Feature/multiple private registry secrets #1339

Merged
chris-rock merged 3 commits into main from feature/multiple-private-registry-secrets
Feb 1, 2026
Conversation

@AdamVB
Contributor

@AdamVB AdamVB commented Jan 26, 2026

Add support for multiple imagePullSecrets for the operator container scan.

Add a test scenario in the Makefile to host 2 "private" registries locally, to test with local k3s (via k3d).

Before mounting the secret to the pod, we add an init container that merges multiple secrets into a single docker-config.json with multiple auths.

@github-actions
Contributor

github-actions Bot commented Jan 26, 2026

Test Results

  5 files  ±0   41 suites  ±0   32m 31s ⏱️ - 1m 27s
280 tests +4  280 ✅ +4  0 💤 ±0  0 ❌ ±0 
295 runs  +4  295 ✅ +4  0 💤 ±0  0 ❌ ±0 

Results for commit 787faf8. ± Comparison against base commit 5bc760f.

♻️ This comment has been updated with latest results.

@chris-rock
Member

Summary

Adds support for configuring multiple private registry pull secrets via a new privateRegistriesPullSecretRefs field. This is useful when registry credentials are managed by different teams or external secret operators (e.g., External Secrets, Vault).

Changes

API:

  • Added spec.scanner.privateRegistriesPullSecretRefs (list) alongside the existing singular privateRegistriesPullSecretRef
  • Both fields can be used together; credentials are merged

Implementation:

  • When multiple secrets are configured, the operator merges them into a single managed secret (-private-registries-merged)
  • The merged secret is owned by the MondooAuditConfig and cleaned up automatically
  • Single secret case continues to work as before (no extra secret created)

Example

  spec:
    scanner:
      privateRegistriesPullSecretRefs:
        - name: team-a-registry-creds
        - name: team-b-registry-creds
        - name: external-secrets-managed-creds

Backward Compatibility

  • Existing privateRegistriesPullSecretRef (singular) continues to work unchanged
  • If both singular and plural fields are set, all secrets are merged

@chris-rock
Member

Implementation Approach Change

The previous implementation used an init container with a shell script to merge Docker configs at pod startup. This has been replaced with operator-side merging:

  ┌─────────────┬────────────────────────────────────────┬─────────────────────────────────┐                                 
  │   Aspect    │        Before (init container)         │    After (operator merging)     │                                 
  ├─────────────┼────────────────────────────────────────┼─────────────────────────────────┤                                 
  │ Merging     │ Shell script in init container         │ Go code in operator             │                                 
  ├─────────────┼────────────────────────────────────────┼─────────────────────────────────┤                                 
  │ Pod spec    │ Added init container + emptyDir volume │ Single secret mount (unchanged) │                                 
  ├─────────────┼────────────────────────────────────────┼─────────────────────────────────┤                                 
  │ When merged │ Every pod startup                      │ During reconciliation           │                                 
  ├─────────────┼────────────────────────────────────────┼─────────────────────────────────┤                                 
  │ Reliability │ Shell-based JSON parsing               │ Native Go JSON parsing          │                                 
  └─────────────┴────────────────────────────────────────┴─────────────────────────────────┘

The operator approach is simpler and more robust - pods remain unchanged regardless of how many source secrets are configured.
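The operator-side merge that the summary and the approach-change comment above describe, written out as an added Go example. This is not the mondoo-operator's code: the secret inputs are modelled as plain `map[string][]byte` values standing in for a Secret's `Data` field (the real reconciler would read them through the Kubernetes API), the two registry hosts and their credentials are constructed and fake, and the collision policy (later secret in the list wins, every collision reported to the caller) is an assumption, not something the PR states.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// DockerConfig is the subset of config.json that matters for image pulls:
// registry host -> auth entry. The entry is kept opaque (RawMessage) so
// username/password/auth/identitytoken fields pass through untouched.
type DockerConfig struct {
	Auths map[string]json.RawMessage `json:"auths"`
}

// SecretData stands in for the Data field of a kubernetes.io/dockerconfigjson
// Secret (assumption: only the ".dockerconfigjson" key is consulted).
type SecretData map[string][]byte

// DockerConfigJSONKey is the key the kubelet expects in such a Secret.
const DockerConfigJSONKey = ".dockerconfigjson"

// MergeDockerConfigs folds the auths of several pull secrets into one
// .dockerconfigjson payload. Secrets are applied in list order, so a later
// secret overrides an earlier one for the same registry host; each such
// collision is returned so the reconciler can surface it (e.g. in a status
// condition) instead of silently dropping one team's credentials.
func MergeDockerConfigs(secrets []SecretData) ([]byte, []string, error) {
	merged := DockerConfig{Auths: map[string]json.RawMessage{}}
	var conflicts []string
	for i, s := range secrets {
		raw, ok := s[DockerConfigJSONKey]
		if !ok {
			return nil, nil, fmt.Errorf("secret %d: missing key %q", i, DockerConfigJSONKey)
		}
		var cfg DockerConfig
		if err := json.Unmarshal(raw, &cfg); err != nil {
			return nil, nil, fmt.Errorf("secret %d: invalid %s: %w", i, DockerConfigJSONKey, err)
		}
		if len(cfg.Auths) == 0 {
			return nil, nil, fmt.Errorf("secret %d: no auths entries", i)
		}
		for host, auth := range cfg.Auths {
			if _, dup := merged.Auths[host]; dup {
				conflicts = append(conflicts, host)
			}
			merged.Auths[host] = auth
		}
	}
	sort.Strings(conflicts) // map iteration order is random; keep the report stable
	out, err := json.Marshal(merged) // json.Marshal emits map keys in sorted order
	if err != nil {
		return nil, nil, err
	}
	return out, conflicts, nil
}

// Registries lists the registry hosts present in a merged payload, sorted.
func Registries(merged []byte) ([]string, error) {
	var cfg DockerConfig
	if err := json.Unmarshal(merged, &cfg); err != nil {
		return nil, err
	}
	hosts := make([]string, 0, len(cfg.Auths))
	for h := range cfg.Auths {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts)
	return hosts, nil
}

// SampleSecrets returns two constructed pull secrets, one per team, in the
// shape `kubectl create secret docker-registry` produces. Hosts and
// credentials are fake placeholders, not values from the PR.
func SampleSecrets() []SecretData {
	teamA := `{"auths":{"registry-a.local:5000":{"username":"team-a","password":"s3cret-a","auth":"dGVhbS1hOnMzY3JldC1h"}}}`
	teamB := `{"auths":{"registry-b.local:5001":{"username":"team-b","password":"s3cret-b","auth":"dGVhbS1iOnMzY3JldC1i"}}}`
	return []SecretData{
		{DockerConfigJSONKey: []byte(teamA)},
		{DockerConfigJSONKey: []byte(teamB)},
	}
}

func main() {
	merged, conflicts, err := MergeDockerConfigs(SampleSecrets())
	if err != nil {
		panic(err)
	}
	fmt.Println(string(merged))
	fmt.Println("conflicts:", conflicts)
}
```

The merged bytes are what would go into the `.dockerconfigjson` key of the operator-managed secret; because the merge happens in the reconciler rather than in an init container, a malformed or missing source secret fails the reconcile with a clear error instead of producing a pod that starts and then cannot pull.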

@chris-rock chris-rock force-pushed the feature/multiple-private-registry-secrets branch from 31b7f9b to d3f6811 February 1, 2026 06:56
@chris-rock chris-rock marked this pull request as ready for review February 1, 2026 06:56
@chris-rock chris-rock force-pushed the feature/multiple-private-registry-secrets branch from d3f6811 to e76b523 February 1, 2026 07:03
@chris-rock chris-rock force-pushed the feature/multiple-private-registry-secrets branch from e76b523 to 787faf8 February 1, 2026 07:26
@chris-rock chris-rock merged commit bf7df8c into main Feb 1, 2026
22 checks passed
@chris-rock chris-rock deleted the feature/multiple-private-registry-secrets branch February 1, 2026 07:40
@github-actions github-actions Bot locked and limited conversation to collaborators Feb 1, 2026