fix: update registry credentials on verify (#2798)

Signed-off-by: Joel Kamp <joel.kamp@invitae.com>

pkg/cosign/cosign.go

@@ -31,10 +31,20 @@ import (
 var (
 	// ImageSignatureRepository is an alternate signature repository
 	ImageSignatureRepository string
+	Secrets                  []string
+
+	kubeClient            kubernetes.Interface
+	kyvernoNamespace      string
+	kyvernoServiceAccount string
 )
 
 // Initialize loads the image pull secrets and initializes the default auth method for container registry API calls
 func Initialize(client kubernetes.Interface, namespace, serviceAccount string, imagePullSecrets []string) error {
+	kubeClient = client
+	kyvernoNamespace = namespace
+	kyvernoServiceAccount = serviceAccount
+	Secrets = imagePullSecrets
+
 	var kc authn.Keychain
 	kcOpts := &k8schain.Options{
 		Namespace:          namespace,
@@ -51,6 +61,15 @@ func Initialize(client kubernetes.Interface, namespace, serviceAccount string, i
 	return nil
 }
 
+// UpdateKeychain reinitializes the image pull secrets and default auth method for container registry API calls
+func UpdateKeychain() error {
+	var err = Initialize(kubeClient, kyvernoNamespace, kyvernoServiceAccount, Secrets)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 type Options struct {
 	ImageRef   string
 	Key        string

pkg/engine/imageVerify.go

@@ -39,6 +39,14 @@ func VerifyAndPatchImages(policyContext *PolicyContext) (resp *response.EngineRe
 	policyContext.JSONContext.Checkpoint()
 	defer policyContext.JSONContext.Restore()
 
+	// update image registry secrets
+	if len(cosign.Secrets) > 0 {
+		logger.V(4).Info("updating registry credentials", "secrets", cosign.Secrets)
+		if err := cosign.UpdateKeychain(); err != nil {
+			logger.Error(err, "failed to update image pull secrets")
+		}
+	}
+
 	for i := range policyContext.Policy.Spec.Rules {
 		rule := &policyContext.Policy.Spec.Rules[i]
 		if len(rule.VerifyImages) == 0 {