
fix: use inventory-file for node scanner#1530

Open

MaxRink wants to merge 1 commit into mondoohq:main from MaxRink:fix/node-scanner-inventory-file

Conversation


@MaxRink MaxRink commented Jun 19, 2026

Contributor

Summary

  • replace node scanner Go-template inventory values with a stable node-name placeholder
  • render the placeholder to a writable /tmp inventory file in a lightweight render-node-inventory init container
  • run the main scanner container directly as cnspec ... --inventory-file, so custom scanner images only need cnspec and no longer need /bin/sh or sed
  • resolve the render-helper image through the shared container image resolver so imageRegistry, registryMirrors, imagePullSecrets, and skipContainerResolution apply to the helper image too
  • document the init-container behavior in the node-scanning user manual

Review fixes

  • removed the hard-coded upstream helper image from rendered workloads by passing a resolver-managed helper image into CronJob and DaemonSet builders
  • added resolver and reconciliation regression tests for registry-mirrored helper images

Validation

  • git diff --check
  • go test ./controllers/nodes ./pkg/utils/mondoo ./pkg/utils/k8s ./controllers/status
  • go build -o /tmp/mondoo-operator-node ./cmd/mondoo-operator/main.go
  • make lint/actions
  • make lint
  • kubectl --context kind-mondoo-oidc-kind apply -k config/crd
  • kubectl --context kind-mondoo-oidc-kind apply --server-side --dry-run=server -k config/rbac
  • kubectl --context kind-mondoo-oidc-kind apply --server-side --dry-run=server -f config/samples/k8s_v1alpha2_mondooauditconfig.yaml
  • kubectl --context kind-mondoo-oidc-kind apply --server-side --dry-run=server -f config/samples/k8s_v1alpha2_mondoooperatorconfig.yaml
  • targeted kind-mondoo-oidc-kind server-side dry-run for a node-scanning MondooAuditConfig plus registry-mirrored MondooOperatorConfig

Notes

  • The init helper uses the existing lightweight BusyBox helper image pattern. Pod-level imagePullSecrets still apply to both the helper and scanner containers.

  • go test ./pkg/utils/mondoo -run 'TestContainerImageResolverSuite/Test(ContainerImageUsesRegistryMirror|BusyBoxImageUsesRegistryMirror|ApplyImageRegistry)'

  • go test ./controllers/nodes -run 'TestResources|TestCronJob_UsesInventoryFileFlag|TestDaemonSet_UsesInventoryFileFlag|TestDeploymentHandlerSuite/TestReconcile_(CreateCronJobs|CronJobUsesResolvedRenderImage|CreateDaemonSet)'

  • go test ./controllers/nodes ./pkg/utils/mondoo ./pkg/utils/k8s ./controllers/status

  • make lint/actions

  • make lint
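An added, constructed manifest (not the operator's or the PR's own code) illustrating the init-container pattern laid out in the description: a BusyBox helper pulled through a registry mirror renders the node-name placeholder into an emptyDir mounted at /tmp, and the scanner container then runs cnspec directly with --inventory-file, so the scanner image needs neither /bin/sh nor sed and can run with a read-only root filesystem. The placeholder token, image references, volume layout and inventory fields are assumptions.

```yaml
# Constructed illustration of the init-container pattern described in the PR;
# placeholder token, image paths and inventory fields are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: example-node-inventory
data:
  inventory.tmpl: |
    apiVersion: v1
    kind: Inventory
    spec:
      assets:
        - name: __NODE_NAME__          # stable placeholder, rendered per node
          connections:
            - type: filesystem
              path: /mnt/host
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: example-node-scanner
spec:
  selector:
    matchLabels: {app: example-node-scanner}
  template:
    metadata:
      labels: {app: example-node-scanner}
    spec:
      volumes:
        - {name: inventory-template, configMap: {name: example-node-inventory}}
        - {name: rendered-inventory, emptyDir: {}}      # writable /tmp shared with the scanner
        - {name: host-root, hostPath: {path: /}}        # host filesystem to be scanned
      initContainers:
        - name: render-node-inventory
          image: mirror.example.internal/library/busybox:1.36   # helper image, via registry mirror
          env:
            - {name: NODE_NAME, valueFrom: {fieldRef: {fieldPath: spec.nodeName}}}
          command: ["sh", "-c", "sed \"s/__NODE_NAME__/${NODE_NAME}/g\" /etc/mondoo/inventory.tmpl > /tmp/inventory.yml"]
          volumeMounts:
            - {name: inventory-template, mountPath: /etc/mondoo, readOnly: true}
            - {name: rendered-inventory, mountPath: /tmp}
      containers:
        - name: cnspec
          image: mirror.example.internal/mondoo/cnspec:latest   # only the cnspec binary is needed, no shell or sed
          command: ["cnspec", "scan", "--inventory-file", "/tmp/inventory.yml"]
          securityContext: {readOnlyRootFilesystem: true, allowPrivilegeEscalation: false}
          volumeMounts:
            - {name: rendered-inventory, mountPath: /tmp, readOnly: true}
            - {name: host-root, mountPath: /mnt/host, readOnly: true}
```

Because the helper image is the only one that needs a shell, pinning and mirroring it is what keeps the pattern working in air-gapped clusters; the scanner container itself has no tooling an attacker in the pod could reuse.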


github-actions Bot commented Jun 19, 2026


Test Results

0 tests  ±0   0 ✅ ±0   0s ⏱️ ±0s
0 suites ±0   0 💤 ±0 
0 files   ±0   0 ❌ ±0 

Results for commit 3c2d973. ± Comparison against base commit 70733ca.


@MaxRink MaxRink marked this pull request as ready for review June 19, 2026 08:15
@MaxRink MaxRink force-pushed the fix/node-scanner-inventory-file branch from fceaf8c to adc0539 Compare June 19, 2026 08:39

@mondoo-code-review mondoo-code-review Bot left a comment


Node scanning init container's busybox image won't apply registry mirrors in air-gapped environments.

Comment thread pkg/constants/images.go
Comment thread pkg/utils/mondoo/container_image_resolver_test.go
Comment thread controllers/nodes/resources.go
@MaxRink MaxRink force-pushed the fix/node-scanner-inventory-file branch from adc0539 to 3c2d973 Compare June 19, 2026 08:47
@mondoo-code-review mondoo-code-review Bot dismissed their stale review June 19, 2026 08:48

Superseded by new review

@mondoo-code-review mondoo-code-review Bot left a comment


Node scanner now uses an init container to render inventory files, removing shell/sed dependency from the scanner image.
