feat: replace VaultAuth init container with operator-side vault-client-go#1399
Merged
…t-go Instead of running a hashicorp/vault init container with shell scripts, the operator now fetches credentials from Vault during reconciliation using vault-client-go and writes a kubeconfig Secret that the CronJob mounts directly. This removes the need for the Vault image, init containers, and a separate ServiceAccount for Vault auth. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Return a clear error if the referenced CA cert secrets are missing the expected "ca.crt" key, rather than silently falling back to system CAs or insecure-skip-tls-verify. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update the README feature table and auth method list to include HashiCorp Vault. Fix stale mutually-exclusive comments on KubeconfigSecretRef, ServiceAccountAuth, and WorkloadIdentity fields that were missing SPIFFEAuth and/or VaultAuth. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The temp file path comes from os.CreateTemp which is safe. The newer CI linter (v2.10.1) flags this as G703 path traversal via taint analysis. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds HashiCorp Vault auth for external cluster scanning; RBAC broadening and lack of token-refresh requeue are the main concerns.
Additional findings (file/line not in diff):
- 🟡 `controllers/k8s_scan/deployment_handler.go:181` — `Reconcile` always returns `ctrl.Result{}` (no `RequeueAfter`). When VaultAuth is in use, the Vault-issued token stored in the kubeconfig Secret will expire, but no reconcile will be triggered to refresh it until the next external event (config change, or the controller-runtime default resync—usually 10h). Consider returning `ctrl.Result{RequeueAfter: <something shorter than TTL>}` when at least one VaultAuth cluster is configured, so the Secret is refreshed before the token expires.
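The requeue logic the reviewer asks for, as an added illustration that is not code from this PR or from the mondoo-operator project: given the issue time and TTL of each Vault-issued credential, compute how long a `Reconcile` should wait before running again so the kubeconfig Secret is refreshed before any token expires. The `vaultLease` type, the `refreshFraction` of 0.5 and the `minRequeue`/`maxRequeue` bounds are assumptions for the example; in the real controller the returned duration would be placed in `ctrl.Result{RequeueAfter: ...}` (controller-runtime is not imported here so the snippet runs with the standard library alone).

```go
package main

import (
	"fmt"
	"time"
)

// vaultLease is an assumed, example-only record of a Vault-issued credential:
// when the operator obtained it and the lease duration Vault reported.
type vaultLease struct {
	IssuedAt time.Time
	TTL      time.Duration
}

const (
	// Renew once this fraction of the TTL has elapsed, leaving headroom to
	// retry if Vault is briefly unreachable before the token actually expires.
	refreshFraction = 0.5
	// Lower bound on the requeue interval so a tiny TTL cannot turn the
	// controller into a tight loop against the API server.
	minRequeue = 30 * time.Second
	// Upper bound so a very long TTL still gets periodic verification.
	maxRequeue = 6 * time.Hour
)

// refreshDeadline is the instant at which a lease should be renewed.
func refreshDeadline(l vaultLease) time.Time {
	return l.IssuedAt.Add(time.Duration(float64(l.TTL) * refreshFraction))
}

// needsRefresh reports whether the credential behind l must be renewed now.
// A missing or non-positive TTL is treated as "refresh immediately".
func needsRefresh(l vaultLease, now time.Time) bool {
	if l.TTL <= 0 {
		return true
	}
	return !now.Before(refreshDeadline(l))
}

// requeueAfter returns the delay a Reconcile should request (the value that
// would go into ctrl.Result{RequeueAfter: ...}) so the next run happens before
// the earliest refresh deadline among all configured VaultAuth clusters.
// With no Vault-backed clusters it returns 0, meaning "no periodic requeue".
func requeueAfter(leases []vaultLease, now time.Time) time.Duration {
	if len(leases) == 0 {
		return 0
	}
	wait := maxRequeue
	for _, l := range leases {
		if needsRefresh(l, now) {
			// Already due (or TTL unknown): come back as soon as allowed.
			return minRequeue
		}
		if d := refreshDeadline(l).Sub(now); d < wait {
			wait = d
		}
	}
	if wait < minRequeue {
		wait = minRequeue
	}
	return wait
}

func main() {
	// Constructed sample leases for three hypothetical external clusters.
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	leases := []vaultLease{
		{IssuedAt: now.Add(-10 * time.Minute), TTL: time.Hour},
		{IssuedAt: now, TTL: 24 * time.Hour},
		{IssuedAt: now.Add(-5 * time.Minute), TTL: 2 * time.Hour},
	}
	fmt.Printf("next reconcile in %s\n", requeueAfter(leases, now))
}
```

Refreshing at half the TTL rather than just before expiry is the choice that matters operationally: it leaves a window in which a failed Vault login can be retried on the next requeue while the CronJob still holds a valid token, and the lower clamp keeps a misconfigured short TTL from turning into a reconcile storm.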
* fix: generate crds
* test-suites for external scanning with Vault and self-scanning with connected Mondoo integration
* feat: implement Vault credential refresh logic and update user manual
Summary
`hashicorp/vault:1.18.3` init container approach with direct use of `vault-client-go` in the operator controller `kubeconfigSecretRef`

Changes

New files:
- `controllers/k8s_scan/vault.go` — Vault client logic: `VaultTokenFetcher` interface, `DefaultVaultTokenFetcher` (Kubernetes auth login + credential generation), kubeconfig builder, Secret builder
- `controllers/k8s_scan/vault_test.go` — Unit tests for vault helpers

Modified files:
- `controllers/k8s_scan/resources.go` — Removed `VaultImage`, `VaultAuthServiceAccountName`, `VaultAuthServiceAccount`, `vaultInitContainer`; replaced VaultAuth CronJob case with simple Secret volume mount
- `controllers/k8s_scan/deployment_handler.go` — Replaced `syncVaultAuthServiceAccount` with `syncVaultKubeconfigSecret`; updated cleanup logic
- `controllers/k8s_scan/deployment_handler_test.go` — Rewrote Vault tests using mock `VaultTokenFetcher`
- `controllers/mondooauditconfig_controller.go` — Added `update` verb for secrets RBAC; wired `VaultTokenFetcher`
- `api/v1alpha2/mondooauditconfig_types.go` — Added `VaultAuthConfig` type and updated field comments
- `docs/user-manual.md` — Added credential refresh timing note
- `go.mod` / `go.sum` — Added `vault-client-go v0.4.3`
- `config/rbac/role.yaml` — Regenerated with `update` verb for secrets
- `config/crd/bases/k8s.mondoo.com_mondooauditconfigs.yaml` — Regenerated CRD

Test plan
- `make generate` passes
- `make manifests` passes
- `make test` passes (all unit tests)
- `make lint` passes (0 issues)
- `make lint/actions` passes

🤖 Generated with Claude Code