feat: add MondooOperatorConfig for proxy and image registry support #1391
Merged
chris-rock merged 9 commits into main from Feb 16, 2026
Introduce MondooOperatorConfig CRD with support for:
- HTTP/HTTPS proxy configuration (httpProxy, httpsProxy, noProxy)
- Container proxy for image scanning
- Image pull secrets for private registries
- Image registry mirror support
- Registry mirrors mapping
- Skip proxy for cnspec option

Tested on GKE Autopilot successfully.

- Address code quality issues and extract clone() helper
- Make noProxy matching case-insensitive
- Add logging for imagePullSecret lookup failures
- Default createConfig to true in Helm values
- Remove deprecated marker from imageRegistry field
- Add tests for KeychainFromSecrets and applyImageRegistry
- Add operator config documentation

- Fix imagePullSecrets to append instead of clobber existing secrets
- Prefer HTTPS proxy for --api-proxy (Mondoo API is always HTTPS)
- Add APIProxyURL helper to centralize proxy URL selection
- Watch MondooOperatorConfig changes to trigger reconciliation
- Share image cache across keychain changes (use pointer mutex)
- Remove scaffolding comments from types
- Fix "MondooOpertorConfig" typos in log messages

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add comprehensive test coverage for MondooOperatorConfig proxy and registry mirror integration across all resource builders:
- pkg/utils/k8s: ProxyEnvVars and APIProxyURL unit tests
- k8s_scan: proxy, skip-proxy, imagePullSecrets, container-proxy tests
- container_image: proxy, skip-proxy, imagePullSecrets, container-proxy tests
- nodes: CronJob and DaemonSet proxy/skip-proxy/imagePullSecrets tests
- resource_watcher: HTTPS preference, skip-proxy, env vars, imagePullSecrets tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The cron schedule only uses the minute field, so the effective buffer between function call time and the CronJob trigger is (targetMinuteStart - now), which could be as low as 16 seconds with the old 75-second offset. This wasn't enough when leader election takes ~46 seconds, causing the CronJob to miss its scheduled minute and wait an hour for the next trigger. Increase the offset from 1m15s to 2m30s, guaranteeing at least ~91 seconds of buffer regardless of when in the current minute the function is called. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The CRDs live in charts/mondoo-operator/crds/ (not templates/), so helm template doesn't render them by default. Add --include-crds to the Template helper so TestHelmTemplate can verify CRDs are present. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The 2m30s buffer was too aggressive - worst-case trigger time (~150s) exceeded the retry window (100s), causing tests to time out before CronJobs fired. Reduce buffer to 2m (61-120s range) and double RetryLoop from 50 to 100 (200s window) to accommodate the buffer. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
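The buffer arithmetic from the two scheduling commit messages above, as an added Go example (not the operator's code). The function names and the fixed base time are assumptions; the offsets, the ~46-second leader election delay and the 100 s / 200 s retry windows are the figures quoted in the messages.

```go
package main

import (
	"fmt"
	"time"
)

// triggerBuffer returns how long after now a minute-granularity cron schedule
// fires when the target is computed as now+offset. The schedule keeps only the
// minute, so the job fires at the start of the target minute.
func triggerBuffer(now time.Time, offset time.Duration) time.Duration {
	return now.Add(offset).Truncate(time.Minute).Sub(now)
}

// bufferRange sweeps every whole second of one minute and returns the
// smallest and largest buffer the given offset can produce.
func bufferRange(offset time.Duration) (lo, hi time.Duration) {
	base := time.Date(2026, 2, 16, 12, 0, 0, 0, time.UTC) // constructed base time
	lo = time.Duration(1<<63 - 1)
	for s := 0; s < 60; s++ {
		b := triggerBuffer(base.Add(time.Duration(s)*time.Second), offset)
		if b < lo {
			lo = b
		}
		if b > hi {
			hi = b
		}
	}
	return lo, hi
}

// verdict checks an offset against a startup delay (e.g. leader election)
// and a retry window: the job is missed if the delay can outlast the smallest
// buffer, and the wait times out if the largest buffer exceeds the window.
func verdict(offset, startupDelay, retryWindow time.Duration) (missed, timedOut bool) {
	lo, hi := bufferRange(offset)
	return startupDelay >= lo, hi > retryWindow
}

func main() {
	delay := 46 * time.Second
	for _, c := range []struct{ offset, window time.Duration }{
		{75 * time.Second, 100 * time.Second},
		{150 * time.Second, 100 * time.Second},
		{120 * time.Second, 200 * time.Second},
	} {
		lo, hi := bufferRange(c.offset)
		missed, timedOut := verdict(c.offset, delay, c.window)
		fmt.Printf("offset=%v buffer=%v..%v missed=%v timedOut=%v\n", c.offset, lo, hi, missed, timedOut)
	}
}
```
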
- Add CronJobRetryLoop (600s) for WaitUntilCronJobsSuccessful to handle variable scan durations without affecting other retry timeouts
- Clean up stale k3d target cluster before creating in external cluster tests
- Add --ignore-not-found to pod deletion in AfterTest cleanup
- Downgrade completed CronJob pod describe failure from ERROR to WARN
- Regenerate CRD and RBAC manifests for updated type docs and job delete verb
- Fix whitespace alignment in container_image_resolver_test.go

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
imilchev approved these changes Feb 16, 2026
Summary

- MondooOperatorConfig cluster-scoped CRD for configuring HTTP/HTTPS proxy settings, no-proxy rules, and container image registry mirrors across all MondooAuditConfig resources
- --api-proxy HTTPS preference, operator config watch for live reloads, shared image cache mutex

Key Changes

- MondooOperatorConfig with proxy (httpProxy, httpsProxy, noProxy), registry mirror (registryMirrors, imageRegistry), and skipContainerResolution fields
- HTTP_PROXY/HTTPS_PROXY/NO_PROXY env vars and --api-proxy flag into all scan CronJobs, DaemonSets, and Deployments

Test plan

- make lint passes
- make lint/actions passes
- go test ./pkg/utils/k8s/... ./controllers/k8s_scan/... ./controllers/container_image/... ./controllers/nodes/... ./controllers/resource_watcher/... ./pkg/imagecache/...

🤖 Generated with Claude Code