4 changes: 3 additions & 1 deletion README.md
Expand Up @@ -74,7 +74,7 @@ Install the operator in a central management cluster and scan remote clusters vi
│ └──────────┬──────────────────┘ │
└─────────────┼───────────────────────┘
│ kubeconfig / WIF* / SPIFFE*
│ kubeconfig / WIF* / SPIFFE* / Vault
┌─────────┴─────────┬─────────────────┐
▼ ▼ ▼
Expand All @@ -93,6 +93,7 @@ _*WIF and SPIFFE authentication are experimental features._
- **Kubeconfig**: Use a kubeconfig file stored in a Secret
- **Workload Identity (WIF)** _(Experimental)_: Native cloud provider authentication for GKE, EKS, AKS
- **SPIFFE** _(Experimental)_: Use SPIFFE/SPIRE for cross-cluster authentication
- **HashiCorp Vault**: Dynamic short-lived credentials via Vault's Kubernetes secrets engine

```yaml
# External cluster scanning with kubeconfig
Expand Down Expand Up @@ -141,6 +142,7 @@ spec:
| Kubeconfig Auth | - | ✅ |
| Workload Identity (GKE/EKS/AKS) | - | ✅ ⚠️ Experimental |
| SPIFFE Auth | - | ✅ ⚠️ Experimental |
| HashiCorp Vault Auth | - | ✅ |

### Self-Cluster Scanning Architecture

66 changes: 62 additions & 4 deletions api/v1alpha2/mondooauditconfig_types.go
Expand Up @@ -154,25 +154,32 @@ type ExternalCluster struct {

// KubeconfigSecretRef references a Secret containing kubeconfig for the remote cluster.
// The Secret must have a key "kubeconfig" with the kubeconfig content.
// Mutually exclusive with ServiceAccountAuth and WorkloadIdentity.
// Mutually exclusive with ServiceAccountAuth, WorkloadIdentity, SPIFFEAuth, and VaultAuth.
// +optional
KubeconfigSecretRef *corev1.LocalObjectReference `json:"kubeconfigSecretRef,omitempty"`

// ServiceAccountAuth configures authentication using a service account token.
// Mutually exclusive with KubeconfigSecretRef and WorkloadIdentity.
// Mutually exclusive with KubeconfigSecretRef, WorkloadIdentity, SPIFFEAuth, and VaultAuth.
// +optional
ServiceAccountAuth *ServiceAccountAuth `json:"serviceAccountAuth,omitempty"`

// WorkloadIdentity configures cloud-native Workload Identity Federation authentication.
// Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, and SPIFFEAuth.
// Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, SPIFFEAuth, and VaultAuth.
// +optional
WorkloadIdentity *WorkloadIdentityConfig `json:"workloadIdentity,omitempty"`

// SPIFFEAuth configures SPIFFE/SPIRE-based authentication using X.509 SVIDs.
// Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, and WorkloadIdentity.
// Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, WorkloadIdentity, and VaultAuth.
// +optional
SPIFFEAuth *SPIFFEAuthConfig `json:"spiffeAuth,omitempty"`

// VaultAuth configures HashiCorp Vault Kubernetes secrets engine for dynamic credential generation.
// The operator authenticates to Vault during reconciliation using its own service account token,
// fetches short-lived credentials, and writes a kubeconfig Secret that the CronJob mounts.
// Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, WorkloadIdentity, and SPIFFEAuth.
// +optional
VaultAuth *VaultAuthConfig `json:"vaultAuth,omitempty"`

// Schedule overrides the default schedule for this cluster (optional).
// If not specified, uses the schedule from KubernetesResources.Schedule.
// +optional
Expand Down Expand Up @@ -329,6 +336,57 @@ type SPIFFEAuthConfig struct {
Audience string `json:"audience,omitempty"`
}

// VaultAuthConfig configures HashiCorp Vault's Kubernetes secrets engine
// for dynamically generating short-lived service account tokens to scan external clusters.
type VaultAuthConfig struct {
// Server is the URL of the target Kubernetes API server.
// Example: "https://target-cluster.example.com:6443"
// +kubebuilder:validation:Required
// +kubebuilder:validation:Pattern=`^https://.*`
Server string `json:"server"`

// VaultAddr is the address of the Vault server.
// Example: "https://vault.example.com:8200"
// +kubebuilder:validation:Required
VaultAddr string `json:"vaultAddr"`

// AuthPath is the Vault Kubernetes auth method mount path.
// +optional
// +kubebuilder:default="auth/kubernetes"
AuthPath string `json:"authPath,omitempty"`

// AuthRole is the Vault role for authenticating the pod's service account.
// +kubebuilder:validation:Required
AuthRole string `json:"authRole"`

// SecretsPath is the Vault Kubernetes secrets engine mount path.
// +optional
// +kubebuilder:default="kubernetes"
SecretsPath string `json:"secretsPath,omitempty"`

// CredsRole is the Vault role for generating target cluster credentials.
// +kubebuilder:validation:Required
CredsRole string `json:"credsRole"`

// KubernetesNamespace is the target namespace for the generated service account token.
// +optional
KubernetesNamespace string `json:"kubernetesNamespace,omitempty"`

// TTL is the requested TTL for the generated credentials (e.g. "1h", "30m").
// +optional
TTL string `json:"ttl,omitempty"`

// CACertSecretRef references a Secret containing Vault's CA certificate
// for TLS verification. The Secret must have a key "ca.crt".
// +optional
CACertSecretRef *corev1.LocalObjectReference `json:"caCertSecretRef,omitempty"`

// TargetCACertSecretRef references a Secret containing the target cluster's
// CA certificate for TLS verification. The Secret must have a key "ca.crt".
// +optional
TargetCACertSecretRef *corev1.LocalObjectReference `json:"targetCACertSecretRef,omitempty"`
}

// NodeScanStyle specifies the scan style for nodes
type NodeScanStyle string

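Review bot: `VaultAddr` in `VaultAuthConfig` accepts any string, while `Server` in the same struct is constrained with a `kubebuilder:validation:Pattern` of `^https://.*`; per the `VaultAuth` doc comment the operator logs in to this address with its own service-account token and receives the generated target-cluster credentials back, so an `http://` value would send both in cleartext. Mirror the marker used on `Server` above `VaultAddr` (and regenerate the CRD so the `vaultAddr` property carries the same `pattern`), or document explicitly why a plaintext Vault endpoint is acceptable. Separately, the doc comment on `TargetCACertSecretRef` should state what the written kubeconfig verifies the target API server against when the field is omitted — system roots or, presumably, no verification — because skipping verification would undo the https-only constraint on `Server`; the same question applies to `CACertSecretRef` for the Vault endpoint. The `ExternalCluster` struct modified by the first hunk starts and ends outside this view.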
30 changes: 30 additions & 0 deletions api/v1alpha2/zz_generated.deepcopy.go


90 changes: 86 additions & 4 deletions charts/mondoo-operator/crds/k8s.mondoo.com_mondooauditconfigs.yaml
Expand Up @@ -393,7 +393,7 @@ spec:
description: |-
KubeconfigSecretRef references a Secret containing kubeconfig for the remote cluster.
The Secret must have a key "kubeconfig" with the kubeconfig content.
Mutually exclusive with ServiceAccountAuth and WorkloadIdentity.
Mutually exclusive with ServiceAccountAuth, WorkloadIdentity, SPIFFEAuth, and VaultAuth.
properties:
name:
default: ""
Expand Down Expand Up @@ -436,7 +436,7 @@ spec:
serviceAccountAuth:
description: |-
ServiceAccountAuth configures authentication using a service account token.
Mutually exclusive with KubeconfigSecretRef and WorkloadIdentity.
Mutually exclusive with KubeconfigSecretRef, WorkloadIdentity, SPIFFEAuth, and VaultAuth.
properties:
credentialsSecretRef:
description: |-
Expand Down Expand Up @@ -473,7 +473,7 @@ spec:
spiffeAuth:
description: |-
SPIFFEAuth configures SPIFFE/SPIRE-based authentication using X.509 SVIDs.
Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, and WorkloadIdentity.
Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, WorkloadIdentity, and VaultAuth.
properties:
audience:
description: |-
Expand Down Expand Up @@ -512,10 +512,92 @@ spec:
- server
- trustBundleSecretRef
type: object
vaultAuth:
description: |-
VaultAuth configures HashiCorp Vault Kubernetes secrets engine for dynamic credential generation.
The operator authenticates to Vault during reconciliation using its own service account token,
fetches short-lived credentials, and writes a kubeconfig Secret that the CronJob mounts.
Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, WorkloadIdentity, and SPIFFEAuth.
properties:
authPath:
default: auth/kubernetes
description: AuthPath is the Vault Kubernetes auth method
mount path.
type: string
authRole:
description: AuthRole is the Vault role for authenticating
the pod's service account.
type: string
caCertSecretRef:
description: |-
CACertSecretRef references a Secret containing Vault's CA certificate
for TLS verification. The Secret must have a key "ca.crt".
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
credsRole:
description: CredsRole is the Vault role for generating
target cluster credentials.
type: string
kubernetesNamespace:
description: KubernetesNamespace is the target namespace
for the generated service account token.
type: string
secretsPath:
default: kubernetes
description: SecretsPath is the Vault Kubernetes secrets
engine mount path.
type: string
server:
description: |-
Server is the URL of the target Kubernetes API server.
Example: "https://target-cluster.example.com:6443"
pattern: ^https://.*
type: string
targetCACertSecretRef:
description: |-
TargetCACertSecretRef references a Secret containing the target cluster's
CA certificate for TLS verification. The Secret must have a key "ca.crt".
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
ttl:
description: TTL is the requested TTL for the generated
credentials (e.g. "1h", "30m").
type: string
vaultAddr:
description: |-
VaultAddr is the address of the Vault server.
Example: "https://vault.example.com:8200"
type: string
required:
- authRole
- credsRole
- server
- vaultAddr
type: object
workloadIdentity:
description: |-
WorkloadIdentity configures cloud-native Workload Identity Federation authentication.
Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, and SPIFFEAuth.
Mutually exclusive with KubeconfigSecretRef, ServiceAccountAuth, SPIFFEAuth, and VaultAuth.
properties:
aks:
description: |-