ggcr: Allow option to ignore imagePullSecrets for push-only registry operations

[anithapriyanatarajan]

Describe the bug

The authn/kubernetes keychain currently reads both the .imagePullSecrets and .secrets associated with a ServiceAccount. While this is appropriate for image pull operations, it causes issues when the keychain is used for push operations.

Specifically, if:
.imagePullSecrets includes a read-only credential for a target registry, and
.secrets includes a different credential with write access for the same registry,

then the existing New function will consolidate both sets of secrets and return the first matching credential for the registry which is always the read-only one from .imagePullSecrets. This is because of the way secrets are appended in the current function while processing.

This results in push attempts failing despite appropriate write credentials being present in the ServiceAccount.

A option is needed to skip .imagePullSecrets when the keychain is being used for push operations.

To Reproduce

The Tekton Chains controller uses this library to determine the authentication required to push content to the user provided registry. Chains controller establishes auth only to push content using the ServiceAccount. Whenever the serviceAccount has .imagePullSecrets & .secrets targeting the same registry, push attempts by chains fails. For additional details please refer (issue)[https://github.com/tektoncd/chains/issues/1336]

Expected behavior

Add an option to ignore .imagePullSecrets when constructing the Kubernetes authn.Keychain, specifically for use cases involving image PUSH operations.

Additional context

• Registry used - Quay

[anithapriyanatarajan]

Proposal is to include an additional option IgnorePullSecrets . If this option is set to true only .secrets associated to the serviceAccount will be processed.

Existing Options for reference - https://github.com/google/go-containerregistry/blob/main/pkg/authn/kubernetes/keychain.go#L45-L67

type Options struct {

// Namespace holds the namespace inside of which we are resolving service
// account and pull secret references to access the image.
// If empty, "default" is assumed.
Namespace string

// ServiceAccountName holds the serviceaccount (within Namespace) as which a
// Pod might access the image.  Service accounts may have image pull secrets
// attached, so we lookup the service account to complete the keychain.
// If empty, "default" is assumed.  To avoid a service account lookup, pass
// NoServiceAccount explicitly.
ServiceAccountName string

// ImagePullSecrets holds the names of the Kubernetes secrets (scoped to
// Namespace) containing credential data to use for the image pull.
ImagePullSecrets []string

// UseMountSecrets determines whether or not mount secrets in the ServiceAccount
// should be considered. Mount secrets are those listed under the `.secrets`
// attribute of the ServiceAccount resource. Ignored if ServiceAccountName is set
// to NoServiceAccount.
UseMountSecrets bool

}