From cdd5d4fd229a1714e2deb2f41c8c82ee91a291d5 Mon Sep 17 00:00:00 2001
From: raffis
Date: Tue, 19 Dec 2023 22:33:05 +0100
Subject: [PATCH] fix(kubectl-kyverno): apply registry auth (#9151)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix(kubectl-kyverno): apply registry auth
Signed-off-by: Raffael Sahli
* fix
Signed-off-by: Charles-Edouard Brétéché
---------
Signed-off-by: Raffael Sahli
Signed-off-by: Charles-Edouard Brétéché
Co-authored-by: Charles-Edouard Brétéché
---
 cmd/cli/kubectl-kyverno/commands/apply/command.go | 13 +++++++++++++
 cmd/cli/kubectl-kyverno/commands/test/test.go | 2 ++
 .../kubectl-kyverno/processor/policy_processor.go | 5 +++--
 .../processor/policy_processor_test.go | 2 ++
 4 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/cmd/cli/kubectl-kyverno/commands/apply/command.go b/cmd/cli/kubectl-kyverno/commands/apply/command.go
index 4aaebb2b52..34f35550cc 100644
--- a/cmd/cli/kubectl-kyverno/commands/apply/command.go
+++ b/cmd/cli/kubectl-kyverno/commands/apply/command.go
@@ -28,6 +28,7 @@ import (
 "github.com/kyverno/kyverno/pkg/clients/dclient"
 "github.com/kyverno/kyverno/pkg/config"
 engineapi "github.com/kyverno/kyverno/pkg/engine/api"
+ "github.com/kyverno/kyverno/pkg/registryclient"
 gitutils "github.com/kyverno/kyverno/pkg/utils/git"
 policyvalidation "github.com/kyverno/kyverno/pkg/validation/policy"
 "github.com/spf13/cobra"
@@ -162,6 +163,14 @@ func (c *ApplyCommandConfig) applyCommandHelper(out io.Writer) (*processor.Resul
 policyRulesCount += len(validatingAdmissionPolicies)
 fmt.Fprintf(out, "\nApplying %d policy rule(s) to %d resource(s)...\n", policyRulesCount, len(resources))
 }
+
+ var regOpts []registryclient.Option
+ if c.RegistryAccess {
+ regOpts = append(regOpts, registryclient.WithLocalKeychain())
+ }
+
+ rclient := registryclient.NewOrDie(regOpts...)
+
 rc, resources1, responses1, err = c.applyPolicytoResource(
 out,
 &store,
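Review bot: `registryclient.NewOrDie(regOpts...)` in the `@@ -162,6 +163,14 @@` hunk will presumably panic on a construction failure (going by its name), although `applyCommandHelper` already returns an error to its caller. If the package offers an error-returning constructor, using it here and returning the error would let a keychain or configuration problem show up as a normal CLI error rather than a stack trace. The opt-in also deserves a comment above the `if`, for example `// Only use local registry credentials when the user opted in via RegistryAccess.`, so that a later refactor does not make the keychain the default. The function body starts and ends outside the hunk.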
@@ -172,6 +181,7 @@ func (c *ApplyCommandConfig) applyCommandHelper(out io.Writer) (*processor.Resul
 dClient,
 userInfo,
 mutateLogPathIsDir,
+ rclient,
 )
 if err != nil {
 return rc, resources1, skipInvalidPolicies, responses1, err
@@ -229,6 +239,7 @@ func (c *ApplyCommandConfig) applyPolicytoResource(
 dClient dclient.Interface,
 userInfo *v1beta1.RequestInfo,
 mutateLogPathIsDir bool,
+ rclient registryclient.Client,
 ) (*processor.ResultCounts, []*unstructured.Unstructured, []engineapi.EngineResponse, error) {
 if vars != nil {
 vars.SetInStore(store)
@@ -249,6 +260,7 @@ func (c *ApplyCommandConfig) applyPolicytoResource(
 }
 validPolicies = append(validPolicies, pol)
 }
+
 var rc processor.ResultCounts
 var responses []engineapi.EngineResponse
 for _, resource := range resources {
@@ -269,6 +281,7 @@ func (c *ApplyCommandConfig) applyPolicytoResource(
 AuditWarn: c.AuditWarn,
 Subresources: vars.Subresources(),
 Out: out,
+ RegistryClient: rclient,
 }
 ers, err := processor.ApplyPoliciesOnResource()
 if err != nil {
diff --git a/cmd/cli/kubectl-kyverno/commands/test/test.go b/cmd/cli/kubectl-kyverno/commands/test/test.go
index e41ccccbfc..26fed138c6 100644
--- a/cmd/cli/kubectl-kyverno/commands/test/test.go
+++ b/cmd/cli/kubectl-kyverno/commands/test/test.go
@@ -22,6 +22,7 @@ import (
 "github.com/kyverno/kyverno/pkg/clients/dclient"
 "github.com/kyverno/kyverno/pkg/config"
 engineapi "github.com/kyverno/kyverno/pkg/engine/api"
+ "github.com/kyverno/kyverno/pkg/registryclient"
 policyvalidation "github.com/kyverno/kyverno/pkg/validation/policy"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
@@ -152,6 +153,7 @@ func runTest(out io.Writer, testCase test.TestCase, registryAccess bool, auditWa
 Client: dClient,
 Subresources: vars.Subresources(),
 Out: out,
+ RegistryClient: registryclient.NewOrDie(),
 }
 ers, err := processor.ApplyPoliciesOnResource()
 if err != nil {
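Review bot: The new `RegistryClient: registryclient.NewOrDie(),` in the `runTest` hunk does not consult the `registryAccess` parameter visible in the hunk header, so the test command keeps a client without the local keychain while apply now honours the equivalent setting. If that asymmetry is not intended, pass the option the same way, for example `registryclient.NewOrDie(registryclient.WithLocalKeychain())` when `registryAccess` is true. If it is intended, a short comment such as `// test runs never use local registry credentials` would record the decision. The struct literal may sit inside a per-resource loop (the enclosing function is not fully visible). If so, build the client once before the loop, as the apply command does.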
diff --git a/cmd/cli/kubectl-kyverno/processor/policy_processor.go b/cmd/cli/kubectl-kyverno/processor/policy_processor.go
index 4dbb7059c8..4ccc8d2e3b 100644
--- a/cmd/cli/kubectl-kyverno/processor/policy_processor.go
+++ b/cmd/cli/kubectl-kyverno/processor/policy_processor.go
@@ -52,6 +52,7 @@ type PolicyProcessor struct {
 AuditWarn bool
 Subresources []v1alpha1.Subresource
 Out io.Writer
+ RegistryClient registryclient.Client
 }
 
 func (p *PolicyProcessor) ApplyPoliciesOnResource() ([]engineapi.EngineResponse, error) {
@@ -63,13 +64,13 @@ func (p *PolicyProcessor) ApplyPoliciesOnResource() ([]engineapi.EngineResponse,
 if p.Client != nil {
 client = adapters.Client(p.Client)
 }
- rclient := registryclient.NewOrDie()
+
 eng := engine.NewEngine(
 cfg,
 config.NewDefaultMetricsConfiguration(),
 jmespath.New(cfg),
 client,
- factories.DefaultRegistryClientFactory(adapters.RegistryClient(rclient), nil),
+ factories.DefaultRegistryClientFactory(adapters.RegistryClient(p.RegistryClient), nil),
 imageverifycache.DisabledImageVerifyCache(),
 store.ContextLoaderFactory(p.Store, nil),
 nil,
diff --git a/cmd/cli/kubectl-kyverno/processor/policy_processor_test.go b/cmd/cli/kubectl-kyverno/processor/policy_processor_test.go
index 0b5dd68003..08f91446af 100644
--- a/cmd/cli/kubectl-kyverno/processor/policy_processor_test.go
+++ b/cmd/cli/kubectl-kyverno/processor/policy_processor_test.go
@@ -6,6 +6,7 @@ import (
 
 "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/resource"
 "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/store"
+ "github.com/kyverno/kyverno/pkg/registryclient"
 yamlutils "github.com/kyverno/kyverno/pkg/utils/yaml"
 "gotest.tools/assert"
 )
@@ -116,6 +117,7 @@ func Test_NamespaceSelector(t *testing.T) {
 NamespaceSelectorMap: tc.namespaceSelectorMap,
 Rc: rc,
 Out: os.Stdout,
+ RegistryClient: registryclient.NewOrDie(),
 }
 processor.ApplyPoliciesOnResource()
 assert.Equal(t, int64(rc.Pass()), int64(tc.result.pass))
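Review bot: `adapters.RegistryClient(p.RegistryClient)` in the `@@ -63,13 +64,13 @@` hunk wraps whatever the caller stored in the new field, so a `PolicyProcessor` built without `RegistryClient` now hands a nil interface to the engine where the removed line always created a client. Depending on how the adapter uses it, that would likely surface as a nil dereference only when a policy actually needs registry data. Restoring the old default at the top of `ApplyPoliciesOnResource` avoids this: `if p.RegistryClient == nil { p.RegistryClient = registryclient.NewOrDie() }`. Alternatively, document the requirement on the field added in the `@@ -52,6 +52,7 @@` hunk: `// RegistryClient is used for registry lookups; callers must set it.` The function body continues outside the hunk.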