From 081dd97cc35eb9c9c7a369c66302e17cebf46403 Mon Sep 17 00:00:00 2001
From: Joel Kamp <2976326+mrjoelkamp@users.noreply.github.com>
Date: Mon, 6 Dec 2021 18:08:16 -0600
Subject: [PATCH] fix: update registry credentials on verify (#2798)

Signed-off-by: Joel Kamp <joel.kamp@invitae.com>
---
 pkg/cosign/cosign.go      | 19 +++++++++++++++++++
 pkg/engine/imageVerify.go |  8 ++++++++
 2 files changed, 27 insertions(+)

diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go
index 78ee30e5ec..353a151b88 100644
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@@ -31,10 +31,20 @@ import (
 var (
 	// ImageSignatureRepository is an alternate signature repository
 	ImageSignatureRepository string
+	Secrets                  []string
+
+	kubeClient            kubernetes.Interface
+	kyvernoNamespace      string
+	kyvernoServiceAccount string
 )
 
 // Initialize loads the image pull secrets and initializes the default auth method for container registry API calls
 func Initialize(client kubernetes.Interface, namespace, serviceAccount string, imagePullSecrets []string) error {
+	kubeClient = client
+	kyvernoNamespace = namespace
+	kyvernoServiceAccount = serviceAccount
+	Secrets = imagePullSecrets
+
 	var kc authn.Keychain
 	kcOpts := &k8schain.Options{
 		Namespace:          namespace,
@@ -51,6 +61,15 @@ func Initialize(client kubernetes.Interface, namespace, serviceAccount string, i
 	return nil
 }
 
+// UpdateKeychain reinitializes the image pull secrets and default auth method for container registry API calls
+func UpdateKeychain() error {
+	var err = Initialize(kubeClient, kyvernoNamespace, kyvernoServiceAccount, Secrets)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 type Options struct {
 	ImageRef   string
 	Key        string
diff --git a/pkg/engine/imageVerify.go b/pkg/engine/imageVerify.go
index 7108438c81..5fd1a9e15d 100644
--- a/pkg/engine/imageVerify.go
+++ b/pkg/engine/imageVerify.go
@@ -39,6 +39,14 @@ func VerifyAndPatchImages(policyContext *PolicyContext) (resp *response.EngineRe
 	policyContext.JSONContext.Checkpoint()
 	defer policyContext.JSONContext.Restore()
 
+	// update image registry secrets
+	if len(cosign.Secrets) > 0 {
+		logger.V(4).Info("updating registry credentials", "secrets", cosign.Secrets)
+		if err := cosign.UpdateKeychain(); err != nil {
+			logger.Error(err, "failed to update image pull secrets")
+		}
+	}
+
 	for i := range policyContext.Policy.Spec.Rules {
 		rule := &policyContext.Policy.Spec.Rules[i]
 		if len(rule.VerifyImages) == 0 {