Extract annotation helpers, add validation, and strengthen tests

chris-rock · claude · chris-rock · commit 072c03e23723 · 2026-02-06T19:26:14.000+01:00
- Extract duplicated annotation CLI arg building into pkg/annotations.AnnotationArgs()
- Add annotations.Validate() to reject empty keys, keys containing '=', and empty values
- Call validation in the reconciler and resource-watcher CLI entrypoint
- Strengthen test assertions to unmarshal inventory YAML and check asset annotations directly

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/cmd/mondoo-operator/resource_watcher/cmd.go b/cmd/mondoo-operator/resource_watcher/cmd.go
@@ -21,6 +21,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	"go.mondoo.com/mondoo-operator/controllers/resource_watcher"
+	annot "go.mondoo.com/mondoo-operator/pkg/annotations"
 	"go.mondoo.com/mondoo-operator/pkg/utils/logger"
 )
 
@@ -110,6 +111,11 @@ func init() {
 			}
 		}
 
+		// Validate annotations
+		if err := annot.Validate(*annotations); err != nil {
+			return fmt.Errorf("invalid annotations: %w", err)
+		}
+
 		logger.Info("Starting resource watcher",
 			"config", *configPath,
 			"namespaces", namespacesList,
diff --git a/controllers/container_image/resources_test.go b/controllers/container_image/resources_test.go
@@ -7,8 +7,11 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gopkg.in/yaml.v2"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	"go.mondoo.com/cnquery/v12/providers-sdk/v1/inventory"
 	"go.mondoo.com/mondoo-operator/api/v1alpha2"
 )
 
@@ -25,10 +28,15 @@ func TestInventory_WithAnnotations(t *testing.T) {
 		},
 	}
 
-	inv, err := Inventory("", testClusterUID, auditConfig, v1alpha2.MondooOperatorConfig{})
-	assert.NoError(t, err, "unexpected error generating inventory")
-	assert.Contains(t, inv, "env")
-	assert.Contains(t, inv, "prod")
-	assert.Contains(t, inv, "team")
-	assert.Contains(t, inv, "platform")
+	invStr, err := Inventory("", testClusterUID, auditConfig, v1alpha2.MondooOperatorConfig{})
+	require.NoError(t, err, "unexpected error generating inventory")
+
+	var inv inventory.Inventory
+	require.NoError(t, yaml.Unmarshal([]byte(invStr), &inv))
+	require.NotEmpty(t, inv.Spec.Assets, "expected at least one asset")
+
+	for _, asset := range inv.Spec.Assets {
+		assert.Equal(t, "prod", asset.Annotations["env"], "asset %s missing env annotation", asset.Name)
+		assert.Equal(t, "platform", asset.Annotations["team"], "asset %s missing team annotation", asset.Name)
+	}
 }
diff --git a/controllers/k8s_scan/resources_test.go b/controllers/k8s_scan/resources_test.go
@@ -7,8 +7,11 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gopkg.in/yaml.v2"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	"go.mondoo.com/cnquery/v12/providers-sdk/v1/inventory"
 	"go.mondoo.com/mondoo-operator/api/v1alpha2"
 )
 
@@ -25,12 +28,17 @@ func TestInventory_WithAnnotations(t *testing.T) {
 		},
 	}
 
-	inv, err := Inventory("", testClusterUID, auditConfig, v1alpha2.MondooOperatorConfig{})
-	assert.NoError(t, err, "unexpected error generating inventory")
-	assert.Contains(t, inv, "env")
-	assert.Contains(t, inv, "prod")
-	assert.Contains(t, inv, "team")
-	assert.Contains(t, inv, "platform")
+	invStr, err := Inventory("", testClusterUID, auditConfig, v1alpha2.MondooOperatorConfig{})
+	require.NoError(t, err, "unexpected error generating inventory")
+
+	var inv inventory.Inventory
+	require.NoError(t, yaml.Unmarshal([]byte(invStr), &inv))
+	require.NotEmpty(t, inv.Spec.Assets, "expected at least one asset")
+
+	for _, asset := range inv.Spec.Assets {
+		assert.Equal(t, "prod", asset.Annotations["env"], "asset %s missing env annotation", asset.Name)
+		assert.Equal(t, "platform", asset.Annotations["team"], "asset %s missing team annotation", asset.Name)
+	}
 }
 
 func TestExternalClusterInventory_WithAnnotations(t *testing.T) {
@@ -48,10 +56,15 @@ func TestExternalClusterInventory_WithAnnotations(t *testing.T) {
 		Name: "remote-cluster",
 	}
 
-	inv, err := ExternalClusterInventory("", testClusterUID, cluster, auditConfig, v1alpha2.MondooOperatorConfig{})
-	assert.NoError(t, err, "unexpected error generating inventory")
-	assert.Contains(t, inv, "env")
-	assert.Contains(t, inv, "staging")
-	assert.Contains(t, inv, "team")
-	assert.Contains(t, inv, "security")
+	invStr, err := ExternalClusterInventory("", testClusterUID, cluster, auditConfig, v1alpha2.MondooOperatorConfig{})
+	require.NoError(t, err, "unexpected error generating inventory")
+
+	var inv inventory.Inventory
+	require.NoError(t, yaml.Unmarshal([]byte(invStr), &inv))
+	require.NotEmpty(t, inv.Spec.Assets, "expected at least one asset")
+
+	for _, asset := range inv.Spec.Assets {
+		assert.Equal(t, "staging", asset.Annotations["env"], "asset %s missing env annotation", asset.Name)
+		assert.Equal(t, "security", asset.Annotations["team"], "asset %s missing team annotation", asset.Name)
+	}
 }
diff --git a/controllers/mondooauditconfig_controller.go b/controllers/mondooauditconfig_controller.go
@@ -32,6 +32,7 @@ import (
 	"go.mondoo.com/mondoo-operator/controllers/nodes"
 	resourcewatcher "go.mondoo.com/mondoo-operator/controllers/resource_watcher"
 	"go.mondoo.com/mondoo-operator/controllers/status"
+	"go.mondoo.com/mondoo-operator/pkg/annotations"
 	"go.mondoo.com/mondoo-operator/pkg/client/mondooclient"
 	"go.mondoo.com/mondoo-operator/pkg/constants"
 	"go.mondoo.com/mondoo-operator/pkg/utils/k8s"
@@ -183,6 +184,12 @@ func (r *MondooAuditConfigReconciler) Reconcile(ctx context.Context, req ctrl.Re
 		return ctrl.Result{Requeue: true}, nil
 	}
 
+	// Validate annotations before using them in inventory or CLI args
+	if err := annotations.Validate(mondooAuditConfig.Spec.Annotations); err != nil {
+		log.Error(err, "invalid annotations in MondooAuditConfig")
+		return ctrl.Result{}, err
+	}
+
 	mondooAuditConfigCopy := mondooAuditConfig.DeepCopy()
 
 	// Conditions might be updated before this reconciler reaches the end
diff --git a/controllers/nodes/resources_test.go b/controllers/nodes/resources_test.go
@@ -9,6 +9,10 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gopkg.in/yaml.v2"
+
+	"go.mondoo.com/cnquery/v12/providers-sdk/v1/inventory"
 	"go.mondoo.com/mondoo-operator/api/v1alpha2"
 	"go.mondoo.com/mondoo-operator/pkg/constants"
 	"go.mondoo.com/mondoo-operator/pkg/utils/k8s"
@@ -253,12 +257,17 @@ func TestInventory_WithAnnotations(t *testing.T) {
 		},
 	}
 
-	inv, err := Inventory("", testClusterUID, auditConfig)
-	assert.NoError(t, err, "unexpected error generating inventory")
-	assert.Contains(t, inv, "env")
-	assert.Contains(t, inv, "prod")
-	assert.Contains(t, inv, "team")
-	assert.Contains(t, inv, "platform")
+	invStr, err := Inventory("", testClusterUID, auditConfig)
+	require.NoError(t, err, "unexpected error generating inventory")
+
+	var inv inventory.Inventory
+	require.NoError(t, yaml.Unmarshal([]byte(invStr), &inv))
+	require.NotEmpty(t, inv.Spec.Assets, "expected at least one asset")
+
+	for _, asset := range inv.Spec.Assets {
+		assert.Equal(t, "prod", asset.Annotations["env"], "asset %s missing env annotation", asset.Name)
+		assert.Equal(t, "platform", asset.Annotations["team"], "asset %s missing team annotation", asset.Name)
+	}
 }
 
 func testMondooAuditConfig() *v1alpha2.MondooAuditConfig {
diff --git a/controllers/resource_watcher/resources.go b/controllers/resource_watcher/resources.go
@@ -5,7 +5,6 @@ package resource_watcher
 
 import (
 	"fmt"
-	"sort"
 	"strings"
 	"time"
 
@@ -15,6 +14,7 @@ import (
 	"k8s.io/utils/ptr"
 
 	"go.mondoo.com/mondoo-operator/api/v1alpha2"
+	"go.mondoo.com/mondoo-operator/pkg/annotations"
 	"go.mondoo.com/mondoo-operator/pkg/constants"
 	"go.mondoo.com/mondoo-operator/pkg/feature_flags"
 	"go.mondoo.com/mondoo-operator/pkg/utils/k8s"
@@ -87,14 +87,7 @@ func Deployment(image string, m *v1alpha2.MondooAuditConfig, cfg v1alpha2.Mondoo
 	}
 
 	// Add annotations (sorted for deterministic ordering)
-	annotationKeys := make([]string, 0, len(m.Spec.Annotations))
-	for k := range m.Spec.Annotations {
-		annotationKeys = append(annotationKeys, k)
-	}
-	sort.Strings(annotationKeys)
-	for _, key := range annotationKeys {
-		cmd = append(cmd, "--annotation", fmt.Sprintf("%s=%s", key, m.Spec.Annotations[key]))
-	}
+	cmd = append(cmd, annotations.AnnotationArgs(m.Spec.Annotations)...)
 
 	envVars := feature_flags.AllFeatureFlagsAsEnv()
 	envVars = append(envVars, corev1.EnvVar{Name: "MONDOO_AUTO_UPDATE", Value: "false"})
diff --git a/controllers/resource_watcher/resources_test.go b/controllers/resource_watcher/resources_test.go
@@ -259,12 +259,17 @@ func TestDeployment_WithAnnotations(t *testing.T) {
 	deployment := Deployment("ghcr.io/mondoohq/cnspec:latest", config, operatorConfig)
 
 	container := deployment.Spec.Template.Spec.Containers[0]
-	cmdStr := ""
-	for _, c := range container.Command {
-		cmdStr += c + " "
+	cmd := container.Command
+
+	// Find --annotation flags and collect their values
+	annotationArgs := map[string]bool{}
+	for i, arg := range cmd {
+		if arg == "--annotation" && i+1 < len(cmd) {
+			annotationArgs[cmd[i+1]] = true
+		}
 	}
-	assert.Contains(t, cmdStr, "--annotation env=prod")
-	assert.Contains(t, cmdStr, "--annotation team=platform")
+	assert.True(t, annotationArgs["env=prod"], "expected --annotation env=prod")
+	assert.True(t, annotationArgs["team=platform"], "expected --annotation team=platform")
 }
 
 func TestDeployment_HighPriorityByDefault(t *testing.T) {
diff --git a/controllers/resource_watcher/scanner.go b/controllers/resource_watcher/scanner.go
@@ -8,10 +8,11 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
-	"sort"
 	"time"
 
 	ctrl "sigs.k8s.io/controller-runtime"
+
+	"go.mondoo.com/mondoo-operator/pkg/annotations"
 )
 
 var scannerLogger = ctrl.Log.WithName("resource-watcher-scanner")
@@ -82,14 +83,7 @@ func (s *Scanner) ScanManifests(ctx context.Context, manifests []byte) error {
 		cnspecArgs = append(cnspecArgs, "--api-proxy", s.config.APIProxy)
 	}
 	// Add annotations as command-line arguments (sorted for deterministic ordering)
-	annotationKeys := make([]string, 0, len(s.config.Annotations))
-	for k := range s.config.Annotations {
-		annotationKeys = append(annotationKeys, k)
-	}
-	sort.Strings(annotationKeys)
-	for _, key := range annotationKeys {
-		cnspecArgs = append(cnspecArgs, "--annotation", fmt.Sprintf("%s=%s", key, s.config.Annotations[key]))
-	}
+	cnspecArgs = append(cnspecArgs, annotations.AnnotationArgs(s.config.Annotations)...)
 
 	// Create context with timeout
 	scanCtx := ctx
diff --git a/pkg/annotations/annotations.go b/pkg/annotations/annotations.go
@@ -0,0 +1,48 @@
+// Copyright Mondoo, Inc. 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package annotations
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+)
+
+// AnnotationArgs converts a map of annotations into sorted CLI arguments
+// suitable for passing to cnspec via --annotation key=value flags.
+func AnnotationArgs(annotations map[string]string) []string {
+	if len(annotations) == 0 {
+		return nil
+	}
+
+	keys := make([]string, 0, len(annotations))
+	for k := range annotations {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+
+	args := make([]string, 0, len(annotations)*2)
+	for _, key := range keys {
+		args = append(args, "--annotation", fmt.Sprintf("%s=%s", key, annotations[key]))
+	}
+	return args
+}
+
+// Validate checks that annotation keys and values are well-formed for use as
+// cnspec --annotation key=value CLI arguments. Keys must be non-empty and must
+// not contain '='. Values must be non-empty.
+func Validate(annotations map[string]string) error {
+	for k, v := range annotations {
+		if k == "" {
+			return fmt.Errorf("annotation key must not be empty")
+		}
+		if strings.Contains(k, "=") {
+			return fmt.Errorf("annotation key %q must not contain '='", k)
+		}
+		if v == "" {
+			return fmt.Errorf("annotation value for key %q must not be empty", k)
+		}
+	}
+	return nil
+}
diff --git a/pkg/annotations/annotations_test.go b/pkg/annotations/annotations_test.go
@@ -0,0 +1,75 @@
+// Copyright Mondoo, Inc. 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package annotations
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestAnnotationArgs(t *testing.T) {
+	t.Run("nil map returns nil", func(t *testing.T) {
+		assert.Nil(t, AnnotationArgs(nil))
+	})
+
+	t.Run("empty map returns nil", func(t *testing.T) {
+		assert.Nil(t, AnnotationArgs(map[string]string{}))
+	})
+
+	t.Run("single annotation", func(t *testing.T) {
+		args := AnnotationArgs(map[string]string{"env": "prod"})
+		assert.Equal(t, []string{"--annotation", "env=prod"}, args)
+	})
+
+	t.Run("multiple annotations are sorted by key", func(t *testing.T) {
+		args := AnnotationArgs(map[string]string{
+			"team": "platform",
+			"env":  "prod",
+			"app":  "mondoo",
+		})
+		assert.Equal(t, []string{
+			"--annotation", "app=mondoo",
+			"--annotation", "env=prod",
+			"--annotation", "team=platform",
+		}, args)
+	})
+}
+
+func TestValidate(t *testing.T) {
+	t.Run("valid annotations", func(t *testing.T) {
+		err := Validate(map[string]string{
+			"env":  "prod",
+			"team": "platform",
+		})
+		assert.NoError(t, err)
+	})
+
+	t.Run("nil map is valid", func(t *testing.T) {
+		assert.NoError(t, Validate(nil))
+	})
+
+	t.Run("empty map is valid", func(t *testing.T) {
+		assert.NoError(t, Validate(map[string]string{}))
+	})
+
+	t.Run("empty key is rejected", func(t *testing.T) {
+		err := Validate(map[string]string{"": "value"})
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "must not be empty")
+	})
+
+	t.Run("key with equals sign is rejected", func(t *testing.T) {
+		err := Validate(map[string]string{"key=bad": "value"})
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "must not contain '='")
+	})
+
+	t.Run("empty value is rejected", func(t *testing.T) {
+		err := Validate(map[string]string{"key": ""})
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "must not be empty")
+	})
+}

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ import (`
`21`	`21`	`"sigs.k8s.io/controller-runtime/pkg/log"`
`22`	`22`
`23`	`23`	`"go.mondoo.com/mondoo-operator/controllers/resource_watcher"`
	`24`	`+ annot "go.mondoo.com/mondoo-operator/pkg/annotations"`
`24`	`25`	`"go.mondoo.com/mondoo-operator/pkg/utils/logger"`
`25`	`26`	`)`
`26`	`27`
`@@ -110,6 +111,11 @@ func init() {`
`110`	`111`	`}`
`111`	`112`	`}`
`112`	`113`
	`114`	`+ // Validate annotations`
	`115`	`+ if err := annot.Validate(*annotations); err != nil {`
	`116`	`+ return fmt.Errorf("invalid annotations: %w", err)`
	`117`	`+ }`
	`118`	`+`
`113`	`119`	`logger.Info("Starting resource watcher",`
`114`	`120`	`"config", *configPath,`
`115`	`121`	`"namespaces", namespacesList,`