feat: replace VaultAuth init container with operator-side vault-client-go

Instead of running a hashicorp/vault init container with shell scripts,
the operator now fetches credentials from Vault during reconciliation
using vault-client-go and writes a kubeconfig Secret that the CronJob
mounts directly. This removes the need for the Vault image, init
containers, and a separate ServiceAccount for Vault auth.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: chris-rock

api/v1alpha2/mondooauditconfig_types.go

@@ -169,10 +169,17 @@ type ExternalCluster struct {
 	WorkloadIdentity *WorkloadIdentityConfig `json:"workloadIdentity,omitempty"`
 
 	// SPIFFEAuth configures SPIFFE/SPIRE-based authentication using X.509 SVIDs.
-	// Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, and WorkloadIdentity.
+	// Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, WorkloadIdentity, and VaultAuth.
 	// +optional
 	SPIFFEAuth *SPIFFEAuthConfig `json:"spiffeAuth,omitempty"`
 
+	// VaultAuth configures HashiCorp Vault Kubernetes secrets engine for dynamic credential generation.
+	// The operator authenticates to Vault during reconciliation using its own service account token,
+	// fetches short-lived credentials, and writes a kubeconfig Secret that the CronJob mounts.
+	// Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, WorkloadIdentity, and SPIFFEAuth.
+	// +optional
+	VaultAuth *VaultAuthConfig `json:"vaultAuth,omitempty"`
+
 	// Schedule overrides the default schedule for this cluster (optional).
 	// If not specified, uses the schedule from KubernetesResources.Schedule.
 	// +optional
@@ -329,6 +336,57 @@ type SPIFFEAuthConfig struct {
 	Audience string `json:"audience,omitempty"`
 }
 
+// VaultAuthConfig configures HashiCorp Vault's Kubernetes secrets engine
+// for dynamically generating short-lived service account tokens to scan external clusters.
+type VaultAuthConfig struct {
+	// Server is the URL of the target Kubernetes API server.
+	// Example: "https://target-cluster.example.com:6443"
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Pattern=`^https://.*`
+	Server string `json:"server"`
+
+	// VaultAddr is the address of the Vault server.
+	// Example: "https://vault.example.com:8200"
+	// +kubebuilder:validation:Required
+	VaultAddr string `json:"vaultAddr"`
+
+	// AuthPath is the Vault Kubernetes auth method mount path.
+	// +optional
+	// +kubebuilder:default="auth/kubernetes"
+	AuthPath string `json:"authPath,omitempty"`
+
+	// AuthRole is the Vault role for authenticating the pod's service account.
+	// +kubebuilder:validation:Required
+	AuthRole string `json:"authRole"`
+
+	// SecretsPath is the Vault Kubernetes secrets engine mount path.
+	// +optional
+	// +kubebuilder:default="kubernetes"
+	SecretsPath string `json:"secretsPath,omitempty"`
+
+	// CredsRole is the Vault role for generating target cluster credentials.
+	// +kubebuilder:validation:Required
+	CredsRole string `json:"credsRole"`
+
+	// KubernetesNamespace is the target namespace for the generated service account token.
+	// +optional
+	KubernetesNamespace string `json:"kubernetesNamespace,omitempty"`
+
+	// TTL is the requested TTL for the generated credentials (e.g. "1h", "30m").
+	// +optional
+	TTL string `json:"ttl,omitempty"`
+
+	// CACertSecretRef references a Secret containing Vault's CA certificate
+	// for TLS verification. The Secret must have a key "ca.crt".
+	// +optional
+	CACertSecretRef *corev1.LocalObjectReference `json:"caCertSecretRef,omitempty"`
+
+	// TargetCACertSecretRef references a Secret containing the target cluster's
+	// CA certificate for TLS verification. The Secret must have a key "ca.crt".
+	// +optional
+	TargetCACertSecretRef *corev1.LocalObjectReference `json:"targetCACertSecretRef,omitempty"`
+}
+
 // NodeScanStyle specifies the scan style for nodes
 type NodeScanStyle string
 

api/v1alpha2/zz_generated.deepcopy.go

@@ -473,7 +473,7 @@ spec:
                         spiffeAuth:
                           description: |-
                             SPIFFEAuth configures SPIFFE/SPIRE-based authentication using X.509 SVIDs.
-                            Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, and WorkloadIdentity.
+                            Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, WorkloadIdentity, and VaultAuth.
                           properties:
                             audience:
                               description: |-
@@ -512,6 +512,88 @@ spec:
                           - server
                           - trustBundleSecretRef
                           type: object
+                        vaultAuth:
+                          description: |-
+                            VaultAuth configures HashiCorp Vault Kubernetes secrets engine for dynamic credential generation.
+                            The operator authenticates to Vault during reconciliation using its own service account token,
+                            fetches short-lived credentials, and writes a kubeconfig Secret that the CronJob mounts.
+                            Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, WorkloadIdentity, and SPIFFEAuth.
+                          properties:
+                            authPath:
+                              default: auth/kubernetes
+                              description: AuthPath is the Vault Kubernetes auth method
+                                mount path.
+                              type: string
+                            authRole:
+                              description: AuthRole is the Vault role for authenticating
+                                the pod's service account.
+                              type: string
+                            caCertSecretRef:
+                              description: |-
+                                CACertSecretRef references a Secret containing Vault's CA certificate
+                                for TLS verification. The Secret must have a key "ca.crt".
+                              properties:
+                                name:
+                                  default: ""
+                                  description: |-
+                                    Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                  type: string
+                              type: object
+                              x-kubernetes-map-type: atomic
+                            credsRole:
+                              description: CredsRole is the Vault role for generating
+                                target cluster credentials.
+                              type: string
+                            kubernetesNamespace:
+                              description: KubernetesNamespace is the target namespace
+                                for the generated service account token.
+                              type: string
+                            secretsPath:
+                              default: kubernetes
+                              description: SecretsPath is the Vault Kubernetes secrets
+                                engine mount path.
+                              type: string
+                            server:
+                              description: |-
+                                Server is the URL of the target Kubernetes API server.
+                                Example: "https://target-cluster.example.com:6443"
+                              pattern: ^https://.*
+                              type: string
+                            targetCACertSecretRef:
+                              description: |-
+                                TargetCACertSecretRef references a Secret containing the target cluster's
+                                CA certificate for TLS verification. The Secret must have a key "ca.crt".
+                              properties:
+                                name:
+                                  default: ""
+                                  description: |-
+                                    Name of the referent.
+                                    This field is effectively required, but due to backwards compatibility is
+                                    allowed to be empty. Instances of this type with an empty value here are
+                                    almost certainly wrong.
+                                    More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                                  type: string
+                              type: object
+                              x-kubernetes-map-type: atomic
+                            ttl:
+                              description: TTL is the requested TTL for the generated
+                                credentials (e.g. "1h", "30m").
+                              type: string
+                            vaultAddr:
+                              description: |-
+                                VaultAddr is the address of the Vault server.
+                                Example: "https://vault.example.com:8200"
+                              type: string
+                          required:
+                          - authRole
+                          - credsRole
+                          - server
+                          - vaultAddr
+                          type: object
                         workloadIdentity:
                           description: |-
                             WorkloadIdentity configures cloud-native Workload Identity Federation authentication.

config/crd/bases/k8s.mondoo.com_mondooauditconfigs.yaml

@@ -35,6 +35,7 @@ rules:
   - create
   - delete
   - get
+  - update
 - apiGroups:
   - ""
   resources: