Merged
1 change: 1 addition & 0 deletions .github/actions/spelling/expect.txt
@@ -16,6 +16,7 @@ psat
rolearn
selfsigned
servicemonitors
SResources
spiffe
SVIDs
tekton
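Review bot: `SResources` is added to the spelling allow-list only because the checker splits the camelCase key `k8SResourcesScanning` (used in the README and values.yaml of this PR) at the capital `S`, so the exception is for a meaningless fragment rather than a real word. If the key name is fixed by the chart's existing API this is the right fix; if it can still be renamed (e.g. to `k8sResourcesScanning`), that would avoid the exception altogether.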
17 changes: 17 additions & 0 deletions Makefile
@@ -377,6 +377,23 @@ helm/lint: ## Lint the Helm chart using chart-testing (ct).
helm/template: ## Render Helm chart templates for debugging.
helm template test charts/mondoo-operator

README_GENERATOR_DIR = $(LOCALBIN)/readme-generator-for-helm
README_GENERATOR = $(README_GENERATOR_DIR)/bin/index.js

.PHONY: helm/docs
helm/docs: $(README_GENERATOR) ## Generate Helm chart README from values.yaml annotations.
node $(README_GENERATOR) \
--values charts/mondoo-operator/values.yaml \
--readme charts/mondoo-operator/README.md

$(README_GENERATOR): $(LOCALBIN)
@if [ ! -f $(README_GENERATOR) ]; then \
echo "Installing readme-generator-for-helm..."; \
rm -rf $(README_GENERATOR_DIR); \
git clone --depth 1 https://github.com/bitnami/readme-generator-for-helm.git $(README_GENERATOR_DIR); \
cd $(README_GENERATOR_DIR) && npm install --production; \
fi

# Install prettier gloablly via
# yarn global add prettier --prefix /usr/local
.PHONY: fmt/docs
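Review bot: the `$(README_GENERATOR)` target clones an unpinned default branch of `bitnami/readme-generator-for-helm` and then runs `npm install`, which executes whatever that repository and its dependency tree resolve to at the moment `make helm/docs` runs, on every developer machine and CI runner, with no commit pin or checksum. Pin it, for example `git clone --depth 1 --branch <tag> ...` followed by `git -C $(README_GENERATOR_DIR) checkout <sha>`, and install with `npm ci --omit=dev` so the upstream lockfile is honoured (`--omit=dev` is the current spelling of `--production`). Note also that the `if [ ! -f $(README_GENERATOR) ]` guard means a later pin bump will not refresh an existing clone; keying the target on a version stamp file would fix that. Finally, nothing here checks that the committed `charts/mondoo-operator/README.md` matches the annotations; a CI step that runs `make helm/docs` and fails on `git diff --exit-code` would keep the two from drifting.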
88 changes: 88 additions & 0 deletions charts/mondoo-operator/README.md
@@ -0,0 +1,88 @@
# Mondoo Operator Helm Chart

The Mondoo Operator provides a Kubernetes-native way to deploy and manage [Mondoo](https://mondoo.com) security scanning in your clusters.

## Prerequisites

- Kubernetes 1.26+
- Helm 3.x

## Installation

### Add the Helm repository

```bash
helm repo add mondoo https://mondoohq.github.io/mondoo-operator
helm repo update
```

### Install the chart

```bash
helm install mondoo-operator mondoo/mondoo-operator --namespace mondoo-operator --create-namespace
```

### Uninstall the chart

```bash
helm uninstall mondoo-operator --namespace mondoo-operator
```

## Parameters

### Controller Manager Configuration

| Name | Description | Value |
| ---------------------------------------------------- | --------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- |
| `controllerManager.manager.args` | Command-line arguments passed to the operator manager container | `["operator","--health-probe-bind-address=:8081","--metrics-bind-address=:8080","--leader-elect"]` |
| `controllerManager.manager.containerSecurityContext` | Security context for the manager container | `{}` |
| `controllerManager.manager.image.repository` | Container image repository for the operator | `ghcr.io/mondoohq/mondoo-operator` |
| `controllerManager.manager.image.tag` | Container image tag for the operator | `v12.0.1` |
| `controllerManager.manager.imagePullPolicy` | Image pull policy for the operator container | `IfNotPresent` |
| `controllerManager.manager.resources` | Resource requests and limits for the manager container | `{}` |
| `controllerManager.podSecurityContext` | Pod-level security context for the controller manager | `{}` |
| `controllerManager.replicas` | Number of controller manager replicas | `1` |
| `controllerManager.serviceAccount.annotations` | Annotations to add to the controller manager service account | `{}` |

### Kubernetes Resources Scanning Configuration

| Name | Description | Value |
| ------------------------------------------------- | ----------------------------------------------------------------------- | ----- |
| `k8SResourcesScanning.serviceAccount.annotations` | Annotations to add to the Kubernetes resources scanning service account | `{}` |

### General Configuration

| Name | Description | Value |
| ------------------------- | -------------------------------------- | --------------- |
| `kubernetesClusterDomain` | Kubernetes cluster domain used for DNS | `cluster.local` |

### Manager Config

| Name | Description | Value |
| ------------------------------------------- | ------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `managerConfig.controllerManagerConfigYaml` | Embedded YAML configuration for the controller manager | `# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1
apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
kind: ControllerManagerConfig
health:
healthProbeBindAddress: :8081
metrics:
bindAddress: 127.0.0.1:8080
leaderElection:
leaderElect: true
resourceName: 60679458.mondoo.com` |

### Metrics Service Configuration

| Name | Description | Value |
| ---------------------- | ----------------------------------------------- | ----------- |
| `metricsService.ports` | Ports configuration for the metrics service | `[]` |
| `metricsService.type` | Kubernetes service type for the metrics service | `ClusterIP` |

### Pre-delete Cleanup Hook Configuration

| Name | Description | Value |
| ----------------- | ----------------------------------------------------------------- | ------ |
| `cleanup.enabled` | Enable or disable the pre-delete cleanup hook | `true` |
| `cleanup.timeout` | Timeout for waiting for MondooAuditConfig resources to be deleted | `2m` |

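Review bot: the `managerConfig.controllerManagerConfigYaml` row under "Manager Config" embeds the whole multi-line YAML literal (from `# Copyright (c) Mondoo, Inc.` through `resourceName: 60679458.mondoo.com`) inside a single table cell, and a Markdown table row cannot span lines, so the table breaks at that row and the lines after it render as loose text. Annotate the param as `[string]` (the generator then prints `""`) or with a `[default: ...]` modifier pointing at values.yaml, so that only a placeholder lands in the cell. While at it, the "Value" column for the security-related objects should be rechecked after regeneration, since `{}` next to `containerSecurityContext` and `podSecurityContext` does not reflect what the chart ships (see the values.yaml hunks below).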
43 changes: 38 additions & 5 deletions charts/mondoo-operator/values.yaml
@@ -1,10 +1,15 @@
## @section Controller Manager Configuration
## Configuration for the mondoo-operator controller manager deployment

controllerManager:
manager:
## @param controllerManager.manager.args Command-line arguments passed to the operator manager container
args:
- operator
- --health-probe-bind-address=:8081
- --metrics-bind-address=:8080
- --leader-elect
## @param controllerManager.manager.containerSecurityContext [object] Security context for the manager container
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
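Review bot: `--metrics-bind-address=:8080` in `controllerManager.manager.args` binds the metrics endpoint on all interfaces, while the embedded `managerConfig.controllerManagerConfigYaml` later in this same file sets `metrics.bindAddress: 127.0.0.1:8080` (the generated README in this PR shows both). Only one of the two can take effect at runtime, and the new documentation presents both without saying which wins. Either remove the loopback setting from the embedded config (the `metricsService` below targets port 8080 and expects it reachable from the Service), or state in the `@param controllerManager.manager.args` description that the command-line flag overrides the config file, so a reader hardening the deployment knows which setting to change.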
@@ -13,26 +18,46 @@ controllerManager:
privileged: false
readOnlyRootFilesystem: true
image:
## @param controllerManager.manager.image.repository Container image repository for the operator
repository: ghcr.io/mondoohq/mondoo-operator
## @param controllerManager.manager.image.tag Container image tag for the operator
tag: v12.0.1
## @param controllerManager.manager.imagePullPolicy Image pull policy for the operator container
imagePullPolicy: IfNotPresent
## @param controllerManager.manager.resources [object] Resource requests and limits for the manager container
resources:
limits:
cpu: 200m
memory: 140Mi
requests:
cpu: 100m
memory: 70Mi
## @param controllerManager.podSecurityContext [object] Pod-level security context for the controller manager
podSecurityContext:
runAsNonRoot: true
## @param controllerManager.replicas Number of controller manager replicas
replicas: 1
serviceAccount:
## @param controllerManager.serviceAccount.annotations [object] Annotations to add to the controller manager service account
annotations: {}

## @section Kubernetes Resources Scanning Configuration

k8SResourcesScanning:
serviceAccount:
## @param k8SResourcesScanning.serviceAccount.annotations [object] Annotations to add to the Kubernetes resources scanning service account
annotations: {}

## @section General Configuration

## @param kubernetesClusterDomain Kubernetes cluster domain used for DNS
kubernetesClusterDomain: cluster.local

## @section Manager Config
## Configuration for the controller manager runtime settings

managerConfig:
## @param managerConfig.controllerManagerConfigYaml Embedded YAML configuration for the controller manager
controllerManagerConfigYaml: |-
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1
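Review bot: the `[object]` modifier on `controllerManager.manager.containerSecurityContext`, `controllerManager.podSecurityContext` and `controllerManager.manager.resources` makes the generator print `{}` as the documented value, which hides the hardened defaults set directly beneath each annotation (`allowPrivilegeEscalation: false`, `privileged: false`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true`, and the CPU/memory limits). Someone auditing the chart from the README alone would conclude the operator runs with no security context at all, and someone overriding `containerSecurityContext` to add a field would not learn that they are replacing, not merging with, those defaults. Use a `[default: ...]` modifier that names the real defaults, or say in the description that values.yaml sets a restricted security context and that overrides replace the whole object.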
@@ -45,18 +70,26 @@ managerConfig:
leaderElection:
leaderElect: true
resourceName: 60679458.mondoo.com

## @section Metrics Service Configuration

metricsService:
## @param metricsService.ports [array] Ports configuration for the metrics service
ports:
- name: metrics
port: 8080
protocol: TCP
targetPort: metrics
## @param metricsService.type Kubernetes service type for the metrics service
type: ClusterIP
# Pre-delete cleanup hook configuration
# This hook runs before uninstall to delete MondooAuditConfig resources,
# allowing finalizers to clean up operator-created resources properly.
# The cleanup job uses the same image as the operator.

## @section Pre-delete Cleanup Hook Configuration
## This hook runs before uninstall to delete MondooAuditConfig resources,
## allowing finalizers to clean up operator-created resources properly.
## The cleanup job uses the same image as the operator.

cleanup:
## @param cleanup.enabled Enable or disable the pre-delete cleanup hook
enabled: true
# Timeout for waiting for MondooAuditConfig resources to be deleted
## @param cleanup.timeout Timeout for waiting for MondooAuditConfig resources to be deleted
timeout: 2m
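Review bot: the old `#` comment block starting at `# Pre-delete cleanup hook configuration` and ending at `# The cleanup job uses the same image as the operator.` is left in place directly above the new `##` section block that repeats the same three sentences, and `# Timeout for waiting for MondooAuditConfig resources to be deleted` is likewise duplicated by the `## @param cleanup.timeout` line that follows it; drop the old `#` copies so the file carries each comment once. Same remark as for the `[object]` params applies to `metricsService.ports [array]`: it renders as `[]` in the README although a `metrics` port on `8080/TCP` is defined here, so the documented default does not match the shipped one.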