refactor: streamline garbage collection logic for nodes and K8s resources

Author: slntopp

controllers/k8s_scan/deployment_handler.go

@@ -20,7 +20,6 @@ import (
 
 	"go.mondoo.com/mondoo-operator/api/v1alpha2"
 	"go.mondoo.com/mondoo-operator/pkg/client/mondooclient"
-	"go.mondoo.com/mondoo-operator/pkg/constants"
 	"go.mondoo.com/mondoo-operator/pkg/utils/k8s"
 	"go.mondoo.com/mondoo-operator/pkg/utils/mondoo"
 )
@@ -612,59 +611,14 @@ func (n *DeploymentHandler) garbageCollectIfNeeded(ctx context.Context, clusterU
 
 // performGarbageCollection calls the Mondoo API to garbage collect stale K8s resource scan assets.
 func (n *DeploymentHandler) performGarbageCollection(ctx context.Context, managedBy string) error {
-	if n.MondooClientBuilder == nil {
-		logger.Info("MondooClientBuilder not configured, skipping garbage collection")
-		return nil
-	}
-
-	// Read service account credentials from the creds secret
-	credsSecret := &corev1.Secret{}
-	credsSecretKey := client.ObjectKey{
-		Namespace: n.Mondoo.Namespace,
-		Name:      n.Mondoo.Spec.MondooCredsSecretRef.Name,
-	}
-	if err := n.KubeClient.Get(ctx, credsSecretKey, credsSecret); err != nil {
-		return fmt.Errorf("failed to get credentials secret: %w", err)
-	}
-
-	saData, ok := credsSecret.Data[constants.MondooCredsSecretServiceAccountKey]
-	if !ok {
-		return fmt.Errorf("credentials secret missing key %q", constants.MondooCredsSecretServiceAccountKey)
-	}
-
-	sa, err := mondoo.LoadServiceAccountFromFile(saData)
-	if err != nil {
-		return fmt.Errorf("failed to load service account: %w", err)
-	}
-
-	token, err := mondoo.GenerateTokenFromServiceAccount(*sa, logger)
-	if err != nil {
-		return fmt.Errorf("failed to generate token: %w", err)
-	}
-
-	opts := mondooclient.MondooClientOptions{
-		ApiEndpoint: sa.ApiEndpoint,
-		Token:       token,
-	}
-	if n.MondooOperatorConfig != nil {
-		opts.HttpProxy = n.MondooOperatorConfig.Spec.HttpProxy
-		opts.HttpsProxy = n.MondooOperatorConfig.Spec.HttpsProxy
-		opts.NoProxy = n.MondooOperatorConfig.Spec.NoProxy
-	}
-
-	mondooClient, err := n.MondooClientBuilder(opts)
-	if err != nil {
-		return fmt.Errorf("failed to create mondoo client: %w", err)
-	}
-
 	gcOpts := &mondooclient.GarbageCollectOptions{
 		ManagedBy:       managedBy,
 		PlatformRuntime: "k8s-cluster",
 		OlderThan:       time.Now().Add(-2 * time.Hour).Format(time.RFC3339),
 	}
 
-	if err := mondooClient.GarbageCollectAssets(ctx, gcOpts); err != nil {
-		return fmt.Errorf("garbage collection API call failed: %w", err)
+	if err := mondoo.GarbageCollectAssets(ctx, n.KubeClient, n.Mondoo, n.MondooOperatorConfig, n.MondooClientBuilder, gcOpts, logger); err != nil {
+		return err
 	}
 
 	logger.Info("Successfully performed garbage collection of K8s resource scan assets")

controllers/nodes/deployment_handler.go

@@ -5,14 +5,12 @@ package nodes
 
 import (
 	"context"
-	"fmt"
 	"maps"
 	"slices"
 	"time"
 
 	"go.mondoo.com/mondoo-operator/api/v1alpha2"
 	"go.mondoo.com/mondoo-operator/pkg/client/mondooclient"
-	"go.mondoo.com/mondoo-operator/pkg/constants"
 	"go.mondoo.com/mondoo-operator/pkg/utils/k8s"
 	"go.mondoo.com/mondoo-operator/pkg/utils/mondoo"
 	appsv1 "k8s.io/api/apps/v1"
@@ -437,59 +435,14 @@ func (n *DeploymentHandler) garbageCollectIfNeeded(ctx context.Context, clusterU
 
 // performGarbageCollection calls the Mondoo API to garbage collect stale node scan assets.
 func (n *DeploymentHandler) performGarbageCollection(ctx context.Context, managedBy string) error {
-	if n.MondooClientBuilder == nil {
-		logger.Info("MondooClientBuilder not configured, skipping node scan garbage collection")
-		return nil
-	}
-
-	// Read service account credentials from the creds secret
-	credsSecret := &corev1.Secret{}
-	credsSecretKey := client.ObjectKey{
-		Namespace: n.Mondoo.Namespace,
-		Name:      n.Mondoo.Spec.MondooCredsSecretRef.Name,
-	}
-	if err := n.KubeClient.Get(ctx, credsSecretKey, credsSecret); err != nil {
-		return fmt.Errorf("failed to get credentials secret: %w", err)
-	}
-
-	saData, ok := credsSecret.Data[constants.MondooCredsSecretServiceAccountKey]
-	if !ok {
-		return fmt.Errorf("credentials secret missing key %q", constants.MondooCredsSecretServiceAccountKey)
-	}
-
-	sa, err := mondoo.LoadServiceAccountFromFile(saData)
-	if err != nil {
-		return fmt.Errorf("failed to load service account: %w", err)
-	}
-
-	token, err := mondoo.GenerateTokenFromServiceAccount(*sa, logger)
-	if err != nil {
-		return fmt.Errorf("failed to generate token: %w", err)
-	}
-
-	opts := mondooclient.MondooClientOptions{
-		ApiEndpoint: sa.ApiEndpoint,
-		Token:       token,
-	}
-	if n.MondooOperatorConfig != nil {
-		opts.HttpProxy = n.MondooOperatorConfig.Spec.HttpProxy
-		opts.HttpsProxy = n.MondooOperatorConfig.Spec.HttpsProxy
-		opts.NoProxy = n.MondooOperatorConfig.Spec.NoProxy
-	}
-
-	mondooClient, err := n.MondooClientBuilder(opts)
-	if err != nil {
-		return fmt.Errorf("failed to create mondoo client: %w", err)
-	}
-
 	gcOpts := &mondooclient.GarbageCollectOptions{
 		ManagedBy: managedBy,
 		Labels:    map[string]string{"k8s.mondoo.com/kind": "node"},
 		OlderThan: time.Now().Add(-2 * time.Hour).Format(time.RFC3339),
 	}
 
-	if err := mondooClient.GarbageCollectAssets(ctx, gcOpts); err != nil {
-		return fmt.Errorf("garbage collection API call failed: %w", err)
+	if err := mondoo.GarbageCollectAssets(ctx, n.KubeClient, n.Mondoo, n.MondooOperatorConfig, n.MondooClientBuilder, gcOpts, logger); err != nil {
+		return err
 	}
 
 	logger.Info("Successfully performed garbage collection of node scan assets")

pkg/utils/mondoo/gc.go

@@ -0,0 +1,80 @@
+// Copyright Mondoo, Inc. 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package mondoo
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/go-logr/logr"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"go.mondoo.com/mondoo-operator/api/v1alpha2"
+	"go.mondoo.com/mondoo-operator/pkg/client/mondooclient"
+	"go.mondoo.com/mondoo-operator/pkg/constants"
+)
+
+// GarbageCollectAssets builds a Mondoo API client from the operator's credentials and
+// calls GarbageCollectAssets with the provided options. This is shared between node scan
+// and k8s resource scan garbage collection.
+func GarbageCollectAssets(
+	ctx context.Context,
+	kubeClient client.Client,
+	mondoo *v1alpha2.MondooAuditConfig,
+	operatorConfig *v1alpha2.MondooOperatorConfig,
+	clientBuilder func(mondooclient.MondooClientOptions) (mondooclient.MondooClient, error),
+	gcOpts *mondooclient.GarbageCollectOptions,
+	logger logr.Logger,
+) error {
+	if clientBuilder == nil {
+		logger.Info("MondooClientBuilder not configured, skipping garbage collection")
+		return nil
+	}
+
+	credsSecret := &corev1.Secret{}
+	credsSecretKey := client.ObjectKey{
+		Namespace: mondoo.Namespace,
+		Name:      mondoo.Spec.MondooCredsSecretRef.Name,
+	}
+	if err := kubeClient.Get(ctx, credsSecretKey, credsSecret); err != nil {
+		return fmt.Errorf("failed to get credentials secret: %w", err)
+	}
+
+	saData, ok := credsSecret.Data[constants.MondooCredsSecretServiceAccountKey]
+	if !ok {
+		return fmt.Errorf("credentials secret missing key %q", constants.MondooCredsSecretServiceAccountKey)
+	}
+
+	sa, err := LoadServiceAccountFromFile(saData)
+	if err != nil {
+		return fmt.Errorf("failed to load service account: %w", err)
+	}
+
+	token, err := GenerateTokenFromServiceAccount(*sa, logger)
+	if err != nil {
+		return fmt.Errorf("failed to generate token: %w", err)
+	}
+
+	opts := mondooclient.MondooClientOptions{
+		ApiEndpoint: sa.ApiEndpoint,
+		Token:       token,
+	}
+	if operatorConfig != nil {
+		opts.HttpProxy = operatorConfig.Spec.HttpProxy
+		opts.HttpsProxy = operatorConfig.Spec.HttpsProxy
+		opts.NoProxy = operatorConfig.Spec.NoProxy
+	}
+
+	mc, err := clientBuilder(opts)
+	if err != nil {
+		return fmt.Errorf("failed to create mondoo client: %w", err)
+	}
+
+	if err := mc.GarbageCollectAssets(ctx, gcOpts); err != nil {
+		return fmt.Errorf("garbage collection API call failed: %w", err)
+	}
+
+	return nil
+}