.Update(context.Background(), updatedSecret)
 			if updatedSecrets[secret.Namespace] == nil {
 				updatedSecrets[secret.Namespace] = make(map[string]*corev1.Secret)
@@ -142,6 +157,52 @@ func (h *SecretUpdateHandler) updateKubernetesSecrets() (map[string]map[string]*
 	return updatedSecrets, nil
 }
 
+func (h *SecretUpdateHandler) updateInjectedSecrets() (map[string]map[string]*onepasswordv1.OnePasswordItem, error) {
+	// fetch all onepassworditems
+	onepasswordItems := &onepasswordv1.OnePasswordItemList{}
+	err := h.client.List(context.Background(), onepasswordItems)
+	if err != nil {
+		log.Error(err, "Failed to list OnePasswordItems")
+		return nil, err
+	}
+
+	updatedItems := map[string]map[string]*onepasswordv1.OnePasswordItem{}
+	for _, item := range onepasswordItems.Items {
+
+		// if onepassworditem was not generated by injecting a secret into a deployment then ignore
+		_, injected := item.Annotations[InjectedAnnotation]
+		if !injected {
+			continue
+		}
+
+		itemPath := item.Spec.ItemPath
+		currentVersion := item.Annotations[VersionAnnotation]
+		if len(itemPath) == 0 || len(currentVersion) == 0 {
+			continue
+		}
+
+		storedItem, err := GetOnePasswordItemByPath(h.opConnectClient, itemPath)
+		if err != nil {
+			return nil, fmt.Errorf("Failed to retrieve item: %v", err)
+		}
+
+		itemVersion := fmt.Sprint(storedItem.Version)
+		if currentVersion != itemVersion {
+			item.Annotations[VersionAnnotation] = itemVersion
+			h.client.Update(context.Background(), &item)
+			if isItemLockedForForcedRestarts(storedItem) {
+				log.Info(fmt.Sprintf("Secret '%v' has been updated in 1Password but is set to be ignored. Updates to an ignored secret will not trigger an update to a OnePasswordItem secret or a rolling restart.", item.Name))
+				continue
+			}
+			if updatedItems[item.Namespace] == nil {
+				updatedItems[item.Namespace] = make(map[string]*onepasswordv1.OnePasswordItem)
+			}
+			updatedItems[item.Namespace][item.Name] = &item
+		}
+	}
+	return updatedItems, nil
+}
+
 func isItemLockedForForcedRestarts(item *onepassword.Item) bool {
 	tags := item.Tags
 	for i := 0; i < len(tags); i++ {
@@ -178,7 +239,7 @@ func (h *SecretUpdateHandler) getIsSetForAutoRestartByNamespaceMap() (map[string
 
 func isSecretSetForAutoRestart(secret *corev1.Secret, deployment *appsv1.Deployment, setForAutoRestartByNamespace map[string]bool) bool {
 	restartDeployment := secret.Annotations[RestartDeploymentsAnnotation]
-	//If annotation for auto restarts for deployment is not set. Check for the annotation on its namepsace
+	//If annotation for auto restarts for deployment is not set. Check for the annotation on its deployment
 	if restartDeployment == "" {
 		return isDeploymentSetForAutoRestart(deployment, setForAutoRestartByNamespace)
 	}

operator/pkg/onepassword/secret_update_handler_test.go

@@ -5,9 +5,10 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/1Password/onepassword-operator/pkg/mocks"
+	"github.com/1Password/onepassword-operator/operator/pkg/mocks"
 
 	"github.com/1Password/connect-sdk-go/onepassword"
+	onepasswordv1 "github.com/1Password/onepassword-operator/operator/pkg/apis/onepassword/v1"
 	"github.com/stretchr/testify/assert"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -20,23 +21,25 @@ import (
 )
 
 const (
-	deploymentKind       = "Deployment"
-	deploymentAPIVersion = "v1"
-	name                 = "test-deployment"
-	namespace            = "default"
-	vaultId              = "hfnjvi6aymbsnfc2xeeoheizda"
-	itemId               = "nwrhuano7bcwddcviubpp4mhfq"
-	username             = "test-user"
-	password             = "QmHumKc$mUeEem7caHtbaBaJ"
-	userKey              = "username"
-	passKey              = "password"
-	itemVersion          = 123
+	deploymentKind              = "Deployment"
+	deploymentAPIVersion        = "v1"
+	name                        = "test-deployment"
+	namespace                   = "default"
+	vaultId                     = "hfnjvi6aymbsnfc2xeeoheizda"
+	itemId                      = "nwrhuano7bcwddcviubpp4mhfq"
+	username                    = "test-user"
+	password                    = "QmHumKc$mUeEem7caHtbaBaJ"
+	userKey                     = "username"
+	passKey                     = "password"
+	itemVersion                 = 123
+	injectedOnePasswordItemName = "injectedsecret-" + vaultId + "-" + itemId
 )
 
 type testUpdateSecretTask struct {
 	testName                 string
 	existingDeployment       *appsv1.Deployment
 	existingNamespace        *corev1.Namespace
+	existingOnePasswordItem  *onepasswordv1.OnePasswordItem
 	existingSecret           *corev1.Secret
 	expectedError            error
 	expectedResultSecret     *corev1.Secret
@@ -755,6 +758,123 @@ var tests = []testUpdateSecretTask{
 		expectedRestart:          true,
 		globalAutoRestartEnabled: false,
 	},
+	{
+		testName:          "OP item has new version. Secret needs update. Deployment is restarted based on injected secrets in containers",
+		existingNamespace: defaultNamespace,
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+			},
+			Spec: appsv1.DeploymentSpec{
+				Template: corev1.PodTemplateSpec{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      name,
+						Namespace: namespace,
+						Annotations: map[string]string{
+							ContainerInjectAnnotation: "test-app",
+						},
+					},
+					Spec: corev1.PodSpec{
+						Containers: []corev1.Container{
+							{
+								Name: "test-app",
+								Env: []corev1.EnvVar{
+									{
+										Name:  name,
+										Value: fmt.Sprintf("op://%s/%s/test", vaultId, itemId),
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		existingOnePasswordItem: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "OnePasswordItem",
+				APIVersion: "onepassword.com/v1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      injectedOnePasswordItemName,
+				Namespace: namespace,
+				Annotations: map[string]string{
+					InjectedAnnotation: "true",
+					VersionAnnotation:  "old",
+				},
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+		},
+		expectedError: nil,
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+		expectedRestart:          true,
+		globalAutoRestartEnabled: true,
+	},
+	{
+		testName:          "OP item has new version. Secret needs update. Deployment does not have a inject annotation",
+		existingNamespace: defaultNamespace,
+		existingDeployment: &appsv1.Deployment{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       deploymentKind,
+				APIVersion: deploymentAPIVersion,
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+			},
+			Spec: appsv1.DeploymentSpec{
+				Template: corev1.PodTemplateSpec{
+					Spec: corev1.PodSpec{
+						Containers: []corev1.Container{
+							{
+								Name: "test-app",
+								Env: []corev1.EnvVar{
+									{
+										Name:  name,
+										Value: fmt.Sprintf("op://%s/%s/test", vaultId, itemId),
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		existingOnePasswordItem: &onepasswordv1.OnePasswordItem{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "OnePasswordItem",
+				APIVersion: "onepassword.com/v1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      fmt.Sprintf("%s-%s", vaultId, itemId),
+				Namespace: namespace,
+				Annotations: map[string]string{
+					InjectedAnnotation: "true",
+					VersionAnnotation:  "old",
+				},
+			},
+			Spec: onepasswordv1.OnePasswordItemSpec{
+				ItemPath: itemPath,
+			},
+		},
+		expectedError: nil,
+		opItem: map[string]string{
+			userKey: username,
+			passKey: password,
+		},
+		expectedRestart:          false,
+		globalAutoRestartEnabled: true,
+	},
 }
 
 func TestUpdateSecretHandler(t *testing.T) {
@@ -763,7 +883,7 @@ func TestUpdateSecretHandler(t *testing.T) {
 
 			// Register operator types with the runtime scheme.
 			s := scheme.Scheme
-			s.AddKnownTypes(appsv1.SchemeGroupVersion, testData.existingDeployment)
+			s.AddKnownTypes(appsv1.SchemeGroupVersion, &onepasswordv1.OnePasswordItem{}, &onepasswordv1.OnePasswordItemList{}, &appsv1.Deployment{})
 
 			// Objects to track in the fake client.
 			objs := []runtime.Object{
@@ -775,6 +895,10 @@ func TestUpdateSecretHandler(t *testing.T) {
 				objs = append(objs, testData.existingSecret)
 			}
 
+			if testData.existingOnePasswordItem != nil {
+				objs = append(objs, testData.existingOnePasswordItem)
+			}
+
 			// Create a fake client to mock API calls.
 			cl := fake.NewFakeClientWithScheme(s, objs...)
 
@@ -825,9 +949,9 @@ func TestUpdateSecretHandler(t *testing.T) {
 
 			_, ok := deployment.Spec.Template.Annotations[RestartAnnotation]
 			if ok {
-				assert.True(t, testData.expectedRestart, "Expected deployment to restart but it did not")
+				assert.True(t, testData.expectedRestart, "Deployment was restarted but should not have been.")
 			} else {
-				assert.False(t, testData.expectedRestart, "Deployment was restarted but should not have been.")
+				assert.False(t, testData.expectedRestart, "Expected deployment to restart but it did not")
 			}
 		})
 	}

operator/pkg/utils/string.go

@@ -0,0 +1,66 @@
+package utils
+
+import (
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+
+	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
+)
+
+var invalidDNS1123Chars = regexp.MustCompile("[^a-z0-9-.]+")
+
+func ContainsString(slice []string, s string) bool {
+	for _, item := range slice {
+		if item == s {
+			return true
+		}
+	}
+	return false
+}
+
+func RemoveString(slice []string, s string) (result []string) {
+	for _, item := range slice {
+		if item == s {
+			continue
+		}
+		result = append(result, item)
+	}
+	return
+}
+
+func StringToBool(str string) (bool, error) {
+	restartDeploymentBool, err := strconv.ParseBool(strings.ToLower(str))
+	if err != nil {
+		return false, err
+	}
+	return restartDeploymentBool, nil
+}
+
+// formatSecretName rewrites a value to be a valid Secret name.
+//
+// The Secret meta.name and data keys must be valid DNS subdomain names
+// (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
+func FormatSecretName(value string) string {
+	if errs := kubeValidate.IsDNS1123Subdomain(value); len(errs) == 0 {
+		return value
+	}
+	return CreateValidSecretName(value)
+}
+
+func CreateValidSecretName(value string) string {
+	result := strings.ToLower(value)
+	result = invalidDNS1123Chars.ReplaceAllString(result, "-")
+
+	if len(result) > kubeValidate.DNS1123SubdomainMaxLength {
+		result = result[0:kubeValidate.DNS1123SubdomainMaxLength]
+	}
+
+	// first and last character MUST be alphanumeric
+	return strings.Trim(result, "-.")
+}
+
+func BuildInjectedOnePasswordItemName(vaultId, injectedId string) string {
+	return FormatSecretName(fmt.Sprintf("injectedsecret-%s-%s", vaultId, injectedId))
+}

pkg/utils/string.go

@@ -1,33 +0,0 @@
-package utils
-
-import (
-	"strconv"
-	"strings"
-)
-
-func ContainsString(slice []string, s string) bool {
-	for _, item := range slice {
-		if item == s {
-			return true
-		}
-	}
-	return false
-}
-
-func RemoveString(slice []string, s string) (result []string) {
-	for _, item := range slice {
-		if item == s {
-			continue
-		}
-		result = append(result, item)
-	}
-	return
-}
-
-func StringToBool(str string) (bool, error) {
-	restartDeploymentBool, err := strconv.ParseBool(strings.ToLower(str))
-	if err != nil {
-		return false, err
-	}
-	return restartDeploymentBool, nil
-}

secret-injector/Dockerfile

@@ -0,0 +1,30 @@
+# Build the manager binary
+FROM golang:1.17 as builder
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+
+# Copy the go source
+COPY secret-injector/cmd/main.go secret-injector/main.go
+COPY secret-injector/pkg/ secret-injector/pkg/
+COPY vendor/ vendor/
+# Build
+ARG secret_injector_version=dev
+RUN CGO_ENABLED=0 \
+    GO111MODULE=on \
+    go build \
+    -ldflags "-X \"github.com/1Password/onepassword-operator/secret-injector/version.Version=$secret_injector_version\"" \
+    -mod vendor \
+    -a -o injector secret-injector/main.go
+
+# Use distroless as minimal base image to package the secret-injector binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
+COPY --from=builder /workspace/injector .
+USER nonroot:nonroot
+
+ENTRYPOINT ["/injector"]
+

secret-injector/README.md

@@ -0,0 +1,123 @@
+# 1Password Secrets Injector for Kubernetes
+The 1Password Secrets Injector implements a mutating webhook to inject 1Password secrets as environment variables into a pod or deployment. Unlike the 1Password Kubernetes Operator, the Secrets Injector does not create a Kubernetes Secret when assigning secrets to your resource.
+
+## Use with the 1Password Kubernetes Operator
+The 1Password Secrets Injector for Kubernetes can be used in conjuction with the 1Password Kubernetes Operator in order to provide automatic deployment restarts when a 1Password item being used by your deployment has been updated.
+
+
+[Click here for more details on the 1Password Kubernetes Operator](../operator/README.md)
+
+## Setup and Deployment
+
+The 1Password Secrets Injector for Kubernetes uses a webhook server in order to inject secrets into pods and deployments. Admission to the webhook server must be a secure operation, thus communication with the webhook server requires a TLS certificate signed by a Kubernetes CA.
+
+For managing TLS certifcates for your cluster please see the [official documentation](https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/). The certificate and key generated in the offical documentation must be set in the [deployment](deploy/deployment.yaml) arguments (`tlsCertFile` and `tlsKeyFile` respectively) for the Secret injector.
+
+In additon to setting the tlsCert and tlsKey for the Secret Injector service, we must also create a webhook configuration  for the service. An example of the confiugration can be found [here](deploy/mutatingwebhook.yaml). In the provided example you may notice that the caBundle is not set. Please replace this value with your caBundle. This can be generated with the Kubernetes apiserver's default caBundle with the following command
+
+```export CA_BUNDLE=$(kubectl get configmap -n kube-system extension-apiserver-authentication -o=jsonpath='{.data.client-ca-file}' | base64 | tr -d '\n')```
+
+```
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: op-secret-injector-webhook-config
+  labels:
+    app: op-secret-injector
+webhooks:
+- name: op-secret-injector.1password
+  failurePolicy: Fail
+  clientConfig:
+    service:
+      name: op-secret-injector-webhook-service
+      namespace: op-secret-injector
+      path: "/inject"
+    caBundle: ${CA_BUNDLE} //replace this with your own CA Bundle
+  rules:
+  - operations: ["CREATE", "UPDATE"]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  namespaceSelector:
+    matchLabels:
+      op-secret-injection: enabled
+```
+
+You can automate this step using the script by [morvencao](https://github.com/morvencao/kube-mutating-webhook-tutorial). 
+
+```
+cat deploy/mutatingwebhook.yaml | \
+    deploy/webhook-patch-ca-bundle.sh > \
+    deploy/mutatingwebhook-ca-bundle.yaml
+```
+
+Lastly, we must apply the deployment, service, and mutating webhook configuration to kubernetes:
+
+```
+kubectl create -f deploy/deployment.yaml
+kubectl create -f deploy/service.yaml
+kubectl create -f deploy/mutatingwebhook-ca-bundle.yaml
+```
+
+## Usage
+
+For every namespace you want the 1Password Secret Injector to inject secrets for, you must add the label `op-secret-injection=enabled` label to the namespace:
+
+```
+kubectl label namespace <namespace> op-secret-injection=enabled
+```
+
+To inject a 1Password secret as an environment variable, your pod or deployment you must add an environment variable to the resource with a value referencing your 1Password item in the format `op://<vault>/<item>[/section]/<field>`. You must also annotate your pod/deployment spec with `operator.1password.io/inject` which expects a comma separated list of the names of the containers to that will be mutated and have secrets injected.
+
+Note: You must also include the command needed to run the container as the secret injector prepends a script to this command in order to allow for secret injection.
+
+```
+#example
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: app-example
+spec:
+  selector:
+    matchLabels:
+      app: app-example
+  template:
+    metadata:
+      annotations:
+        operator.1password.io/inject: "app-example,another-example" 
+      labels:
+        app: app-example
+    spec:
+      containers:
+        - name: app-example
+          image: my-image
+          command: ["./example"]
+          env:
+          - name: DB_USERNAME
+            value: op://my-vault/my-item/sql/username
+          - name: DB_PASSWORD
+            value: op://my-vault/my-item/sql/password
+        - name: another-example
+          image: my-image
+          env:
+          - name: DB_USERNAME
+            value: op://my-vault/my-item/sql/username
+          - name: DB_PASSWORD
+            value: op://my-vault/my-item/sql/password
+        - name: my-app //because my-app is not listed in the inject annotation above this container will not be injected with secrets
+          image: my-image
+          env:
+          - name: DB_USERNAME
+            value: op://my-vault/my-item/sql/username
+          - name: DB_PASSWORD
+            value: op://my-vault/my-item/sql/password
+```
+## Troubleshooting
+
+If you are trouble getting secrets injected in your pod, check the following:
+
+1. Check that that the namespace of your pod has the `op-secret-injection=enabled` label
+2. Check that the `caBundle` in `mutatingwebhookconfiguration.yaml` is set with a correct value
+3. Ensure that the 1Password Secret Injector webhook is running (`op-secret-injector` by default).
+4. Check that your container has a `command` field specifying the command to run the app in your container

secret-injector/cmd/main.go

@@ -0,0 +1,87 @@
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"flag"
+	"fmt"
+	"net/http"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/1Password/onepassword-operator/secret-injector/pkg/webhook"
+	"github.com/golang/glog"
+)
+
+const (
+	connectTokenSecretKeyEnv  = "OP_CONNECT_TOKEN_KEY"
+	connectTokenSecretNameEnv = "OP_CONNECT_TOKEN_NAME"
+	connectHostEnv            = "OP_CONNECT_HOST"
+)
+
+func main() {
+	var parameters webhook.SecretInjectorParameters
+
+	glog.Info("Starting webhook")
+	// get command line parameters
+	flag.IntVar(&parameters.Port, "port", 8443, "Webhook server port.")
+	flag.StringVar(&parameters.CertFile, "tlsCertFile", "/etc/webhook/certs/cert.pem", "File containing the x509 Certificate for HTTPS.")
+	flag.StringVar(&parameters.KeyFile, "tlsKeyFile", "/etc/webhook/certs/key.pem", "File containing the x509 private key to --tlsCertFile.")
+	flag.Parse()
+
+	pair, err := tls.LoadX509KeyPair(parameters.CertFile, parameters.KeyFile)
+	if err != nil {
+		glog.Errorf("Failed to load key pair: %v", err)
+		os.Exit(1)
+	}
+
+	connectHost, present := os.LookupEnv(connectHostEnv)
+	if !present || connectHost == "" {
+		glog.Error("Connect host not set")
+	}
+
+	connectTokenName, present := os.LookupEnv(connectTokenSecretNameEnv)
+	if !present || connectTokenName == "" {
+		glog.Error("Connect token name not set")
+	}
+
+	connectTokenKey, present := os.LookupEnv(connectTokenSecretKeyEnv)
+	if !present || connectTokenKey == "" {
+		glog.Error("Connect token key not set")
+	}
+
+	webhookConfig := webhook.Config{
+		ConnectHost:      connectHost,
+		ConnectTokenName: connectTokenName,
+		ConnectTokenKey:  connectTokenKey,
+	}
+	secretInjector := &webhook.SecretInjector{
+		Config: webhookConfig,
+		Server: &http.Server{
+			Addr:      fmt.Sprintf(":%v", parameters.Port),
+			TLSConfig: &tls.Config{Certificates: []tls.Certificate{pair}},
+		},
+	}
+
+	// define http server and server handler
+	mux := http.NewServeMux()
+	mux.HandleFunc("/inject", secretInjector.Serve)
+	secretInjector.Server.Handler = mux
+
+	// start webhook server in new rountine
+	go func() {
+		if err := secretInjector.Server.ListenAndServeTLS("", ""); err != nil {
+			glog.Errorf("Failed to listen and serve webhook server: %v", err)
+			os.Exit(1)
+		}
+	}()
+
+	// listening OS shutdown singal
+	signalChan := make(chan os.Signal, 1)
+	signal.Notify(signalChan, syscall.SIGINT, syscall.SIGTERM)
+	<-signalChan
+
+	glog.Infof("Got OS shutdown signal, shutting down webhook server gracefully...")
+	secretInjector.Server.Shutdown(context.Background())
+}

secret-injector/deploy/deployment.yaml

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: op-secret-injector-webhook-deployment
+  namespace: op-secret-injector
+  labels:
+    app: op-secret-injector
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: op-secret-injector
+  template:
+    metadata:
+      labels:
+        app: op-secret-injector
+    spec:
+      containers:
+        - name: op-secret-injector
+          image: local/onepassword-secrets-injector:v1.1.0
+          imagePullPolicy: Never
+          args:
+          - -tlsCertFile=/etc/webhook/certs/cert.pem
+          - -tlsKeyFile=/etc/webhook/certs/key.pem
+          - -alsologtostderr
+          - -v=4
+          - 2>&1
+          env:
+          - name: OP_CONNECT_HOST
+            value: http://onepassword-connect:8080/
+          - name: OP_CONNECT_TOKEN_NAME
+            value: onepassword-token
+          - name: OP_CONNECT_TOKEN_KEY
+            value: token
+          volumeMounts:
+          - name: webhook-certs
+            mountPath: /etc/webhook/certs
+            readOnly: true
+      volumes:
+      - name: webhook-certs
+        secret:
+          secretName: op-secret-injector-webhook-certs

secret-injector/deploy/mutatingwebhook.yaml

@@ -0,0 +1,23 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: op-secret-injector-webhook-config
+  labels:
+    app: op-secret-injector
+webhooks:
+- name: op-secret-injector.1password
+  failurePolicy: Fail
+  clientConfig:
+    service:
+      name: op-secret-injector-webhook-service
+      namespace: op-secret-injector
+      path: "/inject"
+    caBundle: ${CA_BUNDLE}
+  rules:
+  - operations: ["CREATE", "UPDATE"]
+    apiGroups: [""]
+    apiVersions: ["v1"]
+    resources: ["pods"]
+  namespaceSelector:
+    matchLabels:
+      op-secret-injection: enabled

secret-injector/deploy/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: op-secret-injector-webhook-service
+  namespace: op-secret-injector
+  labels:
+    app: op-secret-injector
+spec:
+  ports:
+  - port: 443
+    targetPort: 8443
+  selector:
+    app: op-secret-injector

secret-injector/pkg/webhook/webhook.go

@@ -0,0 +1,494 @@
+package webhook
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+
+	"github.com/golang/glog"
+	"k8s.io/api/admission/v1beta1"
+	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
+	v1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+)
+
+const (
+	// binVolumeName is the name of the volume where the OP CLI binary is stored.
+	binVolumeName = "op-bin"
+
+	// binVolumeMountPath is the mount path where the OP CLI binary can be found.
+	binVolumeMountPath = "/op/bin/"
+
+	connectTokenEnv = "OP_CONNECT_TOKEN"
+	connectHostEnv  = "OP_CONNECT_HOST"
+)
+
+// binVolume is the shared, in-memory volume where the OP CLI binary lives.
+var binVolume = corev1.Volume{
+	Name: binVolumeName,
+	VolumeSource: corev1.VolumeSource{
+		EmptyDir: &corev1.EmptyDirVolumeSource{
+			Medium: corev1.StorageMediumMemory,
+		},
+	},
+}
+
+// binVolumeMount is the shared volume mount where the OP CLI binary lives.
+var binVolumeMount = corev1.VolumeMount{
+	Name:      binVolumeName,
+	MountPath: binVolumeMountPath,
+	ReadOnly:  true,
+}
+
+var (
+	runtimeScheme = runtime.NewScheme()
+	codecs        = serializer.NewCodecFactory(runtimeScheme)
+	deserializer  = codecs.UniversalDeserializer()
+
+	// (https://github.com/kubernetes/kubernetes/issues/57982)
+	defaulter = runtime.ObjectDefaulter(runtimeScheme)
+)
+
+const (
+	injectionStatus   = "operator.1password.io/status"
+	injectAnnotation  = "operator.1password.io/inject"
+	versionAnnotation = "operator.1password.io/version"
+)
+
+type SecretInjector struct {
+	Config Config
+	Server *http.Server
+}
+
+// the command line parameters for configuraing the webhook
+type SecretInjectorParameters struct {
+	Port     int    // webhook server port
+	CertFile string // path to the x509 certificate for https
+	KeyFile  string // path to the x509 private key matching `CertFile`
+}
+
+type Config struct {
+	ConnectHost      string // the host in which a connect server is running
+	ConnectTokenName string // the token name of the secret that stores the connect token
+	ConnectTokenKey  string // the name of the data field in the secret the stores the connect token
+}
+
+type patchOperation struct {
+	Op    string      `json:"op"`
+	Path  string      `json:"path"`
+	Value interface{} `json:"value,omitempty"`
+}
+
+func init() {
+	_ = corev1.AddToScheme(runtimeScheme)
+	_ = admissionregistrationv1beta1.AddToScheme(runtimeScheme)
+	_ = v1.AddToScheme(runtimeScheme)
+}
+
+func applyDefaultsWorkaround(containers []corev1.Container, volumes []corev1.Volume) {
+	defaulter.Default(&corev1.Pod{
+		Spec: corev1.PodSpec{
+			Containers: containers,
+			Volumes:    volumes,
+		},
+	})
+}
+
+// Check if the pod should have secrets injected
+func mutationRequired(metadata *metav1.ObjectMeta) bool {
+
+	annotations := metadata.GetAnnotations()
+	if annotations == nil {
+		annotations = map[string]string{}
+	}
+
+	status := annotations[injectionStatus]
+	_, enabled := annotations[injectAnnotation]
+
+	// if pod has not already been injected and injection has been enabled mark the pod for injection
+	required := false
+	if strings.ToLower(status) != "injected" && enabled {
+		required = true
+	}
+
+	glog.Infof("Pod %v at namepspace %v. Secret injection status: %v Secret Injection Enabled:%v", metadata.Name, metadata.Namespace, status, required)
+	return required
+}
+
+func addContainers(target, added []corev1.Container, basePath string) (patch []patchOperation) {
+	first := len(target) == 0
+	var value interface{}
+	for _, add := range added {
+		value = add
+		path := basePath
+		if first {
+			first = false
+			value = []corev1.Container{add}
+		} else {
+			path = path + "/-"
+		}
+		patch = append(patch, patchOperation{
+			Op:    "add",
+			Path:  path,
+			Value: value,
+		})
+	}
+	return patch
+}
+
+func addVolume(target, added []corev1.Volume, basePath string) (patch []patchOperation) {
+	first := len(target) == 0
+	var value interface{}
+	for _, add := range added {
+		value = add
+		path := basePath
+		if first {
+			first = false
+			value = []corev1.Volume{add}
+		} else {
+			path = path + "/-"
+		}
+		patch = append(patch, patchOperation{
+			Op:    "add",
+			Path:  path,
+			Value: value,
+		})
+	}
+	return patch
+}
+
+func updateAnnotation(target map[string]string, added map[string]string) (patch []patchOperation) {
+	for key, value := range added {
+		if target == nil || target[key] == "" {
+			target = map[string]string{}
+			patch = append(patch, patchOperation{
+				Op:   "add",
+				Path: "/metadata/annotations",
+				Value: map[string]string{
+					key: value,
+				},
+			})
+		} else {
+			patch = append(patch, patchOperation{
+				Op:    "replace",
+				Path:  "/metadata/annotations/" + key,
+				Value: value,
+			})
+		}
+	}
+	return patch
+}
+
+// mutation process for injecting secrets into pods
+func (s *SecretInjector) mutate(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionResponse {
+	ctx := context.Background()
+	req := ar.Request
+	var pod corev1.Pod
+	if err := json.Unmarshal(req.Object.Raw, &pod); err != nil {
+		glog.Errorf("Could not unmarshal raw object: %v", err)
+		return &v1beta1.AdmissionResponse{
+			Result: &metav1.Status{
+				Message: err.Error(),
+			},
+		}
+	}
+
+	glog.Infof("Checking if secret injection is needed for %v %s at namespace %v",
+		req.Kind, pod.Name, req.Namespace)
+
+	// determine whether to inject secrets
+	if !mutationRequired(&pod.ObjectMeta) {
+		glog.Infof("Secret injection not required for %s at namespace %s", pod.Name, pod.Namespace)
+		return &v1beta1.AdmissionResponse{
+			Allowed: true,
+		}
+	}
+
+	containersStr := pod.Annotations[injectAnnotation]
+
+	containers := map[string]struct{}{}
+
+	if containersStr == "" {
+		glog.Infof("No containers set for secret injection for %s/%s", pod.Namespace, pod.Name)
+		return &v1beta1.AdmissionResponse{
+			Allowed: true,
+		}
+	}
+	for _, container := range strings.Split(containersStr, ",") {
+		containers[container] = struct{}{}
+	}
+
+	version, ok := pod.Annotations[versionAnnotation]
+	if !ok {
+		version = "2.0.0-beta.4"
+	}
+
+	mutated := false
+
+	var patch []patchOperation
+	for i, c := range pod.Spec.InitContainers {
+		_, mutate := containers[c.Name]
+		if !mutate {
+			continue
+		}
+		c, didMutate, initContainerPatch, err := s.mutateContainer(ctx, &c, i)
+		if err != nil {
+			return &v1beta1.AdmissionResponse{
+				Result: &metav1.Status{
+					Message: err.Error(),
+				},
+			}
+		}
+		if didMutate {
+			mutated = true
+			pod.Spec.InitContainers[i] = *c
+		}
+		patch = append(patch, initContainerPatch...)
+	}
+
+	for i, c := range pod.Spec.Containers {
+		_, mutate := containers[c.Name]
+		if !mutate {
+			continue
+		}
+
+		c, didMutate, containerPatch, err := s.mutateContainer(ctx, &c, i)
+		if err != nil {
+			glog.Error("Error occured mutating container for secret injection: ", err)
+			return &v1beta1.AdmissionResponse{
+				Result: &metav1.Status{
+					Message: err.Error(),
+				},
+			}
+		}
+		patch = append(patch, containerPatch...)
+		if didMutate {
+			mutated = true
+			pod.Spec.Containers[i] = *c
+		}
+	}
+
+	if !mutated {
+		glog.Infof("No containers set for secret injection for %s/%s", pod.Namespace, pod.Name)
+		return &v1beta1.AdmissionResponse{
+			Allowed: true,
+		}
+	}
+
+	// binInitContainer is the container that pulls the OP CLI
+	// into a shared volume mount.
+	var binInitContainer = corev1.Container{
+		Name:            "copy-op-bin",
+		Image:           "1password/op" + ":" + version,
+		ImagePullPolicy: corev1.PullIfNotPresent,
+		Command: []string{"sh", "-c",
+			fmt.Sprintf("cp /usr/local/bin/op %s", binVolumeMountPath)},
+		VolumeMounts: []corev1.VolumeMount{
+			{
+				Name:      binVolumeName,
+				MountPath: binVolumeMountPath,
+			},
+		},
+	}
+
+	patchBytes, err := createOPCLIPatch(&pod, []corev1.Container{binInitContainer}, patch)
+	if err != nil {
+		return &v1beta1.AdmissionResponse{
+			Result: &metav1.Status{
+				Message: err.Error(),
+			},
+		}
+	}
+
+	glog.Infof("AdmissionResponse: patch=%v\n", string(patchBytes))
+	return &v1beta1.AdmissionResponse{
+		Allowed: true,
+		Patch:   patchBytes,
+		PatchType: func() *v1beta1.PatchType {
+			pt := v1beta1.PatchTypeJSONPatch
+			return &pt
+		}(),
+	}
+}
+
+// create mutation patch for resoures
+func createOPCLIPatch(pod *corev1.Pod, containers []corev1.Container, patch []patchOperation) ([]byte, error) {
+
+	annotations := map[string]string{injectionStatus: "injected"}
+	patch = append(patch, addVolume(pod.Spec.Volumes, []corev1.Volume{binVolume}, "/spec/volumes")...)
+	patch = append(patch, addContainers(pod.Spec.InitContainers, containers, "/spec/initContainers")...)
+	patch = append(patch, updateAnnotation(pod.Annotations, annotations)...)
+
+	return json.Marshal(patch)
+}
+
+func createOPConnectPatch(container *corev1.Container, containerIndex int, host, tokenSecretName, tokenSecretKey string) []patchOperation {
+	var patch []patchOperation
+	envs := []corev1.EnvVar{}
+
+	// if connect configuration is already set in the container do not overwrite it
+	hostConfig, tokenConfig := isConnectConfigurationSet(container)
+
+	if !hostConfig {
+		connectHostEnvVar := corev1.EnvVar{
+			Name:  "OP_CONNECT_HOST",
+			Value: host,
+		}
+		envs = append(envs, connectHostEnvVar)
+	}
+
+	if !tokenConfig {
+		connectTokenEnvVar := corev1.EnvVar{
+			Name: "OP_CONNECT_TOKEN",
+			ValueFrom: &corev1.EnvVarSource{
+				SecretKeyRef: &corev1.SecretKeySelector{
+					Key: tokenSecretKey,
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: tokenSecretName,
+					},
+				},
+			},
+		}
+		envs = append(envs, connectTokenEnvVar)
+	}
+
+	patch = append(patch, setEnvironment(*container, containerIndex, envs, "/spec/containers")...)
+
+	return patch
+}
+
+func isConnectConfigurationSet(container *corev1.Container) (bool, bool) {
+
+	hostConfig := false
+	tokenConfig := false
+
+	for _, env := range container.Env {
+		if env.Name == connectHostEnv {
+			hostConfig = true
+		}
+
+		if env.Name == connectTokenEnv {
+			tokenConfig = true
+		}
+
+		if tokenConfig && hostConfig {
+			break
+		}
+	}
+	return hostConfig, tokenConfig
+}
+
+// mutates the container to allow for secrets to be injected into the container via the op cli
+func (s *SecretInjector) mutateContainer(_ context.Context, container *corev1.Container, containerIndex int) (*corev1.Container, bool, []patchOperation, error) {
+	//  prepending op run command to the container command so that secrets are injected before the main process is started
+	if len(container.Command) == 0 {
+		return container, false, nil, fmt.Errorf("not attaching OP to the container %s: the podspec does not define a command", container.Name)
+	}
+
+	// Prepend the command with op run --
+	container.Command = append([]string{binVolumeMountPath + "op", "run", "--"}, container.Command...)
+
+	var patch []patchOperation
+
+	// adding the cli to the container using a volume mount
+	path := fmt.Sprintf("%s/%d/volumeMounts", "/spec/containers", containerIndex)
+	patch = append(patch, patchOperation{
+		Op:    "add",
+		Path:  path,
+		Value: []corev1.VolumeMount{binVolumeMount},
+	})
+
+	// replacing the container command with a command prepended with op run
+	path = fmt.Sprintf("%s/%d/command", "/spec/containers", containerIndex)
+	patch = append(patch, patchOperation{
+		Op:    "replace",
+		Path:  path,
+		Value: container.Command,
+	})
+
+	//creating patch for adding connect environment variables to container. If they are already set in the container then this will be skipped
+	patch = append(patch, createOPConnectPatch(container, containerIndex, s.Config.ConnectHost, s.Config.ConnectTokenName, s.Config.ConnectTokenKey)...)
+	return container, true, patch, nil
+}
+
+func setEnvironment(container corev1.Container, containerIndex int, addedEnv []corev1.EnvVar, basePath string) (patch []patchOperation) {
+	first := len(container.Env) == 0
+	var value interface{}
+	for _, add := range addedEnv {
+		path := fmt.Sprintf("%s/%d/env", basePath, containerIndex)
+		value = add
+		if first {
+			first = false
+			value = []corev1.EnvVar{add}
+		} else {
+			path = path + "/-"
+		}
+		patch = append(patch, patchOperation{
+			Op:    "add",
+			Path:  path,
+			Value: value,
+		})
+	}
+	return patch
+}
+
+// Serve method for secrets injector webhook
+func (s *SecretInjector) Serve(w http.ResponseWriter, r *http.Request) {
+	var body []byte
+	if r.Body != nil {
+		if data, err := ioutil.ReadAll(r.Body); err == nil {
+			body = data
+		}
+	}
+	if len(body) == 0 {
+		glog.Error("empty body")
+		http.Error(w, "empty body", http.StatusBadRequest)
+		return
+	}
+
+	// verify the content type is accurate
+	contentType := r.Header.Get("Content-Type")
+	if contentType != "application/json" {
+		glog.Errorf("Content-Type=%s, expect application/json", contentType)
+		http.Error(w, "invalid Content-Type, expect `application/json`", http.StatusUnsupportedMediaType)
+		return
+	}
+
+	var admissionResponse *v1beta1.AdmissionResponse
+	ar := v1beta1.AdmissionReview{}
+	if _, _, err := deserializer.Decode(body, nil, &ar); err != nil {
+		glog.Errorf("Can't decode body: %v", err)
+		admissionResponse = &v1beta1.AdmissionResponse{
+			Result: &metav1.Status{
+				Message: err.Error(),
+			},
+		}
+	} else {
+		admissionResponse = s.mutate(&ar)
+	}
+
+	admissionReview := v1beta1.AdmissionReview{}
+	if admissionResponse != nil {
+		admissionReview.Response = admissionResponse
+		if ar.Request != nil {
+			admissionReview.Response.UID = ar.Request.UID
+		}
+	}
+
+	resp, err := json.Marshal(admissionReview)
+	if err != nil {
+		glog.Errorf("Can't encode response: %v", err)
+		http.Error(w, fmt.Sprintf("could not encode response: %v", err), http.StatusInternalServerError)
+	}
+	glog.Infof("Ready to write reponse ...")
+	if _, err := w.Write(resp); err != nil {
+		glog.Errorf("Can't write response: %v", err)
+		http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
+	}
+}

secret-injector/version/version.go

@@ -0,0 +1,5 @@
+package version
+
+var (
+	Version = "0.0.1"
+)

vendor/github.com/golang/glog/LICENSE

@@ -0,0 +1,191 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction, and
+distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by the copyright
+owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all other entities
+that control, are controlled by, or are under common control with that entity.
+For the purposes of this definition, "control" means (i) the power, direct or
+indirect, to cause the direction or management of such entity, whether by
+contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the
+outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity exercising
+permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications, including
+but not limited to software source code, documentation source, and configuration
+files.
+
+"Object" form shall mean any form resulting from mechanical transformation or
+translation of a Source form, including but not limited to compiled object code,
+generated documentation, and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or Object form, made
+available under the License, as indicated by a copyright notice that is included
+in or attached to the work (an example is provided in the Appendix below).
+
+"Derivative Works" shall mean any work, whether in Source or Object form, that
+is based on (or derived from) the Work and for which the editorial revisions,
+annotations, elaborations, or other modifications represent, as a whole, an
+original work of authorship. For the purposes of this License, Derivative Works
+shall not include works that remain separable from, or merely link (or bind by
+name) to the interfaces of, the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including the original version
+of the Work and any modifications or additions to that Work or Derivative Works
+thereof, that is intentionally submitted to Licensor for inclusion in the Work
+by the copyright owner or by an individual or Legal Entity authorized to submit
+on behalf of the copyright owner. For the purposes of this definition,
+"submitted" means any form of electronic, verbal, or written communication sent
+to the Licensor or its representatives, including but not limited to
+communication on electronic mailing lists, source code control systems, and
+issue tracking systems that are managed by, or on behalf of, the Licensor for
+the purpose of discussing and improving the Work, but excluding communication
+that is conspicuously marked or otherwise designated in writing by the copyright
+owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity on behalf
+of whom a Contribution has been received by Licensor and subsequently
+incorporated within the Work.
+
+2. Grant of Copyright License.
+
+Subject to the terms and conditions of this License, each Contributor hereby
+grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
+irrevocable copyright license to reproduce, prepare Derivative Works of,
+publicly display, publicly perform, sublicense, and distribute the Work and such
+Derivative Works in Source or Object form.
+
+3. Grant of Patent License.
+
+Subject to the terms and conditions of this License, each Contributor hereby
+grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
+irrevocable (except as stated in this section) patent license to make, have
+made, use, offer to sell, sell, import, and otherwise transfer the Work, where
+such license applies only to those patent claims licensable by such Contributor
+that are necessarily infringed by their Contribution(s) alone or by combination
+of their Contribution(s) with the Work to which such Contribution(s) was
+submitted. If You institute patent litigation against any entity (including a
+cross-claim or counterclaim in a lawsuit) alleging that the Work or a
+Contribution incorporated within the Work constitutes direct or contributory
+patent infringement, then any patent licenses granted to You under this License
+for that Work shall terminate as of the date such litigation is filed.
+
+4. Redistribution.
+
+You may reproduce and distribute copies of the Work or Derivative Works thereof
+in any medium, with or without modifications, and in Source or Object form,
+provided that You meet the following conditions:
+
+You must give any other recipients of the Work or Derivative Works a copy of
+this License; and
+You must cause any modified files to carry prominent notices stating that You
+changed the files; and
+You must retain, in the Source form of any Derivative Works that You distribute,
+all copyright, patent, trademark, and attribution notices from the Source form
+of the Work, excluding those notices that do not pertain to any part of the
+Derivative Works; and
+If the Work includes a "NOTICE" text file as part of its distribution, then any
+Derivative Works that You distribute must include a readable copy of the
+attribution notices contained within such NOTICE file, excluding those notices
+that do not pertain to any part of the Derivative Works, in at least one of the
+following places: within a NOTICE text file distributed as part of the
+Derivative Works; within the Source form or documentation, if provided along
+with the Derivative Works; or, within a display generated by the Derivative
+Works, if and wherever such third-party notices normally appear. The contents of
+the NOTICE file are for informational purposes only and do not modify the
+License. You may add Your own attribution notices within Derivative Works that
+You distribute, alongside or as an addendum to the NOTICE text from the Work,
+provided that such additional attribution notices cannot be construed as
+modifying the License.
+You may add Your own copyright statement to Your modifications and may provide
+additional or different license terms and conditions for use, reproduction, or
+distribution of Your modifications, or for any such Derivative Works as a whole,
+provided Your use, reproduction, and distribution of the Work otherwise complies
+with the conditions stated in this License.
+
+5. Submission of Contributions.
+
+Unless You explicitly state otherwise, any Contribution intentionally submitted
+for inclusion in the Work by You to the Licensor shall be under the terms and
+conditions of this License, without any additional terms or conditions.
+Notwithstanding the above, nothing herein shall supersede or modify the terms of
+any separate license agreement you may have executed with Licensor regarding
+such Contributions.
+
+6. Trademarks.
+
+This License does not grant permission to use the trade names, trademarks,
+service marks, or product names of the Licensor, except as required for
+reasonable and customary use in describing the origin of the Work and
+reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty.
+
+Unless required by applicable law or agreed to in writing, Licensor provides the
+Work (and each Contributor provides its Contributions) on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied,
+including, without limitation, any warranties or conditions of TITLE,
+NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are
+solely responsible for determining the appropriateness of using or
+redistributing the Work and assume any risks associated with Your exercise of
+permissions under this License.
+
+8. Limitation of Liability.
+
+In no event and under no legal theory, whether in tort (including negligence),
+contract, or otherwise, unless required by applicable law (such as deliberate
+and grossly negligent acts) or agreed to in writing, shall any Contributor be
+liable to You for damages, including any direct, indirect, special, incidental,
+or consequential damages of any character arising as a result of this License or
+out of the use or inability to use the Work (including but not limited to
+damages for loss of goodwill, work stoppage, computer failure or malfunction, or
+any and all other commercial damages or losses), even if such Contributor has
+been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability.
+
+While redistributing the Work or Derivative Works thereof, You may choose to
+offer, and charge a fee for, acceptance of support, warranty, indemnity, or
+other liability obligations and/or rights consistent with this License. However,
+in accepting such obligations, You may act only on Your own behalf and on Your
+sole responsibility, not on behalf of any other Contributor, and only if You
+agree to indemnify, defend, and hold each Contributor harmless for any liability
+incurred by, or claims asserted against, such Contributor by reason of your
+accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work
+
+To apply the Apache License to your work, attach the following boilerplate
+notice, with the fields enclosed by brackets "[]" replaced with your own
+identifying information. (Don't include the brackets!) The text should be
+enclosed in the appropriate comment syntax for the file format. We also
+recommend that a file or class name and description of purpose be included on
+the same "printed page" as the copyright notice for easier identification within
+third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

vendor/github.com/golang/glog/README

@@ -0,0 +1,44 @@
+glog
+====
+
+Leveled execution logs for Go.
+
+This is an efficient pure Go implementation of leveled logs in the
+manner of the open source C++ package
+	https://github.com/google/glog
+
+By binding methods to booleans it is possible to use the log package
+without paying the expense of evaluating the arguments to the log.
+Through the -vmodule flag, the package also provides fine-grained
+control over logging at the file level.
+
+The comment from glog.go introduces the ideas:
+
+	Package glog implements logging analogous to the Google-internal
+	C++ INFO/ERROR/V setup.  It provides functions Info, Warning,
+	Error, Fatal, plus formatting variants such as Infof. It
+	also provides V-style logging controlled by the -v and
+	-vmodule=file=2 flags.
+	
+	Basic examples:
+	
+		glog.Info("Prepare to repel boarders")
+	
+		glog.Fatalf("Initialization failed: %s", err)
+	
+	See the documentation for the V function for an explanation
+	of these examples:
+	
+		if glog.V(2) {
+			glog.Info("Starting transaction...")
+		}
+	
+		glog.V(2).Infoln("Processed", nItems, "elements")
+
+
+The repository contains an open source version of the log package
+used inside Google. The master copy of the source lives inside
+Google, not here. The code in this repo is for export only and is not itself
+under development. Feature requests will be ignored.
+
+Send bug reports to golang-nuts@googlegroups.com.

vendor/github.com/golang/glog/glog_file.go

@@ -0,0 +1,124 @@
+// Go support for leveled logs, analogous to https://code.google.com/p/google-glog/
+//
+// Copyright 2013 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// File I/O for logs.
+
+package glog
+
+import (
+	"errors"
+	"flag"
+	"fmt"
+	"os"
+	"os/user"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+)
+
+// MaxSize is the maximum size of a log file in bytes.
+var MaxSize uint64 = 1024 * 1024 * 1800
+
+// logDirs lists the candidate directories for new log files.
+var logDirs []string
+
+// If non-empty, overrides the choice of directory in which to write logs.
+// See createLogDirs for the full list of possible destinations.
+var logDir = flag.String("log_dir", "", "If non-empty, write log files in this directory")
+
+func createLogDirs() {
+	if *logDir != "" {
+		logDirs = append(logDirs, *logDir)
+	}
+	logDirs = append(logDirs, os.TempDir())
+}
+
+var (
+	pid      = os.Getpid()
+	program  = filepath.Base(os.Args[0])
+	host     = "unknownhost"
+	userName = "unknownuser"
+)
+
+func init() {
+	h, err := os.Hostname()
+	if err == nil {
+		host = shortHostname(h)
+	}
+
+	current, err := user.Current()
+	if err == nil {
+		userName = current.Username
+	}
+
+	// Sanitize userName since it may contain filepath separators on Windows.
+	userName = strings.Replace(userName, `\`, "_", -1)
+}
+
+// shortHostname returns its argument, truncating at the first period.
+// For instance, given "www.google.com" it returns "www".
+func shortHostname(hostname string) string {
+	if i := strings.Index(hostname, "."); i >= 0 {
+		return hostname[:i]
+	}
+	return hostname
+}
+
+// logName returns a new log file name containing tag, with start time t, and
+// the name for the symlink for tag.
+func logName(tag string, t time.Time) (name, link string) {
+	name = fmt.Sprintf("%s.%s.%s.log.%s.%04d%02d%02d-%02d%02d%02d.%d",
+		program,
+		host,
+		userName,
+		tag,
+		t.Year(),
+		t.Month(),
+		t.Day(),
+		t.Hour(),
+		t.Minute(),
+		t.Second(),
+		pid)
+	return name, program + "." + tag
+}
+
+var onceLogDirs sync.Once
+
+// create creates a new log file and returns the file and its filename, which
+// contains tag ("INFO", "FATAL", etc.) and t.  If the file is created
+// successfully, create also attempts to update the symlink for that tag, ignoring
+// errors.
+func create(tag string, t time.Time) (f *os.File, filename string, err error) {
+	onceLogDirs.Do(createLogDirs)
+	if len(logDirs) == 0 {
+		return nil, "", errors.New("log: no log dirs")
+	}
+	name, link := logName(tag, t)
+	var lastErr error
+	for _, dir := range logDirs {
+		fname := filepath.Join(dir, name)
+		f, err := os.Create(fname)
+		if err == nil {
+			symlink := filepath.Join(dir, link)
+			os.Remove(symlink)        // ignore err
+			os.Symlink(name, symlink) // ignore err
+			return f, fname, nil
+		}
+		lastErr = err
+	}
+	return nil, "", fmt.Errorf("log: cannot create log: %v", lastErr)
+}

vendor/modules.txt

@@ -36,6 +36,8 @@ github.com/go-logr/zapr
 # github.com/gogo/protobuf v1.3.1
 github.com/gogo/protobuf/proto
 github.com/gogo/protobuf/sortkeys
+# github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
+github.com/golang/glog
 # github.com/golang/groupcache v0.0.0-20191027212112-611e8accdfc9
 github.com/golang/groupcache/lru
 # github.com/golang/protobuf v1.4.2