✨ add spaceId support for MondooAuditConfig to route assets to specific spaces (#1464)

- Introduced `spaceId` field in `MondooAuditConfig` CRD to allow routing of scanned assets to a specified Mondoo space, enabling the use of org-level service accounts across multiple spaces.
- Updated sample configurations and documentation to reflect the new `spaceId` functionality.
- Modified controller logic to create derived Secrets with injected `scope_mrn` when `spaceId` is set.
- Enhanced tests to cover new functionality, including the creation and verification of derived Secrets.
- Added end-to-end tests for space splitting scenarios, ensuring correct routing of assets to designated spaces.

✨ clean up leftover override secrets when spaceId is removed and add warning for space-scoped service accounts

✨ enhance SyncConfigOverrideSecret to handle deletion errors and improve comments for clarity

✨ remove ownership of Secrets in MondooAuditConfig reconciler setup

Author: slntopp

.gitignore

@@ -67,3 +67,6 @@ tests/e2e/**/kubeconfig
 tests/e2e/**/kubeconfig-target
 tests/e2e/**/gke_gcloud_auth_plugin_cache
 tests/e2e/**/mondoo.json
+
+# macOS
+.DS_Store

api/v1alpha2/mondooauditconfig_types.go

@@ -29,6 +29,13 @@ type MondooAuditConfigSpec struct {
 	Filtering           Filtering           `json:"filtering,omitempty"`
 	Containers          Containers          `json:"containers,omitempty"`
 
+	// SpaceID optionally specifies the target Mondoo space for asset routing.
+	// When set, scanned assets are sent to this space instead of the space
+	// associated with the service account credentials. This allows using an
+	// org-level service account across multiple spaces.
+	// +optional
+	SpaceID string `json:"spaceId,omitempty"`
+
 	// Annotations allows adding custom annotations to all scanned assets. These key-value pairs
 	// will be attached to every asset discovered by the operator, making them searchable
 	// and filterable in the Mondoo Console.

charts/mondoo-operator/crds/k8s.mondoo.com_mondooauditconfigs.yaml

@@ -1312,6 +1312,13 @@ spec:
                     default: mondoo-operator-k8s-resources-scanning
                     type: string
                 type: object
+              spaceId:
+                description: |-
+                  SpaceID optionally specifies the target Mondoo space for asset routing.
+                  When set, scanned assets are sent to this space instead of the space
+                  associated with the service account credentials. This allows using an
+                  org-level service account across multiple spaces.
+                type: string
             required:
             - mondooCredsSecretRef
             type: object

charts/mondoo-operator/crds/k8s.mondoo.com_mondoooperatorconfigs.yaml

@@ -93,6 +93,13 @@ spec:
                       ResourceLabels allows providing a list of extra labels to apply to the metrics-related
                       resources (eg. ServiceMonitor)
                     type: object
+                  secureMetrics:
+                    description: |-
+                      SecureMetrics enables authentication and authorization on the metrics endpoint
+                      using controller-runtime's built-in TLS and RBAC-based auth.
+                      When enabled, metrics are served over HTTPS on port 8443 with token-based auth.
+                      When disabled, metrics are served over HTTP on port 8080 without auth.
+                    type: boolean
                 type: object
               noProxy:
                 description: NoProxy specifies a comma-separated list of hosts that

charts/mondoo-operator/files/crds/k8s.mondoo.com_mondooauditconfigs.yaml

@@ -1312,6 +1312,13 @@ spec:
                     default: mondoo-operator-k8s-resources-scanning
                     type: string
                 type: object
+              spaceId:
+                description: |-
+                  SpaceID optionally specifies the target Mondoo space for asset routing.
+                  When set, scanned assets are sent to this space instead of the space
+                  associated with the service account credentials. This allows using an
+                  org-level service account across multiple spaces.
+                type: string
             required:
             - mondooCredsSecretRef
             type: object

charts/mondoo-operator/templates/manager-rbac.yaml

@@ -36,6 +36,7 @@ rules:
   - create
   - delete
   - get
+  - update
 - apiGroups:
   - ""
   resources:

cmd/mondoo-operator/garbage_collect/cmd.go

@@ -30,6 +30,7 @@ func init() {
 	filterPlatformRuntime := Cmd.Flags().String("filter-platform-runtime", "", "Cleanup assets by an asset's PlatformRuntime (k8s-cluster or docker-image).")
 	filterManagedBy := Cmd.Flags().String("filter-managed-by", "", "Cleanup assets with matching ManagedBy field.")
 	filterOlderThan := Cmd.Flags().String("filter-older-than", "", "Cleanup assets which have not been updated in over the time provided (eg 12m or 48h or anything time.ParseDuration() accepts).")
+	spaceMrnOverride := Cmd.Flags().String("space-mrn", "", "Override the space MRN for garbage collection (used when spaceId is set in MondooAuditConfig).")
 	Cmd.RunE = func(cmd *cobra.Command, args []string) error {
 		log.SetLogger(logger.NewLogger())
 		logger := log.Log.WithName("garbage-collect")
@@ -77,9 +78,12 @@ func init() {
 			return fmt.Errorf("no filters provided to garbage collect by")
 		}
 
-		spaceMrn := serviceAccount.SpaceMrn
+		spaceMrn := *spaceMrnOverride
 		if spaceMrn == "" {
-			spaceMrn = mondoo.SpaceMrnFromServiceAccountMrn(serviceAccount.Mrn)
+			spaceMrn = serviceAccount.SpaceMrn
+			if spaceMrn == "" {
+				spaceMrn = mondoo.SpaceMrnFromServiceAccountMrn(serviceAccount.Mrn)
+			}
 		}
 		return GarbageCollectCmd(ctx, client, spaceMrn, *filterPlatformRuntime, *filterOlderThan, *filterManagedBy, logger)
 	}

config/crd/bases/k8s.mondoo.com_mondooauditconfigs.yaml

@@ -1312,6 +1312,13 @@ spec:
                     default: mondoo-operator-k8s-resources-scanning
                     type: string
                 type: object
+              spaceId:
+                description: |-
+                  SpaceID optionally specifies the target Mondoo space for asset routing.
+                  When set, scanned assets are sent to this space instead of the space
+                  associated with the service account credentials. This allows using an
+                  org-level service account across multiple spaces.
+                type: string
             required:
             - mondooCredsSecretRef
             type: object

config/samples/k8s_v1alpha2_mondooauditconfig.yaml

@@ -8,10 +8,18 @@ metadata:
   name: mondoo-client
   namespace: mondoo-operator
 spec:
-  # Required: Reference to secret containing Mondoo service account credentials
+  # Required: Reference to secret containing Mondoo service account credentials.
+  # Can be a space-level or org-level service account.
   mondooCredsSecretRef:
     name: mondoo-client
 
+  # Optional: Route scanned assets to a specific Mondoo space.
+  # When set, the operator injects the target space into the scanner config,
+  # overriding the space derived from the service account credentials.
+  # This enables using a single org-level service account across multiple
+  # MondooAuditConfigs, each targeting a different space.
+  # spaceId: "your-space-1234"
+
   # Optional: Reference to secret containing a Mondoo registration token
   # If provided and mondooCredsSecretRef secret doesn't exist, the operator
   # will exchange this token for a service account

controllers/container_image/resources.go

@@ -140,7 +140,7 @@ func CronJob(image, integrationMrn, clusterUid, privateRegistrySecretName string
 												},
 												{
 													Secret: &corev1.SecretProjection{
-														LocalObjectReference: m.Spec.MondooCredsSecretRef,
+														LocalObjectReference: k8s.ConfigSecretRef(*m),
 														Items: []corev1.KeyToPath{{
 															Key:  "config",
 															Path: "mondoo.yml",