Fix memory leak when updating ggcr keychain (#3088)

Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
2025-03-13 19:28:55 +00:00 · 2022-01-26 20:45:05 +00:00 · 2022-01-26 20:45:05 +00:00 · 2eb8f5f285
commit 2eb8f5f285
parent 7a8c19e0cb
5 changed files with 7 additions and 7 deletions
--- a/go.mod
+++ b/go.mod
@ -56,7 +56,6 @@ require (
 require (
 	github.com/aquilax/truncate v1.0.0
 	github.com/blang/semver/v4 v4.0.0
-	github.com/nsf/jsondiff v0.0.0-20210926074059-1e845ec5d249
 	gopkg.in/inf.v0 v0.9.1
 )

--- a/go.sum
+++ b/go.sum
@ -1268,8 +1268,6 @@ github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxzi
 github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nishanths/predeclared v0.0.0-20200524104333-86fad755b4d3/go.mod h1:nt3d53pc1VYcphSCIaYAJtnPYnr3Zyn8fMq2wvPGPso=
-github.com/nsf/jsondiff v0.0.0-20210926074059-1e845ec5d249 h1:NHrXEjTNQY7P0Zfx1aMrNhpgxHmow66XQtm0aQLY0AE=
-github.com/nsf/jsondiff v0.0.0-20210926074059-1e845ec5d249/go.mod h1:mpRZBD8SJ55OIICQ3iWH0Yz3cjzA61JdqMLoWXeB2+8=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@ -14,8 +14,10 @@ import (

 	"github.com/go-logr/logr"
 	"github.com/google/go-containerregistry/pkg/name"
+	gcrremote "github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/kyverno/kyverno/pkg/engine/common"
+	"github.com/kyverno/kyverno/pkg/registryclient"
 	"github.com/minio/pkg/wildcard"
 	"github.com/pkg/errors"
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
@ -51,7 +53,7 @@ func VerifySignature(opts Options) (digest string, err error) {
 	if err != nil {
 		return "", errors.Wrap(err, "constructing client options")
 	}
-
+	remoteOpts = append(remoteOpts, remote.WithRemoteOptions(gcrremote.WithAuthFromKeychain(registryclient.DefaultKeychain)))
 	cosignOpts := &cosign.CheckOpts{
 		Annotations:        map[string]interface{}{},
 		RegistryClientOpts: remoteOpts,
@ -174,7 +176,7 @@ func FetchAttestations(imageRef string, key string, repository string, log logr.
 	if err != nil {
 		return nil, errors.Wrap(err, "constructing client options")
 	}
-
+	opts = append(opts, remote.WithRemoteOptions(gcrremote.WithAuthFromKeychain(registryclient.DefaultKeychain)))
 	if repository != "" {
 		signatureRepo, err := name.NewRepository(repository)
 		if err != nil {
--- a/pkg/engine/jsonContext.go
+++ b/pkg/engine/jsonContext.go
@ -113,7 +113,7 @@ func fetchImageDataMap(ref string) (interface{}, error) {
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse image reference: %s, error: %v", ref, err)
 	}
-	desc, err := remote.Get(parsedRef)
+	desc, err := remote.Get(parsedRef, remote.WithAuthFromKeychain(registryclient.DefaultKeychain))
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch image reference: %s, error: %v", ref, err)
 	}
--- a/pkg/registryclient/client.go
+++ b/pkg/registryclient/client.go
@ -15,6 +15,7 @@ var (
 	kubeClient            kubernetes.Interface
 	kyvernoNamespace      string
 	kyvernoServiceAccount string
+	DefaultKeychain       authn.Keychain
 )

 // Initialize loads the image pull secrets and initializes the default auth method for container registry API calls
@ -36,7 +37,7 @@ func Initialize(client kubernetes.Interface, namespace, serviceAccount string, i
 		return errors.Wrap(err, "failed to initialize registry keychain")
 	}

-	authn.DefaultKeychain = kc
+	DefaultKeychain = kc
 	return nil
 }