diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go
index 78ee30e5ec..353a151b88 100644
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@@ -31,10 +31,20 @@ import (
 var (
 // ImageSignatureRepository is an alternate signature repository
 ImageSignatureRepository string
+ Secrets []string
+
+ kubeClient kubernetes.Interface
+ kyvernoNamespace string
+ kyvernoServiceAccount string
 )
 
 // Initialize loads the image pull secrets and initializes the default auth method for container registry API calls
 func Initialize(client kubernetes.Interface, namespace, serviceAccount string, imagePullSecrets []string) error {
+ kubeClient = client
+ kyvernoNamespace = namespace
+ kyvernoServiceAccount = serviceAccount
+ Secrets = imagePullSecrets
+
 var kc authn.Keychain
 kcOpts := &k8schain.Options{
 Namespace: namespace,
@@ -51,6 +61,15 @@ func Initialize(client kubernetes.Interface, namespace, serviceAccount string, i
 return nil
 }
 
+// UpdateKeychain reinitializes the image pull secrets and default auth method for container registry API calls
+func UpdateKeychain() error {
+ var err = Initialize(kubeClient, kyvernoNamespace, kyvernoServiceAccount, Secrets)
+ if err != nil {
+ return err
+ }
+ return nil
+}
+
 type Options struct {
 ImageRef string
 Key string
diff --git a/pkg/engine/imageVerify.go b/pkg/engine/imageVerify.go
index 7108438c81..5fd1a9e15d 100644
--- a/pkg/engine/imageVerify.go
+++ b/pkg/engine/imageVerify.go
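Review bot: The new package-level variables `kubeClient`, `kyvernoNamespace`, `kyvernoServiceAccount` and `Secrets` are written in Initialize and read back in UpdateKeychain with no synchronization, and the engine hunk in pkg/engine/imageVerify.go calls UpdateKeychain from VerifyAndPatchImages, so concurrent admission requests can race on these writes and on whatever keychain state Initialize sets further down. Consider guarding them with a `sync.RWMutex`, or moving them into a struct that Initialize returns, and storing a copy of `imagePullSecrets` rather than aliasing the caller's slice, since `Secrets` is exported and mutable by any importer. Exporting `Secrets` only so the engine can test `len(cosign.Secrets) > 0` could be replaced by an accessor that hides the state. Initialize's body continues past the end of the hunk.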
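Review bot: UpdateKeychain's body at the `var err = Initialize(...)` lines only forwards the error, so it collapses to `return Initialize(kubeClient, kyvernoNamespace, kyvernoServiceAccount, Secrets)`. The doc comment should also state that it reuses the arguments captured by the most recent Initialize call and must not be called before Initialize has run, since with a nil `kubeClient` the k8schain lookup presumably fails; suggest `// UpdateKeychain re-runs Initialize with the client, namespace, service account and secrets recorded by the last Initialize call; it must not be called before Initialize.`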
@@ -39,6 +39,14 @@ func VerifyAndPatchImages(policyContext *PolicyContext) (resp *response.EngineRe
 policyContext.JSONContext.Checkpoint()
 defer policyContext.JSONContext.Restore()
 
+ // update image registry secrets
+ if len(cosign.Secrets) > 0 {
+ logger.V(4).Info("updating registry credentials", "secrets", cosign.Secrets)
+ if err := cosign.UpdateKeychain(); err != nil {
+ logger.Error(err, "failed to update image pull secrets")
+ }
+ }
+
 for i := range policyContext.Policy.Spec.Rules {
 rule := &policyContext.Policy.Spec.Rules[i]
 if len(rule.VerifyImages) == 0 {
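Review bot: The new block calls `cosign.UpdateKeychain()` on every VerifyAndPatchImages invocation whenever any pull secrets are configured, which re-runs Initialize (and, per its doc comment, reloads the image pull secrets) per admission request, adding API-server round trips and latency to every request and, because Initialize writes package-level state, likely racing between concurrent requests unless the cosign package guards it. A refresh on a ticker, on registry auth failure, or only when the secrets have changed would bound the cost; at minimum a comment such as `// TODO: refresh is per-request and unsynchronized; move to a periodic refresh` at the `// update image registry secrets` line should record the known cost. The error is only logged, so a failed refresh silently continues with the previously loaded credentials, which is a reasonable best-effort but worth stating in the log message, e.g. `"failed to update image pull secrets, continuing with previous credentials"`. VerifyAndPatchImages continues beyond the hunk.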