
Commit 597d519

chris-rock, jpaodev and claude authored
feat: add MondooOperatorConfig for proxy and image registry support (#1391)
* feat: add MondooOperatorConfig for proxy and image registry support

  Introduce MondooOperatorConfig CRD with support for:
  - HTTP/HTTPS proxy configuration (httpProxy, httpsProxy, noProxy)
  - Container proxy for image scanning
  - Image pull secrets for private registries
  - Image registry mirror support
  - Registry mirrors mapping
  - Skip proxy for cnspec option

  Tested on GKE Autopilot successfully.

* refactor: improve MondooOperatorConfig quality and documentation

  - Address code quality issues and extract clone() helper
  - Make noProxy matching case-insensitive
  - Add logging for imagePullSecret lookup failures
  - Default createConfig to true in Helm values
  - Remove deprecated marker from imageRegistry field
  - Add tests for KeychainFromSecrets and applyImageRegistry
  - Add operator config documentation

* fix: address review issues in MondooOperatorConfig integration

  - Fix imagePullSecrets to append instead of clobber existing secrets
  - Prefer HTTPS proxy for --api-proxy (Mondoo API is always HTTPS)
  - Add APIProxyURL helper to centralize proxy URL selection
  - Watch MondooOperatorConfig changes to trigger reconciliation
  - Share image cache across keychain changes (use pointer mutex)
  - Remove scaffolding comments from types
  - Fix "MondooOpertorConfig" typos in log messages

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* test: add proxy and registry integration tests for resource builders

  Add comprehensive test coverage for MondooOperatorConfig proxy and registry mirror integration across all resource builders:
  - pkg/utils/k8s: ProxyEnvVars and APIProxyURL unit tests
  - k8s_scan: proxy, skip-proxy, imagePullSecrets, container-proxy tests
  - container_image: proxy, skip-proxy, imagePullSecrets, container-proxy tests
  - nodes: CronJob and DaemonSet proxy/skip-proxy/imagePullSecrets tests
  - resource_watcher: HTTPS preference, skip-proxy, env vars, imagePullSecrets tests

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: increase CronJob schedule buffer in integration tests

  The cron schedule only uses the minute field, so the effective buffer between function call time and the CronJob trigger is (targetMinuteStart - now), which could be as low as 16 seconds with the old 75-second offset. This wasn't enough when leader election takes ~46 seconds, causing the CronJob to miss its scheduled minute and wait an hour for the next trigger.

  Increase the offset from 1m15s to 2m30s, guaranteeing at least ~91 seconds of buffer regardless of when in the current minute the function is called.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: include CRDs in helm template test output

  The CRDs live in charts/mondoo-operator/crds/ (not templates/), so helm template doesn't render them by default. Add --include-crds to the Template helper so TestHelmTemplate can verify CRDs are present.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: correct CronJob schedule buffer and increase retry window

  The 2m30s buffer was too aggressive - worst-case trigger time (~150s) exceeded the retry window (100s), causing tests to time out before CronJobs fired. Reduce buffer to 2m (61-120s range) and double RetryLoop from 50 to 100 (200s window) to accommodate the buffer.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: improve integration test reliability and cleanup

  - Add CronJobRetryLoop (600s) for WaitUntilCronJobsSuccessful to handle variable scan durations without affecting other retry timeouts
  - Clean up stale k3d target cluster before creating in external cluster tests
  - Add --ignore-not-found to pod deletion in AfterTest cleanup
  - Downgrade completed CronJob pod describe failure from ERROR to WARN
  - Regenerate CRD and RBAC manifests for updated type docs and job delete verb
  - Fix whitespace alignment in container_image_resolver_test.go

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add expected words for spell checker

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: jpaodev <jpaodev@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
1 parent af62f04 commit 597d519


47 files changed, +4318 / -1483 lines changed

.github/actions/spelling/expect.txt

Lines changed: 4 additions & 0 deletions
@@ -1,20 +1,24 @@
11
AADSTS
2+
artifactory
23
bak
34
bitnami
45
curlimages
56
deepcopy
67
deletecollection
8+
dockerconfigjson
79
eksctl
810
fullname
911
iamidentitymapping
1012
irsa
1113
kustomization
1214
mcr
15+
mondoooperatorconfig
1316
oidc
1417
openssl
1518
psat
1619
rolearn
1720
selfsigned
21+
servicemonitor
1822
servicemonitors
1923
SResources
2024
spiffe

api/v1alpha2/mondoooperatorconfig_types.go

Lines changed: 27 additions & 9 deletions
@@ -14,22 +14,43 @@ const (
1414
MondooOperatorConfigName = "mondoo-operator-config"
1515
)
1616

17-
// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
18-
// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
19-
2017
// MondooOperatorConfigSpec defines the desired state of MondooOperatorConfig
2118
type MondooOperatorConfigSpec struct {
22-
// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
23-
// Important: Run "make" to regenerate code after modifying this file
24-
2519
// Metrics controls the enabling/disabling of metrics report of mondoo-operator
2620
Metrics Metrics `json:"metrics,omitempty"`
2721
// Allows skipping Image resolution from upstream repository
2822
SkipContainerResolution bool `json:"skipContainerResolution,omitempty"`
2923
// HttpProxy specifies a proxy to use for HTTP requests to the Mondoo Platform.
3024
HttpProxy *string `json:"httpProxy,omitempty"`
25+
// HttpsProxy specifies a proxy to use for HTTPS requests to the Mondoo Platform.
26+
HttpsProxy *string `json:"httpsProxy,omitempty"`
27+
// NoProxy specifies a comma-separated list of hosts that should not use the proxy.
28+
NoProxy *string `json:"noProxy,omitempty"`
3129
// ContainerProxy specifies a proxy to use for container images.
3230
ContainerProxy *string `json:"containerProxy,omitempty"`
31+
// ImagePullSecrets specifies the name of the Secret to use for pulling images for all Mondoo components.
32+
// The secret must be of type kubernetes.io/dockerconfigjson.
33+
ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
34+
// ImageRegistry specifies a custom container image registry prefix for all Mondoo images.
35+
// Use this for simple registry mirrors where all images go to the same mirror.
36+
// Example: "artifactory.example.com/ghcr.io.docker"
37+
// For more complex setups with multiple source registries, use RegistryMirrors instead.
38+
ImageRegistry *string `json:"imageRegistry,omitempty"`
39+
// RegistryMirrors specifies a mapping of public registries to private mirrors.
40+
// Use this when you need to map different source registries to different mirrors.
41+
// The key is the public registry (e.g., "ghcr.io", "docker.io", "quay.io")
42+
// and the value is the private mirror (e.g., "artifactory.example.com/ghcr.io.docker").
43+
// Example:
44+
// registryMirrors:
45+
// ghcr.io: artifactory.example.com/ghcr.io.docker
46+
// docker.io: artifactory.example.com/hub.docker.com
47+
// Note: If both ImageRegistry and RegistryMirrors are set, RegistryMirrors takes precedence.
48+
RegistryMirrors map[string]string `json:"registryMirrors,omitempty"`
49+
// SkipProxyForCnspec disables proxy environment variables for cnspec-based components
50+
// (scan-api, container scanning). Use this when the Mondoo API is accessible directly
51+
// without proxy (e.g., internal mirror) but other components need proxy for external access.
52+
// Default: false (proxy settings are applied to all components)
53+
SkipProxyForCnspec bool `json:"skipProxyForCnspec,omitempty"`
3354
}
3455

3556
type Metrics struct {
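Review bot: the doc comment on ImagePullSecrets does not match the field: it says "specifies the name of the Secret", but the type is `[]corev1.LocalObjectReference`, so it should read "specifies the names of Secrets to use for pulling images for all Mondoo components" with "Each secret must be of type kubernetes.io/dockerconfigjson" on the next line. The precedence note on RegistryMirrors is also ambiguous as written: say whether ImageRegistry still applies to a source registry that has no entry in RegistryMirrors, or is ignored entirely whenever RegistryMirrors is non-empty. Finally, HttpProxy, HttpsProxy and ContainerProxy are plain strings that are rendered into environment variables on the scanning workloads, so any credentials embedded in a proxy URL (user:password@host) are readable by anyone who can read the MondooOperatorConfig or the pod spec; the field docs should state that, or the fields should reference a Secret instead.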
@@ -41,9 +62,6 @@ type Metrics struct {
4162

4263
// MondooOperatorConfigStatus defines the observed state of MondooOperatorConfig
4364
type MondooOperatorConfigStatus struct {
44-
// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
45-
// Important: Run "make" to regenerate code after modifying this file
46-
4765
// Conditions includes more detailed status for the mondoo config
4866
// +optional
4967
Conditions []MondooOperatorConfigCondition `json:"conditions,omitempty"`

api/v1alpha2/zz_generated.deepcopy.go

Lines changed: 27 additions & 0 deletions