refactor: move registry client init in internal package (#6853)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-05 07:26:55 +00:00 · 2023-04-11 15:32:17 +02:00 · 2023-04-11 15:32:17 +02:00 · 93cf943ad1
commit 93cf943ad1
parent ff93502421
9 changed files with 89 additions and 128 deletions
--- a/cmd/background-controller/main.go
+++ b/cmd/background-controller/main.go
@ -5,7 +5,6 @@ import (
 	"errors"
 	"flag"
 	"os"
-	"strings"
 	"sync"
 	"time"

@ -29,7 +28,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/policy"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	kubeinformers "k8s.io/client-go/informers"
-	corev1listers "k8s.io/client-go/listers/core/v1"
 	kyamlopenapi "sigs.k8s.io/kustomize/kyaml/openapi"
 )

@ -37,22 +35,6 @@ const (
 	resyncPeriod = 15 * time.Minute
 )

-func setupRegistryClient(ctx context.Context, logger logr.Logger, lister corev1listers.SecretNamespaceLister, imagePullSecrets string, allowInsecureRegistry bool) (registryclient.Client, error) {
-	logger = logger.WithName("registry-client")
-	logger.Info("setup registry client...", "secrets", imagePullSecrets, "insecure", allowInsecureRegistry)
-	registryOptions := []registryclient.Option{
-		registryclient.WithTracing(),
-	}
-	secrets := strings.Split(imagePullSecrets, ",")
-	if imagePullSecrets != "" && len(secrets) > 0 {
-		registryOptions = append(registryOptions, registryclient.WithKeychainPullSecrets(ctx, lister, secrets...))
-	}
-	if allowInsecureRegistry {
-		registryOptions = append(registryOptions, registryclient.WithAllowInsecureRegistry())
-	}
-	return registryclient.New(registryOptions...)
-}
-
 func setupCosign(logger logr.Logger, imageSignatureRepository string) {
 	logger = logger.WithName("cosign")
 	logger.Info("setup cosign...", "repository", imageSignatureRepository)
@ -111,16 +93,12 @@ func main() {
 	var (
 		genWorkers                int
 		maxQueuedEvents           int
-		imagePullSecrets          string
 		imageSignatureRepository  string
-		allowInsecureRegistry     bool
 		leaderElectionRetryPeriod time.Duration
 	)
 	flagset := flag.NewFlagSet("updaterequest-controller", flag.ExitOnError)
 	flagset.IntVar(&genWorkers, "genWorkers", 10, "Workers for the background controller.")
-	flagset.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials.")
 	flagset.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
-	flagset.BoolVar(&allowInsecureRegistry, "allowInsecureRegistry", false, "Whether to allow insecure connections to registries. Don't use this for anything but testing.")
 	flagset.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.")
 	flagset.DurationVar(&leaderElectionRetryPeriod, "leaderElectionRetryPeriod", leaderelection.DefaultRetryPeriod, "Configure leader election retry period.")
 	// config
@ -131,19 +109,14 @@ func main() {
 		internal.WithKubeconfig(),
 		internal.WithPolicyExceptions(),
 		internal.WithConfigMapCaching(),
+		internal.WithRegistryClient(),
 		internal.WithFlagSets(flagset),
 	)
 	// parse flags
 	internal.ParseFlags(appConfig)
-	// setup logger
-	// show version
-	// start profiling
-	// setup signals
-	// setup maxprocs
-	// setup metrics
-	signalCtx, setup, sdown := internal.Setup("kyverno-background-controller", false)
+	// setup
+	signalCtx, setup, sdown := internal.Setup(appConfig, "kyverno-background-controller", false)
 	defer sdown()
-	// logger := setup.Logger
 	// create instrumented clients
 	leaderElectionClient := internal.CreateKubernetesClient(setup.Logger, kubeclient.WithMetrics(setup.MetricsManager, metrics.KubeClient), kubeclient.WithTracing())
 	kyvernoClient := internal.CreateKyvernoClient(setup.Logger, kyvernoclient.WithMetrics(setup.MetricsManager, metrics.KyvernoClient), kyvernoclient.WithTracing())
@ -157,15 +130,7 @@ func main() {
 	// ELSE KYAML IS NOT THREAD SAFE
 	kyamlopenapi.Schema()
 	// informer factories
-	kubeKyvernoInformer := kubeinformers.NewSharedInformerFactoryWithOptions(setup.KubeClient, resyncPeriod, kubeinformers.WithNamespace(config.KyvernoNamespace()))
 	kyvernoInformer := kyvernoinformer.NewSharedInformerFactory(kyvernoClient, resyncPeriod)
-	secretLister := kubeKyvernoInformer.Core().V1().Secrets().Lister().Secrets(config.KyvernoNamespace())
-	// setup registry client
-	rclient, err := setupRegistryClient(signalCtx, setup.Logger, secretLister, imagePullSecrets, allowInsecureRegistry)
-	if err != nil {
-		setup.Logger.Error(err, "failed to setup registry client")
-		os.Exit(1)
-	}
 	// setup cosign
 	setupCosign(setup.Logger, imageSignatureRepository)
 	eventGenerator := event.NewEventGenerator(
@ -189,12 +154,12 @@ func main() {
 		setup.Configuration,
 		setup.MetricsConfiguration,
 		dClient,
-		rclient,
+		setup.RegistryClient,
 		setup.KubeClient,
 		kyvernoClient,
 	)
 	// start informers and wait for cache sync
-	if !internal.StartInformersAndWaitForCacheSync(signalCtx, setup.Logger, kyvernoInformer, kubeKyvernoInformer) {
+	if !internal.StartInformersAndWaitForCacheSync(signalCtx, setup.Logger, kyvernoInformer) {
 		setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
 		os.Exit(1)
 	}
@ -221,7 +186,7 @@ func main() {
 				kyvernoInformer,
 				kyvernoClient,
 				dClient,
-				rclient,
+				setup.RegistryClient,
 				setup.Configuration,
 				setup.MetricsManager,
 				eventGenerator,
--- a/cmd/cleanup-controller/main.go
+++ b/cmd/cleanup-controller/main.go
@ -72,13 +72,8 @@ func main() {
 	)
 	// parse flags
 	internal.ParseFlags(appConfig)
-	// setup logger
-	// show version
-	// start profiling
-	// setup signals
-	// setup maxprocs
-	// setup metrics
-	ctx, setup, sdown := internal.Setup("kyverno-cleanup-controller", false)
+	// setup
+	ctx, setup, sdown := internal.Setup(appConfig, "kyverno-cleanup-controller", false)
 	defer sdown()
 	// create instrumented clients
 	leaderElectionClient := internal.CreateKubernetesClient(setup.Logger, kubeclient.WithMetrics(setup.MetricsManager, metrics.KubeClient), kubeclient.WithTracing())
--- a/cmd/internal/config.go
+++ b/cmd/internal/config.go
@ -11,6 +11,7 @@ type Configuration interface {
 	UsesKubeconfig() bool
 	UsesPolicyExceptions() bool
 	UsesConfigMapCaching() bool
+	UsesRegistryClient() bool
 	FlagSets() []*flag.FlagSet
 }

@ -60,6 +61,12 @@ func WithConfigMapCaching() ConfigurationOption {
 	}
 }

+func WithRegistryClient() ConfigurationOption {
+	return func(c *configuration) {
+		c.usesRegistryClient = true
+	}
+}
+
 func WithFlagSets(flagsets ...*flag.FlagSet) ConfigurationOption {
 	return func(c *configuration) {
 		c.flagSets = append(c.flagSets, flagsets...)
@ -73,6 +80,7 @@ type configuration struct {
 	usesKubeconfig       bool
 	usesPolicyExceptions bool
 	usesConfigMapCaching bool
+	usesRegistryClient   bool
 	flagSets             []*flag.FlagSet
 }

@ -100,6 +108,10 @@ func (c *configuration) UsesConfigMapCaching() bool {
 	return c.usesConfigMapCaching
 }

+func (c *configuration) UsesRegistryClient() bool {
+	return c.usesRegistryClient
+}
+
 func (c *configuration) FlagSets() []*flag.FlagSet {
 	return c.flagSets
 }
--- a/cmd/internal/flag.go
+++ b/cmd/internal/flag.go
@ -32,6 +32,9 @@ var (
 	enablePolicyException  bool
 	exceptionNamespace     string
 	enableConfigMapCaching bool
+	// registry client
+	imagePullSecrets      string
+	allowInsecureRegistry bool
 )

 func initLoggingFlags() {
@ -76,6 +79,11 @@ func initConfigMapCachingFlags() {
 	flag.BoolVar(&enableConfigMapCaching, "enableConfigMapCaching", true, "Enable config maps caching.")
 }

+func initRegistryClientFlags() {
+	flag.BoolVar(&allowInsecureRegistry, "allowInsecureRegistry", false, "Whether to allow insecure connections to registries. Don't use this for anything but testing.")
+	flag.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials.")
+}
+
 func InitFlags(config Configuration) {
 	// logging
 	initLoggingFlags()
@ -103,6 +111,10 @@ func InitFlags(config Configuration) {
 	if config.UsesConfigMapCaching() {
 		initConfigMapCachingFlags()
 	}
+	// registry client
+	if config.UsesRegistryClient() {
+		initRegistryClientFlags()
+	}
 	for _, flagset := range config.FlagSets() {
 		flagset.VisitAll(func(f *flag.Flag) {
 			flag.CommandLine.Var(f.Value, f.Name, f.Usage)
--- a/cmd/internal/registry.go
+++ b/cmd/internal/registry.go
@ -0,0 +1,37 @@
+package internal
+
+import (
+	"context"
+	"errors"
+	"strings"
+
+	"github.com/go-logr/logr"
+	"github.com/kyverno/kyverno/pkg/config"
+	"github.com/kyverno/kyverno/pkg/registryclient"
+	kubeinformers "k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes"
+)
+
+func setupRegistryClient(ctx context.Context, logger logr.Logger, client kubernetes.Interface) registryclient.Client {
+	logger = logger.WithName("registry-client").WithValues("secrets", imagePullSecrets, "insecure", allowInsecureRegistry)
+	logger.Info("setup registry client...")
+	registryOptions := []registryclient.Option{
+		registryclient.WithTracing(),
+	}
+	secrets := strings.Split(imagePullSecrets, ",")
+	if imagePullSecrets != "" && len(secrets) > 0 {
+		factory := kubeinformers.NewSharedInformerFactoryWithOptions(client, resyncPeriod, kubeinformers.WithNamespace(config.KyvernoNamespace()))
+		secretLister := factory.Core().V1().Secrets().Lister().Secrets(config.KyvernoNamespace())
+		// start informers and wait for cache sync
+		if !StartInformersAndWaitForCacheSync(ctx, logger, factory) {
+			checkError(logger, errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
+		}
+		registryOptions = append(registryOptions, registryclient.WithKeychainPullSecrets(ctx, secretLister, secrets...))
+	}
+	if allowInsecureRegistry {
+		registryOptions = append(registryOptions, registryclient.WithAllowInsecureRegistry())
+	}
+	registryClient, err := registryclient.New(registryOptions...)
+	checkError(logger, err, "failed to create registry client")
+	return registryClient
+}
--- a/cmd/internal/setup.go
+++ b/cmd/internal/setup.go
@ -7,6 +7,7 @@ import (
 	kubeclient "github.com/kyverno/kyverno/pkg/clients/kube"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/metrics"
+	"github.com/kyverno/kyverno/pkg/registryclient"
 	"k8s.io/client-go/kubernetes"
 )

@ -27,9 +28,10 @@ type SetupResult struct {
 	MetricsConfiguration config.MetricsConfiguration
 	MetricsManager       metrics.MetricsConfigManager
 	KubeClient           kubernetes.Interface
+	RegistryClient       registryclient.Client
 }

-func Setup(name string, skipResourceFilters bool) (context.Context, SetupResult, context.CancelFunc) {
+func Setup(config Configuration, name string, skipResourceFilters bool) (context.Context, SetupResult, context.CancelFunc) {
 	logger := SetupLogger()
 	ShowVersion(logger)
 	sdownMaxProcs := SetupMaxProcs(logger)
@ -41,6 +43,10 @@ func Setup(name string, skipResourceFilters bool) (context.Context, SetupResult,
 	client = client.WithMetrics(metricsManager, metrics.KubeClient)
 	configuration := startConfigController(ctx, logger, client, skipResourceFilters)
 	sdownTracing := SetupTracing(logger, name, client)
+	var registryClient registryclient.Client
+	if config.UsesRegistryClient() {
+		registryClient = setupRegistryClient(ctx, logger, client)
+	}
 	return ctx,
 		SetupResult{
 			Logger:               logger,
@ -48,6 +54,7 @@ func Setup(name string, skipResourceFilters bool) (context.Context, SetupResult,
 			MetricsConfiguration: metricsConfiguration,
 			MetricsManager:       metricsManager,
 			KubeClient:           client,
+			RegistryClient:       registryClient,
 		},
 		shutdown(logger.WithName("shutdown"), sdownMaxProcs, sdownMetrics, sdownTracing, sdownSignals)
 }
--- a/cmd/kyverno-init/main.go
+++ b/cmd/kyverno-init/main.go
@ -40,7 +40,7 @@ func main() {
 	// start profiling
 	// setup signals
 	// setup maxprocs
-	ctx, setup, sdown := internal.Setup("kyverno-init-controller", false)
+	ctx, setup, sdown := internal.Setup(appConfig, "kyverno-init-controller", false)
 	defer sdown()
 	// create clients
 	dynamicClient := internal.CreateDynamicClient(setup.Logger)
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@ -7,7 +7,6 @@ import (
 	"flag"
 	"fmt"
 	"os"
-	"strings"
 	"sync"
 	"time"

@ -36,7 +35,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/metrics"
 	"github.com/kyverno/kyverno/pkg/openapi"
 	"github.com/kyverno/kyverno/pkg/policycache"
-	"github.com/kyverno/kyverno/pkg/registryclient"
 	"github.com/kyverno/kyverno/pkg/tls"
 	"github.com/kyverno/kyverno/pkg/toggle"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
@ -52,7 +50,6 @@ import (
 	apiserver "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	kubeinformers "k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
-	corev1listers "k8s.io/client-go/listers/core/v1"
 	kyamlopenapi "sigs.k8s.io/kustomize/kyaml/openapi"
 )

@ -61,22 +58,6 @@ const (
 	exceptionWebhookControllerName = "exception-webhook-controller"
 )

-func setupRegistryClient(ctx context.Context, logger logr.Logger, lister corev1listers.SecretNamespaceLister, imagePullSecrets string, allowInsecureRegistry bool) (registryclient.Client, error) {
-	logger = logger.WithName("registry-client")
-	logger.Info("setup registry client...", "secrets", imagePullSecrets, "insecure", allowInsecureRegistry)
-	registryOptions := []registryclient.Option{
-		registryclient.WithTracing(),
-	}
-	secrets := strings.Split(imagePullSecrets, ",")
-	if imagePullSecrets != "" && len(secrets) > 0 {
-		registryOptions = append(registryOptions, registryclient.WithKeychainPullSecrets(ctx, lister, secrets...))
-	}
-	if allowInsecureRegistry {
-		registryOptions = append(registryOptions, registryclient.WithAllowInsecureRegistry())
-	}
-	return registryclient.New(registryOptions...)
-}
-
 func setupCosign(logger logr.Logger, imageSignatureRepository string) {
 	logger = logger.WithName("cosign")
 	logger.Info("setup cosign...", "repository", imageSignatureRepository)
@ -217,9 +198,7 @@ func main() {
 		genWorkers                   int
 		maxQueuedEvents              int
 		autoUpdateWebhooks           bool
-		imagePullSecrets             string
 		imageSignatureRepository     string
-		allowInsecureRegistry        bool
 		webhookRegistrationTimeout   time.Duration
 		admissionReports             bool
 		dumpPayload                  bool
@ -233,9 +212,7 @@ func main() {
 	flagset.IntVar(&genWorkers, "genWorkers", 10, "Workers for generate controller.")
 	flagset.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.")
 	flagset.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.")
-	flagset.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials.")
 	flagset.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
-	flagset.BoolVar(&allowInsecureRegistry, "allowInsecureRegistry", false, "Whether to allow insecure connections to registries. Don't use this for anything but testing.")
 	flagset.BoolVar(&autoUpdateWebhooks, "autoUpdateWebhooks", true, "Set this flag to 'false' to disable auto-configuration of the webhook.")
 	flagset.DurationVar(&webhookRegistrationTimeout, "webhookRegistrationTimeout", 120*time.Second, "Timeout for webhook registration, e.g., 30s, 1m, 5m.")
 	flagset.Func(toggle.ProtectManagedResourcesFlagName, toggle.ProtectManagedResourcesDescription, toggle.ProtectManagedResources.Parse)
@ -252,17 +229,13 @@ func main() {
 		internal.WithKubeconfig(),
 		internal.WithPolicyExceptions(),
 		internal.WithConfigMapCaching(),
+		internal.WithRegistryClient(),
 		internal.WithFlagSets(flagset),
 	)
 	// parse flags
 	internal.ParseFlags(appConfig)
-	// setup logger
-	// show version
-	// start profiling
-	// setup signals
-	// setup maxprocs
-	// setup metrics
-	signalCtx, setup, sdown := internal.Setup("kyverno-admission-controller", false)
+	// setup
+	signalCtx, setup, sdown := internal.Setup(appConfig, "kyverno-admission-controller", false)
 	defer sdown()
 	// show version
 	showWarnings(setup.Logger)
@ -289,12 +262,6 @@ func main() {
 	kubeKyvernoInformer := kubeinformers.NewSharedInformerFactoryWithOptions(setup.KubeClient, resyncPeriod, kubeinformers.WithNamespace(config.KyvernoNamespace()))
 	kyvernoInformer := kyvernoinformer.NewSharedInformerFactory(kyvernoClient, resyncPeriod)
 	secretLister := kubeKyvernoInformer.Core().V1().Secrets().Lister().Secrets(config.KyvernoNamespace())
-	// setup registry client
-	rclient, err := setupRegistryClient(signalCtx, setup.Logger, secretLister, imagePullSecrets, allowInsecureRegistry)
-	if err != nil {
-		setup.Logger.Error(err, "failed to setup registry client")
-		os.Exit(1)
-	}
 	// setup cosign
 	setupCosign(setup.Logger, imageSignatureRepository)
 	openApiManager, err := openapi.NewManager(setup.Logger.WithName("openapi"))
@ -352,7 +319,7 @@ func main() {
 		setup.Configuration,
 		setup.MetricsConfiguration,
 		dClient,
-		rclient,
+		setup.RegistryClient,
 		setup.KubeClient,
 		kyvernoClient,
 	)
@ -469,7 +436,7 @@ func main() {
 		engine,
 		dClient,
 		kyvernoClient,
-		rclient,
+		setup.RegistryClient,
 		setup.Configuration,
 		setup.MetricsManager,
 		policyCache,
--- a/cmd/reports-controller/main.go
+++ b/cmd/reports-controller/main.go
@ -5,7 +5,6 @@ import (
 	"errors"
 	"flag"
 	"os"
-	"strings"
 	"sync"
 	"time"

@ -31,7 +30,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/metrics"
 	"github.com/kyverno/kyverno/pkg/registryclient"
 	kubeinformers "k8s.io/client-go/informers"
-	corev1listers "k8s.io/client-go/listers/core/v1"
 	metadatainformers "k8s.io/client-go/metadata/metadatainformer"
 	kyamlopenapi "sigs.k8s.io/kustomize/kyaml/openapi"
 )
@ -40,22 +38,6 @@ const (
 	resyncPeriod = 15 * time.Minute
 )

-func setupRegistryClient(ctx context.Context, logger logr.Logger, lister corev1listers.SecretNamespaceLister, imagePullSecrets string, allowInsecureRegistry bool) (registryclient.Client, error) {
-	logger = logger.WithName("registry-client")
-	logger.Info("setup registry client...", "secrets", imagePullSecrets, "insecure", allowInsecureRegistry)
-	registryOptions := []registryclient.Option{
-		registryclient.WithTracing(),
-	}
-	secrets := strings.Split(imagePullSecrets, ",")
-	if imagePullSecrets != "" && len(secrets) > 0 {
-		registryOptions = append(registryOptions, registryclient.WithKeychainPullSecrets(ctx, lister, secrets...))
-	}
-	if allowInsecureRegistry {
-		registryOptions = append(registryOptions, registryclient.WithAllowInsecureRegistry())
-	}
-	return registryclient.New(registryOptions...)
-}
-
 func setupCosign(logger logr.Logger, imageSignatureRepository string) {
 	logger = logger.WithName("cosign")
 	logger.Info("setup cosign...", "repository", imageSignatureRepository)
@ -188,9 +170,7 @@ func createrLeaderControllers(
 func main() {
 	var (
 		leaderElectionRetryPeriod time.Duration
-		imagePullSecrets          string
 		imageSignatureRepository  string
-		allowInsecureRegistry     bool
 		backgroundScan            bool
 		admissionReports          bool
 		reportsChunkSize          int
@ -201,9 +181,7 @@ func main() {
 	)
 	flagset := flag.NewFlagSet("reports-controller", flag.ExitOnError)
 	flagset.DurationVar(&leaderElectionRetryPeriod, "leaderElectionRetryPeriod", leaderelection.DefaultRetryPeriod, "Configure leader election retry period.")
-	flagset.StringVar(&imagePullSecrets, "imagePullSecrets", "", "Secret resource names for image registry access credentials.")
 	flagset.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
-	flagset.BoolVar(&allowInsecureRegistry, "allowInsecureRegistry", false, "Whether to allow insecure connections to registries. Don't use this for anything but testing.")
 	flagset.BoolVar(&backgroundScan, "backgroundScan", true, "Enable or disable backgound scan.")
 	flagset.BoolVar(&admissionReports, "admissionReports", true, "Enable or disable admission reports.")
 	flagset.IntVar(&reportsChunkSize, "reportsChunkSize", 1000, "Max number of results in generated reports, reports will be split accordingly if there are more results to be stored.")
@ -219,17 +197,13 @@ func main() {
 		internal.WithKubeconfig(),
 		internal.WithPolicyExceptions(),
 		internal.WithConfigMapCaching(),
+		internal.WithRegistryClient(),
 		internal.WithFlagSets(flagset),
 	)
 	// parse flags
 	internal.ParseFlags(appConfig)
-	// setup logger
-	// show version
-	// start profiling
-	// setup signals
-	// setup maxprocs
-	// setup metrics
-	ctx, setup, sdown := internal.Setup("kyverno-reports-controller", skipResourceFilters)
+	// setup
+	ctx, setup, sdown := internal.Setup(appConfig, "kyverno-reports-controller", skipResourceFilters)
 	defer sdown()
 	// create instrumented clients
 	leaderElectionClient := internal.CreateKubernetesClient(setup.Logger, kubeclient.WithMetrics(setup.MetricsManager, metrics.KubeClient), kubeclient.WithTracing())
@ -245,15 +219,7 @@ func main() {
 	// ELSE KYAML IS NOT THREAD SAFE
 	kyamlopenapi.Schema()
 	// informer factories
-	kubeKyvernoInformer := kubeinformers.NewSharedInformerFactoryWithOptions(setup.KubeClient, resyncPeriod, kubeinformers.WithNamespace(config.KyvernoNamespace()))
 	kyvernoInformer := kyvernoinformer.NewSharedInformerFactory(kyvernoClient, resyncPeriod)
-	secretLister := kubeKyvernoInformer.Core().V1().Secrets().Lister().Secrets(config.KyvernoNamespace())
-	// setup registry client
-	rclient, err := setupRegistryClient(ctx, setup.Logger, secretLister, imagePullSecrets, allowInsecureRegistry)
-	if err != nil {
-		setup.Logger.Error(err, "failed to setup registry client")
-		os.Exit(1)
-	}
 	// setup cosign
 	setupCosign(setup.Logger, imageSignatureRepository)
 	eventGenerator := event.NewEventGenerator(
@ -270,12 +236,12 @@ func main() {
 		setup.Configuration,
 		setup.MetricsConfiguration,
 		dClient,
-		rclient,
+		setup.RegistryClient,
 		setup.KubeClient,
 		kyvernoClient,
 	)
 	// start informers and wait for cache sync
-	if !internal.StartInformersAndWaitForCacheSync(ctx, setup.Logger, kyvernoInformer, kubeKyvernoInformer) {
+	if !internal.StartInformersAndWaitForCacheSync(ctx, setup.Logger, kyvernoInformer) {
 		setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
 		os.Exit(1)
 	}
@ -309,7 +275,7 @@ func main() {
 				metadataInformer,
 				kyvernoClient,
 				dClient,
-				rclient,
+				setup.RegistryClient,
 				setup.Configuration,
 				eventGenerator,
 				backgroundScanInterval,