Add OperatorImageDigest to status reporting and fix interface signatures

chris-rock · claude · chris-rock · commit 2385ff08142d · 2026-02-13T15:32:40.000+01:00
Extend the OperatorCustomState to include OperatorImageDigest alongside
the existing CnspecVersion and CnspecImageDigest fields. This ensures
both cnspec and operator image name, tag, and SHA are reported to the
Mondoo platform.

Also fixes the ContainerImageResolverMock to match the current 4-param
CnspecImage/MondooOperatorImage interface signatures (with userDigest).

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/controllers/status/operator_status.go b/controllers/status/operator_status.go
@@ -4,6 +4,7 @@
 package status
 
 import (
+	"context"
 	"strings"
 
 	"github.com/go-logr/logr"
@@ -30,6 +31,7 @@ type OperatorCustomState struct {
 	Nodes                  []string
 	MondooAuditConfig      MondooAuditConfig
 	OperatorVersion        string
+	OperatorImageDigest    string
 	CnspecVersion          string
 	CnspecImageDigest      string
 	K8sResourcesScanning   bool
@@ -44,7 +46,7 @@ type MondooAuditConfig struct {
 }
 
 func ReportStatusRequestFromAuditConfig(
-	integrationMrn string, m v1alpha2.MondooAuditConfig, nodes []v1.Node, k8sVersion *k8sversion.Info, containerImageResolver mondoo.ContainerImageResolver, log logr.Logger,
+	ctx context.Context, integrationMrn string, m v1alpha2.MondooAuditConfig, nodes []v1.Node, k8sVersion *k8sversion.Info, containerImageResolver mondoo.ContainerImageResolver, log logr.Logger,
 ) mondooclient.ReportStatusRequest {
 	nodeNames := make([]string, len(nodes))
 	for i := range nodes {
@@ -164,10 +166,10 @@ func ReportStatusRequestFromAuditConfig(
 		}
 	}
 
-	// Resolve cnspec image to get version and digest
-	var cnspecVersion, cnspecImageDigest string
+	// Resolve cnspec and operator images to get version and digest
+	var cnspecVersion, cnspecImageDigest, operatorImageDigest string
 	if containerImageResolver != nil {
-		resolvedImage, err := containerImageResolver.CnspecImage(m.Spec.Scanner.Image.Name, m.Spec.Scanner.Image.Tag, "", false)
+		resolvedImage, err := containerImageResolver.CnspecImage(m.Spec.Scanner.Image.Name, m.Spec.Scanner.Image.Tag, m.Spec.Scanner.Image.Digest, false)
 		if err != nil {
 			log.Error(err, "Failed to resolve cnspec image for status reporting")
 		} else {
@@ -177,10 +179,20 @@ func ReportStatusRequestFromAuditConfig(
 			}
 		}
 		// Get the tag separately (without resolution) for the version field
-		tagImage, _ := containerImageResolver.CnspecImage(m.Spec.Scanner.Image.Name, m.Spec.Scanner.Image.Tag, "", true)
+		tagImage, _ := containerImageResolver.CnspecImage(m.Spec.Scanner.Image.Name, m.Spec.Scanner.Image.Tag, m.Spec.Scanner.Image.Digest, true)
 		if idx := strings.LastIndex(tagImage, ":"); idx != -1 {
 			cnspecVersion = tagImage[idx+1:]
 		}
+
+		// Resolve operator image digest
+		resolvedOperator, err := containerImageResolver.MondooOperatorImage(ctx, "", "", "", false)
+		if err != nil {
+			log.Error(err, "Failed to resolve operator image for status reporting")
+		} else {
+			if idx := strings.Index(resolvedOperator, "@"); idx != -1 {
+				operatorImageDigest = resolvedOperator[idx+1:]
+			}
+		}
 	}
 
 	return mondooclient.ReportStatusRequest{
@@ -191,6 +203,7 @@ func ReportStatusRequestFromAuditConfig(
 			KubernetesVersion:      k8sVersion.GitVersion,
 			MondooAuditConfig:      MondooAuditConfig{Name: m.Name, Namespace: m.Namespace},
 			OperatorVersion:        version.Version,
+			OperatorImageDigest:    operatorImageDigest,
 			CnspecVersion:          cnspecVersion,
 			CnspecImageDigest:      cnspecImageDigest,
 			K8sResourcesScanning:   m.Spec.KubernetesResources.Enable,
diff --git a/controllers/status/operator_status_test.go b/controllers/status/operator_status_test.go
@@ -4,6 +4,7 @@
 package status
 
 import (
+	"context"
 	"testing"
 
 	"github.com/go-logr/logr"
@@ -29,7 +30,7 @@ func TestReportStatusRequestFromAuditConfig_AllDisabled(t *testing.T) {
 	v := &k8sversion.Info{GitVersion: "v1.24.0"}
 
 	m := testMondooAuditConfig()
-	reportStatus := ReportStatusRequestFromAuditConfig(integrationMrn, m, nodes, v, nil, logger)
+	reportStatus := ReportStatusRequestFromAuditConfig(context.Background(), integrationMrn, m, nodes, v, nil, logger)
 	assert.Equal(t, integrationMrn, reportStatus.Mrn)
 	assert.Equal(t, mondooclient.Status_ACTIVE, reportStatus.Status)
 	assert.Equal(t, OperatorCustomState{
@@ -73,7 +74,7 @@ func TestReportStatusRequestFromAuditConfig_AllEnabled(t *testing.T) {
 		{Message: "Mondoo Operator controller is available", Status: v1.ConditionFalse, Type: v1alpha2.MondooOperatorDegraded},
 	}
 
-	reportStatus := ReportStatusRequestFromAuditConfig(integrationMrn, m, nodes, v, nil, logger)
+	reportStatus := ReportStatusRequestFromAuditConfig(context.Background(), integrationMrn, m, nodes, v, nil, logger)
 	assert.Equal(t, integrationMrn, reportStatus.Mrn)
 	assert.Equal(t, mondooclient.Status_ACTIVE, reportStatus.Status)
 	assert.Equal(t, OperatorCustomState{
@@ -125,7 +126,7 @@ func TestReportStatusRequestFromAuditConfig_AllEnabled_DeprecatedFields(t *testi
 		{Message: "Mondoo Operator controller is available", Status: v1.ConditionFalse, Type: v1alpha2.MondooOperatorDegraded},
 	}
 
-	reportStatus := ReportStatusRequestFromAuditConfig(integrationMrn, m, nodes, v, nil, logger)
+	reportStatus := ReportStatusRequestFromAuditConfig(context.Background(), integrationMrn, m, nodes, v, nil, logger)
 	assert.Equal(t, integrationMrn, reportStatus.Mrn)
 	assert.Equal(t, mondooclient.Status_ACTIVE, reportStatus.Status)
 	assert.Equal(t, OperatorCustomState{
@@ -173,7 +174,7 @@ func TestReportStatusRequestFromAuditConfig_AllError(t *testing.T) {
 		{Message: "Mondoo Operator controller is unavailable", Status: v1.ConditionTrue, Type: v1alpha2.MondooOperatorDegraded},
 	}
 
-	reportStatus := ReportStatusRequestFromAuditConfig(integrationMrn, m, nodes, v, nil, logger)
+	reportStatus := ReportStatusRequestFromAuditConfig(context.Background(), integrationMrn, m, nodes, v, nil, logger)
 	assert.Equal(t, integrationMrn, reportStatus.Mrn)
 	assert.Equal(t, mondooclient.Status_ERROR, reportStatus.Status)
 	assert.Equal(t, OperatorCustomState{
diff --git a/controllers/status/status_reporter.go b/controllers/status/status_reporter.go
@@ -58,7 +58,7 @@ func (r *StatusReporter) Report(ctx context.Context, m v1alpha2.MondooAuditConfi
 		return err
 	}
 
-	operatorStatus := ReportStatusRequestFromAuditConfig(integrationMrn, m, nodes.Items, r.k8sVersion, r.containerImageResolver, logger)
+	operatorStatus := ReportStatusRequestFromAuditConfig(ctx, integrationMrn, m, nodes.Items, r.k8sVersion, r.containerImageResolver, logger)
 
 	r.mu.RLock()
 	statusUnchanged := reflect.DeepEqual(operatorStatus, r.lastReportedStatus)

Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ func (r *StatusReporter) Report(ctx context.Context, m v1alpha2.MondooAuditConfi`
`58`	`58`	`return err`
`59`	`59`	`}`
`60`	`60`
`61`		`- operatorStatus := ReportStatusRequestFromAuditConfig(integrationMrn, m, nodes.Items, r.k8sVersion, r.containerImageResolver, logger)`
	`61`	`+ operatorStatus := ReportStatusRequestFromAuditConfig(ctx, integrationMrn, m, nodes.Items, r.k8sVersion, r.containerImageResolver, logger)`
`62`	`62`
`63`	`63`	`r.mu.RLock()`
`64`	`64`	`statusUnchanged := reflect.DeepEqual(operatorStatus, r.lastReportedStatus)`