feat: implement Vault credential refresh logic and update user manual

slntopp · slntopp · commit 997b05ad6a90 · 2026-03-13T14:33:19.000+01:00
diff --git a/controllers/k8s_scan/deployment_handler.go b/controllers/k8s_scan/deployment_handler.go
@@ -178,7 +178,21 @@ func (n *DeploymentHandler) Reconcile(ctx context.Context) (ctrl.Result, error)
 		}
 	}
 
-	return ctrl.Result{}, nil
+	// If any external cluster uses VaultAuth, request an earlier requeue so the
+	// operator refreshes Vault credentials before they expire. Default to half
+	// the requested TTL, with a floor of 10 minutes and a ceiling of 1 hour.
+	result := ctrl.Result{}
+	for i := range n.Mondoo.Spec.KubernetesResources.ExternalClusters {
+		cluster := &n.Mondoo.Spec.KubernetesResources.ExternalClusters[i]
+		if cluster.VaultAuth != nil {
+			requeue := vaultRequeueInterval(cluster.VaultAuth.TTL)
+			if result.RequeueAfter == 0 || requeue < result.RequeueAfter {
+				result.RequeueAfter = requeue
+			}
+		}
+	}
+
+	return result, nil
 }
 
 func (n *DeploymentHandler) syncCronJob(ctx context.Context) error {
diff --git a/controllers/k8s_scan/deployment_handler_test.go b/controllers/k8s_scan/deployment_handler_test.go
@@ -500,7 +500,7 @@ func (s *DeploymentHandlerSuite) TestReconcile_ExternalCluster_VaultAuth() {
 
 	result, err := d.Reconcile(s.ctx)
 	s.NoError(err)
-	s.True(result.IsZero())
+	s.Equal(30*time.Minute, result.RequeueAfter, "should requeue at default interval when no TTL is set")
 
 	// Verify kubeconfig Secret was created
 	kubeconfigSecret := &corev1.Secret{}
@@ -599,7 +599,7 @@ func (s *DeploymentHandlerSuite) TestReconcile_ExternalCluster_VaultAuth_WithCAC
 
 	result, err := d.Reconcile(s.ctx)
 	s.NoError(err)
-	s.True(result.IsZero())
+	s.Equal(30*time.Minute, result.RequeueAfter, "should requeue at default interval when no TTL is set")
 
 	// Verify mock received the Vault CA cert bytes
 	s.Equal([]byte("-----BEGIN CERTIFICATE-----\nvault-ca\n-----END CERTIFICATE-----"), receivedVaultCA)
@@ -758,7 +758,7 @@ func (s *DeploymentHandlerSuite) createDeploymentHandlerWithVaultMock(vaultFetch
 		MondooOperatorConfig:   &mondoov1alpha2.MondooOperatorConfig{},
 		MondooClientBuilder:    mondooclient.NewClient,
 		VaultTokenFetcher:      vaultFetcher,
-		SATokenPath:            tmpFile.Name(),
+		SATokenPath:            tmpName,
 	}
 }
 
diff --git a/controllers/k8s_scan/vault.go b/controllers/k8s_scan/vault.go
@@ -8,6 +8,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"strings"
+	"time"
 
 	vault "github.com/hashicorp/vault-client-go"
 	"github.com/hashicorp/vault-client-go/schema"
@@ -93,6 +94,35 @@ func DefaultVaultTokenFetcher(ctx context.Context, saToken string, config v1alph
 	return token, nil
 }
 
+// vaultRequeueInterval calculates a reconcile requeue interval based on the Vault TTL.
+// It targets half the TTL so credentials are refreshed well before expiry, with a
+// floor of 10 minutes and a ceiling of 1 hour.
+func vaultRequeueInterval(ttl string) time.Duration {
+	const (
+		minInterval     = 10 * time.Minute
+		maxInterval     = 1 * time.Hour
+		defaultInterval = 30 * time.Minute
+	)
+
+	if ttl == "" {
+		return defaultInterval
+	}
+
+	d, err := time.ParseDuration(ttl)
+	if err != nil {
+		return defaultInterval
+	}
+
+	half := d / 2
+	if half < minInterval {
+		return minInterval
+	}
+	if half > maxInterval {
+		return maxInterval
+	}
+	return half
+}
+
 // VaultKubeconfigSecretName returns the name for the Vault kubeconfig Secret.
 func VaultKubeconfigSecretName(prefix, clusterName string) string {
 	return fmt.Sprintf("%s-vault-kubeconfig-%s", prefix, clusterName)
@@ -126,7 +156,7 @@ current-context: default
 users:
 - name: vault
   user:
-    token: %s
+    token: "%s"
 `, clusterConfig, token)
 }
 
diff --git a/docs/user-manual.md b/docs/user-manual.md
@@ -453,7 +453,7 @@ externalClusters:
 
 > **Note: Credential refresh timing**
 >
-> Vault credentials are refreshed each time the operator reconciles (typically every 7 days, or when configuration changes). Ensure the requested TTL is longer than the operator's reconcile interval. If you need more frequent credential rotation, consider adjusting the operator's reconcile schedule.
+> When VaultAuth is configured, the operator automatically reconciles at half the requested TTL (clamped between 10 minutes and 1 hour) to refresh credentials before they expire. For example, a `ttl: "1h"` results in a 30-minute refresh interval. If no TTL is specified, the operator defaults to refreshing every 30 minutes.
 
 ## Container Image Scanning
 

Original file line number	Diff line number	Diff line change
`@@ -453,7 +453,7 @@ externalClusters:`
`453`	`453`
`454`	`454`	`> Note: Credential refresh timing`
`455`	`455`	`>`
`456`		`-> Vault credentials are refreshed each time the operator reconciles (typically every 7 days, or when configuration changes). Ensure the requested TTL is longer than the operator's reconcile interval. If you need more frequent credential rotation, consider adjusting the operator's reconcile schedule.`
	`456`	+> When VaultAuth is configured, the operator automatically reconciles at half the requested TTL (clamped between 10 minutes and 1 hour) to refresh credentials before they expire. For example, a `ttl: "1h"` results in a 30-minute refresh interval. If no TTL is specified, the operator defaults to refreshing every 30 minutes.
`457`	`457`
`458`	`458`	`## Container Image Scanning`
`459`	`459`