feat: add strategic merge for init containers

Signed-off-by: Oleksii Kurinnyi <[email protected]>

Author: akurinnoy

controllers/workspace/devworkspace_controller.go

@@ -22,6 +22,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/devfile/devworkspace-operator/pkg/library/initcontainers"
 	"github.com/devfile/devworkspace-operator/pkg/library/ssh"
 
 	dw "github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha2"
@@ -474,11 +475,13 @@ func (r *DevWorkspaceReconciler) Reconcile(ctx context.Context, req ctrl.Request
 	}
 
 	// Inject operator-configured init containers
-	if workspace.Config != nil && workspace.Config.Workspace != nil {
+	if workspace.Config != nil && workspace.Config.Workspace != nil && len(workspace.Config.Workspace.InitContainers) > 0 {
 		// Check if init-persistent-home should be disabled
 		disableHomeInit := workspace.Config.Workspace.PersistUserHome.DisableInitContainer != nil &&
 			*workspace.Config.Workspace.PersistUserHome.DisableInitContainer
 
+		// Prepare patches: filter and preprocess init containers from config
+		patches := []corev1.Container{}
 		for _, c := range workspace.Config.Workspace.InitContainers {
 			// Special handling for init-persistent-home
 			if c.Name == constants.HomeInitComponentName {
@@ -497,8 +500,33 @@ func (r *DevWorkspaceReconciler) Reconcile(ctx context.Context, req ctrl.Request
 				}
 				c = validated
 			}
-			devfilePodAdditions.InitContainers = append(devfilePodAdditions.InitContainers, c)
+			patches = append(patches, c)
 		}
+
+		// Perform strategic merge
+		merged, err := initcontainers.MergeInitContainers(devfilePodAdditions.InitContainers, patches)
+		if err != nil {
+			return r.failWorkspace(workspace, fmt.Sprintf("Failed to merge init containers: %s", err), metrics.ReasonBadRequest, reqLogger, &reconcileStatus), nil
+		}
+
+		// Ensure init-persistent-home container have correct fields after merge
+		for i := range merged {
+			if merged[i].Name == constants.HomeInitComponentName {
+				// Ensure Command is correct (should be set by defaultAndValidateHomeInitContainer, but enforce after merge)
+				merged[i].Command = []string{"/bin/sh", "-c"}
+				// Args should be set by patch validation, but ensure it has exactly one element
+				if len(merged[i].Args) != 1 {
+					return r.failWorkspace(workspace, fmt.Sprintf("Invalid %s container: args must contain exactly one script string", constants.HomeInitComponentName), metrics.ReasonBadRequest, reqLogger, &reconcileStatus), nil
+				}
+				// Ensure VolumeMounts are correct
+				merged[i].VolumeMounts = []corev1.VolumeMount{{
+					Name:      constants.HomeVolumeName,
+					MountPath: constants.HomeUserDirectory,
+				}}
+			}
+		}
+
+		devfilePodAdditions.InitContainers = merged
 	}
 
 	// Add ServiceAccount tokens into devfile containers

pkg/library/initcontainers/merge.go

@@ -0,0 +1,105 @@
+//
+// Copyright (c) 2019-2025 Red Hat, Inc.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package initcontainers
+
+import (
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/json"
+	"k8s.io/apimachinery/pkg/util/strategicpatch"
+)
+
+// MergeInitContainers performs a strategic merge of init containers.
+// Containers with the same name in the patch will be merged into the base,
+// and new containers will be appended. The merge uses Kubernetes' strategic
+// merge patch semantics with name as the merge key.
+func MergeInitContainers(base []corev1.Container, patches []corev1.Container) ([]corev1.Container, error) {
+	if len(patches) == 0 {
+		return base, nil
+	}
+
+	// create PodSpec structure with base init containers
+	basePodSpec := corev1.PodSpec{
+		InitContainers: base,
+	}
+
+	// create PodSpec structure with patch init containers
+	patchPodSpec := corev1.PodSpec{
+		InitContainers: patches,
+	}
+
+	// marshal both structures to JSON
+	baseBytes, err := json.Marshal(basePodSpec)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal base init containers: %w", err)
+	}
+	patchBytes, err := json.Marshal(patchPodSpec)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal patch init containers: %w", err)
+	}
+
+	// perform strategic merge patch
+	mergedBytes, err := strategicpatch.StrategicMergePatch(
+		baseBytes,
+		patchBytes,
+		&corev1.PodSpec{},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to apply strategic merge patch: %w", err)
+	}
+
+	// unmarshal the merged result
+	var mergedPodSpec corev1.PodSpec
+	if err := json.Unmarshal(mergedBytes, &mergedPodSpec); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal merged init containers: %w", err)
+	}
+
+	/* restore the original containers order */
+
+	// build map for quick lookup
+	mergedMap := make(map[string]corev1.Container)
+	for _, container := range mergedPodSpec.InitContainers {
+		mergedMap[container.Name] = container
+	}
+
+	result := make([]corev1.Container, 0, len(mergedPodSpec.InitContainers))
+	baseNames := make(map[string]bool)
+
+	// add base containers in order, merged one if patched
+	for _, baseContainer := range base {
+		baseNames[baseContainer.Name] = true
+		if merged, exists := mergedMap[baseContainer.Name]; exists {
+			result = append(result, merged)
+			delete(mergedMap, baseContainer.Name)
+		} else {
+			result = append(result, baseContainer)
+		}
+	}
+
+	// append new containers from patches
+	for _, patchContainer := range patches {
+		if !baseNames[patchContainer.Name] {
+			if merged, exists := mergedMap[patchContainer.Name]; exists {
+				result = append(result, merged)
+			} else {
+				result = append(result, patchContainer)
+			}
+		}
+	}
+
+	return result, nil
+}

pkg/library/initcontainers/merge_test.go

@@ -0,0 +1,115 @@
+//
+// Copyright (c) 2019-2025 Red Hat, Inc.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package initcontainers
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+)
+
+func TestMergeInitContainers(t *testing.T) {
+	tests := []struct {
+		name    string
+		base    []corev1.Container
+		patches []corev1.Container
+		want    []corev1.Container
+		wantErr bool
+	}{
+		{
+			name: "empty base",
+			base: []corev1.Container{},
+			patches: []corev1.Container{
+				{Name: "new-container", Image: "new-image"},
+			},
+			want: []corev1.Container{
+				{Name: "new-container", Image: "new-image"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "empty patches",
+			base: []corev1.Container{
+				{Name: "base-container", Image: "base-image"},
+			},
+			patches: []corev1.Container{},
+			want: []corev1.Container{
+				{Name: "base-container", Image: "base-image"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "multiple containers",
+			base: []corev1.Container{
+				{Name: "first", Image: "first-image"},
+				{Name: "second", Image: "second-image"},
+				{Name: "third", Image: "third-image"},
+			},
+			patches: []corev1.Container{
+				{Name: "new-container", Image: "new-image"},
+				{Name: "second", Image: "updated-second-image"},
+			},
+			want: []corev1.Container{
+				{Name: "first", Image: "first-image"},
+				{Name: "second", Image: "updated-second-image"},
+				{Name: "third", Image: "third-image"},
+				{Name: "new-container", Image: "new-image"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "partial field merge",
+			base: []corev1.Container{
+				{
+					Name:    "base-container",
+					Image:   "base-image",
+					Command: []string{"/bin/sh", "-c"},
+					Args:    []string{"echo 'base'"},
+					Env:     []corev1.EnvVar{{Name: "BASE_VAR", Value: "base-value"}},
+				},
+			},
+			patches: []corev1.Container{
+				{
+					Name: "base-container",
+					Args: []string{"echo 'patched'"}, // only this field changed
+				},
+			},
+			want: []corev1.Container{
+				{
+					Name:    "base-container",
+					Image:   "base-image",
+					Command: []string{"/bin/sh", "-c"},
+					Args:    []string{"echo 'patched'"},
+					Env:     []corev1.EnvVar{{Name: "BASE_VAR", Value: "base-value"}},
+				},
+			},
+			wantErr: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := MergeInitContainers(tt.base, tt.patches)
+			if tt.wantErr {
+				assert.Error(t, err, "should return error")
+			} else {
+				assert.NoError(t, err, "should not return error")
+				assert.Equal(t, tt.want, got, "should return merged containers")
+			}
+		})
+	}
+}