test-suites for external scanning with Vault and self-scanning with connected Mondoo integration

Author: slntopp

tests/e2e/README.md

@@ -6,6 +6,8 @@ End-to-end tests that deploy the Mondoo operator to a real GKE cluster and verif
 
 - **Fresh Deploy** (`run-fresh-deploy.sh`): Builds the operator from the current branch, deploys to a GKE cluster, configures scanning, and verifies everything works.
 - **Upgrade** (`run-upgrade.sh`): Installs a released baseline version first, verifies it, then upgrades to the current branch and verifies again.
+- **External Cluster** (`run-external-cluster.sh`): Deploys the operator and configures external cluster scanning against a target GKE cluster using a static kubeconfig Secret.
+- **Vault External Cluster** (`run-vault-external-cluster.sh`): Like External Cluster, but uses HashiCorp Vault's Kubernetes secrets engine to dynamically generate short-lived service account tokens instead of a static kubeconfig.
 - **Registry Mirroring & Proxy** (`run-registry-mirroring.sh`): Deploys with an Artifact Registry mirror repo and optional Squid proxy. Verifies image references are rewritten, `imagePullSecrets` are propagated, and proxy env vars are set.
 
 All tests pause for manual verification at each verify step (check Mondoo console for assets/scan results). Press Enter to continue or Ctrl+C to abort.
@@ -61,6 +63,7 @@ terraform apply \
 | `region` | no | `europe-west3` | GCP region |
 | `autopilot` | no | `true` | `true` for Autopilot, `false` for Standard cluster |
 | `enable_mirror_test` | no | `false` | Create a mirror AR repo for registry mirroring/imagePullSecrets tests |
+| `enable_target_cluster` | no | `false` | Create a second GKE cluster for external cluster / Vault scanning tests |
 | `enable_proxy_test` | no | `false` | Provision a Squid proxy VM for proxy tests (requires `enable_mirror_test`) |
 
 You can also set these in a `terraform.tfvars` file.
@@ -99,6 +102,45 @@ What it does:
 6. Upgrades to the current branch image via local Helm chart
 7. Waits, verifies again, pauses for manual check
 
+### External Cluster (Static Kubeconfig)
+
+```bash
+# Provision infrastructure with a target cluster
+cd tests/e2e/terraform
+terraform apply -var="project_id=MY_PROJECT" -var="mondoo_org_id=MY_ORG" \
+  -var="enable_target_cluster=true"
+
+# Run the test
+cd tests/e2e
+./run-external-cluster.sh
+```
+
+### Vault External Cluster
+
+```bash
+# Provision infrastructure with a target cluster
+cd tests/e2e/terraform
+terraform apply -var="project_id=MY_PROJECT" -var="mondoo_org_id=MY_ORG" \
+  -var="enable_target_cluster=true"
+
+# Run the test
+cd tests/e2e
+./run-vault-external-cluster.sh
+```
+
+What it does:
+1. Loads Terraform outputs (requires `enable_target_cluster=true`)
+2. Builds the operator image and pushes to Artifact Registry
+3. Deploys nginx test workloads to both clusters
+4. Installs the operator via local Helm chart
+5. Deploys HashiCorp Vault in dev mode to the scanner cluster
+6. Configures Vault: Kubernetes auth (scanner cluster) + Kubernetes secrets engine (target cluster)
+7. Creates target cluster CA cert Secret for TLS verification
+8. Applies MondooAuditConfig with `vaultAuth` external cluster config
+9. Waits 90s for operator to reconcile and fetch Vault credentials
+10. Verifies: vault-kubeconfig Secret created, CronJob has no init containers, correct volume mounts
+11. Pauses for manual verification in the Mondoo console
+
 ### Registry Mirroring & Proxy
 
 ```bash
@@ -148,6 +190,8 @@ tests/e2e/
 ├── README.md
 ├── run-fresh-deploy.sh              # Fresh deploy test orchestrator
 ├── run-upgrade.sh                   # Upgrade test orchestrator
+├── run-external-cluster.sh          # External cluster scanning test orchestrator
+├── run-vault-external-cluster.sh    # Vault external cluster test orchestrator
 ├── run-registry-mirroring.sh        # Registry mirroring & proxy test orchestrator
 ├── terraform/
 │   ├── versions.tf                  # Provider requirements
@@ -163,16 +207,25 @@ tests/e2e/
 │   ├── deploy-operator-mirroring.sh # Helm install with mirror/proxy values
 │   ├── deploy-baseline.sh           # Helm install released version
 │   ├── deploy-test-workload.sh      # Deploy nginx for scanning
+│   ├── deploy-target-workload.sh    # Deploy nginx + kubeconfig Secret for external cluster
+│   ├── deploy-target-workload-only.sh # Deploy nginx to target (no kubeconfig Secret)
+│   ├── deploy-vault.sh              # Deploy + configure Vault for external cluster auth
 │   ├── apply-mondoo-config.sh       # Create secret + apply MondooAuditConfig
 │   ├── setup-mirror-registry.sh     # Create imagePullSecret for mirror AR repo
 │   ├── populate-mirror-registry.sh  # Copy cnspec image into mirror AR repo via crane
 │   ├── verify.sh                    # Automated checks + manual verification pause
+│   ├── verify-external.sh           # External cluster verification
+│   ├── verify-vault-external.sh     # Vault external cluster verification
 │   ├── verify-mirroring.sh          # Mirroring/proxy-specific verification
 │   └── cleanup.sh                   # Remove all test resources from cluster
 └── manifests/
-    ├── mondoo-audit-config.yaml.tpl            # Standard cluster config (nodes enabled)
-    ├── mondoo-audit-config-autopilot.yaml.tpl  # Autopilot config (nodes disabled)
-    └── nginx-workload.yaml                     # Test workload
+    ├── mondoo-audit-config.yaml.tpl                       # Standard config (nodes enabled)
+    ├── mondoo-audit-config-autopilot.yaml.tpl             # Autopilot config (nodes disabled)
+    ├── mondoo-audit-config-external.yaml.tpl              # External cluster (static kubeconfig)
+    ├── mondoo-audit-config-external-autopilot.yaml.tpl    # External cluster + Autopilot
+    ├── mondoo-audit-config-vault-external.yaml.tpl        # Vault external cluster
+    ├── mondoo-audit-config-vault-external-autopilot.yaml.tpl # Vault external + Autopilot
+    └── nginx-workload.yaml                                # Test workload
 ```
 
 ## Notes

tests/e2e/manifests/mondoo-audit-config-vault-external-autopilot.yaml.tpl

@@ -0,0 +1,36 @@
+# Copyright Mondoo, Inc. 2026
+# SPDX-License-Identifier: BUSL-1.1
+
+apiVersion: k8s.mondoo.com/v1alpha2
+kind: MondooAuditConfig
+metadata:
+  name: mondoo-client
+  namespace: ${NAMESPACE}
+spec:
+  mondooCredsSecretRef:
+    name: mondoo-client
+  filtering:
+    namespaces:
+      exclude:
+        - kube-system
+        - gke-managed-system
+        - gke-managed-cim
+  kubernetesResources:
+    enable: true
+    schedule: "*/5 * * * *"
+    externalClusters:
+      - name: target-cluster
+        vaultAuth:
+          server: "${VAULT_TARGET_SERVER}"
+          vaultAddr: "${VAULT_ADDR_INTERNAL}"
+          authRole: "mondoo-operator"
+          credsRole: "target-cluster-scanner"
+          ttl: "1h"
+          targetCACertSecretRef:
+            name: vault-target-ca-cert
+  containers:
+    enable: true
+    schedule: "*/5 * * * *"
+  nodes:
+    # Disabled: GKE Autopilot does not allow hostPath volumes on /
+    enable: false

tests/e2e/manifests/mondoo-audit-config-vault-external.yaml.tpl

@@ -0,0 +1,37 @@
+# Copyright Mondoo, Inc. 2026
+# SPDX-License-Identifier: BUSL-1.1
+
+apiVersion: k8s.mondoo.com/v1alpha2
+kind: MondooAuditConfig
+metadata:
+  name: mondoo-client
+  namespace: ${NAMESPACE}
+spec:
+  mondooCredsSecretRef:
+    name: mondoo-client
+  filtering:
+    namespaces:
+      exclude:
+        - kube-system
+        - gke-managed-system
+        - gke-managed-cim
+  kubernetesResources:
+    enable: true
+    schedule: "*/5 * * * *"
+    externalClusters:
+      - name: target-cluster
+        vaultAuth:
+          server: "${VAULT_TARGET_SERVER}"
+          vaultAddr: "${VAULT_ADDR_INTERNAL}"
+          authRole: "mondoo-operator"
+          credsRole: "target-cluster-scanner"
+          ttl: "1h"
+          targetCACertSecretRef:
+            name: vault-target-ca-cert
+  containers:
+    enable: true
+    schedule: "*/5 * * * *"
+  nodes:
+    enable: true
+    style: cronjob
+    schedule: "*/5 * * * *"

tests/e2e/run-operator-only.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+# Copyright Mondoo, Inc. 2026
+# SPDX-License-Identifier: BUSL-1.1
+
+# Test: Operator-Only Deploy
+# Builds operator from current branch and deploys to GKE Autopilot.
+# Does NOT create a MondooAuditConfig — apply one manually from the UI.
+#
+# Prerequisites:
+#   - Terraform infrastructure provisioned (cd terraform && terraform apply)
+#   - gcloud authenticated, docker, helm, kubectl available
+#
+# Usage:
+#   ./run-operator-only.sh
+
+set -euo pipefail
+
+E2E_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${E2E_ROOT}/scripts/common.sh"
+
+info "=========================================="
+info "  Test: Operator-Only Deploy"
+info "=========================================="
+
+# Step 1: Load Terraform outputs
+load_tf_outputs
+
+# Step 2: Build and push operator image
+info "--- Step: Build and Push ---"
+source "${E2E_ROOT}/scripts/build-and-push.sh"
+
+# Step 3: Deploy test workload
+info "--- Step: Deploy Test Workload ---"
+source "${E2E_ROOT}/scripts/deploy-test-workload.sh"
+
+# Step 4: Deploy operator from local chart
+info "--- Step: Deploy Operator ---"
+source "${E2E_ROOT}/scripts/deploy-operator.sh"
+
+info ""
+info "=========================================="
+info "  Operator deployed. Apply AuditConfig from the UI."
+info "=========================================="

tests/e2e/run-vault-external-cluster.sh

@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+# Copyright Mondoo, Inc. 2026
+# SPDX-License-Identifier: BUSL-1.1
+
+# Test: Vault-Authenticated External Cluster Scanning
+# Builds operator from current branch, deploys Vault with Kubernetes auth + secrets
+# engine, configures external cluster scanning via Vault, and verifies scanning.
+#
+# Prerequisites:
+#   - Terraform infrastructure provisioned with enable_target_cluster=true
+#   - gcloud authenticated, docker, helm, kubectl available
+#
+# Usage:
+#   ./run-vault-external-cluster.sh
+
+set -euo pipefail
+
+E2E_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${E2E_ROOT}/scripts/common.sh"
+
+info "=========================================="
+info "  Test: Vault External Cluster Scanning"
+info "=========================================="
+
+# Step 1: Load Terraform outputs
+load_tf_outputs
+
+if [[ "${ENABLE_TARGET_CLUSTER}" != "true" ]]; then
+  die "Target cluster is not enabled. Run: terraform apply -var='enable_target_cluster=true'"
+fi
+
+# Step 2: Build and push operator image
+info "--- Step: Build and Push ---"
+source "${E2E_ROOT}/scripts/build-and-push.sh"
+
+# Step 3: Deploy test workload to scanner cluster
+info "--- Step: Deploy Test Workload (scanner cluster) ---"
+source "${E2E_ROOT}/scripts/deploy-test-workload.sh"
+
+# Step 4: Deploy operator from local chart
+info "--- Step: Deploy Operator ---"
+source "${E2E_ROOT}/scripts/deploy-operator.sh"
+
+# Step 5: Ensure CRDs include vaultAuth field (Helm doesn't upgrade CRDs)
+info "--- Step: Update CRDs ---"
+kubectl apply --server-side --force-conflicts -f "${REPO_ROOT}/config/crd/bases/"
+
+# Step 6: Deploy test workload to target cluster (no kubeconfig Secret — Vault handles auth)
+info "--- Step: Deploy Target Workload ---"
+source "${E2E_ROOT}/scripts/deploy-target-workload-only.sh"
+
+# Step 7: Deploy and configure Vault
+info "--- Step: Deploy and Configure Vault ---"
+source "${E2E_ROOT}/scripts/deploy-vault.sh"
+
+# Step 8: Apply MondooAuditConfig with Vault auth
+info "--- Step: Apply Mondoo Config (with Vault auth) ---"
+export ENABLE_VAULT_TEST="true"
+source "${E2E_ROOT}/scripts/apply-mondoo-config.sh"
+
+# Step 9: Wait for operator to reconcile
+info "Waiting 90s for operator to reconcile and Vault token fetch..."
+sleep 90
+
+# Step 10: Verify local scanning
+info "--- Step: Verify (local) ---"
+source "${E2E_ROOT}/scripts/verify.sh"
+
+# Step 11: Verify Vault-based external cluster scanning
+info "--- Step: Verify (Vault external cluster) ---"
+source "${E2E_ROOT}/scripts/verify-vault-external.sh"
+
+info ""
+info "=========================================="
+info "  Test: Vault External Cluster Scanning - COMPLETE"
+info "=========================================="

tests/e2e/scripts/apply-mondoo-config.sh

@@ -23,7 +23,13 @@ rm -f /tmp/mondoo-creds.json
 
 info "Applying MondooAuditConfig..."
 export NAMESPACE
-if [[ "${ENABLE_TARGET_CLUSTER:-false}" == "true" ]]; then
+if [[ "${ENABLE_VAULT_TEST:-false}" == "true" ]]; then
+  if [[ "${AUTOPILOT}" == "true" ]]; then
+    MANIFEST="${E2E_DIR}/manifests/mondoo-audit-config-vault-external-autopilot.yaml.tpl"
+  else
+    MANIFEST="${E2E_DIR}/manifests/mondoo-audit-config-vault-external.yaml.tpl"
+  fi
+elif [[ "${ENABLE_TARGET_CLUSTER:-false}" == "true" ]]; then
   if [[ "${AUTOPILOT}" == "true" ]]; then
     MANIFEST="${E2E_DIR}/manifests/mondoo-audit-config-external-autopilot.yaml.tpl"
   else

tests/e2e/scripts/cleanup.sh

@@ -30,6 +30,14 @@ kubectl delete secret mondoo-client -n "${NAMESPACE}" --ignore-not-found
 info "Deleting target-kubeconfig secret..."
 kubectl delete secret target-kubeconfig -n "${NAMESPACE}" --ignore-not-found
 
+# Vault-related secrets
+info "Deleting Vault-related secrets..."
+kubectl delete secret vault-target-ca-cert -n "${NAMESPACE}" --ignore-not-found
+# Delete any operator-created vault-kubeconfig secrets
+for secret in $(kubectl get secrets -n "${NAMESPACE}" -l app=mondoo-k8s-scan -o name 2>/dev/null | grep vault-kubeconfig || true); do
+  kubectl delete "${secret}" -n "${NAMESPACE}" --ignore-not-found
+done
+
 # Helm release
 info "Uninstalling mondoo-operator Helm release..."
 helm uninstall mondoo-operator -n "${NAMESPACE}" --wait --timeout 2m 2>/dev/null || true
@@ -62,9 +70,26 @@ if [[ -n "${TARGET_KUBECONFIG_PATH:-}" && -f "${TARGET_KUBECONFIG_PATH}" ]]; the
     -n default --ignore-not-found || true
 fi
 
+# Vault (from vault external cluster tests)
+info "Uninstalling Vault Helm release..."
+helm uninstall vault -n vault --wait --timeout 2m 2>/dev/null || true
+kubectl delete namespace vault --ignore-not-found --timeout=30s 2>/dev/null || true
+
+# Clean up Vault resources in target cluster
+if [[ -n "${TARGET_KUBECONFIG_PATH:-}" && -f "${TARGET_KUBECONFIG_PATH}" ]]; then
+  info "Cleaning up Vault resources in target cluster..."
+  kubectl --kubeconfig "${TARGET_KUBECONFIG_PATH}" delete clusterrolebinding vault-secrets-engine-admin --ignore-not-found 2>/dev/null || true
+  kubectl --kubeconfig "${TARGET_KUBECONFIG_PATH}" delete namespace vault-secrets-engine --ignore-not-found 2>/dev/null || true
+  # Clean up any temporary ClusterRoleBindings created by Vault's secrets engine
+  for crb in $(kubectl --kubeconfig "${TARGET_KUBECONFIG_PATH}" get clusterrolebindings -o name 2>/dev/null | grep "v-token-" || true); do
+    kubectl --kubeconfig "${TARGET_KUBECONFIG_PATH}" delete "${crb}" --ignore-not-found 2>/dev/null || true
+  done
+fi
+
 # Helm repo
-info "Removing mondoo Helm repo..."
+info "Removing Helm repos..."
 helm repo remove mondoo 2>/dev/null || true
+helm repo remove hashicorp 2>/dev/null || true
 
 # Mirror registry resources (from registry mirroring tests)
 info "Deleting mirror-registry-creds secret..."

tests/e2e/scripts/deploy-target-workload-only.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# Copyright Mondoo, Inc. 2026
+# SPDX-License-Identifier: BUSL-1.1
+
+# Deploy a test nginx workload to the target cluster WITHOUT creating a kubeconfig
+# Secret. Used by the Vault test where auth is handled by Vault's Kubernetes
+# secrets engine instead of a static kubeconfig.
+
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${SCRIPT_DIR}/common.sh"
+
+: "${TARGET_CLUSTER_NAME:?TARGET_CLUSTER_NAME must be set}"
+: "${TARGET_KUBECONFIG_PATH:?TARGET_KUBECONFIG_PATH must be set}"
+: "${REGION:?REGION must be set}"
+: "${PROJECT_ID:?PROJECT_ID must be set}"
+
+# Refresh target cluster credentials so the kubeconfig has a fresh token
+info "Refreshing target cluster credentials..."
+KUBECONFIG="${TARGET_KUBECONFIG_PATH}" \
+  gcloud container clusters get-credentials "${TARGET_CLUSTER_NAME}" \
+  --region "${REGION}" --project "${PROJECT_ID}" --quiet
+
+info "Deploying nginx test workload to target cluster..."
+kubectl --kubeconfig "${TARGET_KUBECONFIG_PATH}" apply -f "${E2E_DIR}/manifests/nginx-workload.yaml"
+
+info "Waiting for nginx deployment on target cluster..."
+kubectl --kubeconfig "${TARGET_KUBECONFIG_PATH}" rollout status deployment/nginx-test-workload \
+  -n default --timeout=300s
+
+info "Target cluster workload deployed."