🐛 Add tests for ImagePullSecrets handling in CronJob, Deployment, and DaemonSet updates

Author: slntopp

pkg/utils/k8s/update_fields_test.go

@@ -0,0 +1,125 @@
+// Copyright Mondoo, Inc. 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package k8s
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	appsv1 "k8s.io/api/apps/v1"
+	batchv1 "k8s.io/api/batch/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestUpdateCronJobFields_ImagePullSecrets(t *testing.T) {
+	desired := &batchv1.CronJob{
+		Spec: batchv1.CronJobSpec{
+			Schedule: "*/5 * * * *",
+			JobTemplate: batchv1.JobTemplateSpec{
+				Spec: batchv1.JobSpec{
+					Template: corev1.PodTemplateSpec{
+						Spec: corev1.PodSpec{
+							Containers: []corev1.Container{{Name: "test", Image: "test:latest"}},
+							ImagePullSecrets: []corev1.LocalObjectReference{
+								{Name: "my-secret"},
+								{Name: "another-secret"},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	obj := &batchv1.CronJob{}
+	UpdateCronJobFields(obj, desired)
+
+	assert.Equal(t, desired.Spec.Schedule, obj.Spec.Schedule)
+	assert.Equal(t, desired.Spec.JobTemplate.Spec.Template.Spec.Containers, obj.Spec.JobTemplate.Spec.Template.Spec.Containers)
+	assert.Equal(t, desired.Spec.JobTemplate.Spec.Template.Spec.ImagePullSecrets, obj.Spec.JobTemplate.Spec.Template.Spec.ImagePullSecrets)
+}
+
+func TestUpdateCronJobFields_PreservesUnmanagedFields(t *testing.T) {
+	obj := &batchv1.CronJob{
+		Spec: batchv1.CronJobSpec{
+			JobTemplate: batchv1.JobTemplateSpec{
+				Spec: batchv1.JobSpec{
+					Template: corev1.PodTemplateSpec{
+						Spec: corev1.PodSpec{
+							DNSPolicy:     corev1.DNSClusterFirst,
+							SchedulerName: "custom-scheduler",
+						},
+					},
+				},
+			},
+		},
+	}
+
+	desired := &batchv1.CronJob{
+		ObjectMeta: metav1.ObjectMeta{Labels: map[string]string{"app": "test"}},
+		Spec: batchv1.CronJobSpec{
+			Schedule: "*/10 * * * *",
+			JobTemplate: batchv1.JobTemplateSpec{
+				Spec: batchv1.JobSpec{
+					Template: corev1.PodTemplateSpec{
+						Spec: corev1.PodSpec{
+							Containers: []corev1.Container{{Name: "test"}},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	UpdateCronJobFields(obj, desired)
+
+	// Managed fields are updated
+	assert.Equal(t, "*/10 * * * *", obj.Spec.Schedule)
+	// Unmanaged fields are preserved
+	assert.Equal(t, corev1.DNSClusterFirst, obj.Spec.JobTemplate.Spec.Template.Spec.DNSPolicy)
+	assert.Equal(t, "custom-scheduler", obj.Spec.JobTemplate.Spec.Template.Spec.SchedulerName)
+}
+
+func TestUpdateDeploymentFields_ImagePullSecrets(t *testing.T) {
+	desired := &appsv1.Deployment{
+		Spec: appsv1.DeploymentSpec{
+			Template: corev1.PodTemplateSpec{
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{{Name: "test", Image: "test:latest"}},
+					ImagePullSecrets: []corev1.LocalObjectReference{
+						{Name: "my-secret"},
+					},
+				},
+			},
+		},
+	}
+
+	obj := &appsv1.Deployment{}
+	UpdateDeploymentFields(obj, desired)
+
+	assert.Equal(t, desired.Spec.Template.Spec.ImagePullSecrets, obj.Spec.Template.Spec.ImagePullSecrets)
+	assert.Equal(t, desired.Spec.Template.Spec.Containers, obj.Spec.Template.Spec.Containers)
+}
+
+func TestUpdateDaemonSetFields_ImagePullSecrets(t *testing.T) {
+	desired := &appsv1.DaemonSet{
+		Spec: appsv1.DaemonSetSpec{
+			Template: corev1.PodTemplateSpec{
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{{Name: "test", Image: "test:latest"}},
+					ImagePullSecrets: []corev1.LocalObjectReference{
+						{Name: "my-secret"},
+					},
+				},
+			},
+		},
+	}
+
+	obj := &appsv1.DaemonSet{}
+	UpdateDaemonSetFields(obj, desired)
+
+	assert.Equal(t, desired.Spec.Template.Spec.ImagePullSecrets, obj.Spec.Template.Spec.ImagePullSecrets)
+	assert.Equal(t, desired.Spec.Template.Spec.Containers, obj.Spec.Template.Spec.Containers)
+}

tests/e2e/scripts/deploy-operator-mirroring.sh

@@ -45,7 +45,7 @@ fi
 # Generate values override file
 # Using a file avoids Helm --set escaping issues with dots in registry mirror keys
 VALUES_FILE=$(mktemp /tmp/mondoo-mirror-values-XXXXXX.yaml)
-trap "rm -f ${VALUES_FILE}" EXIT
+trap 'rm -f "${VALUES_FILE}"' EXIT
 
 cat > "${VALUES_FILE}" <<EOF
 operator:

tests/e2e/scripts/verify-mirroring.sh

@@ -90,11 +90,11 @@ if [[ "${ENABLE_PROXY_TEST}" == "true" && -n "${SQUID_PROXY_IP}" ]]; then
   SQUID_INSTANCE="${NAME_PREFIX:-mondoo-e2e}-squid-proxy"
 
   check_warn "Squid proxy shows access log traffic" \
-    bash -c "gcloud compute ssh '${SQUID_INSTANCE}' --zone='${SQUID_ZONE}' --project='${PROJECT_ID}' --command='sudo tail -20 /var/log/squid/access.log' 2>/dev/null | grep -q ."
+    bash -c "gcloud compute ssh '${SQUID_INSTANCE}' --zone='${SQUID_ZONE}' --project='${PROJECT_ID}' --tunnel-through-iap --command='sudo tail -20 /var/log/squid/access.log' 2>/dev/null | grep -q ."
 
   info "Squid access log (last 20 lines):"
   gcloud compute ssh "${SQUID_INSTANCE}" --zone="${SQUID_ZONE}" --project="${PROJECT_ID}" \
-    --command="sudo tail -20 /var/log/squid/access.log" 2>/dev/null || warn "Could not retrieve Squid logs"
+    --tunnel-through-iap --command="sudo tail -20 /var/log/squid/access.log" 2>/dev/null || warn "Could not retrieve Squid logs"
 else
   info ""
   info "--- Proxy checks skipped (enable_proxy_test != true) ---"

tests/e2e/terraform/proxy.tf

@@ -8,6 +8,13 @@
 resource "google_compute_instance" "squid_proxy" {
   count = var.enable_proxy_test ? 1 : 0
 
+  lifecycle {
+    precondition {
+      condition     = var.enable_mirror_test
+      error_message = "enable_proxy_test requires enable_mirror_test to also be true."
+    }
+  }
+
   name         = "${local.name_prefix}-squid-proxy"
   project      = var.project_id
   zone         = "${var.region}-a"
@@ -21,7 +28,7 @@ resource "google_compute_instance" "squid_proxy" {
 
   network_interface {
     network = "default"
-    access_config {} # Ephemeral public IP for SSH access
+    # No access_config — use IAP tunneling for SSH instead of a public IP
   }
 
   metadata_startup_script = <<-SCRIPT
@@ -74,10 +81,10 @@ resource "google_compute_firewall" "allow_squid" {
   target_tags   = ["squid-proxy"]
 }
 
-resource "google_compute_firewall" "allow_squid_ssh" {
+resource "google_compute_firewall" "allow_squid_iap_ssh" {
   count = var.enable_proxy_test ? 1 : 0
 
-  name    = "${local.name_prefix}-allow-squid-ssh"
+  name    = "${local.name_prefix}-allow-squid-iap-ssh"
   project = var.project_id
   network = "default"
 
@@ -86,6 +93,7 @@ resource "google_compute_firewall" "allow_squid_ssh" {
     ports    = ["22"]
   }
 
-  source_ranges = ["0.0.0.0/0"]
+  # IAP's IP range for TCP forwarding
+  source_ranges = ["35.235.240.0/20"]
   target_tags   = ["squid-proxy"]
 }

tests/e2e/terraform/terraform.example.tfvars

@@ -8,4 +8,4 @@ autopilot     = true
 # Set to true to provision a mirror AR repo for registry mirroring/imagePullSecrets tests
 enable_mirror_test = false
 # Set to true to also provision a Squid proxy VM for proxy tests (requires enable_mirror_test)
-enable_proxy_test = false
+enable_proxy_test  = false