refactor: make registry client variables private (#3975)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

pkg/cosign/cosign.go

@@ -11,7 +11,6 @@ import (
 	"strings"
 
 	"github.com/google/go-containerregistry/pkg/name"
-	gcrremote "github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/in-toto/in-toto-golang/in_toto"
 	wildcard "github.com/kyverno/go-wildcard"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
@@ -57,7 +56,11 @@ func VerifySignature(opts Options) (digest string, err error) {
 	if err != nil {
 		return "", errors.Wrap(err, "constructing client options")
 	}
-	remoteOpts = append(remoteOpts, remote.WithRemoteOptions(gcrremote.WithAuthFromKeychain(registryclient.DefaultKeychain)))
+	o, err := registryclient.GetOptions()
+	if err != nil {
+		return "", errors.Wrap(err, "getting remote options")
+	}
+	remoteOpts = append(remoteOpts, remote.WithRemoteOptions(o))
 	cosignOpts := &cosign.CheckOpts{
 		Annotations:        map[string]interface{}{},
 		RegistryClientOpts: remoteOpts,

pkg/cosign/cosign_test.go

@@ -80,5 +80,4 @@ func TestCosignKeyless(t *testing.T) {
 	opts.Issuer = "https://github.com/login/oauth"
 	_, err = VerifySignature(opts)
 	assert.NilError(t, err)
-
 }

pkg/engine/imageVerify.go

@@ -8,8 +8,6 @@ import (
 	"time"
 
 	"github.com/go-logr/logr"
-	"github.com/google/go-containerregistry/pkg/name"
-	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/kyverno/go-wildcard"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	"github.com/kyverno/kyverno/pkg/autogen"
@@ -45,14 +43,6 @@ func VerifyAndPatchImages(policyContext *PolicyContext) (*response.EngineRespons
 	policyContext.JSONContext.Checkpoint()
 	defer policyContext.JSONContext.Restore()
 
-	// update image registry secrets
-	if len(registryclient.Secrets) > 0 {
-		logger.V(4).Info("updating registry credentials", "secrets", registryclient.Secrets)
-		if err := registryclient.UpdateKeychain(); err != nil {
-			logger.Error(err, "failed to update image pull secrets")
-		}
-	}
-
 	ivm := &ImageVerificationMetadata{}
 	rules := autogen.ComputeRules(policyContext.Policy)
 	for i := range rules {
@@ -254,16 +244,10 @@ func hasImageVerifiedAnnotationChanged(ctx *PolicyContext, log logr.Logger) bool
 }
 
 func fetchImageDigest(ref string) (string, error) {
-	parsedRef, err := name.ParseReference(ref)
+	_, desc, err := registryclient.Get(ref)
 	if err != nil {
-		return "", fmt.Errorf("failed to parse image reference: %s, error: %v", ref, err)
+		return "", err
 	}
-
-	desc, err := remote.Get(parsedRef, remote.WithAuthFromKeychain(registryclient.DefaultKeychain))
-	if err != nil {
-		return "", fmt.Errorf("failed to fetch image reference: %s, error: %v", ref, err)
-	}
-
 	return desc.Digest.String(), nil
 }
 

pkg/engine/jsonContext.go

@@ -5,8 +5,6 @@ import (
 	"fmt"
 
 	"github.com/go-logr/logr"
-	"github.com/google/go-containerregistry/pkg/name"
-	"github.com/google/go-containerregistry/pkg/v1/remote"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/store"
 	jmespath "github.com/kyverno/kyverno/pkg/engine/jmespath"
@@ -135,11 +133,6 @@ func loadVariable(logger logr.Logger, entry kyvernov1.ContextEntry, ctx *PolicyC
 }
 
 func loadImageData(logger logr.Logger, entry kyvernov1.ContextEntry, ctx *PolicyContext) error {
-	if len(registryclient.Secrets) > 0 {
-		if err := registryclient.UpdateKeychain(); err != nil {
-			return fmt.Errorf("unable to load image registry credentials, %w", err)
-		}
-	}
 	imageData, err := fetchImageData(logger, entry, ctx)
 	if err != nil {
 		return err
@@ -182,13 +175,9 @@ func fetchImageData(logger logr.Logger, entry kyvernov1.ContextEntry, ctx *Polic
 
 // FetchImageDataMap fetches image information from the remote registry.
 func fetchImageDataMap(ref string) (interface{}, error) {
-	parsedRef, err := name.ParseReference(ref)
+	parsedRef, desc, err := registryclient.Get(ref)
 	if err != nil {
-		return nil, fmt.Errorf("failed to parse image reference: %s, error: %v", ref, err)
+		return nil, err
-	}
-	desc, err := remote.Get(parsedRef, remote.WithAuthFromKeychain(registryclient.DefaultKeychain))
-	if err != nil {
-		return nil, fmt.Errorf("failed to fetch image reference: %s, error: %v", ref, err)
 	}
 	image, err := desc.Image()
 	if err != nil {

pkg/registryclient/client.go

@@ -2,6 +2,7 @@ package registryclient
 
 import (
 	"context"
+	"fmt"
 	"io/ioutil"
 
 	ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
@@ -9,18 +10,19 @@ import (
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/authn/github"
 	kauth "github.com/google/go-containerregistry/pkg/authn/kubernetes"
+	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/google"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/pkg/errors"
 	"k8s.io/client-go/kubernetes"
 )
 
 var (
-	Secrets []string
+	isLocal         bool
-
+	secrets         []string
-	kubeClient     kubernetes.Interface
+	kubeClient      kubernetes.Interface
-	namespace      string
+	namespace       string
-	serviceAccount string
+	serviceAccount  string
-
 	defaultKeychain = authn.NewMultiKeychain(
 		authn.DefaultKeychain,
 		google.Keychain,
@@ -28,47 +30,63 @@ var (
 		authn.NewKeychainFromHelper(credhelper.NewACRCredentialsHelper()),
 		github.Keychain,
 	)
-
-	DefaultKeychain = defaultKeychain
 )
 
 // InitializeLocal loads the docker credentials and initializes the default auth method for container registry API calls
 func InitializeLocal() {
-	DefaultKeychain = authn.DefaultKeychain
+	isLocal = true
 }
 
 // Initialize loads the image pull secrets and initializes the default auth method for container registry API calls
 func Initialize(client kubernetes.Interface, ns, sa string, imagePullSecrets []string) error {
+	isLocal = false
 	kubeClient = client
 	namespace = ns
 	serviceAccount = sa
-	Secrets = imagePullSecrets
+	secrets = imagePullSecrets
+	_, err := getKeychain()
+	return err
+}
 
-	var kc authn.Keychain
+func getKeychain() (authn.Keychain, error) {
+	if isLocal {
+		return authn.DefaultKeychain, nil
+	}
+	if len(secrets) == 0 {
+		return defaultKeychain, nil
+	}
 	kcOpts := kauth.Options{
 		Namespace:          namespace,
 		ServiceAccountName: serviceAccount,
-		ImagePullSecrets:   imagePullSecrets,
+		ImagePullSecrets:   secrets,
 	}
-
+	kc, err := kauth.New(context.Background(), kubeClient, kcOpts)
-	kc, err := kauth.New(context.Background(), client, kcOpts)
 	if err != nil {
-		return errors.Wrap(err, "failed to initialize registry keychain")
+		return nil, errors.Wrap(err, "failed to initialize registry keychain")
 	}
-
+	return authn.NewMultiKeychain(defaultKeychain, kc), nil
-	DefaultKeychain = authn.NewMultiKeychain(
-		defaultKeychain,
-		kc,
-	)
-
-	return nil
 }
 
-// UpdateKeychain reinitializes the image pull secrets and default auth method for container registry API calls
+func Get(ref string) (name.Reference, *remote.Descriptor, error) {
-func UpdateKeychain() error {
+	parsedRef, err := name.ParseReference(ref)
-	err := Initialize(kubeClient, namespace, serviceAccount, Secrets)
 	if err != nil {
-		return err
+		return nil, nil, fmt.Errorf("failed to parse image reference: %s, error: %v", ref, err)
 	}
-	return nil
+	kc, err := getKeychain()
+	if err != nil {
+		return nil, nil, err
+	}
+	desc, err := remote.Get(parsedRef, remote.WithAuthFromKeychain(kc))
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to fetch image reference: %s, error: %v", ref, err)
+	}
+	return parsedRef, desc, nil
+}
+
+func GetOptions() (remote.Option, error) {
+	kc, err := getKeychain()
+	if err != nil {
+		return nil, err
+	}
+	return remote.WithAuthFromKeychain(kc), nil
 }