Tests and improvements v13-beta (#1409)

* fix: node scanning errors no longer block other scan types

When node scanning setup fails (e.g. hostPath rejected on GKE Autopilot),
the reconciler now sets the NodeScanningDegraded condition and continues
reconciling containers, k8s resources, and resource watcher. The error is
still returned at the end so the controller requeues to retry.

Previously, any node scanning error would abort the entire reconciliation,
preventing all other scan types from being set up.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add e2e test suite for GKE clusters

Adds a Terraform + shell-based e2e test suite that provisions a GKE
cluster (Autopilot or Standard), builds and deploys the operator from
the current branch, and verifies scanning works.

Includes two test cases:
- Fresh deploy: build, deploy, configure, verify
- Upgrade: install baseline release, verify, upgrade to current branch, verify

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: ensure smooth Helm upgrade path for CRDs and deprecated resources

Previously, CRDs were shipped in the Helm `crds/` directory which Helm
only processes on initial install, never on upgrade. Since v12.x shipped
CRDs as template resources, upgrading to a chart that moved them to
`crds/` caused Helm to delete the template-managed CRDs while the new
ones were never installed — breaking the operator.

This commit:
- Restores CRDs as Helm template resources (via .Files.Get from
  files/crds/) so they are managed across install and upgrade
- Removes the crds/ directory to avoid duplication
- Adds a pre-upgrade hook as belt-and-suspenders for CRD updates
- Makes operator startup resilient when MondooOperatorConfig CRD is
  absent (skips controller registration, uses defaults in reconciler)
- Adds RBAC for admissionregistration.k8s.io so deprecated webhook
  resources can be cleaned up on upgrade

* fix: downgrade conflict errors to info level in status updates

Optimistic concurrency conflicts on MondooAuditConfig status updates are
expected when multiple reconciliation loops run concurrently. The
controller-runtime automatically requeues on conflict, so these are not
errors. Downgrade to info-level logging to reduce noise.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add nolint:gosec annotations for new gosec rules

G117 (marshaling structs with secret-pattern fields) and G118 (stored
cancel func) are false positives in these contexts — test fixtures,
internal credential structs, and a debouncer that stores cancel for
later use.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: slntopp

.github/actions/spelling/expect.txt

@@ -13,6 +13,7 @@ irsa
 kustomization
 mcr
 mondoooperatorconfig
+nginx
 oidc
 openssl
 psat
@@ -24,4 +25,5 @@ SResources
 spiffe
 SVIDs
 tekton
+tpl
 wif

.gitignore

@@ -52,4 +52,17 @@ tests/integration/_output
 /cnspec
 
 package.json
-.env
+.env
+
+# Terraform
+.terraform
+*.tfstate
+.terraform.lock.hcl
+terraform.tfvars
+.terraform.tfstate.lock.info
+terraform.tfstate.backup
+
+# tests artifacts
+tests/e2e/terraform/kubeconfig
+tests/e2e/terraform/gke_gcloud_auth_plugin_cache
+tests/e2e/terraform/mondoo.json

charts/mondoo-operator/files/crds/k8s.mondoo.com_mondooauditconfigs.yaml

@@ -0,0 +1,169 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.20.0
+  name: mondoooperatorconfigs.k8s.mondoo.com
+spec:
+  group: k8s.mondoo.com
+  names:
+    kind: MondooOperatorConfig
+    listKind: MondooOperatorConfigList
+    plural: mondoooperatorconfigs
+    singular: mondoooperatorconfig
+  scope: Cluster
+  versions:
+  - name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: MondooOperatorConfig is the Schema for the mondoooperatorconfigs
+          API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MondooOperatorConfigSpec defines the desired state of MondooOperatorConfig
+            properties:
+              containerProxy:
+                description: ContainerProxy specifies a proxy to use for container
+                  images.
+                type: string
+              httpProxy:
+                description: HttpProxy specifies a proxy to use for HTTP requests
+                  to the Mondoo Platform.
+                type: string
+              httpsProxy:
+                description: HttpsProxy specifies a proxy to use for HTTPS requests
+                  to the Mondoo Platform.
+                type: string
+              imagePullSecrets:
+                description: |-
+                  ImagePullSecrets specifies the name of the Secret to use for pulling images for all Mondoo components.
+                  The secret must be of type kubernetes.io/dockerconfigjson.
+                items:
+                  description: |-
+                    LocalObjectReference contains enough information to let you locate the
+                    referenced object inside the same namespace.
+                  properties:
+                    name:
+                      default: ""
+                      description: |-
+                        Name of the referent.
+                        This field is effectively required, but due to backwards compatibility is
+                        allowed to be empty. Instances of this type with an empty value here are
+                        almost certainly wrong.
+                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      type: string
+                  type: object
+                  x-kubernetes-map-type: atomic
+                type: array
+              imageRegistry:
+                description: |-
+                  ImageRegistry specifies a custom container image registry to use for all Mondoo images.
+                  This allows using a private registry mirror (e.g., artifactory.example.com/ghcr.io.docker).
+                  If set, all image references will be prefixed with this registry.
+                  Deprecated: Use RegistryMirrors for more flexible registry mapping.
+                type: string
+              metrics:
+                description: Metrics controls the enabling/disabling of metrics report
+                  of mondoo-operator
+                properties:
+                  enable:
+                    type: boolean
+                  resourceLabels:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      ResourceLabels allows providing a list of extra labels to apply to the metrics-related
+                      resources (eg. ServiceMonitor)
+                    type: object
+                type: object
+              noProxy:
+                description: NoProxy specifies a comma-separated list of hosts that
+                  should not use the proxy.
+                type: string
+              registryMirrors:
+                additionalProperties:
+                  type: string
+                description: |-
+                  RegistryMirrors specifies a mapping of public registries to private mirrors.
+                  The key is the public registry (e.g., "ghcr.io", "docker.io", "quay.io")
+                  and the value is the private mirror (e.g., "artifactory.example.com/ghcr.io.docker").
+                  Example:
+                    registryMirrors:
+                      ghcr.io: artifactory.example.com/ghcr.io.docker
+                      docker.io: artifactory.example.com/hub.docker.com
+                type: object
+              skipContainerResolution:
+                description: Allows skipping Image resolution from upstream repository
+                type: boolean
+              skipProxyForCnspec:
+                description: |-
+                  SkipProxyForCnspec disables proxy environment variables for cnspec-based components
+                  (scan-api, container scanning). Use this when the Mondoo API is accessible directly
+                  without proxy (e.g., internal mirror) but other components need proxy for external access.
+                  Default: false (proxy settings are applied to all components)
+                type: boolean
+            type: object
+          status:
+            description: MondooOperatorConfigStatus defines the observed state of
+              MondooOperatorConfig
+            properties:
+              conditions:
+                description: Conditions includes more detailed status for the mondoo
+                  config
+                items:
+                  description: Condition contains details for the current condition
+                    of a MondooOperatorConfig
+                  properties:
+                    lastTransitionTime:
+                      description: LastTransitionTime is the last time the condition
+                        transitioned from one status to another.
+                      format: date-time
+                      type: string
+                    lastUpdateTime:
+                      description: LastUpdateTime is the last time the condition was
+                        updated.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Message is a human-readable message indicating
+                        details about last transition.
+                      type: string
+                    reason:
+                      description: Reason is a unique, one-word, CamelCase reason
+                        for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

charts/mondoo-operator/files/crds/k8s.mondoo.com_mondoooperatorconfigs.yaml

@@ -124,6 +124,15 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - delete
+  - get
+  - list
+  - watch
 - apiGroups:
   - monitoring.coreos.com
   resources:

charts/mondoo-operator/templates/manager-rbac.yaml

@@ -0,0 +1,8 @@
+# Copyright (c) Mondoo, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+#
+# On fresh install, Helm installs CRDs from the crds/ directory (before templates).
+# On upgrade, crds/ is skipped, so we render CRDs here to keep them current.
+{{- if .Release.IsUpgrade }}
+{{ .Files.Get "files/crds/k8s.mondoo.com_mondooauditconfigs.yaml" }}
+{{- end }}

charts/mondoo-operator/templates/mondooauditconfig-crd.yaml

@@ -0,0 +1,8 @@
+# Copyright (c) Mondoo, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+#
+# On fresh install, Helm installs CRDs from the crds/ directory (before templates).
+# On upgrade, crds/ is skipped, so we render CRDs here to keep them current.
+{{- if .Release.IsUpgrade }}
+{{ .Files.Get "files/crds/k8s.mondoo.com_mondoooperatorconfigs.yaml" }}
+{{- end }}

charts/mondoo-operator/templates/mondoooperatorconfig-crd.yaml

@@ -0,0 +1,129 @@
+# Copyright (c) Mondoo, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+#
+# Pre-upgrade hook to ensure CRDs are up-to-date before upgrading the operator.
+# Helm only installs CRDs from the crds/ directory on initial install, not on upgrade.
+# This hook applies CRDs as templates during pre-upgrade to ensure they are current.
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "mondoo-operator.fullname" . }}-crd-upgrade
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "mondoo-operator.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+spec:
+  ttlSecondsAfterFinished: 60
+  template:
+    metadata:
+      labels:
+        {{- include "mondoo-operator.selectorLabels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ include "mondoo-operator.fullname" . }}-crd-upgrade
+      restartPolicy: OnFailure
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      - name: crd-upgrade
+        image: "bitnami/kubectl:latest"
+        command:
+        - sh
+        - -c
+        - |
+          kubectl apply --server-side --force-conflicts -f /crds/
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+        resources:
+          limits:
+            cpu: 100m
+            memory: 64Mi
+          requests:
+            cpu: 50m
+            memory: 32Mi
+        volumeMounts:
+        - name: crds
+          mountPath: /crds
+          readOnly: true
+      volumes:
+      - name: crds
+        configMap:
+          name: {{ include "mondoo-operator.fullname" . }}-crds
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "mondoo-operator.fullname" . }}-crd-upgrade
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "mondoo-operator.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "mondoo-operator.fullname" . }}-crd-upgrade
+  labels:
+    {{- include "mondoo-operator.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+rules:
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "mondoo-operator.fullname" . }}-crd-upgrade
+  labels:
+    {{- include "mondoo-operator.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "mondoo-operator.fullname" . }}-crd-upgrade
+subjects:
+- kind: ServiceAccount
+  name: {{ include "mondoo-operator.fullname" . }}-crd-upgrade
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "mondoo-operator.fullname" . }}-crds
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "mondoo-operator.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+data:
+  mondooauditconfigs.yaml: |
+    {{- .Files.Get "files/crds/k8s.mondoo.com_mondooauditconfigs.yaml" | nindent 4 }}
+  mondoooperatorconfigs.yaml: |
+    {{- .Files.Get "files/crds/k8s.mondoo.com_mondoooperatorconfigs.yaml" | nindent 4 }}