
Commit c0095ba

fix prepare-release (#1427)
* chore: update crds
* fix: update release process to generate CRDs during Helm chart build
1 parent 9698207 commit c0095ba

5 files changed

+100
-14
lines changed


.github/workflows/release.yaml

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -58,7 +58,7 @@ jobs:
5858
- name: Generate manifests and Helm chart
5959
run: |
6060
make manifests
61-
CHART_NAME=charts/mondoo-operator make helm
61+
CHART_NAME=charts/mondoo-operator make helm/crds
6262
6363
- name: Configure Git
6464
run: |
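Review bot: the step is still named "Generate manifests and Helm chart" but its last command changed from `make helm` to `make helm/crds`; confirm that the `helm/crds` target also produces the chart content that `make helm` used to produce (templates, values), or keep `make helm` and add `make helm/crds` after it, and rename the step if it now only regenerates CRDs. The Makefile target is not part of this diff, so this needs checking against the Makefile before merge.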

charts/mondoo-operator/crds/k8s.mondoo.com_mondoooperatorconfigs.yaml

Lines changed: 6 additions & 4 deletions
@@ -75,10 +75,10 @@ spec:
7575
type: array
7676
imageRegistry:
7777
description: |-
78-
ImageRegistry specifies a custom container image registry to use for all Mondoo images.
79-
This allows using a private registry mirror (e.g., artifactory.example.com/ghcr.io.docker).
80-
If set, all image references will be prefixed with this registry.
81-
Deprecated: Use RegistryMirrors for more flexible registry mapping.
78+
ImageRegistry specifies a custom container image registry prefix for all Mondoo images.
79+
Use this for simple registry mirrors where all images go to the same mirror.
80+
Example: "artifactory.example.com/ghcr.io.docker"
81+
For more complex setups with multiple source registries, use RegistryMirrors instead.
8282
type: string
8383
metrics:
8484
description: Metrics controls the enabling/disabling of metrics report
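Review bot: the removed line `Deprecated: Use RegistryMirrors for more flexible registry mapping.` un-deprecates `imageRegistry`, which is an API-contract change the commit message does not mention; if keeping the field as a supported option is intended, say so in the message. Since this CRD is generated (the release now runs `make helm/crds`), the new wording must also live in the Go type comment the generator reads, otherwise the next regeneration reverts this hunk.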
@@ -103,12 +103,14 @@ spec:
103103
type: string
104104
description: |-
105105
RegistryMirrors specifies a mapping of public registries to private mirrors.
106+
Use this when you need to map different source registries to different mirrors.
106107
The key is the public registry (e.g., "ghcr.io", "docker.io", "quay.io")
107108
and the value is the private mirror (e.g., "artifactory.example.com/ghcr.io.docker").
108109
Example:
109110
registryMirrors:
110111
ghcr.io: artifactory.example.com/ghcr.io.docker
111112
docker.io: artifactory.example.com/hub.docker.com
113+
Note: If both ImageRegistry and RegistryMirrors are set, RegistryMirrors takes precedence.
112114
type: object
113115
skipContainerResolution:
114116
description: Allows skipping Image resolution from upstream repository
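Review bot: the added note `If both ImageRegistry and RegistryMirrors are set, RegistryMirrors takes precedence.` leaves the scope open: does `imageRegistry` still apply to a source registry that has no entry in `registryMirrors`, or is it ignored entirely once the map is non-empty? Spell out the rule in one sentence that matches what the controller does (for example "a registry listed in registryMirrors uses that mirror; any other registry falls back to imageRegistry"). Precedence stated in a description is documentation only; if the combination is not meant to be supported, an `x-kubernetes-validations` rule on the spec rejecting both fields being set would enforce it at admission.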

charts/mondoo-operator/files/crds/k8s.mondoo.com_mondooauditconfigs.yaml

Lines changed: 86 additions & 4 deletions
@@ -393,7 +393,7 @@ spec:
393393
description: |-
394394
KubeconfigSecretRef references a Secret containing kubeconfig for the remote cluster.
395395
The Secret must have a key "kubeconfig" with the kubeconfig content.
396-
Mutually exclusive with ServiceAccountAuth and WorkloadIdentity.
396+
Mutually exclusive with ServiceAccountAuth, WorkloadIdentity, SPIFFEAuth, and VaultAuth.
397397
properties:
398398
name:
399399
default: ""
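Review bot: `Mutually exclusive with ServiceAccountAuth, WorkloadIdentity, SPIFFEAuth, and VaultAuth.` is enforced by the description text only; with five alternative auth blocks now under the same parent, consider an `x-kubernetes-validations` CEL rule on the parent object (the number of auth fields that are set is at most one) so an object carrying two methods is rejected by the API server instead of surfacing later as a reconcile error. The same sentence is repeated for each sibling field in the following hunks, so one rule on the parent covers all of them.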
@@ -436,7 +436,7 @@ spec:
436436
serviceAccountAuth:
437437
description: |-
438438
ServiceAccountAuth configures authentication using a service account token.
439-
Mutually exclusive with KubeconfigSecretRef and WorkloadIdentity.
439+
Mutually exclusive with KubeconfigSecretRef, WorkloadIdentity, SPIFFEAuth, and VaultAuth.
440440
properties:
441441
credentialsSecretRef:
442442
description: |-
@@ -473,7 +473,7 @@ spec:
473473
spiffeAuth:
474474
description: |-
475475
SPIFFEAuth configures SPIFFE/SPIRE-based authentication using X.509 SVIDs.
476-
Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, and WorkloadIdentity.
476+
Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, WorkloadIdentity, and VaultAuth.
477477
properties:
478478
audience:
479479
description: |-
@@ -512,10 +512,92 @@ spec:
512512
- server
513513
- trustBundleSecretRef
514514
type: object
515+
vaultAuth:
516+
description: |-
517+
VaultAuth configures HashiCorp Vault Kubernetes secrets engine for dynamic credential generation.
518+
The operator authenticates to Vault during reconciliation using its own service account token,
519+
fetches short-lived credentials, and writes a kubeconfig Secret that the CronJob mounts.
520+
Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, WorkloadIdentity, and SPIFFEAuth.
521+
properties:
522+
authPath:
523+
default: auth/kubernetes
524+
description: AuthPath is the Vault Kubernetes auth method
525+
mount path.
526+
type: string
527+
authRole:
528+
description: AuthRole is the Vault role for authenticating
529+
the pod's service account.
530+
type: string
531+
caCertSecretRef:
532+
description: |-
533+
CACertSecretRef references a Secret containing Vault's CA certificate
534+
for TLS verification. The Secret must have a key "ca.crt".
535+
properties:
536+
name:
537+
default: ""
538+
description: |-
539+
Name of the referent.
540+
This field is effectively required, but due to backwards compatibility is
541+
allowed to be empty. Instances of this type with an empty value here are
542+
almost certainly wrong.
543+
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
544+
type: string
545+
type: object
546+
x-kubernetes-map-type: atomic
547+
credsRole:
548+
description: CredsRole is the Vault role for generating
549+
target cluster credentials.
550+
type: string
551+
kubernetesNamespace:
552+
description: KubernetesNamespace is the target namespace
553+
for the generated service account token.
554+
type: string
555+
secretsPath:
556+
default: kubernetes
557+
description: SecretsPath is the Vault Kubernetes secrets
558+
engine mount path.
559+
type: string
560+
server:
561+
description: |-
562+
Server is the URL of the target Kubernetes API server.
563+
Example: "https://target-cluster.example.com:6443"
564+
pattern: ^https://.*
565+
type: string
566+
targetCACertSecretRef:
567+
description: |-
568+
TargetCACertSecretRef references a Secret containing the target cluster's
569+
CA certificate for TLS verification. The Secret must have a key "ca.crt".
570+
properties:
571+
name:
572+
default: ""
573+
description: |-
574+
Name of the referent.
575+
This field is effectively required, but due to backwards compatibility is
576+
allowed to be empty. Instances of this type with an empty value here are
577+
almost certainly wrong.
578+
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
579+
type: string
580+
type: object
581+
x-kubernetes-map-type: atomic
582+
ttl:
583+
description: TTL is the requested TTL for the generated
584+
credentials (e.g. "1h", "30m").
585+
type: string
586+
vaultAddr:
587+
description: |-
588+
VaultAddr is the address of the Vault server.
589+
Example: "https://vault.example.com:8200"
590+
type: string
591+
required:
592+
- authRole
593+
- credsRole
594+
- server
595+
- vaultAddr
596+
type: object
515597
workloadIdentity:
516598
description: |-
517599
WorkloadIdentity configures cloud-native Workload Identity Federation authentication.
518-
Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, and SPIFFEAuth.
600+
Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, SPIFFEAuth, and VaultAuth.
519601
properties:
520602
aks:
521603
description: |-
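Review bot: `vaultAddr` has no `pattern`, while `server` a few lines above is constrained with `pattern: ^https://.*`; per the description at 518+ the operator presents its own service account token to this address when logging in to Vault, so the same `^https://.*` pattern should apply to `vaultAddr` to keep that token off plaintext connections. Two smaller points in the same block: `ttl` is documented as a duration such as "1h" or "30m" but is an unconstrained string, so a pattern for the duration forms Vault accepts would catch typos before the request reaches Vault; and `kubernetesNamespace` is not listed under `required` although the description says it is the namespace for the generated token, so confirm whether a creds request works without it and, if not, add it to `required` or document the default.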

charts/mondoo-operator/files/crds/k8s.mondoo.com_mondoooperatorconfigs.yaml

Lines changed: 6 additions & 4 deletions
@@ -75,10 +75,10 @@ spec:
7575
type: array
7676
imageRegistry:
7777
description: |-
78-
ImageRegistry specifies a custom container image registry to use for all Mondoo images.
79-
This allows using a private registry mirror (e.g., artifactory.example.com/ghcr.io.docker).
80-
If set, all image references will be prefixed with this registry.
81-
Deprecated: Use RegistryMirrors for more flexible registry mapping.
78+
ImageRegistry specifies a custom container image registry prefix for all Mondoo images.
79+
Use this for simple registry mirrors where all images go to the same mirror.
80+
Example: "artifactory.example.com/ghcr.io.docker"
81+
For more complex setups with multiple source registries, use RegistryMirrors instead.
8282
type: string
8383
metrics:
8484
description: Metrics controls the enabling/disabling of metrics report
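Review bot: this file under `charts/mondoo-operator/files/crds/` receives exactly the same hunks as `charts/mondoo-operator/crds/k8s.mondoo.com_mondoooperatorconfigs.yaml` earlier in this commit, yet `k8s.mondoo.com_mondooauditconfigs.yaml` is only changed under `files/crds/`; confirm which directory `make helm/crds` writes to and whether the chart still consumes the other copy. Two hand-synchronised copies will drift, and a release could then ship CRDs that do not match the operator's Go types.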
@@ -103,12 +103,14 @@ spec:
103103
type: string
104104
description: |-
105105
RegistryMirrors specifies a mapping of public registries to private mirrors.
106+
Use this when you need to map different source registries to different mirrors.
106107
The key is the public registry (e.g., "ghcr.io", "docker.io", "quay.io")
107108
and the value is the private mirror (e.g., "artifactory.example.com/ghcr.io.docker").
108109
Example:
109110
registryMirrors:
110111
ghcr.io: artifactory.example.com/ghcr.io.docker
111112
docker.io: artifactory.example.com/hub.docker.com
113+
Note: If both ImageRegistry and RegistryMirrors are set, RegistryMirrors takes precedence.
112114
type: object
113115
skipContainerResolution:
114116
description: Allows skipping Image resolution from upstream repository

release.sh

Lines changed: 1 addition & 1 deletion
@@ -25,4 +25,4 @@ yq -i ".images[0].newTag=\"v${VERSION}\"" config/manager/kustomization.yaml
2525

2626
yq -i ".appVersion = \"${VERSION}\"" charts/mondoo-operator/Chart.yaml
2727
yq -i ".version = \"${VERSION}\"" charts/mondoo-operator/Chart.yaml
28-
CHART_NAME=charts/mondoo-operator make helm
28+
CHART_NAME=charts/mondoo-operator make helm/crds
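Review bot: this mirrors the `make helm` to `make helm/crds` change in `.github/workflows/release.yaml`, so the release procedure now lives in two places that must stay identical; consider having the workflow step call `release.sh` (or a shared make target) so a future change to the CRD generation step cannot land in one and be missed in the other.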
