update-image-registry does not correctly mutate images
BUG
Description:
When using the update-image-registry policy, pods that have multiple containers with separate images all end up with the same image. Updating `values.policies.update-image-registry` with:

```yaml
update-image-registry:
  enabled: false
  parameters:
    update:
      - from: "registry1.dso.mil"
        to: "artifactory.custom.registry"
```

results in pods being mutated with duplicated images. Using the sample pod manifest:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: image-registry-rewrite-test
  namespace: default
spec:
  containers:
    - name: app-one
      image: registry1.dso.mil/sample1/nginx:1.25
    - name: app-two
      image: registry1.dso.mil/sample2/busybox:1.36
      command: ["sh", "-c", "sleep 3600"]
```

results in the following mutation:
```shell
kubectl get pod image-registry-rewrite-test -o json | jq '.spec.containers[].image'
"artifactory.custom.registry/sample1/nginx:1.25"
"artifactory.custom.registry/sample1/nginx:1.25"
```
Looking at the policy implementation, this appears to be a limitation or unintended behavior of `patchStrategicMerge` when combined with wildcard list keys and string mutations.

From the policy implementation, when a Pod contains multiple containers with images from the same source registry but different repositories, the mutation collapses all container images to the value computed for the first container: https://github.com/DoD-Platform-One/Kyverno-Policies/blob/1d9a81c0132ed5b721220fd686585e4e3853b87e/chart/templates/update-image-registry.yaml#L35-L41
Right now our team has worked around this by re-implementing this policy using a forEach block above the patchStrategicMerge, but it would be nice if we could use the already provided policy in this repo.
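The collapse described in this report is easy to miss in a cluster, because the mutated Pod still admits and runs; it just runs the wrong image in one of its containers. The following check is an added example (not part of this issue or of the Kyverno-Policies chart) that a team can run against a Pod spec before and after mutation, for instance in a policy regression test driven by the Kyverno CLI output or by `kubectl get pod -o json`. It recomputes the expected registry rewrite for every container and init container independently and reports any container whose image does not match. The container lists and the `registry1.dso.mil` to `artifactory.custom.registry` mapping are constructed from the report above; the function names are this example's own.

```python
"""Verify that an image-registry rewrite kept every container's repository and tag intact."""
from typing import Dict, List

# Constructed sample: the reporter's Pod spec before mutation.
ORIGINAL_POD = {
    "spec": {
        "containers": [
            {"name": "app-one", "image": "registry1.dso.mil/sample1/nginx:1.25"},
            {"name": "app-two", "image": "registry1.dso.mil/sample2/busybox:1.36"},
        ]
    }
}

# Constructed sample: the collapsed result the report shows (second image duplicated from the first).
COLLAPSED_POD = {
    "spec": {
        "containers": [
            {"name": "app-one", "image": "artifactory.custom.registry/sample1/nginx:1.25"},
            {"name": "app-two", "image": "artifactory.custom.registry/sample1/nginx:1.25"},
        ]
    }
}

# Constructed sample: what a per-container rewrite should have produced.
CORRECT_POD = {
    "spec": {
        "containers": [
            {"name": "app-one", "image": "artifactory.custom.registry/sample1/nginx:1.25"},
            {"name": "app-two", "image": "artifactory.custom.registry/sample2/busybox:1.36"},
        ]
    }
}

REGISTRY_MAP = {"registry1.dso.mil": "artifactory.custom.registry"}


def split_registry(image: str):
    """Split 'registry/repo:tag' into (registry, remainder).

    Docker's rule: the first path component is a registry only if it contains
    a '.' or ':' or is 'localhost'; otherwise the image has no explicit registry.
    """
    first, sep, rest = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first, rest
    return "", image


def expected_rewrite(image: str, mapping: Dict[str, str]) -> str:
    """Rewrite only the registry component; repository, tag and digest are preserved."""
    registry, rest = split_registry(image)
    if registry in mapping:
        return f"{mapping[registry]}/{rest}"
    return image


def check_mutation(original: dict, mutated: dict, mapping: Dict[str, str]) -> List[str]:
    """Compare each container of the mutated Pod against the expected per-container rewrite.

    Returns a list of findings; an empty list means the mutation was correct.
    """
    findings: List[str] = []
    for field in ("initContainers", "containers"):
        before = original.get("spec", {}).get(field, [])
        after = {c["name"]: c["image"] for c in mutated.get("spec", {}).get(field, [])}
        for c in before:
            want = expected_rewrite(c["image"], mapping)
            got = after.get(c["name"])
            if got is None:
                findings.append(f"{field}/{c['name']}: container missing after mutation")
            elif got != want:
                findings.append(f"{field}/{c['name']}: expected {want}, got {got}")
    return findings


if __name__ == "__main__":
    for label, pod in (("collapsed", COLLAPSED_POD), ("correct", CORRECT_POD)):
        problems = check_mutation(ORIGINAL_POD, pod, REGISTRY_MAP)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Running the script flags `app-two` in the collapsed Pod and reports the correct Pod as clean. Because the check derives the expected value from the original image rather than from the policy's own output, it also catches the related failure modes a wildcard strategic merge can produce, such as a tag or repository path being overwritten, and it ignores images that were never in a mapped registry.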