secrets-webhook ignores registry proxies #247

Open
arjen-s opened this issue Nov 15, 2023 · 1 comment
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/keep Denotes an issue or PR that should be preserved from going stale.

Comments


arjen-s commented Nov 15, 2023

Hi,

We have a Kubernetes cluster that uses containerd as its container runtime.
containerd has been configured to use registry proxies for certain registries, including our own private registry (in GitLab in our case).
This way, requests for images on 'registry.gitlab.com' are actually sent to gitlab_proxy:5000 (our proxy for GitLab) without us having to change the image's repository or tags in Kubernetes.

Now the problem starts when the secrets-webhook tries to retrieve the 'image descriptor' of an image of a pod it needs to inject the init container into, as it ignores the proxy altogether and calls the private registry directly.
https://github.com/bank-vaults/vault-secrets-webhook/blob/main/pkg/webhook/registry.go#L195

This results in 2 issues:

  • the private registry may not be accessible directly
  • the private registry may require a pull secret to be used that the proxy does not.

Looking at the source code and docs, I don't think the 'remote' registry has the ability to get its proxy config from somewhere, but does anyone have any suggestions for how I can configure it to use proxies for specific registries?
https://pkg.go.dev/github.com/google/go-containerregistry/pkg/v1/remote

Thanks
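The rewrite the webhook would have to do before fetching a descriptor, as an added example that is not part of the issue or of the vault-secrets-webhook code: a containerd-style mirror table (registry host to proxy endpoint) is consulted once the image reference has been split into its registry and repository parts, so 'registry.gitlab.com/group/app:1.2.3' becomes 'gitlab_proxy:5000/group/app:1.2.3' while references with no configured mirror are normalised but otherwise left alone. The Mirror and Target types, the Mirrors map and the ResolveThroughMirror function are hypothetical names for this example; containerd itself reads the equivalent table from its own hosts.toml / config.toml, which is not parsed here. The reference splitting follows the Docker/OCI rule that a first path component is a registry only if it contains a '.' or ':' or is 'localhost', with single-component names landing in Docker Hub's 'library/' namespace.

```go
package main

import (
	"fmt"
	"strings"
)

// Mirror is one containerd-style registry mirror entry (constructed for this
// example): requests for images on the keyed registry go to Endpoint instead.
type Mirror struct {
	Endpoint string // e.g. "gitlab_proxy:5000"
	Insecure bool   // true when the mirror only speaks plain HTTP
}

// Mirrors maps a registry host, as written in the image reference, to its mirror.
type Mirrors map[string]Mirror

// Target is where the descriptor fetch should actually go.
type Target struct {
	Ref      string // reference with the registry host replaced by the mirror
	Scheme   string // "https", or "http" for an insecure mirror
	Mirrored bool   // true when a mirror was applied (caller may skip the pull-secret lookup)
}

// splitReference separates the registry host from the repository[:tag|@digest]
// part. A first path component counts as a registry only if it contains '.'
// or ':' or is "localhost"; anything else is Docker Hub, and a bare name such
// as "nginx:1.25" lives under the implicit "library/" namespace.
func splitReference(ref string) (host, rest string) {
	i := strings.Index(ref, "/")
	if i < 0 {
		return "docker.io", "library/" + ref
	}
	first := ref[:i]
	if !strings.ContainsAny(first, ".:") && first != "localhost" {
		return "docker.io", ref
	}
	return first, ref[i+1:]
}

// ResolveThroughMirror returns the reference and scheme to use for the
// descriptor fetch, honouring a configured mirror for the reference's
// registry. Tags and digests are carried over unchanged, so a digest-pinned
// reference stays verifiable after the fetch even when it went via a mirror.
func ResolveThroughMirror(ref string, mirrors Mirrors) Target {
	host, rest := splitReference(ref)
	m, ok := mirrors[host]
	if !ok {
		return Target{Ref: host + "/" + rest, Scheme: "https"}
	}
	scheme := "https"
	if m.Insecure {
		scheme = "http"
	}
	return Target{Ref: m.Endpoint + "/" + rest, Scheme: scheme, Mirrored: true}
}

func main() {
	// Constructed mirror table mirroring the setup described in the issue.
	mirrors := Mirrors{
		"registry.gitlab.com": {Endpoint: "gitlab_proxy:5000", Insecure: true},
	}
	for _, ref := range []string{
		"registry.gitlab.com/group/app:1.2.3",
		"nginx:1.25",
		"localhost:5000/app@sha256:0123456789abcdef",
	} {
		tg := ResolveThroughMirror(ref, mirrors)
		fmt.Printf("%-45s -> %s://%s (mirrored=%v)\n", ref, tg.Scheme, tg.Ref, tg.Mirrored)
	}
}
```

With a tag reference the mirror decides which manifest comes back, so an insecure mirror is only as trustworthy as the network between the webhook and the proxy; with a digest reference the fetched manifest can still be checked against the digest regardless of which host served it, which is the safer shape for anything the webhook later acts on.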


Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Jan 21, 2024
@ramizpolic ramizpolic added question lifecycle/keep Denotes an issue or PR that should be preserved from going stale. kind/feature Categorizes issue or PR as related to a new feature. and removed lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. labels Jan 23, 2024
@github-actions github-actions bot removed the question label Feb 11, 2024