1Password · volodymyrZotov · Dec 1, 2025 · Oct 28, 2025 · Oct 28, 2025 · Oct 28, 2025
diff --git a/cmd/main.go b/cmd/main.go
@@ -100,8 +100,9 @@ func main() {
 	var probeAddr string
 	var secureMetrics bool
 	var enableHTTP2 bool
+	var enableAnnotations bool
 	var tlsOpts []func(*tls.Config)
-	flag.StringVar(&metricsAddr, "metrics-bind-address", "8080",
+	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080",
 		"The address the metrics endpoint binds to. "+
 			"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081",
@@ -119,6 +120,8 @@ func main() {
 		"The name of the metrics server key file.")
 	flag.BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics")
+	flag.BoolVar(&enableAnnotations, "enable-annotations", false,
+		"If set, operator will add annotations to resources it manages.")
 	opts := zap.Options{
 		Development: true,
 	}
@@ -289,9 +292,10 @@ func main() {
 	}
 
 	if err = (&controller.OnePasswordItemReconciler{
-		Client:   mgr.GetClient(),
-		Scheme:   mgr.GetScheme(),
-		OpClient: opClient,
+		Client:            mgr.GetClient(),
+		Scheme:            mgr.GetScheme(),
+		OpClient:          opClient,
+		EnableAnnotations: enableAnnotations,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "OnePasswordItem")
 		os.Exit(1)

diff --git a/internal/controller/deployment_controller.go b/internal/controller/deployment_controller.go
@@ -219,5 +219,5 @@ func (r *DeploymentReconciler) handleApplyingDeployment(ctx context.Context, dep
 		UID:        deployment.GetUID(),
 	}
 
-	return kubeSecrets.CreateKubernetesSecretFromItem(ctx, r.Client, secretName, namespace, item, annotations[op.RestartDeploymentsAnnotation], secretLabels, secretType, ownerRef)
+	return kubeSecrets.CreateKubernetesSecretFromItem(ctx, r.Client, secretName, namespace, item, annotations[op.RestartDeploymentsAnnotation], secretLabels, annotations, secretType, ownerRef)
 }
diff --git a/internal/controller/onepassworditem_controller.go b/internal/controller/onepassworditem_controller.go
@@ -53,8 +53,9 @@ var finalizer = "onepassword.com/finalizer.secret"
 // OnePasswordItemReconciler reconciles a OnePasswordItem object
 type OnePasswordItemReconciler struct {
 	client.Client
-	Scheme   *runtime.Scheme
-	OpClient opclient.Client
+	Scheme            *runtime.Scheme
+	OpClient          opclient.Client
+	EnableAnnotations bool
 }
 
 // +kubebuilder:rbac:groups=onepassword.com,resources=onepassworditems,verbs=get;list;watch;create;update;patch;delete
@@ -163,6 +164,12 @@ func (r *OnePasswordItemReconciler) handleOnePasswordItem(ctx context.Context, r
 	labels := resource.Labels
 	secretType := resource.Type
 	autoRestart := resource.Annotations[op.RestartDeploymentsAnnotation]
+	var annotations map[string]string
+	if r.EnableAnnotations {
+		annotations = resource.Annotations
+	} else {
+		annotations = nil
+	}
 
 	item, err := op.GetOnePasswordItemByPath(ctx, r.OpClient, resource.Spec.ItemPath)
 	if err != nil {
@@ -181,7 +188,7 @@ func (r *OnePasswordItemReconciler) handleOnePasswordItem(ctx context.Context, r
 		UID:        resource.GetUID(),
 	}
 
-	return kubeSecrets.CreateKubernetesSecretFromItem(ctx, r.Client, secretName, resource.Namespace, item, autoRestart, labels, secretType, ownerRef)
+	return kubeSecrets.CreateKubernetesSecretFromItem(ctx, r.Client, secretName, resource.Namespace, item, autoRestart, labels, annotations, secretType, ownerRef)
 }
 
 func (r *OnePasswordItemReconciler) updateStatus(ctx context.Context, resource *onepasswordv1.OnePasswordItem, err error) error {

diff --git a/pkg/kubernetessecrets/kubernetes_secrets_builder.go b/pkg/kubernetessecrets/kubernetes_secrets_builder.go
@@ -37,14 +37,16 @@ func CreateKubernetesSecretFromItem(
 	item *model.Item,
 	autoRestart string,
 	labels map[string]string,
+	secretAnnotations map[string]string,
 	secretType string,
 	ownerRef *metav1.OwnerReference,
 ) error {
 	itemVersion := fmt.Sprint(item.Version)
-	secretAnnotations := map[string]string{
-		VersionAnnotation:  itemVersion,
-		ItemPathAnnotation: fmt.Sprintf("vaults/%v/items/%v", item.VaultID, item.ID),
+	if secretAnnotations == nil {
+		secretAnnotations = map[string]string{}
 	}
+	secretAnnotations[VersionAnnotation] = itemVersion
+	secretAnnotations[ItemPathAnnotation] = fmt.Sprintf("vaults/%v/items/%v", item.VaultID, item.ID)
 
 	if autoRestart != "" {
 		_, err := utils.StringToBool(autoRestart)

diff --git a/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go b/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go
@@ -36,9 +36,11 @@ func TestCreateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	kubeClient := fake.NewClientBuilder().Build()
 	secretLabels := map[string]string{}
 	secretType := ""
-
+	secretAnnotations := map[string]string{
+		"testAnnotation": "exists",
+	}
 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation,
-		secretLabels, secretType, nil)
+		secretLabels, secretAnnotations, secretType, nil)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
@@ -66,6 +68,9 @@ func TestKubernetesSecretFromOnePasswordItemOwnerReferences(t *testing.T) {
 	kubeClient := fake.NewClientBuilder().Build()
 	secretLabels := map[string]string{}
 	secretType := ""
+	secretAnnotations := map[string]string{
+		"testAnnotation": "exists",
+	}
 
 	ownerRef := &metav1.OwnerReference{
 		Kind:       "Deployment",
@@ -74,7 +79,7 @@ func TestKubernetesSecretFromOnePasswordItemOwnerReferences(t *testing.T) {
 		UID:        types.UID("test-uid"),
 	}
 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation,
-		secretLabels, secretType, ownerRef)
+		secretLabels, secretAnnotations, secretType, ownerRef)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
@@ -116,9 +121,12 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	kubeClient := fake.NewClientBuilder().Build()
 	secretLabels := map[string]string{}
 	secretType := ""
+	secretAnnotations := map[string]string{
+		"testAnnotation": "exists",
+	}
 
 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation,
-		secretLabels, secretType, nil)
+		secretLabels, secretAnnotations, secretType, nil)
 
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
@@ -131,7 +139,7 @@ func TestUpdateKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	newItem.VaultID = testVaultUUID
 	newItem.ID = testItemUUID
 	err = CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &newItem, restartDeploymentAnnotation,
-		secretLabels, secretType, nil)
+		secretLabels, secretAnnotations, secretType, nil)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}
@@ -234,9 +242,12 @@ func TestCreateKubernetesTLSSecretFromOnePasswordItem(t *testing.T) {
 	kubeClient := fake.NewClientBuilder().Build()
 	secretLabels := map[string]string{}
 	secretType := "kubernetes.io/tls"
+	secretAnnotations := map[string]string{
+		"testAnnotation": "exists",
+	}
 
 	err := CreateKubernetesSecretFromItem(ctx, kubeClient, secretName, namespace, &item, restartDeploymentAnnotation,
-		secretLabels, secretType, nil)
+		secretLabels, secretAnnotations, secretType, nil)
 	if err != nil {
 		t.Errorf("Unexpected error: %v", err)
 	}