Fix non-deterministic annotation ordering and add test coverage

chris-rock · claude · chris-rock · commit f4f0efab2246 · 2026-02-06T19:15:03.000+01:00
Sort annotation map keys before building CLI args to prevent spurious
Kubernetes Deployment updates caused by Go's randomized map iteration.
Add tests for annotation propagation across all scan controllers.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/controllers/container_image/resources_test.go b/controllers/container_image/resources_test.go
@@ -0,0 +1,34 @@
+// Copyright Mondoo, Inc. 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package container_image
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"go.mondoo.com/mondoo-operator/api/v1alpha2"
+)
+
+const testClusterUID = "abcdefg"
+
+func TestInventory_WithAnnotations(t *testing.T) {
+	auditConfig := v1alpha2.MondooAuditConfig{
+		ObjectMeta: metav1.ObjectMeta{Name: "mondoo-client"},
+		Spec: v1alpha2.MondooAuditConfigSpec{
+			Annotations: map[string]string{
+				"env":  "prod",
+				"team": "platform",
+			},
+		},
+	}
+
+	inv, err := Inventory("", testClusterUID, auditConfig, v1alpha2.MondooOperatorConfig{})
+	assert.NoError(t, err, "unexpected error generating inventory")
+	assert.Contains(t, inv, "env")
+	assert.Contains(t, inv, "prod")
+	assert.Contains(t, inv, "team")
+	assert.Contains(t, inv, "platform")
+}
diff --git a/controllers/k8s_scan/resources_test.go b/controllers/k8s_scan/resources_test.go
@@ -0,0 +1,57 @@
+// Copyright Mondoo, Inc. 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package k8s_scan
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"go.mondoo.com/mondoo-operator/api/v1alpha2"
+)
+
+const testClusterUID = "abcdefg"
+
+func TestInventory_WithAnnotations(t *testing.T) {
+	auditConfig := v1alpha2.MondooAuditConfig{
+		ObjectMeta: metav1.ObjectMeta{Name: "mondoo-client"},
+		Spec: v1alpha2.MondooAuditConfigSpec{
+			Annotations: map[string]string{
+				"env":  "prod",
+				"team": "platform",
+			},
+		},
+	}
+
+	inv, err := Inventory("", testClusterUID, auditConfig, v1alpha2.MondooOperatorConfig{})
+	assert.NoError(t, err, "unexpected error generating inventory")
+	assert.Contains(t, inv, "env")
+	assert.Contains(t, inv, "prod")
+	assert.Contains(t, inv, "team")
+	assert.Contains(t, inv, "platform")
+}
+
+func TestExternalClusterInventory_WithAnnotations(t *testing.T) {
+	auditConfig := v1alpha2.MondooAuditConfig{
+		ObjectMeta: metav1.ObjectMeta{Name: "mondoo-client"},
+		Spec: v1alpha2.MondooAuditConfigSpec{
+			Annotations: map[string]string{
+				"env":  "staging",
+				"team": "security",
+			},
+		},
+	}
+
+	cluster := v1alpha2.ExternalCluster{
+		Name: "remote-cluster",
+	}
+
+	inv, err := ExternalClusterInventory("", testClusterUID, cluster, auditConfig, v1alpha2.MondooOperatorConfig{})
+	assert.NoError(t, err, "unexpected error generating inventory")
+	assert.Contains(t, inv, "env")
+	assert.Contains(t, inv, "staging")
+	assert.Contains(t, inv, "team")
+	assert.Contains(t, inv, "security")
+}
diff --git a/controllers/nodes/resources_test.go b/controllers/nodes/resources_test.go
@@ -242,6 +242,25 @@ func TestInventory(t *testing.T) {
 	assert.Contains(t, inventory, integrationMRN)
 }
 
+func TestInventory_WithAnnotations(t *testing.T) {
+	auditConfig := v1alpha2.MondooAuditConfig{
+		ObjectMeta: metav1.ObjectMeta{Name: "mondoo-client"},
+		Spec: v1alpha2.MondooAuditConfigSpec{
+			Annotations: map[string]string{
+				"env":  "prod",
+				"team": "platform",
+			},
+		},
+	}
+
+	inv, err := Inventory("", testClusterUID, auditConfig)
+	assert.NoError(t, err, "unexpected error generating inventory")
+	assert.Contains(t, inv, "env")
+	assert.Contains(t, inv, "prod")
+	assert.Contains(t, inv, "team")
+	assert.Contains(t, inv, "platform")
+}
+
 func testMondooAuditConfig() *v1alpha2.MondooAuditConfig {
 	return &v1alpha2.MondooAuditConfig{
 		ObjectMeta: metav1.ObjectMeta{
diff --git a/controllers/resource_watcher/resources.go b/controllers/resource_watcher/resources.go
@@ -5,6 +5,7 @@ package resource_watcher
 
 import (
 	"fmt"
+	"sort"
 	"strings"
 	"time"
 
@@ -85,9 +86,14 @@ func Deployment(image string, m *v1alpha2.MondooAuditConfig, cfg v1alpha2.Mondoo
 		cmd = append(cmd, "--api-proxy", *cfg.Spec.HttpProxy)
 	}
 
-	// Add annotations
-	for key, value := range m.Spec.Annotations {
-		cmd = append(cmd, "--annotation", fmt.Sprintf("%s=%s", key, value))
+	// Add annotations (sorted for deterministic ordering)
+	annotationKeys := make([]string, 0, len(m.Spec.Annotations))
+	for k := range m.Spec.Annotations {
+		annotationKeys = append(annotationKeys, k)
+	}
+	sort.Strings(annotationKeys)
+	for _, key := range annotationKeys {
+		cmd = append(cmd, "--annotation", fmt.Sprintf("%s=%s", key, m.Spec.Annotations[key]))
 	}
 
 	envVars := feature_flags.AllFeatureFlagsAsEnv()
diff --git a/controllers/resource_watcher/resources_test.go b/controllers/resource_watcher/resources_test.go
@@ -234,6 +234,39 @@ func TestDeployment_WatchAllResources(t *testing.T) {
 	assert.Contains(t, cmdStr, "--watch-all-resources")
 }
 
+func TestDeployment_WithAnnotations(t *testing.T) {
+	config := &v1alpha2.MondooAuditConfig{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "my-config",
+			Namespace: "mondoo-operator",
+		},
+		Spec: v1alpha2.MondooAuditConfigSpec{
+			KubernetesResources: v1alpha2.KubernetesResources{
+				Enable: true,
+				ResourceWatcher: v1alpha2.ResourceWatcherSpec{
+					Enable: true,
+				},
+			},
+			Annotations: map[string]string{
+				"env":  "prod",
+				"team": "platform",
+			},
+		},
+	}
+
+	operatorConfig := v1alpha2.MondooOperatorConfig{}
+
+	deployment := Deployment("ghcr.io/mondoohq/cnspec:latest", config, operatorConfig)
+
+	container := deployment.Spec.Template.Spec.Containers[0]
+	cmdStr := ""
+	for _, c := range container.Command {
+		cmdStr += c + " "
+	}
+	assert.Contains(t, cmdStr, "--annotation env=prod")
+	assert.Contains(t, cmdStr, "--annotation team=platform")
+}
+
 func TestDeployment_HighPriorityByDefault(t *testing.T) {
 	config := &v1alpha2.MondooAuditConfig{
 		ObjectMeta: metav1.ObjectMeta{
diff --git a/controllers/resource_watcher/scanner.go b/controllers/resource_watcher/scanner.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"sort"
 	"time"
 
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -80,9 +81,14 @@ func (s *Scanner) ScanManifests(ctx context.Context, manifests []byte) error {
 	if s.config.APIProxy != "" {
 		cnspecArgs = append(cnspecArgs, "--api-proxy", s.config.APIProxy)
 	}
-	// Add annotations as command-line arguments
-	for key, value := range s.config.Annotations {
-		cnspecArgs = append(cnspecArgs, "--annotation", fmt.Sprintf("%s=%s", key, value))
+	// Add annotations as command-line arguments (sorted for deterministic ordering)
+	annotationKeys := make([]string, 0, len(s.config.Annotations))
+	for k := range s.config.Annotations {
+		annotationKeys = append(annotationKeys, k)
+	}
+	sort.Strings(annotationKeys)
+	for _, key := range annotationKeys {
+		cnspecArgs = append(cnspecArgs, "--annotation", fmt.Sprintf("%s=%s", key, s.config.Annotations[key]))
 	}
 
 	// Create context with timeout
