Enable flexible registry credential configurations (#7114)

* types added

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* added secret fetching and client creation

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* codegen

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fixed tests

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* validate target resource scope & namespace settings (#7098)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: mutation code (#7095)

* fix: mutation code

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* kuttl tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* lazy loading of context vars (#7071)

* lazy loading of context vars

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* gofumpt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add kuttl tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

---------

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* moved to policy context

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* removed errors

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* RegistryClientLoader

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* [Feature] Add kuttl tests with policy exceptions disabled (#7117)

* added tests

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

* removed redundant code

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

* fix

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

* fix

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

* typo fix and README changes

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

* fix

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

---------

Signed-off-by: Ved Ratan <vedratan8@gmail.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* Conditions message (#7113)

* add message to conditions

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* extend tests

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

---------

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump zgosalvez/github-actions-ensure-sha-pinned-actions (#7123)

Bumps [zgosalvez/github-actions-ensure-sha-pinned-actions](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions) from 2.1.2 to 2.1.3.
- [Release notes](https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions/releases)
- [Commits](21991cec25...555a30da26)

---
updated-dependencies:
- dependency-name: zgosalvez/github-actions-ensure-sha-pinned-actions
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: shuting <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump sigs.k8s.io/kustomize/kyaml from 0.14.1 to 0.14.2 (#7121)

Bumps [sigs.k8s.io/kustomize/kyaml](https://github.com/kubernetes-sigs/kustomize) from 0.14.1 to 0.14.2.
- [Release notes](https://github.com/kubernetes-sigs/kustomize/releases)
- [Commits](https://github.com/kubernetes-sigs/kustomize/compare/kyaml/v0.14.1...kyaml/v0.14.2)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/kustomize/kyaml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: shuting <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump oras.land/oras-go/v2 from 2.0.2 to 2.1.0 (#7102)

Bumps [oras.land/oras-go/v2](https://github.com/oras-project/oras-go) from 2.0.2 to 2.1.0.
- [Release notes](https://github.com/oras-project/oras-go/releases)
- [Commits](https://github.com/oras-project/oras-go/compare/v2.0.2...v2.1.0)

---
updated-dependencies:
- dependency-name: oras.land/oras-go/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: shuting <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* add condition msg to v2beta1 (#7126)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* feat: print container flags and their values (#7127)

* add condition msg to v2beta1

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* print flags settings

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* remove the container flag genWorker from the admission controller (#7132)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump google.golang.org/grpc from 1.54.0 to 1.55.0 (#7103)

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.54.0 to 1.55.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.54.0...v1.55.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* remove the duplicate entry (#7125)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump sigs.k8s.io/kustomize/api from 0.13.2 to 0.13.3 (#7120)

Bumps [sigs.k8s.io/kustomize/api](https://github.com/kubernetes-sigs/kustomize) from 0.13.2 to 0.13.3.
- [Release notes](https://github.com/kubernetes-sigs/kustomize/releases)
- [Commits](https://github.com/kubernetes-sigs/kustomize/compare/api/v0.13.2...api/v0.13.3)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/kustomize/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: shuting <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* update background scan logging messages (#7142)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* Update chart with v2 to v3 migration guidance. (#7144)

* add Saxo Bank and Velux as adopters

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* update chart README and validations

Signed-off-by: Chip Zoller <chipzoller@gmail.com>

* codegen

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Chip Zoller <chipzoller@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* add Controller Internals info (#7147)

Signed-off-by: Chip Zoller <chipzoller@gmail.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* Supporting ValidatingAdmissionPolicy in kyverno cli (apply and test command) (#6656)

* feat: add policy reporter to the dev lab

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* refactor: remove obsolete structs from CLI

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* more

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* codegen

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* Supporting ValidatingAdmissionPolicy in kyverno apply

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* chore: bump k8s from v0.26.3 to v0.27.0-rc.0

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Support validating admission policy in kyverno apply

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Support validating admission policy in kyverno test

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* refactoring

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Adding kyverno apply tests for validating admission policy

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* fix

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* fix

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* running codegen-all

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* fix

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Adding IsVap field in TestResults

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* chore: bump k8s from v0.27.0-rc.0 to v0.27.1

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* fix

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* fix

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Fix vap in engine response

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* codegen

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump sigs.k8s.io/kustomize/api from 0.13.3 to 0.13.4 (#7150)

Bumps [sigs.k8s.io/kustomize/api](https://github.com/kubernetes-sigs/kustomize) from 0.13.3 to 0.13.4.
- [Release notes](https://github.com/kubernetes-sigs/kustomize/releases)
- [Commits](https://github.com/kubernetes-sigs/kustomize/compare/api/v0.13.3...api/v0.13.4)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/kustomize/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump golang.org/x/crypto from 0.8.0 to 0.9.0 (#7149)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.8.0 to 0.9.0.
- [Commits](https://github.com/golang/crypto/compare/v0.8.0...v0.9.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* Added `omit-events` flag to allow disabling of event emission  (#7010)

* added comma seperated flag

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* reason added in logs

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* added requested changes

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* kuttl test init

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* updated kuttl tests

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* updated behavior

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fixed flawed behavior

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* updated test location and added readme

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* tests

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* updated step

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* omit events

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

---------

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: let reports controller quit when loosing the lead (#7153)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump slsa-framework/slsa-github-generator (#7160)

Bumps [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](https://github.com/slsa-framework/slsa-github-generator/compare/v1.5.0...v1.6.0)

---
updated-dependencies:
- dependency-name: slsa-framework/slsa-github-generator
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore: bump otel deps (#7152)

* chore: bump otel deps

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump github.com/cloudflare/circl from 1.3.2 to 1.3.3 (#7172)

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump github.com/docker/distribution (#7171)

Bumps [github.com/docker/distribution](https://github.com/docker/distribution) from 2.8.1+incompatible to 2.8.2+incompatible.
- [Release notes](https://github.com/docker/distribution/releases)
- [Commits](https://github.com/docker/distribution/compare/v2.8.1...v2.8.2)

---
updated-dependencies:
- dependency-name: github.com/docker/distribution
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump github.com/go-logr/zapr from 1.2.3 to 1.2.4 (#7177)

Bumps [github.com/go-logr/zapr](https://github.com/go-logr/zapr) from 1.2.3 to 1.2.4.
- [Release notes](https://github.com/go-logr/zapr/releases)
- [Commits](https://github.com/go-logr/zapr/compare/v1.2.3...v1.2.4)

---
updated-dependencies:
- dependency-name: github.com/go-logr/zapr
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* Add refactor note (#7169)

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fixed typo in the v2 to v3 helm migration guide (#7163)

* fixed typo in the v2 to v3 helm migration guide

Signed-off-by: Richard Parke <richardparke15@gmail.com>

* codegen

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Richard Parke <richardparke15@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump github.com/distribution/distribution (#7178)

Bumps [github.com/distribution/distribution](https://github.com/distribution/distribution) from 2.8.1+incompatible to 2.8.2+incompatible.
- [Release notes](https://github.com/distribution/distribution/releases)
- [Commits](https://github.com/distribution/distribution/compare/v2.8.1...v2.8.2)

---
updated-dependencies:
- dependency-name: github.com/distribution/distribution
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* tweaks (#7166)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* feat: add logging feature to helm chart (#7181)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* refactor: hide json context from caller (#7139)

* refactor: hide json context from caller

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* unit tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* feat: add omit-events feature in helm chart (#7185)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: preconditions in mutate existing rules (#7183)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: use structured jsonpatch instead of byte arrays (#7186)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* added secret lister

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* changes from review

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* added rclientloader to policy context

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* refactor changes

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* NIT

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* added RegistryClientLoaderNewOrDie to policy context

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* CI fixes

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: panic for policy variable validation (#7079)

* fix panic

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* check errors

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: remove policy-reporter from dev lab (#7196)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: cleanup controller metrics name (#7198)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: http request metrics (#7197)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* remove unused code (#7203)

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* handle Deny rules where conditions eval to true (#7204)

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* [Bug] Enforce message wrong (#7208)

* fix

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

* fixed tests

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

---------

Signed-off-by: Ved Ratan <vedratan8@gmail.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump codecov/codecov-action from 3.1.3 to 3.1.4 (#7207)

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 3.1.3 to 3.1.4.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](894ff025c7...eaaf4bedf3)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump sigstore/cosign-installer from 3.0.3 to 3.0.4 (#7215)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](204a51a57a...03d0fecf17)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: panic in reports controller (#7220)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: mutate existing auth check (#7219)

* fix auth check when using variables in ns

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add kuttl tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: do not exclude kube-system service accounts by default (#7225)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* docs: add reports system design doc (#6949)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump k8s.io/apimachinery from 0.27.1 to 0.27.2 (#7227)

Bumps [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) from 0.27.1 to 0.27.2.
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.27.1...v0.27.2)

---
updated-dependencies:
- dependency-name: k8s.io/apimachinery
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: shuting <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump k8s.io/cli-runtime from 0.27.1 to 0.27.2 (#7228)

Bumps [k8s.io/cli-runtime](https://github.com/kubernetes/cli-runtime) from 0.27.1 to 0.27.2.
- [Commits](https://github.com/kubernetes/cli-runtime/compare/v0.27.1...v0.27.2)

---
updated-dependencies:
- dependency-name: k8s.io/cli-runtime
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump sigstore/cosign-installer from 3.0.4 to 3.0.5 (#7229)

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.4 to 3.0.5.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](03d0fecf17...dd6b2e2b61)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump k8s.io/pod-security-admission from 0.27.1 to 0.27.2 (#7232)

Bumps [k8s.io/pod-security-admission](https://github.com/kubernetes/pod-security-admission) from 0.27.1 to 0.27.2.
- [Commits](https://github.com/kubernetes/pod-security-admission/compare/v0.27.1...v0.27.2)

---
updated-dependencies:
- dependency-name: k8s.io/pod-security-admission
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: match logic misbehave (#7218)

* add rule name in ur for mutate existing

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix match logic

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* linter fixes

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix the match logic to only apply to the new object, unless it's a delete request

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#7240)

Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.2 to 1.8.3.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.8.2...v1.8.3)

---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump github.com/onsi/gomega from 1.27.6 to 1.27.7 (#7239)

Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.27.6 to 1.27.7.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.27.6...v1.27.7)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump k8s.io/kube-aggregator from 0.27.1 to 0.27.2 (#7241)

Bumps [k8s.io/kube-aggregator](https://github.com/kubernetes/kube-aggregator) from 0.27.1 to 0.27.2.
- [Commits](https://github.com/kubernetes/kube-aggregator/compare/v0.27.1...v0.27.2)

---
updated-dependencies:
- dependency-name: k8s.io/kube-aggregator
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump k8s.io/apiextensions-apiserver from 0.27.1 to 0.27.2 (#7242)

Bumps [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) from 0.27.1 to 0.27.2.
- [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases)
- [Commits](https://github.com/kubernetes/apiextensions-apiserver/compare/v0.27.1...v0.27.2)

---
updated-dependencies:
- dependency-name: k8s.io/apiextensions-apiserver
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* passing rclientloader directly

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* lazy evaluate vars in conditions (#7238)

* lazy evaluate vars in conditions

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove unnecessary conversion

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Update test/conformance/kuttl/validate/clusterpolicy/standard/variables/lazyload/conditions/03-manifests.yaml

Signed-off-by: shuting <shutting06@gmail.com>

* Update test/conformance/kuttl/validate/clusterpolicy/standard/variables/lazyload/README.md

Signed-off-by: shuting <shutting06@gmail.com>

* added error check in test

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

---------

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: shuting <shutting06@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: kyverno-bot <104836976+kyverno-bot@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* quote image in error (#7259)

Signed-off-by: bakito <github@bakito.ch>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: auto update webhooks not configuring fail endpoint (#7261)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix latest version check (#7263)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump svenstaro/upload-release-action from 2.5.0 to 2.6.0 (#7270)

Bumps [svenstaro/upload-release-action](https://github.com/svenstaro/upload-release-action) from 2.5.0 to 2.6.0.
- [Release notes](https://github.com/svenstaro/upload-release-action/releases)
- [Changelog](https://github.com/svenstaro/upload-release-action/blob/master/CHANGELOG.md)
- [Commits](7319e4733e...58d5258088)

---
updated-dependencies:
- dependency-name: svenstaro/upload-release-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump sigs.k8s.io/controller-runtime from 0.14.6 to 0.15.0 (#7272)

Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.14.6 to 0.15.0.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.14.6...v0.15.0)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat: add yaml util to check empty document (#7276)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#7274)

Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* NIT

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* Azure to ACR

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* go mod fix

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* codegen

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* NIT

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* adding kuttl test

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* use pointer

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fixes

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* cleanup

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* global client

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* cleanup

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* added kubeclient

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* added nil kubeclient check

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* context

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* factory

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* more fixes

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* secrets lister

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* flags

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix cli

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix kuttl test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix kuttl test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix kuttl test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* kuttl test

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* factories

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Ved Ratan <vedratan8@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
Signed-off-by: Richard Parke <richardparke15@gmail.com>
Signed-off-by: shuting <shutting06@gmail.com>
Signed-off-by: bakito <github@bakito.ch>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Ved Ratan <82467006+VedRatan@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Chip Zoller <chipzoller@gmail.com>
Co-authored-by: Mariam Fahmy <55502281+MariamFahmy98@users.noreply.github.com>
Co-authored-by: rparke <50015370+rparke@users.noreply.github.com>
Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: kyverno-bot <104836976+kyverno-bot@users.noreply.github.com>
Co-authored-by: Marc Brugger <github@bakito.ch>

api/kyverno/v1/common_types.go

@@ -118,6 +118,10 @@ type ImageRegistry struct {
 	// the image reference.
 	// +optional
 	JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
+
+	// ImageRegistryCredentials provides credentials that will be used for authentication with registry
+	// +kubebuilder:validation:Optional
+	ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`
 }
 
 // ConfigMapReference refers to a ConfigMap

api/kyverno/v1/image_verification_types.go

@@ -13,9 +13,19 @@ import (
 // +kubebuilder:default=Cosign
 type ImageVerificationType string
 
+// ImageRegistryCredentialsHelpersType provides the list of credential helpers required.
+// +kubebuilder:validation:Enum=default;amazon;azure;google;github
+type ImageRegistryCredentialsHelpersType string
+
 const (
 	Cosign ImageVerificationType = "Cosign"
 	Notary ImageVerificationType = "Notary"
+
+	DEFAULT ImageRegistryCredentialsHelpersType = "default"
+	AWS     ImageRegistryCredentialsHelpersType = "amazon"
+	ACR     ImageRegistryCredentialsHelpersType = "azure"
+	GCP     ImageRegistryCredentialsHelpersType = "google"
+	GHCR    ImageRegistryCredentialsHelpersType = "github"
 )
 
 // ImageVerification validates that images that match the specified pattern
@@ -95,6 +105,10 @@ type ImageVerification struct {
 	// +kubebuilder:default=true
 	// +kubebuilder:validation:Optional
 	Required bool `json:"required" yaml:"required"`
+
+	// ImageRegistryCredentials provides credentials that will be used for authentication with registry
+	// +kubebuilder:validation:Optional
+	ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`
 }
 
 type AttestorSet struct {
@@ -254,6 +268,22 @@ type Attestation struct {
 	Conditions []AnyAllConditions `json:"conditions,omitempty" yaml:"conditions,omitempty"`
 }
 
+type ImageRegistryCredentials struct {
+	// AllowInsecureRegistry allows insecure access to a registry
+	// +kubebuilder:validation:Optional
+	AllowInsecureRegistry bool `json:"allowInsecureRegistry,omitempty" yaml:"allowInsecureRegistry,omitempty"`
+
+	// Helpers specifies a list of OCI Registry names, whose authentication helpers are provided
+	// It can be of one of these values: AWS, ACR, GCP, GHCR
+	// +kubebuilder:validation:Optional
+	Helpers []ImageRegistryCredentialsHelpersType `json:"helpers,omitempty" yaml:"helpers,omitempty"`
+
+	// Secrets specifies a list of secrets that are provided for credentials
+	// Secrets must live in the Kyverno namespace
+	// +kubebuilder:validation:Optional
+	Secrets []string `json:"secrets,omitempty" yaml:"secrets,omitempty"`
+}
+
 func (iv *ImageVerification) GetType() ImageVerificationType {
 	if iv.Type != "" {
 		return iv.Type

api/kyverno/v1/zz_generated.deepcopy.go

@@ -434,7 +434,7 @@ func (in *ContextEntry) DeepCopyInto(out *ContextEntry) {
 	if in.ImageRegistry != nil {
 		in, out := &in.ImageRegistry, &out.ImageRegistry
 		*out = new(ImageRegistry)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	if in.Variable != nil {
 		in, out := &in.Variable, &out.Variable
@@ -673,6 +673,11 @@ func (in ImageExtractorConfigs) DeepCopy() ImageExtractorConfigs {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImageRegistry) DeepCopyInto(out *ImageRegistry) {
 	*out = *in
+	if in.ImageRegistryCredentials != nil {
+		in, out := &in.ImageRegistryCredentials, &out.ImageRegistryCredentials
+		*out = new(ImageRegistryCredentials)
+		(*in).DeepCopyInto(*out)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageRegistry.
@@ -685,6 +690,31 @@ func (in *ImageRegistry) DeepCopy() *ImageRegistry {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ImageRegistryCredentials) DeepCopyInto(out *ImageRegistryCredentials) {
+	*out = *in
+	if in.Helpers != nil {
+		in, out := &in.Helpers, &out.Helpers
+		*out = make([]ImageRegistryCredentialsHelpersType, len(*in))
+		copy(*out, *in)
+	}
+	if in.Secrets != nil {
+		in, out := &in.Secrets, &out.Secrets
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageRegistryCredentials.
+func (in *ImageRegistryCredentials) DeepCopy() *ImageRegistryCredentials {
+	if in == nil {
+		return nil
+	}
+	out := new(ImageRegistryCredentials)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
 	*out = *in
@@ -721,6 +751,11 @@ func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
 			(*out)[key] = val
 		}
 	}
+	if in.ImageRegistryCredentials != nil {
+		in, out := &in.ImageRegistryCredentials, &out.ImageRegistryCredentials
+		*out = new(ImageRegistryCredentials)
+		(*in).DeepCopyInto(*out)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageVerification.

api/kyverno/v2beta1/image_verification_types.go

@@ -5,16 +5,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 )
 
-// ImageVerificationType selects the type of verification algorithm
-// +kubebuilder:validation:Enum=Cosign;Notary
-// +kubebuilder:default=Cosign
-type ImageVerificationType string
-
-const (
-	Cosign ImageVerificationType = "Cosign"
-	Notary ImageVerificationType = "Notary"
-)
-
 // ImageVerification validates that images that match the specified pattern
 // are signed with the supplied public key. Once the image is verified it is
 // mutated to include the SHA digest retrieved during the registration.
@@ -22,7 +12,7 @@ type ImageVerification struct {
 	// Type specifies the method of signature validation. The allowed options
 	// are Cosign and Notary. By default Cosign is used if a type is not specified.
 	// +kubebuilder:validation:Optional
-	Type ImageVerificationType `json:"type,omitempty" yaml:"type,omitempty"`
+	Type kyvernov1.ImageVerificationType `json:"type,omitempty" yaml:"type,omitempty"`
 
 	// ImageReferences is a list of matching image reference patterns. At least one pattern in the
 	// list must match the image for the rule to apply. Each image reference consists of a registry
@@ -60,6 +50,10 @@ type ImageVerification struct {
 	// +kubebuilder:default=true
 	// +kubebuilder:validation:Optional
 	Required bool `json:"required" yaml:"required"`
+
+	// ImageRegistryCredentials provides credentials that will be used for authentication with registry
+	// +kubebuilder:validation:Optional
+	ImageRegistryCredentials *kyvernov1.ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"`
 }
 
 // Validate implements programmatic validation
@@ -86,7 +80,7 @@ func (iv *ImageVerification) Validate(isAuditFailureAction bool, path *field.Pat
 		errs = append(errs, attestorErrors...)
 	}
 
-	if iv.Type == Notary {
+	if iv.Type == kyvernov1.Notary {
 		for _, attestorSet := range iv.Attestors {
 			for _, attestor := range attestorSet.Entries {
 				if attestor.Keyless != nil {

api/kyverno/v2beta1/zz_generated.deepcopy.go

@@ -184,6 +184,11 @@ func (in *ImageVerification) DeepCopyInto(out *ImageVerification) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.ImageRegistryCredentials != nil {
+		in, out := &in.ImageRegistryCredentials, &out.ImageRegistryCredentials
+		*out = new(v1.ImageRegistryCredentials)
+		(*in).DeepCopyInto(*out)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageVerification.

cmd/background-controller/main.go

@@ -23,7 +23,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/logging"
 	"github.com/kyverno/kyverno/pkg/metrics"
 	"github.com/kyverno/kyverno/pkg/policy"
-	"github.com/kyverno/kyverno/pkg/registryclient"
 	kubeinformers "k8s.io/client-go/informers"
 	kyamlopenapi "sigs.k8s.io/kustomize/kyaml/openapi"
 )
@@ -39,7 +38,6 @@ func createrLeaderControllers(
 	kyvernoInformer kyvernoinformer.SharedInformerFactory,
 	kyvernoClient versioned.Interface,
 	dynamicClient dclient.Interface,
-	rclient registryclient.Client,
 	configuration config.Configuration,
 	metricsConfig metrics.MetricsConfigManager,
 	eventGenerator event.Interface,
@@ -160,6 +158,7 @@ func main() {
 		setup.RegistryClient,
 		setup.KubeClient,
 		setup.KyvernoClient,
+		setup.RegistrySecretLister,
 	)
 	// start informers and wait for cache sync
 	if !internal.StartInformersAndWaitForCacheSync(signalCtx, setup.Logger, kyvernoInformer) {
@@ -189,7 +188,6 @@ func main() {
 				kyvernoInformer,
 				setup.KyvernoClient,
 				setup.KyvernoDynamicClient,
-				setup.RegistryClient,
 				setup.Configuration,
 				setup.MetricsManager,
 				eventGenerator,

cmd/cli/kubectl-kyverno/utils/common/common.go

@@ -848,7 +848,6 @@ func initializeMockController(objects []runtime.Object) (*generate.GenerateContr
 		fmt.Printf("Failed to mock dynamic client")
 		return nil, err
 	}
-
 	client.SetDiscovery(dclient.NewFakeDiscoveryClient(nil))
 	cfg := config.NewDefaultConfiguration(false)
 	c := generate.NewGenerateControllerWithOnlyClient(client, engine.NewEngine(
@@ -857,7 +856,6 @@ func initializeMockController(objects []runtime.Object) (*generate.GenerateContr
 		jmespath.New(cfg),
 		adapters.Client(client),
 		nil,
-		nil,
 		store.ContextLoaderFactory(nil),
 		nil,
 		"",

cmd/cli/kubectl-kyverno/utils/common/kyverno_policies_types.go

@@ -13,6 +13,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/adapters"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
+	"github.com/kyverno/kyverno/pkg/engine/factories"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
@@ -117,8 +118,7 @@ OuterLoop:
 		config.NewDefaultMetricsConfiguration(),
 		jmespath.New(cfg),
 		adapters.Client(c.Client),
-		adapters.ImageDataClient(rclient),
-		rclient,
+		factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
 		store.ContextLoaderFactory(nil),
 		nil,
 		"",

cmd/cli/kubectl-kyverno/utils/store/contextloader.go

@@ -8,6 +8,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/adapters"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
+	"github.com/kyverno/kyverno/pkg/engine/factories"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"github.com/kyverno/kyverno/pkg/logging"
 )
@@ -16,7 +17,7 @@ func ContextLoaderFactory(
 	cmResolver engineapi.ConfigmapResolver,
 ) engineapi.ContextLoaderFactory {
 	return func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) engineapi.ContextLoader {
-		inner := engineapi.DefaultContextLoaderFactory(cmResolver)
+		inner := factories.DefaultContextLoaderFactory(cmResolver)
 		if IsMock() {
 			return &mockContextLoader{
 				logger:     logging.WithName("MockContextLoaderFactory"),
@@ -39,7 +40,7 @@ func (l *mockContextLoader) Load(
 	ctx context.Context,
 	jp jmespath.Interface,
 	client engineapi.RawClient,
-	_ engineapi.ImageDataClient,
+	_ engineapi.RegistryClientFactory,
 	contextEntries []kyvernov1.ContextEntry,
 	jsonContext enginecontext.Interface,
 ) error {
@@ -57,7 +58,7 @@ func (l *mockContextLoader) Load(
 	for _, entry := range contextEntries {
 		if entry.ImageRegistry != nil && hasRegistryAccess {
 			rclient := GetRegistryClient()
-			if err := engineapi.LoadImageData(ctx, jp, adapters.ImageDataClient(rclient), l.logger, entry, jsonContext); err != nil {
+			if err := engineapi.LoadImageData(ctx, jp, factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil), l.logger, entry, jsonContext); err != nil {
 				return err
 			}
 		} else if entry.Variable != nil {

cmd/internal/engine.go

@@ -14,9 +14,11 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/adapters"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
+	"github.com/kyverno/kyverno/pkg/engine/factories"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	"k8s.io/client-go/kubernetes"
+	corev1listers "k8s.io/client-go/listers/core/v1"
 )
 
 func NewEngine(
@@ -29,6 +31,7 @@ func NewEngine(
 	rclient registryclient.Client,
 	kubeClient kubernetes.Interface,
 	kyvernoClient versioned.Interface,
+	secretLister corev1listers.SecretNamespaceLister,
 ) engineapi.Engine {
 	configMapResolver := NewConfigMapResolver(ctx, logger, kubeClient, 15*time.Minute)
 	exceptionsSelector := NewExceptionSelector(ctx, logger, kyvernoClient, 15*time.Minute)
@@ -39,9 +42,8 @@ func NewEngine(
 		metricsConfiguration,
 		jp,
 		adapters.Client(client),
-		adapters.ImageDataClient(rclient),
-		rclient,
-		engineapi.DefaultContextLoaderFactory(configMapResolver),
+		factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), secretLister),
+		factories.DefaultContextLoaderFactory(configMapResolver),
 		exceptionsSelector,
 		imageSignatureRepository,
 	)

cmd/internal/registry.go

@@ -10,22 +10,23 @@ import (
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	kubeinformers "k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
+	corev1listers "k8s.io/client-go/listers/core/v1"
 )
 
-func setupRegistryClient(ctx context.Context, logger logr.Logger, client kubernetes.Interface) registryclient.Client {
+func setupRegistryClient(ctx context.Context, logger logr.Logger, client kubernetes.Interface) (registryclient.Client, corev1listers.SecretNamespaceLister) {
 	logger = logger.WithName("registry-client").WithValues("secrets", imagePullSecrets, "insecure", allowInsecureRegistry)
 	logger.Info("setup registry client...")
+	factory := kubeinformers.NewSharedInformerFactoryWithOptions(client, resyncPeriod, kubeinformers.WithNamespace(config.KyvernoNamespace()))
+	secretLister := factory.Core().V1().Secrets().Lister().Secrets(config.KyvernoNamespace())
+	// start informers and wait for cache sync
+	if !StartInformersAndWaitForCacheSync(ctx, logger, factory) {
+		checkError(logger, errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
+	}
 	registryOptions := []registryclient.Option{
 		registryclient.WithTracing(),
 	}
 	secrets := strings.Split(imagePullSecrets, ",")
 	if imagePullSecrets != "" && len(secrets) > 0 {
-		factory := kubeinformers.NewSharedInformerFactoryWithOptions(client, resyncPeriod, kubeinformers.WithNamespace(config.KyvernoNamespace()))
-		secretLister := factory.Core().V1().Secrets().Lister().Secrets(config.KyvernoNamespace())
-		// start informers and wait for cache sync
-		if !StartInformersAndWaitForCacheSync(ctx, logger, factory) {
-			checkError(logger, errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
-		}
 		registryOptions = append(registryOptions, registryclient.WithKeychainPullSecrets(ctx, secretLister, secrets...))
 	}
 	if allowInsecureRegistry {
@@ -36,5 +37,5 @@ func setupRegistryClient(ctx context.Context, logger logr.Logger, client kuberne
 	}
 	registryClient, err := registryclient.New(registryOptions...)
 	checkError(logger, err, "failed to create registry client")
-	return registryClient
+	return registryClient, secretLister
 }

cmd/internal/setup.go

@@ -15,6 +15,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"github.com/kyverno/kyverno/pkg/metrics"
 	"github.com/kyverno/kyverno/pkg/registryclient"
+	corev1listers "k8s.io/client-go/listers/core/v1"
 )
 
 func shutdown(logger logr.Logger, sdowns ...context.CancelFunc) context.CancelFunc {
@@ -37,6 +38,7 @@ type SetupResult struct {
 	KubeClient           kubeclient.UpstreamInterface
 	LeaderElectionClient kubeclient.UpstreamInterface
 	RegistryClient       registryclient.Client
+	RegistrySecretLister corev1listers.SecretNamespaceLister
 	KyvernoClient        kyvernoclient.UpstreamInterface
 	DynamicClient        dynamicclient.UpstreamInterface
 	ApiServerClient      apiserverclient.UpstreamInterface
@@ -59,8 +61,9 @@ func Setup(config Configuration, name string, skipResourceFilters bool) (context
 	configuration := startConfigController(ctx, logger, client, skipResourceFilters)
 	sdownTracing := SetupTracing(logger, name, client)
 	var registryClient registryclient.Client
+	var registrySecretLister corev1listers.SecretNamespaceLister
 	if config.UsesRegistryClient() {
-		registryClient = setupRegistryClient(ctx, logger, client)
+		registryClient, registrySecretLister = setupRegistryClient(ctx, logger, client)
 	}
 	var leaderElectionClient kubeclient.UpstreamInterface
 	if config.UsesLeaderElection() {
@@ -96,6 +99,7 @@ func Setup(config Configuration, name string, skipResourceFilters bool) (context
 			KubeClient:           client,
 			LeaderElectionClient: leaderElectionClient,
 			RegistryClient:       registryClient,
+			RegistrySecretLister: registrySecretLister,
 			KyvernoClient:        kyvernoClient,
 			DynamicClient:        dynamicClient,
 			ApiServerClient:      apiServerClient,

cmd/kyverno/main.go

@@ -300,6 +300,7 @@ func main() {
 		setup.RegistryClient,
 		setup.KubeClient,
 		setup.KyvernoClient,
+		setup.RegistrySecretLister,
 	)
 	// create non leader controllers
 	nonLeaderControllers, nonLeaderBootstrap := createNonLeaderControllers(
@@ -414,7 +415,6 @@ func main() {
 		engine,
 		setup.KyvernoDynamicClient,
 		setup.KyvernoClient,
-		setup.RegistryClient,
 		setup.Configuration,
 		setup.MetricsManager,
 		policyCache,

cmd/reports-controller/main.go

@@ -23,7 +23,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/leaderelection"
 	"github.com/kyverno/kyverno/pkg/logging"
-	"github.com/kyverno/kyverno/pkg/registryclient"
 	kubeinformers "k8s.io/client-go/informers"
 	metadatainformers "k8s.io/client-go/metadata/metadatainformer"
 	kyamlopenapi "sigs.k8s.io/kustomize/kyaml/openapi"
@@ -41,7 +40,6 @@ func createReportControllers(
 	backgroundScanWorkers int,
 	client dclient.Interface,
 	kyvernoClient versioned.Interface,
-	rclient registryclient.Client,
 	metadataFactory metadatainformers.SharedInformerFactory,
 	kubeInformer kubeinformers.SharedInformerFactory,
 	kyvernoInformer kyvernoinformer.SharedInformerFactory,
@@ -132,7 +130,6 @@ func createrLeaderControllers(
 	metadataInformer metadatainformers.SharedInformerFactory,
 	kyvernoClient versioned.Interface,
 	dynamicClient dclient.Interface,
-	rclient registryclient.Client,
 	configuration config.Configuration,
 	jp jmespath.Interface,
 	eventGenerator event.Interface,
@@ -146,7 +143,6 @@ func createrLeaderControllers(
 		backgroundScanWorkers,
 		dynamicClient,
 		kyvernoClient,
-		rclient,
 		metadataInformer,
 		kubeInformer,
 		kyvernoInformer,
@@ -233,6 +229,7 @@ func main() {
 		setup.RegistryClient,
 		setup.KubeClient,
 		setup.KyvernoClient,
+		setup.RegistrySecretLister,
 	)
 	// start informers and wait for cache sync
 	if !internal.StartInformersAndWaitForCacheSync(ctx, setup.Logger, kyvernoInformer) {
@@ -269,7 +266,6 @@ func main() {
 				metadataInformer,
 				setup.KyvernoClient,
 				setup.KyvernoDynamicClient,
-				setup.RegistryClient,
 				setup.Configuration,
 				setup.Jp,
 				eventGenerator,

config/crds/kyverno.io_cleanuppolicies.yaml

@@ -220,6 +220,37 @@ spec:
                       description: ImageRegistry defines requests to an OCI/Docker
                         V2 registry to fetch image details.
                       properties:
+                        imageRegistryCredentials:
+                          description: ImageRegistryCredentials provides credentials
+                            that will be used for authentication with registry
+                          properties:
+                            allowInsecureRegistry:
+                              description: AllowInsecureRegistry allows insecure access
+                                to a registry
+                              type: boolean
+                            helpers:
+                              description: 'Helpers specifies a list of OCI Registry
+                                names, whose authentication helpers are provided It
+                                can be of one of these values: AWS, ACR, GCP, GHCR'
+                              items:
+                                description: ImageRegistryCredentialsHelpersType provides
+                                  the list of credential helpers required.
+                                enum:
+                                - default
+                                - amazon
+                                - azure
+                                - google
+                                - github
+                                type: string
+                              type: array
+                            secrets:
+                              description: Secrets specifies a list of secrets that
+                                are provided for credentials Secrets must live in
+                                the Kyverno namespace
+                              items:
+                                type: string
+                              type: array
+                          type: object
                         jmesPath:
                           description: JMESPath is an optional JSON Match Expression
                             that can be used to transform the ImageData struct returned

config/crds/kyverno.io_clustercleanuppolicies.yaml

@@ -220,6 +220,37 @@ spec:
                       description: ImageRegistry defines requests to an OCI/Docker
                         V2 registry to fetch image details.
                       properties:
+                        imageRegistryCredentials:
+                          description: ImageRegistryCredentials provides credentials
+                            that will be used for authentication with registry
+                          properties:
+                            allowInsecureRegistry:
+                              description: AllowInsecureRegistry allows insecure access
+                                to a registry
+                              type: boolean
+                            helpers:
+                              description: 'Helpers specifies a list of OCI Registry
+                                names, whose authentication helpers are provided It
+                                can be of one of these values: AWS, ACR, GCP, GHCR'
+                              items:
+                                description: ImageRegistryCredentialsHelpersType provides
+                                  the list of credential helpers required.
+                                enum:
+                                - default
+                                - amazon
+                                - azure
+                                - google
+                                - github
+                                type: string
+                              type: array
+                            secrets:
+                              description: Secrets specifies a list of secrets that
+                                are provided for credentials Secrets must live in
+                                the Kyverno namespace
+                              items:
+                                type: string
+                              type: array
+                          type: object
                         jmesPath:
                           description: JMESPath is an optional JSON Match Expression
                             that can be used to transform the ImageData struct returned

config/crds/kyverno.io_clusterpolicies.yaml

@@ -258,6 +258,38 @@ spec:
                             description: ImageRegistry defines requests to an OCI/Docker
                               V2 registry to fetch image details.
                             properties:
+                              imageRegistryCredentials:
+                                description: ImageRegistryCredentials provides credentials
+                                  that will be used for authentication with registry
+                                properties:
+                                  allowInsecureRegistry:
+                                    description: AllowInsecureRegistry allows insecure
+                                      access to a registry
+                                    type: boolean
+                                  helpers:
+                                    description: 'Helpers specifies a list of OCI
+                                      Registry names, whose authentication helpers
+                                      are provided It can be of one of these values:
+                                      AWS, ACR, GCP, GHCR'
+                                    items:
+                                      description: ImageRegistryCredentialsHelpersType
+                                        provides the list of credential helpers required.
+                                      enum:
+                                      - default
+                                      - amazon
+                                      - azure
+                                      - google
+                                      - github
+                                      type: string
+                                    type: array
+                                  secrets:
+                                    description: Secrets specifies a list of secrets
+                                      that are provided for credentials Secrets must
+                                      live in the Kyverno namespace
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
                               jmesPath:
                                 description: JMESPath is an optional JSON Match Expression
                                   that can be used to transform the ImageData struct
@@ -1923,6 +1955,41 @@ spec:
                                         to an OCI/Docker V2 registry to fetch image
                                         details.
                                       properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                         jmesPath:
                                           description: JMESPath is an optional JSON
                                             Match Expression that can be used to transform
@@ -2221,6 +2288,41 @@ spec:
                                         to an OCI/Docker V2 registry to fetch image
                                         details.
                                       properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                         jmesPath:
                                           description: JMESPath is an optional JSON
                                             Match Expression that can be used to transform
@@ -2620,6 +2722,41 @@ spec:
                                         to an OCI/Docker V2 registry to fetch image
                                         details.
                                       properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                         jmesPath:
                                           description: JMESPath is an optional JSON
                                             Match Expression that can be used to transform
@@ -3708,6 +3845,38 @@ spec:
                             items:
                               type: string
                             type: array
+                          imageRegistryCredentials:
+                            description: ImageRegistryCredentials provides credentials
+                              that will be used for authentication with registry
+                            properties:
+                              allowInsecureRegistry:
+                                description: AllowInsecureRegistry allows insecure
+                                  access to a registry
+                                type: boolean
+                              helpers:
+                                description: 'Helpers specifies a list of OCI Registry
+                                  names, whose authentication helpers are provided
+                                  It can be of one of these values: AWS, ACR, GCP,
+                                  GHCR'
+                                items:
+                                  description: ImageRegistryCredentialsHelpersType
+                                    provides the list of credential helpers required.
+                                  enum:
+                                  - default
+                                  - amazon
+                                  - azure
+                                  - google
+                                  - github
+                                  type: string
+                                type: array
+                              secrets:
+                                description: Secrets specifies a list of secrets that
+                                  are provided for credentials Secrets must live in
+                                  the Kyverno namespace
+                                items:
+                                  type: string
+                                type: array
+                            type: object
                           issuer:
                             description: Issuer is the certificate issuer used for
                               keyless signing. Deprecated. Use KeylessAttestor instead.
@@ -4013,6 +4182,40 @@ spec:
                                 description: ImageRegistry defines requests to an
                                   OCI/Docker V2 registry to fetch image details.
                                 properties:
+                                  imageRegistryCredentials:
+                                    description: ImageRegistryCredentials provides
+                                      credentials that will be used for authentication
+                                      with registry
+                                    properties:
+                                      allowInsecureRegistry:
+                                        description: AllowInsecureRegistry allows
+                                          insecure access to a registry
+                                        type: boolean
+                                      helpers:
+                                        description: 'Helpers specifies a list of
+                                          OCI Registry names, whose authentication
+                                          helpers are provided It can be of one of
+                                          these values: AWS, ACR, GCP, GHCR'
+                                        items:
+                                          description: ImageRegistryCredentialsHelpersType
+                                            provides the list of credential helpers
+                                            required.
+                                          enum:
+                                          - default
+                                          - amazon
+                                          - azure
+                                          - google
+                                          - github
+                                          type: string
+                                        type: array
+                                      secrets:
+                                        description: Secrets specifies a list of secrets
+                                          that are provided for credentials Secrets
+                                          must live in the Kyverno namespace
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
                                   jmesPath:
                                     description: JMESPath is an optional JSON Match
                                       Expression that can be used to transform the
@@ -5755,6 +5958,42 @@ spec:
                                             to an OCI/Docker V2 registry to fetch
                                             image details.
                                           properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                             jmesPath:
                                               description: JMESPath is an optional
                                                 JSON Match Expression that can be
@@ -6067,6 +6306,42 @@ spec:
                                             to an OCI/Docker V2 registry to fetch
                                             image details.
                                           properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                             jmesPath:
                                               description: JMESPath is an optional
                                                 JSON Match Expression that can be
@@ -6489,6 +6764,42 @@ spec:
                                             to an OCI/Docker V2 registry to fetch
                                             image details.
                                           properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                             jmesPath:
                                               description: JMESPath is an optional
                                                 JSON Match Expression that can be
@@ -7626,6 +7937,38 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              imageRegistryCredentials:
+                                description: ImageRegistryCredentials provides credentials
+                                  that will be used for authentication with registry
+                                properties:
+                                  allowInsecureRegistry:
+                                    description: AllowInsecureRegistry allows insecure
+                                      access to a registry
+                                    type: boolean
+                                  helpers:
+                                    description: 'Helpers specifies a list of OCI
+                                      Registry names, whose authentication helpers
+                                      are provided It can be of one of these values:
+                                      AWS, ACR, GCP, GHCR'
+                                    items:
+                                      description: ImageRegistryCredentialsHelpersType
+                                        provides the list of credential helpers required.
+                                      enum:
+                                      - default
+                                      - amazon
+                                      - azure
+                                      - google
+                                      - github
+                                      type: string
+                                    type: array
+                                  secrets:
+                                    description: Secrets specifies a list of secrets
+                                      that are provided for credentials Secrets must
+                                      live in the Kyverno namespace
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
                               issuer:
                                 description: Issuer is the certificate issuer used
                                   for keyless signing. Deprecated. Use KeylessAttestor
@@ -8028,6 +8371,38 @@ spec:
                             description: ImageRegistry defines requests to an OCI/Docker
                               V2 registry to fetch image details.
                             properties:
+                              imageRegistryCredentials:
+                                description: ImageRegistryCredentials provides credentials
+                                  that will be used for authentication with registry
+                                properties:
+                                  allowInsecureRegistry:
+                                    description: AllowInsecureRegistry allows insecure
+                                      access to a registry
+                                    type: boolean
+                                  helpers:
+                                    description: 'Helpers specifies a list of OCI
+                                      Registry names, whose authentication helpers
+                                      are provided It can be of one of these values:
+                                      AWS, ACR, GCP, GHCR'
+                                    items:
+                                      description: ImageRegistryCredentialsHelpersType
+                                        provides the list of credential helpers required.
+                                      enum:
+                                      - default
+                                      - amazon
+                                      - azure
+                                      - google
+                                      - github
+                                      type: string
+                                    type: array
+                                  secrets:
+                                    description: Secrets specifies a list of secrets
+                                      that are provided for credentials Secrets must
+                                      live in the Kyverno namespace
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
                               jmesPath:
                                 description: JMESPath is an optional JSON Match Expression
                                   that can be used to transform the ImageData struct
@@ -9267,6 +9642,41 @@ spec:
                                         to an OCI/Docker V2 registry to fetch image
                                         details.
                                       properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                         jmesPath:
                                           description: JMESPath is an optional JSON
                                             Match Expression that can be used to transform
@@ -9565,6 +9975,41 @@ spec:
                                         to an OCI/Docker V2 registry to fetch image
                                         details.
                                       properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                         jmesPath:
                                           description: JMESPath is an optional JSON
                                             Match Expression that can be used to transform
@@ -10146,6 +10591,41 @@ spec:
                                         to an OCI/Docker V2 registry to fetch image
                                         details.
                                       properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                         jmesPath:
                                           description: JMESPath is an optional JSON
                                             Match Expression that can be used to transform
@@ -11213,6 +11693,38 @@ spec:
                             items:
                               type: string
                             type: array
+                          imageRegistryCredentials:
+                            description: ImageRegistryCredentials provides credentials
+                              that will be used for authentication with registry
+                            properties:
+                              allowInsecureRegistry:
+                                description: AllowInsecureRegistry allows insecure
+                                  access to a registry
+                                type: boolean
+                              helpers:
+                                description: 'Helpers specifies a list of OCI Registry
+                                  names, whose authentication helpers are provided
+                                  It can be of one of these values: AWS, ACR, GCP,
+                                  GHCR'
+                                items:
+                                  description: ImageRegistryCredentialsHelpersType
+                                    provides the list of credential helpers required.
+                                  enum:
+                                  - default
+                                  - amazon
+                                  - azure
+                                  - google
+                                  - github
+                                  type: string
+                                type: array
+                              secrets:
+                                description: Secrets specifies a list of secrets that
+                                  are provided for credentials Secrets must live in
+                                  the Kyverno namespace
+                                items:
+                                  type: string
+                                type: array
+                            type: object
                           mutateDigest:
                             default: true
                             description: MutateDigest enables replacement of image
@@ -11499,6 +12011,40 @@ spec:
                                 description: ImageRegistry defines requests to an
                                   OCI/Docker V2 registry to fetch image details.
                                 properties:
+                                  imageRegistryCredentials:
+                                    description: ImageRegistryCredentials provides
+                                      credentials that will be used for authentication
+                                      with registry
+                                    properties:
+                                      allowInsecureRegistry:
+                                        description: AllowInsecureRegistry allows
+                                          insecure access to a registry
+                                        type: boolean
+                                      helpers:
+                                        description: 'Helpers specifies a list of
+                                          OCI Registry names, whose authentication
+                                          helpers are provided It can be of one of
+                                          these values: AWS, ACR, GCP, GHCR'
+                                        items:
+                                          description: ImageRegistryCredentialsHelpersType
+                                            provides the list of credential helpers
+                                            required.
+                                          enum:
+                                          - default
+                                          - amazon
+                                          - azure
+                                          - google
+                                          - github
+                                          type: string
+                                        type: array
+                                      secrets:
+                                        description: Secrets specifies a list of secrets
+                                          that are provided for credentials Secrets
+                                          must live in the Kyverno namespace
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
                                   jmesPath:
                                     description: JMESPath is an optional JSON Match
                                       Expression that can be used to transform the
@@ -13241,6 +13787,42 @@ spec:
                                             to an OCI/Docker V2 registry to fetch
                                             image details.
                                           properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                             jmesPath:
                                               description: JMESPath is an optional
                                                 JSON Match Expression that can be
@@ -13553,6 +14135,42 @@ spec:
                                             to an OCI/Docker V2 registry to fetch
                                             image details.
                                           properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                             jmesPath:
                                               description: JMESPath is an optional
                                                 JSON Match Expression that can be
@@ -13975,6 +14593,42 @@ spec:
                                             to an OCI/Docker V2 registry to fetch
                                             image details.
                                           properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                             jmesPath:
                                               description: JMESPath is an optional
                                                 JSON Match Expression that can be
@@ -15112,6 +15766,38 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              imageRegistryCredentials:
+                                description: ImageRegistryCredentials provides credentials
+                                  that will be used for authentication with registry
+                                properties:
+                                  allowInsecureRegistry:
+                                    description: AllowInsecureRegistry allows insecure
+                                      access to a registry
+                                    type: boolean
+                                  helpers:
+                                    description: 'Helpers specifies a list of OCI
+                                      Registry names, whose authentication helpers
+                                      are provided It can be of one of these values:
+                                      AWS, ACR, GCP, GHCR'
+                                    items:
+                                      description: ImageRegistryCredentialsHelpersType
+                                        provides the list of credential helpers required.
+                                      enum:
+                                      - default
+                                      - amazon
+                                      - azure
+                                      - google
+                                      - github
+                                      type: string
+                                    type: array
+                                  secrets:
+                                    description: Secrets specifies a list of secrets
+                                      that are provided for credentials Secrets must
+                                      live in the Kyverno namespace
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
                               issuer:
                                 description: Issuer is the certificate issuer used
                                   for keyless signing. Deprecated. Use KeylessAttestor

config/crds/kyverno.io_policies.yaml

@@ -259,6 +259,38 @@ spec:
                             description: ImageRegistry defines requests to an OCI/Docker
                               V2 registry to fetch image details.
                             properties:
+                              imageRegistryCredentials:
+                                description: ImageRegistryCredentials provides credentials
+                                  that will be used for authentication with registry
+                                properties:
+                                  allowInsecureRegistry:
+                                    description: AllowInsecureRegistry allows insecure
+                                      access to a registry
+                                    type: boolean
+                                  helpers:
+                                    description: 'Helpers specifies a list of OCI
+                                      Registry names, whose authentication helpers
+                                      are provided It can be of one of these values:
+                                      AWS, ACR, GCP, GHCR'
+                                    items:
+                                      description: ImageRegistryCredentialsHelpersType
+                                        provides the list of credential helpers required.
+                                      enum:
+                                      - default
+                                      - amazon
+                                      - azure
+                                      - google
+                                      - github
+                                      type: string
+                                    type: array
+                                  secrets:
+                                    description: Secrets specifies a list of secrets
+                                      that are provided for credentials Secrets must
+                                      live in the Kyverno namespace
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
                               jmesPath:
                                 description: JMESPath is an optional JSON Match Expression
                                   that can be used to transform the ImageData struct
@@ -1924,6 +1956,41 @@ spec:
                                         to an OCI/Docker V2 registry to fetch image
                                         details.
                                       properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                         jmesPath:
                                           description: JMESPath is an optional JSON
                                             Match Expression that can be used to transform
@@ -2222,6 +2289,41 @@ spec:
                                         to an OCI/Docker V2 registry to fetch image
                                         details.
                                       properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                         jmesPath:
                                           description: JMESPath is an optional JSON
                                             Match Expression that can be used to transform
@@ -2621,6 +2723,41 @@ spec:
                                         to an OCI/Docker V2 registry to fetch image
                                         details.
                                       properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                         jmesPath:
                                           description: JMESPath is an optional JSON
                                             Match Expression that can be used to transform
@@ -3709,6 +3846,38 @@ spec:
                             items:
                               type: string
                             type: array
+                          imageRegistryCredentials:
+                            description: ImageRegistryCredentials provides credentials
+                              that will be used for authentication with registry
+                            properties:
+                              allowInsecureRegistry:
+                                description: AllowInsecureRegistry allows insecure
+                                  access to a registry
+                                type: boolean
+                              helpers:
+                                description: 'Helpers specifies a list of OCI Registry
+                                  names, whose authentication helpers are provided
+                                  It can be of one of these values: AWS, ACR, GCP,
+                                  GHCR'
+                                items:
+                                  description: ImageRegistryCredentialsHelpersType
+                                    provides the list of credential helpers required.
+                                  enum:
+                                  - default
+                                  - amazon
+                                  - azure
+                                  - google
+                                  - github
+                                  type: string
+                                type: array
+                              secrets:
+                                description: Secrets specifies a list of secrets that
+                                  are provided for credentials Secrets must live in
+                                  the Kyverno namespace
+                                items:
+                                  type: string
+                                type: array
+                            type: object
                           issuer:
                             description: Issuer is the certificate issuer used for
                               keyless signing. Deprecated. Use KeylessAttestor instead.
@@ -4015,6 +4184,40 @@ spec:
                                 description: ImageRegistry defines requests to an
                                   OCI/Docker V2 registry to fetch image details.
                                 properties:
+                                  imageRegistryCredentials:
+                                    description: ImageRegistryCredentials provides
+                                      credentials that will be used for authentication
+                                      with registry
+                                    properties:
+                                      allowInsecureRegistry:
+                                        description: AllowInsecureRegistry allows
+                                          insecure access to a registry
+                                        type: boolean
+                                      helpers:
+                                        description: 'Helpers specifies a list of
+                                          OCI Registry names, whose authentication
+                                          helpers are provided It can be of one of
+                                          these values: AWS, ACR, GCP, GHCR'
+                                        items:
+                                          description: ImageRegistryCredentialsHelpersType
+                                            provides the list of credential helpers
+                                            required.
+                                          enum:
+                                          - default
+                                          - amazon
+                                          - azure
+                                          - google
+                                          - github
+                                          type: string
+                                        type: array
+                                      secrets:
+                                        description: Secrets specifies a list of secrets
+                                          that are provided for credentials Secrets
+                                          must live in the Kyverno namespace
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
                                   jmesPath:
                                     description: JMESPath is an optional JSON Match
                                       Expression that can be used to transform the
@@ -5757,6 +5960,42 @@ spec:
                                             to an OCI/Docker V2 registry to fetch
                                             image details.
                                           properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                             jmesPath:
                                               description: JMESPath is an optional
                                                 JSON Match Expression that can be
@@ -6069,6 +6308,42 @@ spec:
                                             to an OCI/Docker V2 registry to fetch
                                             image details.
                                           properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                             jmesPath:
                                               description: JMESPath is an optional
                                                 JSON Match Expression that can be
@@ -6491,6 +6766,42 @@ spec:
                                             to an OCI/Docker V2 registry to fetch
                                             image details.
                                           properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                             jmesPath:
                                               description: JMESPath is an optional
                                                 JSON Match Expression that can be
@@ -7628,6 +7939,38 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              imageRegistryCredentials:
+                                description: ImageRegistryCredentials provides credentials
+                                  that will be used for authentication with registry
+                                properties:
+                                  allowInsecureRegistry:
+                                    description: AllowInsecureRegistry allows insecure
+                                      access to a registry
+                                    type: boolean
+                                  helpers:
+                                    description: 'Helpers specifies a list of OCI
+                                      Registry names, whose authentication helpers
+                                      are provided It can be of one of these values:
+                                      AWS, ACR, GCP, GHCR'
+                                    items:
+                                      description: ImageRegistryCredentialsHelpersType
+                                        provides the list of credential helpers required.
+                                      enum:
+                                      - default
+                                      - amazon
+                                      - azure
+                                      - google
+                                      - github
+                                      type: string
+                                    type: array
+                                  secrets:
+                                    description: Secrets specifies a list of secrets
+                                      that are provided for credentials Secrets must
+                                      live in the Kyverno namespace
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
                               issuer:
                                 description: Issuer is the certificate issuer used
                                   for keyless signing. Deprecated. Use KeylessAttestor
@@ -8031,6 +8374,38 @@ spec:
                             description: ImageRegistry defines requests to an OCI/Docker
                               V2 registry to fetch image details.
                             properties:
+                              imageRegistryCredentials:
+                                description: ImageRegistryCredentials provides credentials
+                                  that will be used for authentication with registry
+                                properties:
+                                  allowInsecureRegistry:
+                                    description: AllowInsecureRegistry allows insecure
+                                      access to a registry
+                                    type: boolean
+                                  helpers:
+                                    description: 'Helpers specifies a list of OCI
+                                      Registry names, whose authentication helpers
+                                      are provided It can be of one of these values:
+                                      AWS, ACR, GCP, GHCR'
+                                    items:
+                                      description: ImageRegistryCredentialsHelpersType
+                                        provides the list of credential helpers required.
+                                      enum:
+                                      - default
+                                      - amazon
+                                      - azure
+                                      - google
+                                      - github
+                                      type: string
+                                    type: array
+                                  secrets:
+                                    description: Secrets specifies a list of secrets
+                                      that are provided for credentials Secrets must
+                                      live in the Kyverno namespace
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
                               jmesPath:
                                 description: JMESPath is an optional JSON Match Expression
                                   that can be used to transform the ImageData struct
@@ -9270,6 +9645,41 @@ spec:
                                         to an OCI/Docker V2 registry to fetch image
                                         details.
                                       properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                         jmesPath:
                                           description: JMESPath is an optional JSON
                                             Match Expression that can be used to transform
@@ -9568,6 +9978,41 @@ spec:
                                         to an OCI/Docker V2 registry to fetch image
                                         details.
                                       properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                         jmesPath:
                                           description: JMESPath is an optional JSON
                                             Match Expression that can be used to transform
@@ -10149,6 +10594,41 @@ spec:
                                         to an OCI/Docker V2 registry to fetch image
                                         details.
                                       properties:
+                                        imageRegistryCredentials:
+                                          description: ImageRegistryCredentials provides
+                                            credentials that will be used for authentication
+                                            with registry
+                                          properties:
+                                            allowInsecureRegistry:
+                                              description: AllowInsecureRegistry allows
+                                                insecure access to a registry
+                                              type: boolean
+                                            helpers:
+                                              description: 'Helpers specifies a list
+                                                of OCI Registry names, whose authentication
+                                                helpers are provided It can be of
+                                                one of these values: AWS, ACR, GCP,
+                                                GHCR'
+                                              items:
+                                                description: ImageRegistryCredentialsHelpersType
+                                                  provides the list of credential
+                                                  helpers required.
+                                                enum:
+                                                - default
+                                                - amazon
+                                                - azure
+                                                - google
+                                                - github
+                                                type: string
+                                              type: array
+                                            secrets:
+                                              description: Secrets specifies a list
+                                                of secrets that are provided for credentials
+                                                Secrets must live in the Kyverno namespace
+                                              items:
+                                                type: string
+                                              type: array
+                                          type: object
                                         jmesPath:
                                           description: JMESPath is an optional JSON
                                             Match Expression that can be used to transform
@@ -11216,6 +11696,38 @@ spec:
                             items:
                               type: string
                             type: array
+                          imageRegistryCredentials:
+                            description: ImageRegistryCredentials provides credentials
+                              that will be used for authentication with registry
+                            properties:
+                              allowInsecureRegistry:
+                                description: AllowInsecureRegistry allows insecure
+                                  access to a registry
+                                type: boolean
+                              helpers:
+                                description: 'Helpers specifies a list of OCI Registry
+                                  names, whose authentication helpers are provided
+                                  It can be of one of these values: AWS, ACR, GCP,
+                                  GHCR'
+                                items:
+                                  description: ImageRegistryCredentialsHelpersType
+                                    provides the list of credential helpers required.
+                                  enum:
+                                  - default
+                                  - amazon
+                                  - azure
+                                  - google
+                                  - github
+                                  type: string
+                                type: array
+                              secrets:
+                                description: Secrets specifies a list of secrets that
+                                  are provided for credentials Secrets must live in
+                                  the Kyverno namespace
+                                items:
+                                  type: string
+                                type: array
+                            type: object
                           mutateDigest:
                             default: true
                             description: MutateDigest enables replacement of image
@@ -11502,6 +12014,40 @@ spec:
                                 description: ImageRegistry defines requests to an
                                   OCI/Docker V2 registry to fetch image details.
                                 properties:
+                                  imageRegistryCredentials:
+                                    description: ImageRegistryCredentials provides
+                                      credentials that will be used for authentication
+                                      with registry
+                                    properties:
+                                      allowInsecureRegistry:
+                                        description: AllowInsecureRegistry allows
+                                          insecure access to a registry
+                                        type: boolean
+                                      helpers:
+                                        description: 'Helpers specifies a list of
+                                          OCI Registry names, whose authentication
+                                          helpers are provided It can be of one of
+                                          these values: AWS, ACR, GCP, GHCR'
+                                        items:
+                                          description: ImageRegistryCredentialsHelpersType
+                                            provides the list of credential helpers
+                                            required.
+                                          enum:
+                                          - default
+                                          - amazon
+                                          - azure
+                                          - google
+                                          - github
+                                          type: string
+                                        type: array
+                                      secrets:
+                                        description: Secrets specifies a list of secrets
+                                          that are provided for credentials Secrets
+                                          must live in the Kyverno namespace
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
                                   jmesPath:
                                     description: JMESPath is an optional JSON Match
                                       Expression that can be used to transform the
@@ -13244,6 +13790,42 @@ spec:
                                             to an OCI/Docker V2 registry to fetch
                                             image details.
                                           properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                             jmesPath:
                                               description: JMESPath is an optional
                                                 JSON Match Expression that can be
@@ -13556,6 +14138,42 @@ spec:
                                             to an OCI/Docker V2 registry to fetch
                                             image details.
                                           properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                             jmesPath:
                                               description: JMESPath is an optional
                                                 JSON Match Expression that can be
@@ -13978,6 +14596,42 @@ spec:
                                             to an OCI/Docker V2 registry to fetch
                                             image details.
                                           properties:
+                                            imageRegistryCredentials:
+                                              description: ImageRegistryCredentials
+                                                provides credentials that will be
+                                                used for authentication with registry
+                                              properties:
+                                                allowInsecureRegistry:
+                                                  description: AllowInsecureRegistry
+                                                    allows insecure access to a registry
+                                                  type: boolean
+                                                helpers:
+                                                  description: 'Helpers specifies
+                                                    a list of OCI Registry names,
+                                                    whose authentication helpers are
+                                                    provided It can be of one of these
+                                                    values: AWS, ACR, GCP, GHCR'
+                                                  items:
+                                                    description: ImageRegistryCredentialsHelpersType
+                                                      provides the list of credential
+                                                      helpers required.
+                                                    enum:
+                                                    - default
+                                                    - amazon
+                                                    - azure
+                                                    - google
+                                                    - github
+                                                    type: string
+                                                  type: array
+                                                secrets:
+                                                  description: Secrets specifies a
+                                                    list of secrets that are provided
+                                                    for credentials Secrets must live
+                                                    in the Kyverno namespace
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
                                             jmesPath:
                                               description: JMESPath is an optional
                                                 JSON Match Expression that can be
@@ -15115,6 +15769,38 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              imageRegistryCredentials:
+                                description: ImageRegistryCredentials provides credentials
+                                  that will be used for authentication with registry
+                                properties:
+                                  allowInsecureRegistry:
+                                    description: AllowInsecureRegistry allows insecure
+                                      access to a registry
+                                    type: boolean
+                                  helpers:
+                                    description: 'Helpers specifies a list of OCI
+                                      Registry names, whose authentication helpers
+                                      are provided It can be of one of these values:
+                                      AWS, ACR, GCP, GHCR'
+                                    items:
+                                      description: ImageRegistryCredentialsHelpersType
+                                        provides the list of credential helpers required.
+                                      enum:
+                                      - default
+                                      - amazon
+                                      - azure
+                                      - google
+                                      - github
+                                      type: string
+                                    type: array
+                                  secrets:
+                                    description: Secrets specifies a list of secrets
+                                      that are provided for credentials Secrets must
+                                      live in the Kyverno namespace
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
                               issuer:
                                 description: Issuer is the certificate issuer used
                                   for keyless signing. Deprecated. Use KeylessAttestor

docs/user/crd/index.html

@@ -1951,9 +1951,89 @@ transform the ImageData struct returned as a result of processing
 the image reference.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>imageRegistryCredentials</code><br/>
+<em>
+<a href="#kyverno.io/v1.ImageRegistryCredentials">
+ImageRegistryCredentials
+</a>
+</em>
+</td>
+<td>
+<p>ImageRegistryCredentials provides credentials that will be used for authentication with registry</p>
+</td>
+</tr>
 </tbody>
 </table>
 <hr />
+<h3 id="kyverno.io/v1.ImageRegistryCredentials">ImageRegistryCredentials
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#kyverno.io/v1.ImageRegistry">ImageRegistry</a>, 
+<a href="#kyverno.io/v1.ImageVerification">ImageVerification</a>, 
+<a href="#kyverno.io/v2beta1.ImageVerification">ImageVerification</a>)
+</p>
+<p>
+</p>
+<table class="table table-striped">
+<thead class="thead-dark">
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>allowInsecureRegistry</code><br/>
+<em>
+bool
+</em>
+</td>
+<td>
+<p>AllowInsecureRegistry allows insecure access to a registry</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>helpers</code><br/>
+<em>
+<a href="#kyverno.io/v1.ImageRegistryCredentialsHelpersType">
+[]ImageRegistryCredentialsHelpersType
+</a>
+</em>
+</td>
+<td>
+<p>Helpers specifies a list of OCI Registry names, whose authentication helpers are provided
+It can be of one of these values: AWS, ACR, GCP, GHCR</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>secrets</code><br/>
+<em>
+[]string
+</em>
+</td>
+<td>
+<p>Secrets specifies a list of secrets that are provided for credentials
+Secrets must live in the Kyverno namespace</p>
+</td>
+</tr>
+</tbody>
+</table>
+<hr />
+<h3 id="kyverno.io/v1.ImageRegistryCredentialsHelpersType">ImageRegistryCredentialsHelpersType
+(<code>string</code> alias)</p></h3>
+<p>
+(<em>Appears on:</em>
+<a href="#kyverno.io/v1.ImageRegistryCredentials">ImageRegistryCredentials</a>)
+</p>
+<p>
+<p>ImageRegistryCredentialsHelpersType provides the list of credential helpers required.</p>
+</p>
 <h3 id="kyverno.io/v1.ImageVerification">ImageVerification
 </h3>
 <p>
@@ -2163,6 +2243,19 @@ bool
 <p>Required validates that images are verified i.e. have matched passed a signature or attestation check.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>imageRegistryCredentials</code><br/>
+<em>
+<a href="#kyverno.io/v1.ImageRegistryCredentials">
+ImageRegistryCredentials
+</a>
+</em>
+</td>
+<td>
+<p>ImageRegistryCredentials provides credentials that will be used for authentication with registry</p>
+</td>
+</tr>
 </tbody>
 </table>
 <hr />
@@ -2170,7 +2263,8 @@ bool
 (<code>string</code> alias)</p></h3>
 <p>
 (<em>Appears on:</em>
-<a href="#kyverno.io/v1.ImageVerification">ImageVerification</a>)
+<a href="#kyverno.io/v1.ImageVerification">ImageVerification</a>, 
+<a href="#kyverno.io/v2beta1.ImageVerification">ImageVerification</a>)
 </p>
 <p>
 <p>ImageVerificationType selects the type of verification algorithm</p>
@@ -6377,7 +6471,7 @@ mutated to include the SHA digest retrieved during the registration.</p>
 <td>
 <code>type</code><br/>
 <em>
-<a href="#kyverno.io/v2beta1.ImageVerificationType">
+<a href="#kyverno.io/v1.ImageVerificationType">
 ImageVerificationType
 </a>
 </em>
@@ -6476,18 +6570,22 @@ bool
 <p>Required validates that images are verified i.e. have matched passed a signature or attestation check.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>imageRegistryCredentials</code><br/>
+<em>
+<a href="#kyverno.io/v1.ImageRegistryCredentials">
+ImageRegistryCredentials
+</a>
+</em>
+</td>
+<td>
+<p>ImageRegistryCredentials provides credentials that will be used for authentication with registry</p>
+</td>
+</tr>
 </tbody>
 </table>
 <hr />
-<h3 id="kyverno.io/v2beta1.ImageVerificationType">ImageVerificationType
-(<code>string</code> alias)</p></h3>
-<p>
-(<em>Appears on:</em>
-<a href="#kyverno.io/v2beta1.ImageVerification">ImageVerification</a>)
-</p>
-<p>
-<p>ImageVerificationType selects the type of verification algorithm</p>
-</p>
 <h3 id="kyverno.io/v2beta1.MatchResources">MatchResources
 </h3>
 <p>

pkg/engine/adapters/rclient.go

@@ -10,10 +10,10 @@ import (
 )
 
 type rclientAdapter struct {
-	client registryclient.Client
+	registryclient.Client
 }
 
-func ImageDataClient(client registryclient.Client) engineapi.ImageDataClient {
+func RegistryClient(client registryclient.Client) engineapi.RegistryClient {
 	if client == nil {
 		return nil
 	}
@@ -21,7 +21,7 @@ func ImageDataClient(client registryclient.Client) engineapi.ImageDataClient {
 }
 
 func (a *rclientAdapter) ForRef(ctx context.Context, ref string) (*engineapi.ImageData, error) {
-	desc, err := a.client.FetchImageDescriptor(ctx, ref)
+	desc, err := a.Client.FetchImageDescriptor(ctx, ref)
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch image descriptor: %s, error: %v", ref, err)
 	}

pkg/engine/api/client.go

@@ -4,6 +4,9 @@ import (
 	"context"
 	"io"
 
+	"github.com/google/go-containerregistry/pkg/authn"
+	gcrremote "github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/sigstore/cosign/pkg/oci/remote"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
@@ -46,4 +49,20 @@ type ImageData struct {
 
 type ImageDataClient interface {
 	ForRef(ctx context.Context, ref string) (*ImageData, error)
+	FetchImageDescriptor(context.Context, string) (*gcrremote.Descriptor, error)
+}
+
+type KeychainClient interface {
+	Keychain() authn.Keychain
+	RefreshKeychainPullSecrets(ctx context.Context) error
+}
+
+type CosignClient interface {
+	BuildRemoteOption(context.Context) remote.Option
+}
+
+type RegistryClient interface {
+	ImageDataClient
+	KeychainClient
+	CosignClient
 }

pkg/engine/api/context.go

@@ -75,8 +75,8 @@ func LoadVariable(logger logr.Logger, jp jmespath.Interface, entry kyvernov1.Con
 	}
 }
 
-func LoadImageData(ctx context.Context, jp jmespath.Interface, client ImageDataClient, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface) error {
-	imageData, err := fetchImageData(ctx, jp, client, logger, entry, enginectx)
+func LoadImageData(ctx context.Context, jp jmespath.Interface, rclientFactory RegistryClientFactory, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface) error {
+	imageData, err := fetchImageData(ctx, jp, rclientFactory, logger, entry, enginectx)
 	if err != nil {
 		return err
 	}
@@ -113,7 +113,7 @@ func LoadConfigMap(ctx context.Context, logger logr.Logger, entry kyvernov1.Cont
 	return nil
 }
 
-func fetchImageData(ctx context.Context, jp jmespath.Interface, client ImageDataClient, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface) (interface{}, error) {
+func fetchImageData(ctx context.Context, jp jmespath.Interface, rclientFactory RegistryClientFactory, logger logr.Logger, entry kyvernov1.ContextEntry, enginectx enginecontext.Interface) (interface{}, error) {
 	ref, err := variables.SubstituteAll(logger, enginectx, entry.ImageRegistry.Reference)
 	if err != nil {
 		return nil, fmt.Errorf("ailed to substitute variables in context entry %s %s: %v", entry.Name, entry.ImageRegistry.Reference, err)
@@ -126,6 +126,10 @@ func fetchImageData(ctx context.Context, jp jmespath.Interface, client ImageData
 	if err != nil {
 		return nil, fmt.Errorf("failed to substitute variables in context entry %s %s: %v", entry.Name, entry.ImageRegistry.JMESPath, err)
 	}
+	client, err := rclientFactory.GetClient(ctx, entry.ImageRegistry.ImageRegistryCredentials)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get registry client %s: %v", entry.Name, err)
+	}
 	imageData, err := fetchImageDataMap(ctx, client, refString)
 	if err != nil {
 		return nil, err

pkg/engine/api/contextloader.go

@@ -2,15 +2,16 @@ package api
 
 import (
 	"context"
-	"fmt"
 
-	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
-	"github.com/kyverno/kyverno/pkg/logging"
 )
 
+type RegistryClientFactory interface {
+	GetClient(ctx context.Context, creds *kyvernov1.ImageRegistryCredentials) (RegistryClient, error)
+}
+
 // ContextLoaderFactory provides a ContextLoader given a policy context and rule name
 type ContextLoaderFactory = func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) ContextLoader
 
@@ -20,83 +21,8 @@ type ContextLoader interface {
 		ctx context.Context,
 		jp jmespath.Interface,
 		client RawClient,
-		imgClient ImageDataClient,
+		rclientFactory RegistryClientFactory,
 		contextEntries []kyvernov1.ContextEntry,
 		jsonContext enginecontext.Interface,
 	) error
 }
-
-func DefaultContextLoaderFactory(
-	cmResolver ConfigmapResolver,
-) ContextLoaderFactory {
-	return func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) ContextLoader {
-		return &contextLoader{
-			logger:     logging.WithName("DefaultContextLoaderFactory"),
-			cmResolver: cmResolver,
-		}
-	}
-}
-
-type contextLoader struct {
-	logger     logr.Logger
-	cmResolver ConfigmapResolver
-}
-
-func (l *contextLoader) Load(
-	ctx context.Context,
-	jp jmespath.Interface,
-	client RawClient,
-	imgClient ImageDataClient,
-	contextEntries []kyvernov1.ContextEntry,
-	jsonContext enginecontext.Interface,
-) error {
-	for _, entry := range contextEntries {
-		deferredLoader := l.newDeferredLoader(ctx, jp, client, imgClient, entry, jsonContext)
-		if deferredLoader == nil {
-			return fmt.Errorf("invalid context entry %s", entry.Name)
-		}
-		jsonContext.AddDeferredLoader(entry.Name, deferredLoader)
-	}
-	return nil
-}
-
-func (l *contextLoader) newDeferredLoader(
-	ctx context.Context,
-	jp jmespath.Interface,
-	client RawClient,
-	imgClient ImageDataClient,
-	entry kyvernov1.ContextEntry,
-	jsonContext enginecontext.Interface,
-) enginecontext.DeferredLoader {
-	if entry.ConfigMap != nil {
-		return func() error {
-			if err := LoadConfigMap(ctx, l.logger, entry, jsonContext, l.cmResolver); err != nil {
-				return err
-			}
-			return nil
-		}
-	} else if entry.APICall != nil {
-		return func() error {
-			if err := LoadAPIData(ctx, jp, l.logger, entry, jsonContext, client); err != nil {
-				return err
-			}
-			return nil
-		}
-	} else if entry.ImageRegistry != nil {
-		return func() error {
-			if err := LoadImageData(ctx, jp, imgClient, l.logger, entry, jsonContext); err != nil {
-				return err
-			}
-			return nil
-		}
-	} else if entry.Variable != nil {
-		return func() error {
-			if err := LoadVariable(l.logger, jp, entry, jsonContext); err != nil {
-				return err
-			}
-			return nil
-		}
-	}
-
-	return nil
-}

pkg/engine/engine.go

@@ -17,7 +17,6 @@ import (
 	engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
 	"github.com/kyverno/kyverno/pkg/logging"
 	"github.com/kyverno/kyverno/pkg/metrics"
-	"github.com/kyverno/kyverno/pkg/registryclient"
 	"github.com/kyverno/kyverno/pkg/tracing"
 	stringutils "github.com/kyverno/kyverno/pkg/utils/strings"
 	"go.opentelemetry.io/otel/metric"
@@ -31,8 +30,7 @@ type engine struct {
 	metricsConfiguration     config.MetricsConfiguration
 	jp                       jmespath.Interface
 	client                   engineapi.Client
-	imgClient                engineapi.ImageDataClient
-	rclient                  registryclient.Client
+	rclientFactory           engineapi.RegistryClientFactory
 	contextLoader            engineapi.ContextLoaderFactory
 	exceptionSelector        engineapi.PolicyExceptionSelector
 	imageSignatureRepository string
@@ -48,8 +46,7 @@ func NewEngine(
 	metricsConfiguration config.MetricsConfiguration,
 	jp jmespath.Interface,
 	client engineapi.Client,
-	imgClient engineapi.ImageDataClient,
-	rclient registryclient.Client,
+	rclientFactory engineapi.RegistryClientFactory,
 	contextLoader engineapi.ContextLoaderFactory,
 	exceptionSelector engineapi.PolicyExceptionSelector,
 	imageSignatureRepository string,
@@ -74,8 +71,7 @@ func NewEngine(
 		metricsConfiguration:     metricsConfiguration,
 		jp:                       jp,
 		client:                   client,
-		imgClient:                imgClient,
-		rclient:                  rclient,
+		rclientFactory:           rclientFactory,
 		contextLoader:            contextLoader,
 		exceptionSelector:        exceptionSelector,
 		imageSignatureRepository: imageSignatureRepository,
@@ -179,7 +175,7 @@ func (e *engine) ContextLoader(
 			ctx,
 			e.jp,
 			e.client,
-			e.imgClient,
+			e.rclientFactory,
 			contextEntries,
 			jsonContext,
 		)

pkg/engine/factories/contextloaderfactory.go

@@ -0,0 +1,86 @@
+package factories
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/go-logr/logr"
+	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
+	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
+	"github.com/kyverno/kyverno/pkg/engine/jmespath"
+	"github.com/kyverno/kyverno/pkg/logging"
+)
+
+func DefaultContextLoaderFactory(cmResolver engineapi.ConfigmapResolver) engineapi.ContextLoaderFactory {
+	return func(policy kyvernov1.PolicyInterface, rule kyvernov1.Rule) engineapi.ContextLoader {
+		return &contextLoader{
+			logger:     logging.WithName("DefaultContextLoaderFactory"),
+			cmResolver: cmResolver,
+		}
+	}
+}
+
+type contextLoader struct {
+	logger     logr.Logger
+	cmResolver engineapi.ConfigmapResolver
+}
+
+func (l *contextLoader) Load(
+	ctx context.Context,
+	jp jmespath.Interface,
+	client engineapi.RawClient,
+	rclientFactory engineapi.RegistryClientFactory,
+	contextEntries []kyvernov1.ContextEntry,
+	jsonContext enginecontext.Interface,
+) error {
+	for _, entry := range contextEntries {
+		deferredLoader := l.newDeferredLoader(ctx, jp, client, rclientFactory, entry, jsonContext)
+		if deferredLoader == nil {
+			return fmt.Errorf("invalid context entry %s", entry.Name)
+		}
+		jsonContext.AddDeferredLoader(entry.Name, deferredLoader)
+	}
+	return nil
+}
+
+func (l *contextLoader) newDeferredLoader(
+	ctx context.Context,
+	jp jmespath.Interface,
+	client engineapi.RawClient,
+	rclientFactory engineapi.RegistryClientFactory,
+	entry kyvernov1.ContextEntry,
+	jsonContext enginecontext.Interface,
+) enginecontext.DeferredLoader {
+	if entry.ConfigMap != nil {
+		return func() error {
+			if err := engineapi.LoadConfigMap(ctx, l.logger, entry, jsonContext, l.cmResolver); err != nil {
+				return err
+			}
+			return nil
+		}
+	} else if entry.APICall != nil {
+		return func() error {
+			if err := engineapi.LoadAPIData(ctx, jp, l.logger, entry, jsonContext, client); err != nil {
+				return err
+			}
+			return nil
+		}
+	} else if entry.ImageRegistry != nil {
+		return func() error {
+			if err := engineapi.LoadImageData(ctx, jp, rclientFactory, l.logger, entry, jsonContext); err != nil {
+				return err
+			}
+			return nil
+		}
+	} else if entry.Variable != nil {
+		return func() error {
+			if err := engineapi.LoadVariable(l.logger, jp, entry, jsonContext); err != nil {
+				return err
+			}
+			return nil
+		}
+	}
+
+	return nil
+}

pkg/engine/factories/registryclientfactory.go

@@ -0,0 +1,50 @@
+package factories
+
+import (
+	"context"
+
+	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+	"github.com/kyverno/kyverno/pkg/engine/adapters"
+	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
+	"github.com/kyverno/kyverno/pkg/registryclient"
+	corev1listers "k8s.io/client-go/listers/core/v1"
+)
+
+func DefaultRegistryClientFactory(globalClient engineapi.RegistryClient, secretsLister corev1listers.SecretNamespaceLister) engineapi.RegistryClientFactory {
+	return &registryClientFactory{
+		globalClient:  globalClient,
+		secretsLister: secretsLister,
+	}
+}
+
+type registryClientFactory struct {
+	globalClient  engineapi.RegistryClient
+	secretsLister corev1listers.SecretNamespaceLister
+}
+
+func (f *registryClientFactory) GetClient(ctx context.Context, creds *kyvernov1.ImageRegistryCredentials) (engineapi.RegistryClient, error) {
+	if creds != nil {
+		registryOptions := []registryclient.Option{
+			registryclient.WithTracing(),
+		}
+		if creds.AllowInsecureRegistry {
+			registryOptions = append(registryOptions, registryclient.WithAllowInsecureRegistry())
+		}
+		if len(creds.Helpers) > 0 {
+			var helpers []string
+			for _, helper := range creds.Helpers {
+				helpers = append(helpers, string(helper))
+			}
+			registryOptions = append(registryOptions, registryclient.WithCredentialHelpers(helpers...))
+		}
+		if len(creds.Secrets) > 0 {
+			registryOptions = append(registryOptions, registryclient.WithKeychainPullSecrets(ctx, f.secretsLister, creds.Secrets...))
+		}
+		client, err := registryclient.New(registryOptions...)
+		if err != nil {
+			return nil, err
+		}
+		return adapters.RegistryClient(client), nil
+	}
+	return f.globalClient, nil
+}

pkg/engine/handlers/mutation/mutate_image.go

@@ -14,7 +14,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/mutate/patch"
 	engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
 	"github.com/kyverno/kyverno/pkg/engine/variables"
-	"github.com/kyverno/kyverno/pkg/registryclient"
 	apiutils "github.com/kyverno/kyverno/pkg/utils/api"
 	jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
 	"gomodules.xyz/jsonpatch/v2"
@@ -23,7 +22,7 @@ import (
 
 type mutateImageHandler struct {
 	configuration            config.Configuration
-	rclient                  registryclient.Client
+	rclientFactory           engineapi.RegistryClientFactory
 	ivm                      *engineapi.ImageVerificationMetadata
 	images                   []apiutils.ImageInfo
 	imageSignatureRepository string
@@ -34,7 +33,7 @@ func NewMutateImageHandler(
 	resource unstructured.Unstructured,
 	rule kyvernov1.Rule,
 	configuration config.Configuration,
-	rclient registryclient.Client,
+	rclientFactory engineapi.RegistryClientFactory,
 	ivm *engineapi.ImageVerificationMetadata,
 	imageSignatureRepository string,
 ) (handlers.Handler, error) {
@@ -50,7 +49,7 @@ func NewMutateImageHandler(
 	}
 	return mutateImageHandler{
 		configuration:            configuration,
-		rclient:                  rclient,
+		rclientFactory:           rclientFactory,
 		ivm:                      ivm,
 		images:                   ruleImages,
 		imageSignatureRepository: imageSignatureRepository,
@@ -72,10 +71,16 @@ func (h mutateImageHandler) Process(
 			engineapi.RuleError(rule.Name, engineapi.ImageVerify, "failed to substitute variables", err),
 		)
 	}
-	iv := internal.NewImageVerifier(logger, h.rclient, policyContext, *ruleCopy, h.ivm, h.imageSignatureRepository)
 	var engineResponses []*engineapi.RuleResponse
 	var patches []jsonpatch.JsonPatchOperation
 	for _, imageVerify := range ruleCopy.VerifyImages {
+		rclient, err := h.rclientFactory.GetClient(ctx, imageVerify.ImageRegistryCredentials)
+		if err != nil {
+			return resource, handlers.WithResponses(
+				engineapi.RuleError(rule.Name, engineapi.ImageVerify, "failed to fetch secrets", err),
+			)
+		}
+		iv := internal.NewImageVerifier(logger, rclient, policyContext, *ruleCopy, h.ivm, h.imageSignatureRepository)
 		patch, ruleResponse := iv.Verify(ctx, imageVerify, h.images, h.configuration)
 		patches = append(patches, patch...)
 		engineResponses = append(engineResponses, ruleResponse...)

pkg/engine/image_verify.go

@@ -40,7 +40,7 @@ func (e *engine) verifyAndPatchImages(
 				matchedResource,
 				rule,
 				e.configuration,
-				e.rclient,
+				e.rclientFactory,
 				&ivm,
 				e.imageSignatureRepository,
 			)

pkg/engine/image_verify_test.go

@@ -15,6 +15,7 @@ import (
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
+	"github.com/kyverno/kyverno/pkg/engine/factories"
 	"github.com/kyverno/kyverno/pkg/engine/internal"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"github.com/kyverno/kyverno/pkg/engine/mutate/patch"
@@ -182,9 +183,8 @@ func testVerifyAndPatchImages(
 		metricsCfg,
 		jp,
 		nil,
-		adapters.ImageDataClient(rclient),
-		rclient,
-		engineapi.DefaultContextLoaderFactory(cmResolver),
+		factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
+		factories.DefaultContextLoaderFactory(cmResolver),
 		nil,
 		"",
 	)

pkg/engine/internal/imageverifier.go

@@ -16,7 +16,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/variables"
 	"github.com/kyverno/kyverno/pkg/images"
 	"github.com/kyverno/kyverno/pkg/notary"
-	"github.com/kyverno/kyverno/pkg/registryclient"
 	apiutils "github.com/kyverno/kyverno/pkg/utils/api"
 	"github.com/kyverno/kyverno/pkg/utils/jsonpointer"
 	"github.com/kyverno/kyverno/pkg/utils/wildcard"
@@ -27,7 +26,7 @@ import (
 
 type ImageVerifier struct {
 	logger                   logr.Logger
-	rclient                  registryclient.Client
+	rclient                  engineapi.RegistryClient
 	policyContext            engineapi.PolicyContext
 	rule                     kyvernov1.Rule
 	ivm                      *engineapi.ImageVerificationMetadata
@@ -36,7 +35,7 @@ type ImageVerifier struct {
 
 func NewImageVerifier(
 	logger logr.Logger,
-	rclient registryclient.Client,
+	rclient engineapi.RegistryClient,
 	policyContext engineapi.PolicyContext,
 	rule kyvernov1.Rule,
 	ivm *engineapi.ImageVerificationMetadata,

pkg/engine/mutation_test.go

@@ -11,6 +11,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine/adapters"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
+	"github.com/kyverno/kyverno/pkg/engine/factories"
 	enginetest "github.com/kyverno/kyverno/pkg/engine/test"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
@@ -29,15 +30,14 @@ func testMutate(
 	contextLoader engineapi.ContextLoaderFactory,
 ) engineapi.EngineResponse {
 	if contextLoader == nil {
-		contextLoader = engineapi.DefaultContextLoaderFactory(nil)
+		contextLoader = factories.DefaultContextLoaderFactory(nil)
 	}
 	e := NewEngine(
 		cfg,
 		config.NewDefaultMetricsConfiguration(),
 		jp,
 		adapters.Client(client),
-		adapters.ImageDataClient(rclient),
-		rclient,
+		factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
 		contextLoader,
 		nil,
 		"",

pkg/engine/test/contextloader.go

@@ -45,7 +45,7 @@ func (l *mockContextLoader) Load(
 	ctx context.Context,
 	jp jmespath.Interface,
 	client engineapi.RawClient,
-	imgClient engineapi.ImageDataClient,
+	rclientFactory engineapi.RegistryClientFactory,
 	contextEntries []kyvernov1.ContextEntry,
 	jsonContext enginecontext.Interface,
 ) error {
@@ -62,8 +62,8 @@ func (l *mockContextLoader) Load(
 	}
 	// Context Variable should be loaded after the values loaded from values file
 	for _, entry := range contextEntries {
-		if entry.ImageRegistry != nil && imgClient != nil {
-			if err := engineapi.LoadImageData(ctx, jp, imgClient, l.logger, entry, jsonContext); err != nil {
+		if entry.ImageRegistry != nil && rclientFactory != nil {
+			if err := engineapi.LoadImageData(ctx, jp, rclientFactory, l.logger, entry, jsonContext); err != nil {
 				return err
 			}
 		} else if entry.Variable != nil {

pkg/engine/validation_test.go

@@ -13,6 +13,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine/adapters"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
+	"github.com/kyverno/kyverno/pkg/engine/factories"
 	enginetest "github.com/kyverno/kyverno/pkg/engine/test"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
@@ -30,15 +31,14 @@ func testValidate(
 	contextLoader engineapi.ContextLoaderFactory,
 ) engineapi.EngineResponse {
 	if contextLoader == nil {
-		contextLoader = engineapi.DefaultContextLoaderFactory(nil)
+		contextLoader = factories.DefaultContextLoaderFactory(nil)
 	}
 	e := NewEngine(
 		cfg,
 		config.NewDefaultMetricsConfiguration(),
 		jp,
 		nil,
-		adapters.ImageDataClient(rclient),
-		rclient,
+		factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
 		contextLoader,
 		nil,
 		"",

pkg/webhooks/resource/fake.go

@@ -9,8 +9,8 @@ import (
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/adapters"
-	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
+	"github.com/kyverno/kyverno/pkg/engine/factories"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/metrics"
@@ -40,12 +40,11 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
 	configuration := config.NewDefaultConfiguration(false)
 	urLister := kyvernoInformers.Kyverno().V1beta1().UpdateRequests().Lister().UpdateRequests(config.KyvernoNamespace())
 	peLister := kyvernoInformers.Kyverno().V2alpha1().PolicyExceptions().Lister()
-	rclient := registryclient.NewOrDie()
 	jp := jmespath.New(configuration)
+	rclient := registryclient.NewOrDie()
 
 	return &resourceHandlers{
 		client:         dclient,
-		rclient:        rclient,
 		configuration:  configuration,
 		metricsConfig:  metricsConfig,
 		pCache:         policyCache,
@@ -60,9 +59,8 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
 			config.NewDefaultMetricsConfiguration(),
 			jp,
 			adapters.Client(dclient),
-			adapters.ImageDataClient(rclient),
-			rclient,
-			engineapi.DefaultContextLoaderFactory(configMapResolver),
+			factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
+			factories.DefaultContextLoaderFactory(configMapResolver),
 			peLister,
 			"",
 		),

pkg/webhooks/resource/handlers.go

@@ -19,7 +19,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/metrics"
 	"github.com/kyverno/kyverno/pkg/openapi"
 	"github.com/kyverno/kyverno/pkg/policycache"
-	"github.com/kyverno/kyverno/pkg/registryclient"
 	admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
 	engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
 	jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
@@ -38,7 +37,6 @@ type resourceHandlers struct {
 	// clients
 	client        dclient.Interface
 	kyvernoClient versioned.Interface
-	rclient       registryclient.Client
 	engine        engineapi.Engine
 
 	// config
@@ -67,7 +65,6 @@ func NewHandlers(
 	engine engineapi.Engine,
 	client dclient.Interface,
 	kyvernoClient versioned.Interface,
-	rclient registryclient.Client,
 	configuration config.Configuration,
 	metricsConfig metrics.MetricsConfigManager,
 	pCache policycache.Cache,
@@ -86,7 +83,6 @@ func NewHandlers(
 		engine:                       engine,
 		client:                       client,
 		kyvernoClient:                kyvernoClient,
-		rclient:                      rclient,
 		configuration:                configuration,
 		metricsConfig:                metricsConfig,
 		pCache:                       pCache,

pkg/webhooks/resource/validation_test.go

@@ -11,6 +11,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/adapters"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
+	"github.com/kyverno/kyverno/pkg/engine/factories"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	log "github.com/kyverno/kyverno/pkg/logging"
 	"github.com/kyverno/kyverno/pkg/registryclient"
@@ -1058,9 +1059,8 @@ func TestValidate_failure_action_overrides(t *testing.T) {
 		config.NewDefaultMetricsConfiguration(),
 		jp,
 		nil,
-		adapters.ImageDataClient(rclient),
-		rclient,
-		engineapi.DefaultContextLoaderFactory(nil),
+		factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
+		factories.DefaultContextLoaderFactory(nil),
 		nil,
 		"",
 	)
@@ -1161,9 +1161,8 @@ func Test_RuleSelector(t *testing.T) {
 		config.NewDefaultMetricsConfiguration(),
 		jp,
 		nil,
-		adapters.ImageDataClient(rclient),
-		rclient,
-		engineapi.DefaultContextLoaderFactory(nil),
+		factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
+		factories.DefaultContextLoaderFactory(nil),
 		nil,
 		"",
 	)

test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/01-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: secret-in-keys
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/01-manifests.yaml

@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-verify-images
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: keys
+  namespace: test-verify-images
+data:
+  certificate: |-
+    -----BEGIN CERTIFICATE-----
+    MIIDTTCCAjWgAwIBAgIJAPI+zAzn4s0xMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV
+    BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwG
+    Tm90YXJ5MQ0wCwYDVQQDDAR0ZXN0MB4XDTIzMDUyMjIxMTUxOFoXDTMzMDUxOTIx
+    MTUxOFowTDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0
+    dGxlMQ8wDQYDVQQKDAZOb3RhcnkxDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3
+    DQEBAQUAA4IBDwAwggEKAoIBAQDNhTwv+QMk7jEHufFfIFlBjn2NiJaYPgL4eBS+
+    b+o37ve5Zn9nzRppV6kGsa161r9s2KkLXmJrojNy6vo9a6g6RtZ3F6xKiWLUmbAL
+    hVTCfYw/2n7xNlVMjyyUpE+7e193PF8HfQrfDFxe2JnX5LHtGe+X9vdvo2l41R6m
+    Iia04DvpMdG4+da2tKPzXIuLUz/FDb6IODO3+qsqQLwEKmmUee+KX+3yw8I6G1y0
+    Vp0mnHfsfutlHeG8gazCDlzEsuD4QJ9BKeRf2Vrb0ywqNLkGCbcCWF2H5Q80Iq/f
+    ETVO9z88R7WheVdEjUB8UrY7ZMLdADM14IPhY2Y+tLaSzEVZAgMBAAGjMjAwMAkG
+    A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0G
+    CSqGSIb3DQEBCwUAA4IBAQBX7x4Ucre8AIUmXZ5PUK/zUBVOrZZzR1YE8w86J4X9
+    kYeTtlijf9i2LTZMfGuG0dEVFN4ae3CCpBst+ilhIndnoxTyzP+sNy4RCRQ2Y/k8
+    Zq235KIh7uucq96PL0qsF9s2RpTKXxyOGdtp9+HO0Ty5txJE2txtLDUIVPK5WNDF
+    ByCEQNhtHgN6V20b8KU2oLBZ9vyB8V010dQz0NRTDLhkcvJig00535/LUylECYAJ
+    5/jn6XKt6UYCQJbVNzBg/YPGc1RF4xdsGVDBben/JXpeGEmkdmXPILTKd9tZ5TC0
+    uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz
+    -----END CERTIFICATE-----
+---
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: secret-in-keys
+spec:
+  validationFailureAction: Enforce
+  webhookTimeoutSeconds: 30
+  failurePolicy: Fail  
+  rules:
+    - name: verify-signature-notary
+      context:
+      - name: keys
+        configMap:
+          name: keys
+          namespace: test-verify-images
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      verifyImages:
+      - type: Notary
+        imageReferences:
+        - "ghcr.io/kyverno/test-verify-image*"
+        attestors:
+        - count: 1
+          entries:
+          - certificates:
+              cert: "{{ keys.data.certificate }}"
+        imageRegistryCredentials:
+          secrets:
+          - testsecret
+---
+apiVersion: v1
+data:
+  .dockerconfigjson: eyJhdXRocyI6eyJyZWciOnsidXNlcm5hbWUiOiJ1c2VyIiwicGFzc3dvcmQiOiJwYXNzIiwiYXV0aCI6ImRYTmxjanB3WVhOeiJ9fX0=
+kind: Secret
+metadata:
+  name: testsecret
+  namespace: kyverno
+type: kubernetes.io/dockerconfigjson

test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/02-assert.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-secret-pod
+  namespace: test-verify-images

test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/02-goodpod.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-secret-pod
+  namespace: test-verify-images
+spec:
+  containers:
+  - image: ghcr.io/kyverno/test-verify-image:signed
+    name: test-secret

test/conformance/kuttl/verifyImages/clusterpolicy/standard/keyed-secret-from-policy/README.md

@@ -0,0 +1,3 @@
+# Title
+
+This test tries to verify an image from a private repo using credentials stored in a Kubernetes Secret.